Thanks Viktor and Wietse for the insight. TLS encryption seems to be working fine. I was using higher log level for debugging only.

On Fri, Mar 27, 2020 at 11:11 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Fri, Mar 27, 2020 at 07:25:19PM +0530, sandeep pawar wrote:
>
> > I am using postfix to send mails to external world. One of the external
> > recipient mentioned the requirement to setup MTLS, where they want a
> > publicly signed client side certificate to establish TLS. I want to present
> > client side certificate only to the required domain as it can cause issues
> > at times as per the doc. Is it possible to create a separate smtp transport
> > and pass client TLS_CERT_FILE to it or should I use a different postfix
> > instance altogether?
> >
> > snippet from master.cf
> > tlsenforce unix - - n - - smtp
> >   -o smtp_tls_cert_file=/etc/postfix/cert.pem
> >   -o smtp_tls_key_file=/etc/postfix/cert.pem
> >   -o smtp_tls_loglevel=2
> >   -o smtp_tls_policy_maps=cdb:/etc/postfix/tls_maps
>
> You probably don't need a transport-specific smtp_tls_policy_maps, both
> the transport lookup and policy lookup are per-destination, so you
> generally don't need multiple tables.
>
> Also TLS loglevel=2 is *only* for occasional debugging, do not blithely
> turn it on.
>
> As for per-destination client certificates, now that we have SNI support
> in the SMTP server, it is in principle possible to develop new code to
> support per-destination client certificates without using a new
> transport, but there are tricky interactions with the client-side of
> the TLS proxy. So a fixed client-cert per transport is perhaps
> good enough...
>
> --
> Viktor.

--
Sandeep Pawar
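The arrangement Viktor describes, a dedicated smtp transport that carries the client certificate and is selected per destination by the transport table, written out as a constructed configuration sketch. This is an added example, not configuration from the thread or from the Postfix project; the domain partner.example is a placeholder, the certificate paths follow the master.cf snippet above, and the single policy table replaces the transport-specific one in that snippet.

```text
# main.cf  (constructed example, not from the thread)
# Route mail for the partner domain through the dedicated transport.
transport_maps = hash:/etc/postfix/transport
# One policy table is enough: both the transport lookup and the policy
# lookup are keyed by destination, so the partner entry lives beside the
# rules for every other destination.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may

# /etc/postfix/transport   (run "postmap /etc/postfix/transport" after editing)
# Empty next-hop: the recipient domain stays the next-hop, so the policy
# table below is queried with the same key.
partner.example    tlsenforce:

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
# Require a verified server certificate for the partner; everything else
# keeps the opportunistic "may" level from main.cf.
partner.example    secure

# master.cf
# The stock smtp transport is left unchanged (shown only for comparison):
# it sets no smtp_tls_cert_file, so ordinary destinations are never
# offered the client certificate.
smtp       unix  -       -       n       -       -       smtp
# Only mail routed via "tlsenforce" presents the client certificate.
# Loglevel 1 is enough to see the per-connection TLS summary line.
tlsenforce unix  -       -       n       -       -       smtp
  -o smtp_tls_cert_file=/etc/postfix/cert.pem
  -o smtp_tls_key_file=/etc/postfix/cert.pem
  -o smtp_tls_loglevel=1
```

Before reloading, `postconf -M tlsenforce` shows the master.cf entry with its overrides, and `postmap -q partner.example hash:/etc/postfix/transport` confirms the domain resolves to the new transport. After a test message, the mail log at loglevel 1 records whether the session to the partner ended up "Verified" (the secure policy was met) or was deferred because the server certificate did not verify; no client-certificate lines should appear for deliveries that went through the plain smtp transport.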