Re: TLS client certs question
Thanks guys. I'd like to know about both sender and recipient domain.

Chris

On Aug 8, 2021, at 18:30, Wietse Venema wrote:
>Viktor Dukhovni:
>> On Sun, Aug 08, 2021 at 10:50:48AM -0400, Wietse Venema wrote:
>>
>> > I suppose that each client certificate will be valid only with a
>> > specific host, so you would have to update the sender_transport
>> > table to return a transport:nexthop result.
>>
>> FWIW, the OP's question was:
>
> I would like to know how Postfix handles client certificates
> for delivery i.e. when it makes a remote connection to deliver
> email.
>
>> Is it possible to control the certificate that is used per domain?
>>
>> If per-domain means per destination nexthop regardless of sender, the
>> configuration would be simpler. Assuming just a small number of client
>> certs, just configure a separate transport for each client cert, and use
>> transport_maps to map the domain in question to that transport.
>
>The question as posed previously in off-list email:
>
>Is it possible to control the certificate that is used per email
>/ per customer?
>
>So we know that "customer" means "domain", and "certificate" means
>"client certificate". We don't know if "domain" is sender or recipient.
>
>	Wietse
Re: TLS client certs question
Thanks Wietse, I missed this the first time; this must be the walkthrough that Viktor mentioned. Very useful, I will take a closer look on Monday.

Best,

Chris

On Aug 7, 2021, at 15:19, Wietse Venema wrote:
>Chris Bamford:
>> Hello,
>>
>> I would like to know how Postfix handles client certificates for delivery
>> i.e. when it makes a remote connection to deliver email.
>>
>> Is it possible to control the certificate that is used per domain?
>
>The client certificate is a Postfix SMTP client setting; the
>certificate will be used for all email deliveries by that Postfix
>SMTP client.
>
>The following example uses one Postfix SMTP client per sender domain,
>each Postfix SMTP client having its own client certificate:
>
>/etc/postfix/main.cf:
>    sender_dependent_default_transport_maps =
>        hash:/etc/postfix/sender_transport
>        # In case you need a cert for all other deliveries.
>        # static:/etc/postfix/default-cert/pem
>
>/etc/postfix/sender_transport:
>    # Searched by sender email address and @domain.
>    @example.com    smtp-example-com
>    @example.org    smtp-example-org
>    ...
>
>/etc/postfix/master.cf:
>    smtp-example-com .. .. .. .. .. .. .. smtp
>        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
>    smtp-example-org .. .. .. .. .. .. .. smtp
>        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
>    ...
>
>To make this more scalable, the Postfix SMTP client would need the
>opposite of tls_server_sni_maps, to dynamically choose the client
>certificate based on the sender info.
>
>	Wietse
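The walkthrough above (and the transport:nexthop / transport_maps variant discussed in the later replies) hinges on two things being consistent: every transport name a lookup table can return must exist as a unix-type smtp service in master.cf, and that service must actually override smtp_tls_cert_file, otherwise deliveries for that sender silently use the global certificate (or none). The script below is an added example written for this page, not code from the thread or from the Postfix project. It parses a sender_transport-style table, a transport_maps-style table and a master.cf fragment (all constructed sample text embedded inline, with made-up domains and transport names) and reports the status of each selectable transport. It relies on two documented Postfix behaviours: a `-o` override on a master.cf service replaces the main.cf value for that service only, and smtp_tls_key_file defaults to $smtp_tls_cert_file, so a transport that sets only the cert file must have the private key in that same PEM.

```python
"""Consistency check for per-sender / per-destination Postfix client certs.

Added example for this page (not Postfix code). All inputs below are
constructed samples; the domains, paths and transport names are made up.
"""
import re
from dataclasses import dataclass, field

# --- constructed sample inputs ------------------------------------------------

# sender_dependent_default_transport_maps source: sender or @domain -> transport
SENDER_TRANSPORT = """\
# Searched by sender email address and @domain.
@example.com          smtp-example-com
@example.org          smtp-example-org
billing@example.net   smtp-example-org
@example.net          smtp-missing
@example.edu          smtp-notls
"""

# transport_maps source (destination-based variant): domain -> transport[:nexthop]
TRANSPORT_MAPS = """\
partner.example       smtp-example-com:[mx.partner.example]
"""

MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       n      -      -       smtpd
smtp       unix  -       -       n      -      -       smtp
smtp-example-com unix - - n - - smtp
  -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
  -o smtp_tls_key_file=/etc/postfix/example-com-key.pem
smtp-example-org unix - - n - - smtp
  -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
smtp-notls unix - - n - - smtp
  -o syslog_name=postfix/notls
"""


@dataclass
class Service:
    name: str
    type: str                 # inet, unix, fifo, pass
    command: str              # smtp, smtpd, lmtp, ...
    options: dict = field(default_factory=dict)   # "-o name=value" overrides


def parse_table(text):
    """Parse a Postfix lookup-table source file into {key: value}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"table entry without a value: {raw!r}")
        table[parts[0]] = parts[1]
    return table


_OPT = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S*)")


def parse_master_cf(text):
    """Parse master.cf into {(name, type): Service}; continuation lines start with whitespace."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                      # "-o" continuation of previous service
            if current is None:
                raise ValueError(f"continuation line before any service: {raw!r}")
            current.options.update(_OPT.findall(raw))
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = Service(fields[0], fields[1], fields[7])
        current.options.update(_OPT.findall(" ".join(fields[8:])))
        services[(current.name, current.type)] = current
    return services


def check_transports(table, services, global_cert=""):
    """Return {transport: status} for every transport the table can select.

    global_cert is the main.cf smtp_tls_cert_file value (empty = no client cert).
    """
    status = {}
    for value in table.values():
        transport = value.split(":", 1)[0]        # drop an optional :nexthop
        if not transport or transport in status:  # empty transport = default transport
            continue
        svc = services.get((transport, "unix"))
        if svc is None:
            status[transport] = "missing-service"
        elif svc.command not in ("smtp", "lmtp"):
            status[transport] = "not-a-delivery-agent"
        elif "smtp_tls_cert_file" not in svc.options:
            status[transport] = "default-cert" if global_cert else "no-cert"
        elif "smtp_tls_key_file" not in svc.options:
            status[transport] = "ok-key-in-cert-pem"   # key must be inside the cert PEM
        else:
            status[transport] = "ok"
    return status


if __name__ == "__main__":
    svcs = parse_master_cf(MASTER_CF)
    for label, text in (("sender_transport", SENDER_TRANSPORT), ("transport_maps", TRANSPORT_MAPS)):
        for transport, result in check_transports(parse_table(text), svcs).items():
            print(f"{label}: {transport:20s} {result}")
```

On a real system, feed it the output of `postconf -M` for the master.cf side and `postconf -h smtp_tls_cert_file` as `global_cert`; a "default-cert" result is the case to look for, since that sender's mail will be presented with the wrong certificate without any error in the logs.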
Re: TLS client certs question
Thanks Viktor, that's good to know. Where can I find this walkthrough?

Chris

On Aug 7, 2021, at 17:25, Viktor Dukhovni wrote:
>On Sat, Aug 07, 2021 at 11:10:39AM +0100, Chris Bamford wrote:
>
>> I would like to know how Postfix handles client certificates for delivery
>> i.e. when it makes a remote connection to deliver email.
>>
>> Is it possible to control the certificate that is used per domain?
>
>Wietse posted a detailed walk through for per *sender* domain client
>certs. The short answer is that:
>
>* Client certificates are per-transport. Multiple TLS client certs
>  require multiple smtp/unix transports.
>
>* You can choose the transport by destination domain, and/or partition
>  the choice of default transport by sender domain.
>
>-- 
>Viktor.
TLS client certs question
Hello,

I would like to know how Postfix handles client certificates for delivery i.e. when it makes a remote connection to deliver email.

Is it possible to control the certificate that is used per domain?

Thanks,

- Chris