Re: TLS client certs question
Wietse Venema:
> Chris Bamford:
> > Thanks guys. I'd like to know about both sender and recipient domain.
>
> You want the Postfix SMTP client to use a customer-specific client
> certificate when it delivers email:
>
> - FROM that customer domain (i.e. customer domain = sender domain)
>
> - TO that customer domain (i.e. the customer domain = recipient domain).
>
> The difference matters.

For posterity, I am referring to the envelope sender (the MAIL FROM email
address in SMTP) versus the envelope recipient (the RCPT TO email address
in SMTP).

	Wietse
Re: TLS client certs question
Chris Bamford:
> Thanks guys. I'd like to know about both sender and recipient domain.

You want the Postfix SMTP client to use a customer-specific client
certificate when it delivers email:

- FROM that customer domain (i.e. customer domain = sender domain)

- TO that customer domain (i.e. the customer domain = recipient domain).

The difference matters.

	Wietse
Re: TLS client certs question
> On 9 Aug 2021, at 11:42 am, Chris Bamford wrote:
>
> Thanks guys. I'd like to know about both sender and recipient domain.

Are you asking a question??? That's much too short to mean anything to
anyone but you...

-- 
	Viktor.
Re: TLS client certs question
Thanks guys. I'd like to know about both sender and recipient domain.

Chris

On Aug 8, 2021, 18:30, at 18:30, Wietse Venema wrote:
>Viktor Dukhovni:
>> On Sun, Aug 08, 2021 at 10:50:48AM -0400, Wietse Venema wrote:
>>
>> > I suppose that each client certificate will be valid only with a
>> > specific host, so you would have to update the sender_transport
>> > table to return a transport:nexthop result.
>>
>> FWIW, the OP's question was:
>
>    I would like to know how Postfix handles client certificates
>    for delivery i.e. when it makes a remote connection to deliver
>    email.
>
>>    Is it possible to control the certificate that is used per domain?
>>
>> If per-domain means per destination nexthop regardless of sender, the
>> configuration would be simpler. Assuming just a small number of client
>> certs, just configure a separate transport for each client cert, and use
>> transport_maps to map the domain in question to that transport.
>
>The question as posed previously in off-list email:
>
>    Is it possible to control the certificate that is used per email
>    / per customer?
>
>So we know that "customer" means "domain", and "certificate" means
>"client certificate". We don't know if "domain" is sender or recipient.
>
>	Wietse
Re: TLS client certs question
Viktor Dukhovni:
> On Sun, Aug 08, 2021 at 10:50:48AM -0400, Wietse Venema wrote:
>
> > I suppose that each client certificate will be valid only with a
> > specific host, so you would have to update the sender_transport
> > table to return a transport:nexthop result.
>
> FWIW, the OP's question was:

    I would like to know how Postfix handles client certificates
    for delivery i.e. when it makes a remote connection to deliver
    email.

>    Is it possible to control the certificate that is used per domain?
>
> If per-domain means per destination nexthop regardless of sender, the
> configuration would be simpler. Assuming just a small number of client
> certs, just configure a separate transport for each client cert, and use
> transport_maps to map the domain in question to that transport.

The question as posed previously in off-list email:

    Is it possible to control the certificate that is used per email
    / per customer?

So we know that "customer" means "domain", and "certificate" means
"client certificate". We don't know if "domain" is sender or recipient.

	Wietse
Re: TLS client certs question
On Sun, Aug 08, 2021 at 10:50:48AM -0400, Wietse Venema wrote:

> I suppose that each client certificate will be valid only with a
> specific host, so you would have to update the sender_transport
> table to return a transport:nexthop result.

FWIW, the OP's question was:

    Is it possible to control the certificate that is used per domain?

If per-domain means per destination nexthop regardless of sender, the
configuration would be simpler. Assuming just a small number of client
certs, just configure a separate transport for each client cert, and use
transport_maps to map the domain in question to that transport.

-- 
	Viktor.
Re: TLS client certs question
Wietse Venema:
> Chris Bamford:
> > Hello,
> >
> > I would like to know how Postfix handles client certificates for delivery
> > i.e. when it makes a remote connection to deliver email.
> >
> > Is it possible to control the certificate that is used per domain?
>
> The client certificate is a Postfix SMTP client setting; the
> certificate will be used for all email deliveries by that Postfix
> SMTP client.
>
> The following example uses one Postfix SMTP client per sender domain,
> each Postfix SMTP client having its own client certificate:
>
> /etc/postfix/main.cf:
>     sender_dependent_default_transport_maps =
>         hash:/etc/postfix/sender_transport
>         # In case you need a cert for all other deliveries.
>         # static:/etc/postfix/default-cert/pem
>
> /etc/postfix/sender_transport:
>     # Searched by sender email address and @domain.
>     @example.com    smtp-example-com
>     @example.org    smtp-example-org
>     ...
>
> /etc/postfix/master.cf:
>     smtp-example-com .. .. .. .. .. .. .. smtp
>         -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
>     smtp-example-org .. .. .. .. .. .. .. smtp
>         -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
>     ...
>
> To make this more scalable, the Postfix SMTP client would need the
> opposite of tls_server_sni_maps, to dynamically choose the client
> certificate based on the sender info.

I suppose that each client certificate will be valid only with a
specific host, so you would have to update the sender_transport
table to return a transport:nexthop result.

/etc/postfix/main.cf:
    sender_dependent_default_transport_maps =
        hash:/etc/postfix/sender_transport
        # In case you need a cert for all other deliveries.
        # static:/etc/postfix/default-cert/pem

/etc/postfix/sender_transport:
    # Searched by sender email address and @domain.
    # Returns transport:nexthop.
    @example.com    smtp-example-com:relayhost-for-example.com
    @example.org    smtp-example-org:relayhost-for-example.org
    ...

/etc/postfix/master.cf:
    smtp-example-com .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
    smtp-example-org .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
    ...

>	Wietse
Re: TLS client certs question
Thanks Wietse, I missed this the first time; this must be the walkthrough
that Viktor mentioned. Very useful, I will take a closer look on Monday.

Best,

Chris

On Aug 7, 2021, 15:19, at 15:19, Wietse Venema wrote:
>Chris Bamford:
>> Hello,
>>
>> I would like to know how Postfix handles client certificates for delivery
>> i.e. when it makes a remote connection to deliver email.
>>
>> Is it possible to control the certificate that is used per domain?
>
>The client certificate is a Postfix SMTP client setting; the
>certificate will be used for all email deliveries by that Postfix
>SMTP client.
>
>The following example uses one Postfix SMTP client per sender domain,
>each Postfix SMTP client having its own client certificate:
>
>/etc/postfix/main.cf:
>    sender_dependent_default_transport_maps =
>        hash:/etc/postfix/sender_transport
>        # In case you need a cert for all other deliveries.
>        # static:/etc/postfix/default-cert/pem
>
>/etc/postfix/sender_transport:
>    # Searched by sender email address and @domain.
>    @example.com    smtp-example-com
>    @example.org    smtp-example-org
>    ...
>
>/etc/postfix/master.cf:
>    smtp-example-com .. .. .. .. .. .. .. smtp
>        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
>    smtp-example-org .. .. .. .. .. .. .. smtp
>        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
>    ...
>
>To make this more scalable, the Postfix SMTP client would need the
>opposite of tls_server_sni_maps, to dynamically choose the client
>certificate based on the sender info.
>
>	Wietse
Re: TLS client certs question
Thanks Viktor,

That's good to know. Where can I find this walkthrough?

Chris

On Aug 7, 2021, 17:25, at 17:25, Viktor Dukhovni wrote:
>On Sat, Aug 07, 2021 at 11:10:39AM +0100, Chris Bamford wrote:
>
>> I would like to know how Postfix handles client certificates for delivery
>> i.e. when it makes a remote connection to deliver email.
>>
>> Is it possible to control the certificate that is used per domain?
>
>Wietse posted a detailed walkthrough for per *sender* domain client
>certs. The short answer is that:
>
>* Client certificates are per-transport. Multiple TLS client certs
>  require multiple smtp/unix transports.
>
>* You can choose the transport by destination domain, and/or partition
>  the choice of default transport by sender domain.
>
>-- 
>	Viktor.
Re: TLS client certs question
On Sat, Aug 07, 2021 at 11:10:39AM +0100, Chris Bamford wrote:

> I would like to know how Postfix handles client certificates for delivery
> i.e. when it makes a remote connection to deliver email.
>
> Is it possible to control the certificate that is used per domain?

Wietse posted a detailed walkthrough for per *sender* domain client
certs. The short answer is that:

* Client certificates are per-transport. Multiple TLS client certs
  require multiple smtp/unix transports.

* You can choose the transport by destination domain, and/or partition
  the choice of default transport by sender domain.

-- 
	Viktor.
Re: TLS client certs question
Chris Bamford:
> Hello,
>
> I would like to know how Postfix handles client certificates for delivery
> i.e. when it makes a remote connection to deliver email.
>
> Is it possible to control the certificate that is used per domain?

The client certificate is a Postfix SMTP client setting; the
certificate will be used for all email deliveries by that Postfix
SMTP client.

The following example uses one Postfix SMTP client per sender domain,
each Postfix SMTP client having its own client certificate:

/etc/postfix/main.cf:
    sender_dependent_default_transport_maps =
        hash:/etc/postfix/sender_transport
        # In case you need a cert for all other deliveries.
        # static:/etc/postfix/default-cert/pem

/etc/postfix/sender_transport:
    # Searched by sender email address and @domain.
    @example.com    smtp-example-com
    @example.org    smtp-example-org
    ...

/etc/postfix/master.cf:
    smtp-example-com .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
    smtp-example-org .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
    ...

To make this more scalable, the Postfix SMTP client would need the
opposite of tls_server_sni_maps, to dynamically choose the client
certificate based on the sender info.

	Wietse
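As an added example (not part of the thread and not Postfix code), a small Python consistency check for the configuration Wietse lays out above and refines earlier in the thread with transport:nexthop results: it parses the sender_transport table and master.cf and reports every sender whose transport has no smtp_tls_cert_file override, since mail for that sender would silently go out with the global client certificate instead of the customer's. The sample files are constructed; the master.cf field layout follows the real format, the service and cert names are the walkthrough's, and smtp-example-org is deliberately left without an override so the audit has something to find.

```python
import re

# Constructed sample modelled on the walkthrough; smtp-example-org deliberately lacks a cert override.
SENDER_TRANSPORT = """\
# Searched by sender email address and @domain. Returns transport[:nexthop].
@example.com    smtp-example-com:relayhost-for-example.com
@example.org    smtp-example-org
"""
MASTER_CF = """\
smtp      unix  -       -       n       -       -       smtp
smtp-example-com unix - - n - - smtp
  -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
smtp-example-org unix - - n - - smtp
"""

def parse_sender_transport(text):
    """Map each lookup key to (transport, nexthop or None), skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            transport, _, nexthop = value.partition(":")  # nexthop may itself contain ':'
            table[key] = (transport, nexthop or None)
    return table

def parse_master_cf(text):
    """Map each unix-type service that runs the smtp client to its -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace():  # indented continuation line: "-o parameter=value"
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
        elif line.strip() and not line.startswith("#"):
            fields = line.split()  # name type private unpriv chroot wakeup maxproc command
            current = fields[0] if len(fields) >= 8 and fields[1] == "unix" and fields[-1] == "smtp" else None
            if current is not None:
                services[current] = {}
    return services

def audit(sender_transport_text, master_cf_text):
    """List senders whose transport would silently fall back to the global client cert."""
    problems, services = [], parse_master_cf(master_cf_text)
    for key, (transport, _) in parse_sender_transport(sender_transport_text).items():
        if transport not in services:
            problems.append(f"{key}: transport {transport} is not defined in master.cf")
        elif "smtp_tls_cert_file" not in services[transport]:
            problems.append(f"{key}: {transport} has no smtp_tls_cert_file override")
    return problems
```

Run it against the real files by reading /etc/postfix/sender_transport and /etc/postfix/master.cf into the two arguments; an empty result means every sender-specific transport pins its own certificate.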
TLS client certs question
Hello,

I would like to know how Postfix handles client certificates for delivery
i.e. when it makes a remote connection to deliver email.

Is it possible to control the certificate that is used per domain?

Thanks,

- Chris