Re: Relay based on either auth or cert?

2021-05-12 Thread Edgar Pettijohn
On May 11, 2021 8:35 PM, Sean Kamath wrote:

I was pondering a message Gille Chehade commented on (https://narkive.com/2puCGKoq.4) a very long time ago.

He said:

> The cert verification happens at the transport level, not the SMTP level
> and an invalid certificate will cause TLS to abort and close connection.
> 
> You can use this for example to have your local CA issue certificates to
> a set of internal machines and have the mail gateway accept relaying for
> these machines without authentication.
> 
> You can also use this to ensure that users have a two-factor auth, their
> credentials no longer are enough to relay, they would also have to use a
> valid certificate issued by your CA. if their credentials are stolen, it
> will not allow people to use the server as a spamming center.
> 
> Or you could decide to authenticate users using certificates and not the
> traditional user/password mechanism. A client will then have to show you
> a valid certificate otherwise connection will drop at TLS negotiation.

What I’m wondering is if there is a way to do both on the submission port (one of two factors, either being sufficient for relaying).

In other words, accept mail on the submission port from either an authenticated user using a password, or verify they are using a certificate. I don’t want to require users using a password to use a cert, and I don’t want users using a cert be required to authenticate with a password. Is this possible?

Sean

You may be able to coax `auth-optional' to do what you want.

Edgar

Re: Relay based on either auth or cert?

2021-05-12 Thread Edgar Pettijohn
On May 11, 2021 8:35 PM, Sean Kamath wrote:

I was pondering a message Gille Chehade commented on (https://narkive.com/2puCGKoq.4) a very long time ago.

He said:

> The cert verification happens at the transport level, not the SMTP level
> and an invalid certificate will cause TLS to abort and close connection.
> 
> You can use this for example to have your local CA issue certificates to
> a set of internal machines and have the mail gateway accept relaying for
> these machines without authentication.
> 
> You can also use this to ensure that users have a two-factor auth, their
> credentials no longer are enough to relay, they would also have to use a
> valid certificate issued by your CA. if their credentials are stolen, it
> will not allow people to use the server as a spamming center.
> 
> Or you could decide to authenticate users using certificates and not the
> traditional user/password mechanism. A client will then have to show you
> a valid certificate otherwise connection will drop at TLS negotiation.

What I’m wondering is if there is a way to do both on the submission port (one of two factors, either being sufficient for relaying).

In other words, accept mail on the submission port from either an authenticated user using a password, or verify they are using a certificate. I don’t want to require users using a password to use a cert, and I don’t want users using a cert be required to authenticate with a password. Is this possible?

Sean

You could have separate listen directives on separate ports. Of course the users would have to set up their clients correctly.

Edgar
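The two-listener layout Edgar suggests here, with the mandatory `auth` variant of the option mentioned in his first reply on the password port, as an added smtpd.conf sketch that is not from this thread or from the OpenSMTPD project. Host names, ports, file paths, the `creds` table, the `internal` CA name and the tags are assumptions; check keyword placement against the smtpd.conf(5) of the installed OpenSMTPD version.

```conf
# Added example (not from the thread): two submission listeners so that a
# password OR a CA-issued client certificate is sufficient to relay, without
# requiring both. All names, ports and paths below are assumed.

pki mail.example.org cert "/etc/ssl/mail.example.org.crt"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"

# CA that issues client certificates to the hosts allowed to relay without a
# password. Anyone holding a certificate from this CA can relay on port 465,
# so issuance by this CA must be as tightly controlled as the password table.
ca internal cert "/etc/ssl/internal-ca.crt"

table creds file:/etc/mail/creds

# Port 587: password factor. tls-require forces STARTTLS before AUTH and
# "auth <creds>" makes authentication mandatory on this listener.
listen on egress port 587 tls-require pki mail.example.org auth <creds> tag PWAUTH

# Port 465: certificate factor. "tls-require verify" drops the session at the
# TLS handshake unless the client presents a certificate chaining to the
# "internal" CA, so an unauthenticated client never reaches SMTP here.
listen on egress port 465 smtps pki mail.example.org ca internal tls-require verify tag CERTAUTH

action "relay" relay

# Password listener: relay only for sessions that actually authenticated.
match tag PWAUTH auth from any for any action "relay"

# Certificate listener: the TLS layer already enforced a valid client cert,
# so every session that reaches this rule may relay.
match tag CERTAUTH from any for any action "relay"

# Anything else on either listener is refused. Note the trade-off versus the
# quoted two-factor setup: a stolen password still suffices on port 587.
match tag PWAUTH from any for any reject
match tag CERTAUTH from any for any reject
```

Clients must be pointed at the port matching the credential they hold, which is the client-setup burden Edgar mentions.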

Relay based on either auth or cert?

2021-05-11 Thread Sean Kamath
I was pondering a message Gille Chehade commented on 
(https://narkive.com/2puCGKoq.4) a very long time ago.

He said:
> The cert verification happens at the transport level, not the SMTP level
> and an invalid certificate will cause TLS to abort and close connection.
> 
> You can use this for example to have your local CA issue certificates to
> a set of internal machines and have the mail gateway accept relaying for
> these machines without authentication.
> 
> You can also use this to ensure that users have a two-factor auth, their
> credentials no longer are enough to relay, they would also have to use a
> valid certificate issued by your CA. if their credentials are stolen, it
> will not allow people to use the server as a spamming center.
> 
> Or you could decide to authenticate users using certificates and not the
> traditional user/password mechanism. A client will then have to show you
> a valid certificate otherwise connection will drop at TLS negotiation.

What I’m wondering is if there is a way to do both on the submission port (one 
of two factors, either being sufficient for relaying).

In other words, accept mail on the submission port from either an authenticated 
user using a password, or verify they are using a certificate.  I don’t want to 
require users using a password to use a cert, and I don’t want users using a 
cert be required to authenticate with a password.  Is this possible?

Sean