Re: allow mutual authentication with ssl certificate
> Create the .db file with postmap.
> postmap hash:relay_clientcerts

Thanks for the hint! I did it and it almost worked. Almost, because the SMTP server asked me for a certificate, but I can still send messages with my MUA with no certificate (or with a non-registered certificate). Which option should I change? I thought it was relay_clientcerts; I tried smtpd_client_restrictions too (I don't want to remove the option permit_sasl_authentication, I just add check_ccert_access hash:/etc/postfix/relay_clientcerts).

Thanks.
Re: allow mutual authentication with ssl certificate
On 8/23/2011 6:42 AM, Alano Conraz wrote:
>> Create the .db file with postmap.
>> postmap hash:relay_clientcerts
>
> Thanks for the hint! I did it and it almost worked. Almost, because the SMTP server asked me for a certificate, but I can still send messages with my MUA with no certificate (or with a non-registered certificate). Which option should I change? I thought it was relay_clientcerts; I tried smtpd_client_restrictions too (I don't want to remove the option permit_sasl_authentication, I just add check_ccert_access hash:/etc/postfix/relay_clientcerts).
>
> Thanks.

List the authorized certificate fingerprints in relay_clientcerts, and everywhere you have permit_mynetworks ADD permit_tls_clientcerts.

If that's not working as expected, you'll need to show your config and what is happening. Please see http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
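Noel's advice is about where the certificate check sits in the restriction list. As an added illustration (not code from the thread or from Postfix), the toy Python model below evaluates a Postfix-style restriction list with first-match semantics, reusing the fingerprint and hostname from the thread as constructed sample data; it shows why a SASL-authenticated MUA is still permitted with no certificate when permit_sasl_authenticated is consulted before permit_tls_clientcerts, and how a list without that entry behaves.

```python
# Added example, not code from the thread or from Postfix: a toy model of how an
# smtpd_*_restrictions list is evaluated. As in Postfix, the first restriction
# that yields PERMIT or REJECT decides; a restriction that does not match is
# skipped ("DUNNO") and evaluation continues. The map and clients are sample data.

RELAY_CLIENTCERTS = {  # what `postmap hash:relay_clientcerts` would index
    "00:8B:02:30:9D:18:F4:81:5D:2F:48:E4:5B:17:82:A7": "client_1.my.domain",
}


def normalize_fp(fp):
    """Colon-separated hex as in relay_clientcerts; this model compares upper-case."""
    return fp.strip().upper() if fp else None


def evaluate(restrictions, client):
    """Return (decision, deciding_restriction) for one client dict."""
    fp = normalize_fp(client.get("ccert_fingerprint"))
    for r in restrictions:
        if r == "permit_mynetworks" and client.get("in_mynetworks"):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and client.get("sasl_username"):
            return "PERMIT", r
        if r == "permit_tls_clientcerts" and fp in RELAY_CLIENTCERTS:
            return "PERMIT", r
        if r == "reject":
            return "REJECT", r
    return "DUNNO", None  # no decision: Postfix's default at end of list is permit


# Order as described in the thread: SASL is consulted before the certificate check,
# so a SASL login with no certificate at all is permitted before the cert is looked at.
SASL_FIRST = ["permit_mynetworks", "permit_sasl_authenticated",
              "permit_tls_clientcerts", "reject"]
# Without permit_sasl_authenticated, only listed certificates (or mynetworks) pass.
CERT_ONLY = ["permit_mynetworks", "permit_tls_clientcerts", "reject"]

# Constructed clients: the same SASL user with no cert, the listed cert, an unlisted cert.
MUA_NO_CERT = {"sasl_username": "alano", "in_mynetworks": False}
MUA_LISTED_CERT = dict(MUA_NO_CERT,
                       ccert_fingerprint="00:8b:02:30:9d:18:f4:81:5d:2f:48:e4:5b:17:82:a7")
MUA_UNLISTED_CERT = dict(MUA_NO_CERT, ccert_fingerprint=":".join(["AA"] * 16))

if __name__ == "__main__":
    for name, client in [("no cert", MUA_NO_CERT), ("listed cert", MUA_LISTED_CERT),
                         ("unlisted cert", MUA_UNLISTED_CERT)]:
        print(f"{name:14} sasl-first={evaluate(SASL_FIRST, client)}  "
              f"cert-only={evaluate(CERT_ONLY, client)}")
```

The model only covers the four restrictions the thread mentions; real Postfix lists have many more and the real lookup goes through the postmap-built hash table.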
allow mutual authentication with ssl certificate
Hi,

I have a running mail server with Postfix, which implements TLS support and SASL for authentication. I'm looking for how to authenticate an SMTP client with his own certificate (e.g. I would like to create a self-signed certificate for my Thunderbird agent and rely on this certificate to authenticate myself to my SMTP). Furthermore, I would like to add this security measure to the one I already have on my server, i.e. with login/password.

What I did till now is:
- adding to the main.conf:
  smtpd_tls_ask_ccert=yes
  smtpd_use_tls=yes
  relay_clientcerts=hash:/etc/postfix/relay_clientcerts
  and I add permit_tls_client_cert to the smtpd_recipient_restriction.
- creating a file /etc/postfix/relay_clientcerts.db (if I do not put the extension .db at the end I get in my log "/etc/postfix/relay_clientcerts.db: no such file or directory"...) which contains the MD5 hash and a domain name (e.g. 00:8B:02:30:9D:18:F4:81:5D:2F:48:E4:5B:17:82:A7 client_1.my.domain).

I got in the log: /etc/postfix/relay_clientcerts.db: Inappropriate file type or format.

I don't know why, maybe you have a clue for me?

Thanks a lot.
Re: allow mutual authentication with ssl certificate
On 8/22/2011 10:12 AM, Alano Conraz wrote:
> Hi,
>
> I have a running mail server with Postfix, which implements TLS support and SASL for authentication. I'm looking for how to authenticate an SMTP client with his own certificate (e.g. I would like to create a self-signed certificate for my Thunderbird agent and rely on this certificate to authenticate myself to my SMTP). Furthermore, I would like to add this security measure to the one I already have on my server, i.e. with login/password.
>
> What I did till now is:
> - adding to the main.conf:
>   smtpd_tls_ask_ccert=yes
>   smtpd_use_tls=yes
>   relay_clientcerts=hash:/etc/postfix/relay_clientcerts
>   and I add permit_tls_client_cert to the smtpd_recipient_restriction.
> - creating a file /etc/postfix/relay_clientcerts.db (if I do not put the extension .db at the end I get in my log "/etc/postfix/relay_clientcerts.db: no such file or directory"...) which contains the MD5 hash and a domain name (e.g. 00:8B:02:30:9D:18:F4:81:5D:2F:48:E4:5B:17:82:A7 client_1.my.domain).
>
> I got in the log: /etc/postfix/relay_clientcerts.db: Inappropriate file type or format.
>
> I don't know why, maybe you have a clue for me?
>
> Thanks a lot.

Create the .db file with postmap.
postmap hash:relay_clientcerts
See 'man postmap' for details.

On a side note, very few desktop mail clients support TLS certificate authentication. Make sure Thunderbird supports this feature before you spend too much time on it. TLS certificate authentication is mostly used for MTA-to-MTA auth.

-- Noel Jones
Re: allow mutual authentication with ssl certificate
On 08/22/2011 05:31 PM, Noel Jones wrote:
> [snip]
> On a side note, very few desktop mail clients support TLS certificate authentication. Make sure Thunderbird supports this feature before you spend too much time on it. TLS certificate authentication is mostly used for MTA-to-MTA auth.

I used client certificate authentication with self-signed certificates with Thunderbird 3, Postfix and Dovecot that come with CentOS 5. Worked fine.

Regards,
Patrick
Re: allow mutual authentication with ssl certificate
On 8/22/2011 2:12 PM, Patrick Lists wrote:
> On 08/22/2011 05:31 PM, Noel Jones wrote:
>> [snip]
>> On a side note, very few desktop mail clients support TLS certificate authentication. Make sure Thunderbird supports this feature before you spend too much time on it. TLS certificate authentication is mostly used for MTA-to-MTA auth.
>
> I used client certificate authentication with self-signed certificates with Thunderbird 3, Postfix and Dovecot that come with CentOS 5. Worked fine.
>
> Regards,
> Patrick

Thanks for the confirmation.

-- Noel Jones