On Sat, Sep 04, 2004, Mary Gardiner wrote:
> # Two additional options have been added for relay control to the UCE rules:
> # permit_tls_clientcerts (a)
[snip]
> # postfix will relay if
> # (a) a valid (it passed the verification) client certificate is presented
> # and its fingerprint is listed in the list of client certs
> # (relay_clientcerts),
Excellent, this *does* work without needing SASL. The mistake I had made
was stuffing up the storing of my client's fingerprint on the
server side: I stored the wrong fingerprint.
For people who are interested:
server settings in main.cf:
relay_clientcerts = hash:/etc/postfix/relay_certs
# comments in main.cf must be whole lines (a '#' inside a value is taken
# literally) and continuation lines must start with whitespace
smtpd_recipient_restrictions =
    # permit_tls_clientcerts is the key bit that tells it to relay
    # for clients with matching fingerprints
    permit_tls_clientcerts,
    # more restrictions here including the important:
    check_relay_domains
    # check_relay_domains: no open relay
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_key_file = /etc/postfix/tls/key.pem
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtp_tls_key_file = /etc/postfix/tls/key.pem
smtp_tls_cert_file = /etc/postfix/tls/cert.pem
smtp_tls_CAfile = /etc/postfix/tls/cacert.pem
/etc/postfix/relay_certs looks like this and is hashed by postmap:
95:F1:DB:33:C4:90:75:D4:AE:67:30:BC:88:51:54:52 client.example.com
[where 95:etc etc is the fingerprint of the client's SSL key]
client settings:
relayhost = example.com:587
smtp_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_key_file = /etc/postfix/tls/key.pem
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtp_tls_key_file = /etc/postfix/tls/key.pem
smtp_tls_cert_file = /etc/postfix/tls/cert.pem
smtp_tls_CAfile = /etc/postfix/tls/cacert.pem
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
/etc/postfix/tls_per_site looks like this and is hashed by postmap:
example.com MUST
All keys are signed by the Certificate Authority whose key is
/etc/postfix/tls/cacert.pem (the same certificate on both client and
server) -- I followed directions at
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html
to be my own CA.
-Mary
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html