2009/8/21 Florin Andrei <flo...@andrei.myip.org>:
> I'm setting up SASL with TLS for remote clients. As an additional security
> measure, I would like the server to ask the email clients to present their
> client certificates. According to the docs, this is accomplished with:
>
> smtpd_tls_ask_ccert = yes

If you intend to extract "security" from this, I imagine you'd want to enforce the use of client certs, otherwise anyone can simply choose not to. This will depend on the rest of your config, which isn't shown (postconf -n). Of course, you couldn't enforce this except on a non-public-facing system, or on the submission port (587).

> Also, after enabling this option, I connected to Postfix with a TLS-enabled
> email client with all the certificates installed. I saw this line in the
> logs:
>
> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
> unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection from
> unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA
> (128/128 bits)
>
> Why does it say "Anonymous TLS connection"?

I don't know much about client TLS with Postfix, but I imagine there's any number of reasons the client negotiated an anonymous TLS connection. Perhaps it quietly doesn't like the server's self-signed cert, perhaps there's a cipher negotiation mismatch, perhaps the client doesn't bother supplying its own cert (assuming it has one).

> I thought the anonymous ciphers
> are disabled when client certs are used.

What makes you say that? ask_ccert should do exactly that, but nothing more. I believe this behaviour would be governed by:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers
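The reply above makes two separate points: asking for a client cert is not the same as requiring one, and enforcement is only practical on the submission port. The fragment below is an added configuration example written for this thread; it is not the original poster's config nor anything from the Postfix project. Every file path in it (/etc/postfix/server.crt, server.key, clientca.pem) is an assumed placeholder. It leaves port 25 in opportunistic mode and puts the enforcement on the submission service via -o overrides in master.cf, where smtpd_tls_req_ccert only takes effect because the security level is "encrypt" (in "may" mode Postfix ignores it). One thing worth knowing when reading the log line quoted above: in smtpd's log wording, "Anonymous TLS connection" means no client certificate was received at all, "Untrusted" means one was received but did not verify against smtpd_tls_CAfile, and "Trusted" means it verified; the word does not refer to anonymous (aNULL) cipher suites, which are controlled separately by the cipher settings shown here.

```ini
# ---- main.cf (applies to every smtpd, including port 25) ----
# Opportunistic TLS on the public port: ask for a client cert, but do not
# refuse clients that have none. Paths below are assumed placeholders.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
# CA that issued the client certificates; needed for "Trusted" verdicts.
smtpd_tls_CAfile = /etc/postfix/clientca.pem
smtpd_tls_ask_ccert = yes
# Level 1 logs the Anonymous/Untrusted/Trusted summary line per connection.
smtpd_tls_loglevel = 1

# ---- master.cf (submission service only, port 587) ----
# Mandatory TLS plus a required, verified client cert. smtpd_tls_req_ccert
# is honoured only with security_level=encrypt, so both are set together.
# Mandatory-mode cipher settings exclude the aNULL (anonymous) suites.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_exclude_ciphers=aNULL
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After reloading, verify the effective values with `postconf -n` (main.cf) and `postconf -M submission` (master.cf overrides), then reconnect on 587 with the client cert installed and confirm the log line now reads "Trusted TLS connection established"; a client without a cert, or with one not signed by the CA in smtpd_tls_CAfile, should be refused at the TLS handshake rather than reaching SASL.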