On Fri, Jan 30, 2015 at 05:27:59AM +0000, srach wrote:

> >> "1. Know for sure that the relay mail comes from the #1 server." An added
> >> header can be made fake so I look for a better way that is not possible to
> >> fake.
>
> > Restrict access to the non-default port via TLS client certs or SASL.

And I often find it easier to configure client certs, no SASL or
PAM configuration nightmares. :-)


> With the SASL opportunity is it still true that Postfix with the Dovecot SASL 
> where I am building Postfix with
> 
> -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE="dovecot"
> 
> is not possible to use as SASL client but only Cyrus?

Indeed Dovecot only provides the (complex) server-side of SASL.
The client side still requires Cyrus SASL support, so you can build
with both.

> With the TLS client cert opportunity for authenticating my Postfix relay as 
> client to the other mail server that is receiving the relay mail I have some 
> small confusion.

        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_ask_ccert=yes
        # If all clients need a cert on this port
        # -o smtpd_tls_req_ccert=yes

on port 587 or whatever you choose for the relay-to-relay service
port.

> When I make the self-signed client certificate for my Postfix relay instance 
> I have read that I must give it the email address of the 'login user' exactly 
> so it can be a match?

Nothing of the sort.  Postfix access control between the relays
will be by "fingerprint".  Just set:

    # Default, backwards-compatible, md5 "looks bad" in audits:
    # SHA-1 still has plenty of 2nd-preimage resistance:
    #
    smtpd_tls_fingerprint_digest = sha1

> I do not know which user I must give? Because there 
> will be mail for many different users that will be relayed?

I'd have said something about that if it were relevant.

-- 
        Viktor.
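The fingerprint-based relay-to-relay setup discussed above, worked through end to end as an added example; this script is not from the thread or from the Postfix project. It mints a self-signed client certificate whose subject carries no e-mail address at all, derives the SHA-1 fingerprint the way Postfix does (SHA-1 over the DER-encoded certificate, so subject fields play no part in the match), and renders the receiving side's master.cf service, the access map line, and the sending side's main.cf fragment. The hostnames relay1.example.net and mx.example.net, the map path /etc/postfix/relay_ccerts, and the choice of port 587 are assumptions for illustration; it needs openssl and sha1sum installed.

```shell
#!/bin/sh
# Added example, not code from the thread: self-signed client cert for the
# sending relay, Postfix-style SHA-1 fingerprint, and the config fragments
# that tie the two relays together. Hostnames, map path and port are assumed.
set -eu

# Mint a self-signed client certificate. The subject is arbitrary: Postfix
# matches the peer by certificate fingerprint, not by CN or e-mail address.
make_client_cert() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$cn" \
        -keyout "$dir/relay-key.pem" -out "$dir/relay-cert.pem" >/dev/null 2>&1
    echo "$dir/relay-cert.pem"
}

# Fingerprint as openssl prints it: colon-separated upper-case hex, the form
# the Postfix TLS_README uses for check_ccert_access lookup keys.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'
}

# Independent recomputation: SHA-1 over the DER encoding, normalised to the same
# colon-separated upper-case form. Confirms what the "fingerprint" actually is.
der_sha1_fingerprint() {
    openssl x509 -in "$1" -outform DER | sha1sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# One access-map line per authorised client certificate (receiving relay).
render_access_entry() {
    printf '%s OK\n' "$1"
}

# master.cf service on the receiving relay: TLS mandatory, client cert
# required, relaying allowed only for fingerprints listed in the access map.
render_master_cf() {
    cat <<'EOF'
587      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_fingerprint_digest=sha1
  -o smtpd_client_restrictions=check_ccert_access,hash:/etc/postfix/relay_ccerts,reject
  -o smtpd_relay_restrictions=check_ccert_access,hash:/etc/postfix/relay_ccerts,reject
EOF
}

# main.cf fragment on the sending relay: present the client cert to the
# relayhost and insist on TLS for that hop.
render_client_main_cf() {
    cat <<EOF
relayhost = [mx.example.net]:587
smtp_tls_security_level = encrypt
smtp_tls_cert_file = $1
smtp_tls_key_file = $2
EOF
}

# Demonstration run on a freshly minted certificate.
WORK=$(mktemp -d)
CERT=$(make_client_cert "$WORK" relay1.example.net)
FP=$(cert_fingerprint "$CERT")
echo "# /etc/postfix/relay_ccerts (then: postmap /etc/postfix/relay_ccerts)"
render_access_entry "$FP"
echo "# master.cf on mx.example.net"
render_master_cf
echo "# main.cf on relay1.example.net"
render_client_main_cf "$CERT" "$WORK/relay-key.pem"
```

Because `smtpd_tls_req_ccert=yes` fails the handshake for any client that cannot present a certificate, keep this service on a port that ordinary MUAs and other MTAs do not use. On the sending side, a global `smtp_tls_security_level = encrypt` is fine when everything goes via `relayhost`; a relay that also delivers directly to the Internet should instead set the level per destination with `smtp_tls_policy_maps`, since most Internet MX hosts cannot be forced to TLS.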
