On Fri, 2015-01-30 at 05:35 +0000, Viktor Dukhovni wrote:
> On Fri, Jan 30, 2015 at 05:27:59AM +0000, srach wrote:
> 
> > >> "1. Know for sure that the relay mail comes from the #1 server." An added
> > >> header can be made fake so I look for a better way that is not possible to
> > >> fake.
> > > 
> > > Restrict access to the non-default port via TLS client certs or SASL.
> 
> And I often find it easier to configure client certs, no SASL or
> PAM configuration nightmares. :-)
> 
> > With the SASL opportunity is it still true that Postfix with the Dovecot SASL
> > where I am building Postfix with
> > 
> > -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE="dovecot"
> > 
> > is not possible to use as SASL client but only Cyrus?
> 
> Indeed Dovecot only provides the (complex) server-side of SASL.
> The client side still requires Cyrus SASL support, so you can build
> with both.
> 
> > With the TLS client cert opportunity for authenticating my Postfix relay as
> > client to the other mail server that is receiving the relay mail I have some
> > small confusion.
> 
> -o smtpd_tls_security_level=encrypt
> -o smtpd_tls_ask_ccert=yes
> # If all clients need a cert on this port
> # -o smtpd_tls_req_ccert=yes
> 
> on port 587 or whatever you choose for the relay-to-relay service
> port.
> 
> > When I make the self-signed client certificate for my Postfix relay instance
> > I have read that I must give it the email address of the 'login user' exactly
> > so it can be a match?
> 
> Nothing of the sort. Postfix access control between the relays
> will be by "fingerprint". Just set:
> 
> # Default, backwards-compatible, md5 "looks bad" in audits:
> # SHA-1 still has plenty of 2nd-preimage resistance:
> #
> smtpd_tls_fingerprint_digest = sha1
> 
> > I do not know which user I must give?? Because there
> > will be mail for many different users that will be relayed?
> 
> I'd have said something about that if it were relevant.
> 
Here is a quick write-up with recipient relay addresses using an SMTP transport with an MD5 hash, somewhat like above. You could do it with relay domains also I suppose and with most transports I would imagine. It is a very dirty method if MTA TLS CERT verification is your single point of security however.

http://myspew.com/projects/postfix-tls-fingerprints-for-mta-to-mta-identification

Andy
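As an added example (not code from the thread, from Andy's write-up, or from Postfix itself), the "fingerprint" Viktor refers to is a digest over the DER encoding of the client certificate, rendered as uppercase hex pairs joined by colons, which is what goes on the left-hand side of a check_ccert_access table. The script below computes it for the digest chosen by smtpd_tls_fingerprint_digest; the PEM blob is a constructed placeholder rather than a real certificate, and the function names are my own.

```python
"""Compute a Postfix client-certificate fingerprint for check_ccert_access.

Postfix and `openssl x509 -noout -fingerprint -<digest>` both hash the
DER-encoded certificate and print the result as AA:BB:CC:... . The digest
must match smtpd_tls_fingerprint_digest on the receiving relay (md5 was the
default at the time of the thread; the reply above recommends sha1).
"""
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for DER; NOT a real X.509 cert.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM certificate block and base64-decode it to DER."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def postfix_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Fingerprint in Postfix/OpenSSL notation, e.g. 'AB:CD:...'."""
    if digest not in hashlib.algorithms_available:
        raise ValueError(f"unsupported digest: {digest}")
    raw = hashlib.new(digest, pem_to_der(pem)).digest()
    return ":".join(f"{b:02X}" for b in raw)


def ccert_access_entry(pem: str, digest: str = "sha1", action: str = "OK") -> str:
    """One line for the check_ccert_access table used on the relay port."""
    return f"{postfix_fingerprint(pem, digest)} {action}"


if __name__ == "__main__":
    print(ccert_access_entry(SAMPLE_PEM))
```

Postmap the resulting table and reference it from smtpd_client_restrictions on the relay-to-relay port; the line must be regenerated whenever the client certificate is reissued, since the fingerprint covers the whole certificate.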