Hello all

Thanks for the multiple pieces of advice.

30. Jan 2015 13:46 by a...@extracted.org:


> On Fri, 2015-01-30 at 05:35 +0000, Viktor Dukhovni wrote:
>
>> And I often find it easier to configure client certs, no SASL or
>> PAM configuration nightmares. :-)
>>

I have made the easy decision for the TLS method, agreeing that it is
simpler.  SASL, especially the Cyrus method, is full of confusion for me!

With the TLS method I made the self-signed CA and client certificates.  I 
installed the client certificate on the #1 server and the CA certificate on 
the #2 server.

I have the SHA1 fingerprint calculations for both of the certificates:

    srach_CA.crt
        SHA1 Fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11

    srachsvr_client.crt
        SHA1 Fingerprint=22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22

On the #1 server in main.cf I set

relay_transport = relay2:[11.22.33.44]:9443
smtp_tls_policy_maps = /etc/postfix-out/tls_policy

/etc/postfix-out/tls_policy:

[11.22.33.44]:9443 fingerprint match=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11

So if this is right, it will make sure that the relay server will only relay to 
the #2 server if the #2 server gives this fingerprint in the TLS handshake 
reply.

But at the document

http://www.postfix.org/TLS_README.html

I think the tls_policy is for "destinations", so only for the sending side.

I also want the #2 server to only ACCEPT the relay mail from the #1 server if 
the #1 server gives the fingerprint 
22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22.

So is this not the tls_policy file on the #2 server?  Where is the configuration 
to be set for the #2 server so that it only accepts relay mail from the #1 server 
if the fingerprint matches?
> Here is a quick write up with recipient relay addresses using a SMTP
> transport with an MD5 hash, somewhat like above.  You could do it with
> relay domains also I suppose and with most transports I would imagine..
> It is a very dirty method if MTA TLS CERT verification is your single
> point of security however.
> http://myspew.com/projects/postfix-tls-fingerprints-for-mta-to-mta-identification
>

Why is this a "very dirty" method?  I think it is a strong method, maybe the 
best, no?

*S*
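The receiving-side configuration the post asks about, as an added example that is not part of the thread and not Postfix's own code. On the server that accepts the relay, Postfix asks for a client certificate with `smtpd_tls_ask_ccert = yes`, looks its fingerprint up in the `relay_clientcerts` table, and `permit_tls_clientcerts` in `smtpd_relay_restrictions` lets a listed client relay; the digest named in `smtpd_tls_fingerprint_digest` (and `smtp_tls_fingerprint_digest` on the sending side) must be the one the fingerprints were computed with, since Postfix releases before 3.6 default to md5, not sha1 or sha256. The script below builds both sides with throwaway self-signed certificates in place of the poster's CA-issued ones. Assumed and not in the original post: the host names server1 (sender) and server2 (receiver), sha256 as the digest, and files written under a temporary directory rather than /etc/postfix*; the master.cf listener for port 9443 on server2 is not shown, both map files still have to be run through postmap, and `smtpd_relay_restrictions` needs Postfix 2.10 or later (older releases put the same list in `smtpd_recipient_restrictions`). The openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix itself.
# Assumptions (not in the original post): hosts server1 (#1, sender) and
# server2 (#2, receiver), server2 reachable at 11.22.33.44:9443 as in the
# post, throwaway self-signed certificates, and all files written under
# $WORKDIR instead of /etc/postfix*.  Requires the openssl CLI.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Fingerprint of a PEM certificate in the colon-separated hex form Postfix
# uses in tls_policy "match=" values and as relay_clientcerts keys.
# $1 = PEM file, $2 = digest name (sha1, sha256, ...)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^.*=//'
}

# Throwaway self-signed certificate for the demo only.  $1 = basename, $2 = CN
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Does a relay_clientcerts source file list this fingerprint as a key?
# Postfix looks the whole fingerprint string up as the table key, so the
# check compares the first field exactly rather than matching a substring.
# $1 = map source file, $2 = fingerprint
relay_map_permits() {
    awk -v fp="$2" '$1 == fp { found = 1 } END { exit !found }' "$1"
}

# Sending side (server #1): pin server #2's certificate by fingerprint.
# smtp_tls_fingerprint_digest must name the digest used for match=;
# before Postfix 3.6 the default is md5.  $1 = server2's PEM certificate
write_sender_side() {
    fp=$(cert_fingerprint "$1" sha256)
    printf '[11.22.33.44]:9443 fingerprint match=%s\n' "$fp" > "$WORKDIR/tls_policy"
    cat > "$WORKDIR/main.cf.server1" <<EOF
relay_transport = relay2:[11.22.33.44]:9443
smtp_tls_cert_file = $WORKDIR/server1_client.crt
smtp_tls_key_file = $WORKDIR/server1_client.key
smtp_tls_fingerprint_digest = sha256
smtp_tls_policy_maps = hash:$WORKDIR/tls_policy
EOF
}

# Receiving side (server #2): request a client certificate and relay only
# for the fingerprint listed in relay_clientcerts.  The CA is not needed
# for this check; the table is keyed on the fingerprint alone.
# $1 = server1's client PEM certificate
write_receiver_side() {
    fp=$(cert_fingerprint "$1" sha256)
    printf '%s server1\n' "$fp" > "$WORKDIR/relay_clientcerts"
    cat > "$WORKDIR/main.cf.server2" <<EOF
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = $WORKDIR/server2.crt
smtpd_tls_key_file = $WORKDIR/server2.key
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:$WORKDIR/relay_clientcerts
smtpd_relay_restrictions = permit_tls_clientcerts, reject_unauth_destination
EOF
}

# Build both sides: each server pins the other's certificate.
make_selfsigned server1_client server1
make_selfsigned server2 server2
write_sender_side "$WORKDIR/server2.crt"
write_receiver_side "$WORKDIR/server1_client.crt"
printf 'configuration written under %s (run postmap on the two map files)\n' "$WORKDIR"
```

A fingerprint pins exactly one certificate, so renewing or replacing either certificate means updating the matching map on the other host in lockstep; that operational coupling is the trade-off against CA-based verification, and it is worth checking with `posttls-finger` or a real delivery after every rotation.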