On Sat, Apr 04, 2015 at 07:40:33PM +0100, Nick Howitt wrote:

>    The client I am using is K-9 mail ...
> 
>    The line I am currently trying in master.cf is:
> 
>      submission inet n       -       n       -       -       smtpd
>        -o smtpd_sasl_auth_enable=yes
>        -o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,permit_tls_all_clientcerts,reject
>        -o smtpd_tls_ask_ccert=yes
>        -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject_unauth_destination,reject
>        -o smtpd_tls_CAfile=/etc/pki/CA/ca-cert.pem
>        -o smtp_tls_note_starttls_offer=yes
>        -o broken_sasl_auth_clients=yes

Yuck.  Instead set these in main.cf:

        main.cf:
            submission_recipient_restrictions =
                permit_tls_all_clientcerts,             # Just the certs signed by the CA here???
                reject_unauth_destination,              # Why this given the next line???
                reject
            submission_client_restrictions =
                permit_sasl_authenticated,              # SASL, but blocked in recipient restrictions???
                permit_tls_clientcerts,                 # Also the certs in the relay certs table, but too late???
                permit_tls_all_clientcerts,
                reject

and use variables in master.cf:

    submission inet n       -       n       -       -       smtpd
        -o smtpd_client_restrictions=$submission_client_restrictions
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions
        ...

But first you need to resolve a profound inconsistency between and
within these settings.  What exactly do you want to permit?  Any
certificate issued by the CAs in

    /etc/pki/CA/ca-cert.pem

or particular certificates in the relay certs table or both?

The restrictions are a mess, fix that first.

-- 
        Viktor.
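The inconsistency Viktor points at is easier to see by walking the quoted restriction lists the way smtpd evaluates them. The following is an added, simplified model (not Postfix code, and not part of the thread): each stage is scanned in order, the first restriction returning PERMIT or REJECT decides that stage, and a client gets through only if every stage permits. It ignores HELO/sender stages, smtpd_delay_reject and the relay_restrictions stage of newer releases.

```python
from dataclasses import dataclass

@dataclass
class Client:
    sasl_authenticated: bool = False
    cert_verified: bool = False         # cert chains to a CA in smtpd_tls_CAfile
    cert_in_relay_table: bool = False   # fingerprint listed in the relay certs table
    unauth_destination: bool = False    # recipient domain is not one we accept mail for

def evaluate(restriction, client):
    """Verdict of one restriction: 'PERMIT', 'REJECT' or 'DUNNO' (fall through)."""
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if client.sasl_authenticated else "DUNNO"
    if restriction == "permit_tls_all_clientcerts":
        return "PERMIT" if client.cert_verified else "DUNNO"
    if restriction == "permit_tls_clientcerts":
        return "PERMIT" if client.cert_in_relay_table else "DUNNO"
    if restriction == "reject_unauth_destination":
        return "REJECT" if client.unauth_destination else "DUNNO"
    if restriction == "reject":
        return "REJECT"
    raise ValueError(f"unmodelled restriction: {restriction}")

def stage_result(restrictions, client):
    """First PERMIT/REJECT wins; an exhausted list permits (Postfix's implicit default)."""
    for r in restrictions:
        verdict = evaluate(r, client)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"

def first_reject(stages, client):
    """(stage, restriction) that blocked the client, or None if every stage permits."""
    for name, restrictions in stages.items():
        for r in restrictions:
            verdict = evaluate(r, client)
            if verdict == "REJECT":
                return (name, r)
            if verdict == "PERMIT":
                break
    return None

def accepted(stages, client):
    return first_reject(stages, client) is None

# The restriction lists quoted from the original master.cf, as ordered stages.
QUOTED = {
    "client": ["permit_sasl_authenticated", "permit_tls_clientcerts",
               "permit_tls_all_clientcerts", "reject"],
    "recipient": ["permit_tls_all_clientcerts", "reject_unauth_destination", "reject"],
}
```

Running the model, a SASL-only client and a client whose certificate is only in the relay certs table both pass the client stage and are then refused by the final `reject` of the recipient stage, while `reject_unauth_destination` never changes an outcome because `reject` follows it unconditionally.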
