On 06/04/2015 03:54, Viktor Dukhovni wrote:
On Sat, Apr 04, 2015 at 07:40:33PM +0100, Nick Howitt wrote:

   The client I am using is K-9 mail ...

   The line I am currently trying in master.cf is:

     submission inet n       -       n       -       -       smtpd
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,permit_tls_all_clientcerts,reject
         -o smtpd_tls_ask_ccert=yes
         -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject_unauth_destination,reject
         -o smtpd_tls_CAfile=/etc/pki/CA/ca-cert.pem
         -o smtp_tls_note_starttls_offer=yes
         -o broken_sasl_auth_clients=yes

Yuck.  Instead set these in main.cf:

	main.cf:
	    submission_recipient_restrictions = 
		permit_tls_all_clientcerts,		# Just the certs signed by the CA here???
		reject_unauth_destination,		# Why this given the next line???
		reject
	    submission_client_restrictions =
		permit_sasl_authenticated,		# SASL, but blocked in recipient restrictions???
		permit_tls_clientcerts,			# Also the certs in the relay certs table, but too late???
		permit_tls_all_clientcerts,
		reject

and use variables in master.cf:

    submission inet n       -       n       -       -       smtpd
	-o smtpd_client_restrictions=$submission_client_restrictions
	-o smtpd_recipient_restrictions=$submission_recipient_restrictions
	...

But first you need to resolve a profound inconsistency between and
within these settings.  What exactly do you want to permit?  Any
certificate issued by the CAs in

    /etc/pki/CA/ca-cert.pem

or particular certificates in the relay certs table or both?

The restrictions are a mess, fix that first.

Thanks very much for this. I understand the restrictions are a mess because I'm afraid I struggle with some of the docs and I am hyper-scared of opening up the server too much. I was placing all restrictions in master.cf as I did not want to mess with the distro's setup in main.cf - largely because I am not clear in my mind about what I'm doing.

Also everything in master.cf has built up in an attempt to get things working. It started with basic user/pass authentication and went from there:
submission inet n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Initially I wanted to use the relay certs table only, but the docs seem to indicate it is only available for 2.9+ and I am stuck on 2.6.6. I was getting an error in the logs about permit_tls_clientcerts, so in some of my testing I was running without it and just trying to validate on the ca-cert. Are you able to confirm whether permit_tls_clientcerts works in 2.6.6?

I did not know about using variables in main.cf like submission_recipient_restrictions and submission_client_restrictions so I'll give them a whirl. I'd love some understanding of when to use client_restrictions and when to use recipient_restrictions - even just pointing me to a doc.

Ideally all I want is to allow specified relay client certificates, blocking everything else, but if that is not supported with my version of postfix, certificates issued by my self-signed CA will have to do.

FWIW, I think I get authentication in postfix with certificates issued by my CA, but K-9 mail always throws an error:
Apr  5 16:28:02 server postfix/smtpd[8819]: connect from motog.howitts.co.uk[172.17.2.113]
Apr  5 16:28:02 server postfix/smtpd[8819]: setting up TLS connection from motog.howitts.co.uk[172.17.2.113]
Apr  5 16:28:02 server postfix/smtpd[8819]: motog.howitts.co.uk[172.17.2.113]: Trusted: subject_CN=ourfamily, issuer=ca.server.howitts.lan, fingerprint=13:45:A2:B4:94:B0:18:4A:E3:46:C0:29:29:BE:1E:27
Apr  5 16:28:02 server postfix/smtpd[8819]: Trusted TLS connection established from motog.howitts.co.uk[172.17.2.113]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Regards,

Nick
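The inconsistency Viktor points at (a client permitted by smtpd_client_restrictions still has to pass smtpd_recipient_restrictions) can be made concrete by walking the two lists exactly as posted above. This is an added example, not Postfix code or anything from the thread: it is a simplified model in which each list is evaluated in order until a rule returns PERMIT or REJECT, permit_tls_clientcerts is modelled as "fingerprint listed in relay_clientcerts", permit_tls_all_clientcerts as "certificate verified against the CA file", and the client profiles are constructed inputs.

```python
# Simplified model of smtpd restriction evaluation (added example, not Postfix
# source): the client list is walked first, then the recipient list; a PERMIT
# in the client list does NOT skip the recipient list.
CLIENT_RESTRICTIONS = ["permit_sasl_authenticated", "permit_tls_clientcerts",
                       "permit_tls_all_clientcerts", "reject"]
RECIPIENT_RESTRICTIONS = ["permit_tls_all_clientcerts",
                          "reject_unauth_destination", "reject"]


def eval_rule(rule, c):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for one restriction (assumed semantics)."""
    if rule == "permit_sasl_authenticated":
        return "PERMIT" if c["sasl"] else "DUNNO"
    if rule == "permit_tls_clientcerts":        # fingerprint in relay_clientcerts
        return "PERMIT" if c["in_relay_table"] else "DUNNO"
    if rule == "permit_tls_all_clientcerts":    # any cert the CA file verifies
        return "PERMIT" if c["ca_verified"] else "DUNNO"
    if rule == "reject_unauth_destination":     # only local/relay domains pass
        return "DUNNO" if c["authorized_dest"] else "REJECT"
    if rule == "reject":
        return "REJECT"
    raise ValueError("unknown restriction: " + rule)


def eval_list(rules, c):
    """First non-DUNNO verdict wins; an exhausted list passes (DUNNO)."""
    for rule in rules:
        verdict = eval_rule(rule, c)
        if verdict != "DUNNO":
            return verdict, rule
    return "DUNNO", None


def decide(c, client_rules=CLIENT_RESTRICTIONS, rcpt_rules=RECIPIENT_RESTRICTIONS):
    """Return ('ACCEPT', None) or ('REJECT', '<list>:<rule that rejected>')."""
    for name, rules in (("client", client_rules), ("recipient", rcpt_rules)):
        verdict, rule = eval_list(rules, c)
        if verdict == "REJECT":
            return "REJECT", f"{name}:{rule}"
    return "ACCEPT", None


# Constructed client profiles (attributes only, not real sessions).
SASL_ONLY = dict(sasl=True, in_relay_table=False, ca_verified=False, authorized_dest=False)
CA_CERT = dict(sasl=False, in_relay_table=False, ca_verified=True, authorized_dest=False)
RELAY_ONLY = dict(sasl=False, in_relay_table=True, ca_verified=False, authorized_dest=False)
ANON_LOCAL = dict(sasl=False, in_relay_table=False, ca_verified=False, authorized_dest=True)

if __name__ == "__main__":
    for label, c in [("sasl only", SASL_ONLY), ("CA-signed cert", CA_CERT),
                     ("relay-table cert", RELAY_ONLY), ("anonymous, local rcpt", ANON_LOCAL)]:
        print(f"{label:22} -> {decide(c)}")
```

Run as-is, it shows that a SASL-only K-9 login and a relay-table-only certificate both clear the client list and are then rejected by the recipient list, and that reject_unauth_destination never matters because the unconditional reject behind it catches whatever it lets through.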
