On Tue, Jun 09, 2015 at 04:36:35PM -0700, PGNd wrote:

> I'm forwarding specific mail from a remote Postfix instance to a local one.
>
> I'm switching from SASL auth to high-encryption tls cert auth'd connection.
>
> It works to the extent that
>
> (1) connections without the TLS cert in place are rejected
> (2) a Trusted TLS connection is established at the server
> (3) mail's received

Sounds good so far.

> On receipt, log on local
>
> Jun 9 14:08:40 local010 postfix/relay-local/smtpd[14395]: Trusted TLS
> connection established from internal.remote016.DDDD.com[10.1.1.16]: TLSv1.2
> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The client certificate is issued by a CA trusted by the server.

> Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]:
> internal.local010.DDDD.com[10.128.1.10]:11587:
> subject_CN=relay-local.local010.DDDD.com, issuer_CN=DDDD.com_CA,
> fingerprint=AA:..., pkey_fingerprint=BB:...

This is not normally logged at TLS loglevel 1, and higher log levels are
not recommended for routine use.

> Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: Untrusted
> TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This means that the server's certificate is not issued by a CA trusted by
the client, and the security level is "may", "encrypt" or perhaps "dane"
(and the server has no DNSSEC signed TLSA records).

> Should that be "Untrusted TLS connection", or needs to be modified to be
> a "Trusted TLS connection"?

Your choice. At present the server is not authenticated.

> since there's no Trust until the server auths the connection that this is
> OK as is.

The fact that the server accepts the client identity in no way confirms
the server identity to the client.

> 11587 inet n - n - - smtpd

What about main.cf settings?

> -o alias_database=
> -o alias_maps=
> -o relayhost=
> -o relay_clientcerts=lmdb:/etc/postfix/relay_clientcerts
> -o relay_domains=
> -o relay_transport=relay:[127.0.0.1]:30011
> -o smtp_helo_name=relay-local.DDDD.com

These are not smtpd(8) parameters and can't be set via master.cf smtpd(8)
overrides.

> -o smtpd_enforce_tls=yes

This one is obsolete.

> Also the local's
>
> -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,reject_unauth_destination
>
> seems it could safely be
>
> -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
>
> Any reason not to?

Fine either way provided no clients need to be admitted based on IP
address alone.

-- 
Viktor.
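The central point of the reply above is that the two log lines record two different authentications: the smtpd(8) line on local010 says the server trusted the client's certificate, while the smtp(8) line on remote016 says the client did not trust the server's certificate. The following script is an added example, not code from the thread or from the Postfix project. It parses Postfix TLS log lines, works out which side authenticated whom, and flags outbound connections whose peer was never verified. The sample log lines are constructed from the shapes quoted in the thread (same placeholder hostnames and addresses); the "Verified" line is constructed to show what the client logs once it does trust and name-match the server certificate.

```python
"""Audit Postfix TLS log lines for unauthenticated peers (added example)."""
import re

# Postfix logs one of four trust levels per TLS session:
#   Anonymous  no peer certificate
#   Untrusted  certificate present but chain not validated
#   Trusted    chain validates to a trusted CA (name not matched)
#   Verified   chain validates and the name matched (client side only)
# smtpd(8), the server, logs "... established from <client>";
# smtp(8), the client, logs "... established to <server>".
_TLS_RE = re.compile(
    r"postfix/(?P<service>[\w-]+)/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+): (?P<proto>TLSv\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample lines; hostnames/IPs are the thread's own placeholders.
SAMPLE_LOG = [
    "Jun  9 14:08:40 local010 postfix/relay-local/smtpd[14395]: Trusted TLS connection "
    "established from internal.remote016.DDDD.com[10.1.1.16]: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun  9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: Untrusted TLS connection "
    "established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    # constructed: client side once the server certificate is trusted and name-matched
    "Jun  9 14:12:01 remote016 postfix/relay-remote/smtp[31290]: Verified TLS connection "
    "established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    # certificate detail line (only seen at higher TLS loglevels); not a session line
    "Jun  9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: "
    "internal.local010.DDDD.com[10.128.1.10]:11587: subject_CN=relay-local.local010.DDDD.com, "
    "issuer_CN=DDDD.com_CA, fingerprint=AA:..., pkey_fingerprint=BB:...",
]


def parse_tls_line(line):
    """Return a dict describing a TLS session line, or None for other lines."""
    m = _TLS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "from" lines come from smtpd (we are the server); "to" lines from smtp (client).
    rec["side"] = "server" if rec["direction"] == "from" else "client"
    if rec["side"] == "server":
        # smtpd has no expected name to match, so Trusted is as good as it gets.
        rec["peer_authenticated"] = rec["trust"] in ("Trusted", "Verified")
    else:
        # The client must also match the server name, which only Verified records.
        rec["peer_authenticated"] = rec["trust"] == "Verified"
    return rec


def audit(lines):
    """Flag outbound sessions whose server identity was not verified.

    A Trusted line on the server side says nothing about this; the server
    accepting the client certificate does not authenticate the server.
    """
    findings = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None or rec["side"] != "client":
            continue
        if not rec["peer_authenticated"]:
            findings.append(
                f"{rec['service']}: {rec['trust']} TLS to {rec['peer']}: "
                "server identity not verified by the client"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Running it over the sample prints one finding, for the Untrusted outbound session; the Trusted inbound line is not a finding, because server-side trust says nothing about the server's own identity. To turn the remote016 client line into a Verified one, the smtp(8) client needs a security level that verifies the server (smtp_tls_security_level = secure or verify) together with smtp_tls_CAfile or smtp_tls_CApath containing the CA that issued the server certificate, and a certificate name that matches what the client expects; those are the standard Postfix client-side parameters, not settings taken from the thread.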