On Tue, Aug 15, 2017 at 04:33:28PM +0200, Ralph Seichter wrote:

> > I want to: (1) use TLS for encrypted SMTP connections from
> > authorized relay clients, (2) use TLS client certs for the
> > authentication of the relay clients, and (3) avoid use of
> > SASL entirely.
> 
> In your master.cf, you can use something along these lines:
> 
> submission  inet  n  -  n  -  -  smtpd
>  -o relay_clientcerts=hash:${config_directory}/relay_clientcerts
>  -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,reject
>  (...add more settings according to your needs...)
> 
> This will enable client-certificate based authentication for port 587,
> with the file relay_clientcerts storing certificate fingerprint data.

Don't forget to add:

    # To use client certs, we need to ask for them.
    #
    # Use "req_ccert" instead, if, and only if, all the client certs
    # are required to be issued by a trusted CA
    #
    -o smtpd_tls_ask_ccert=yes
    #
    # Set an explicit digest algorithm to match the actual algorithm
    # used to create the lookup keys in the relay_clientcerts table,
    # the legacy default of md5 is not recommended.
    #
    -o smtpd_tls_fingerprint_digest=sha256

to the list of override options for the submission service.

-- 
        Viktor.
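
The computation behind Viktor's second override, as an added example that is not code from this thread or from Postfix itself: Postfix looks up the client certificate's fingerprint in relay_clientcerts using smtpd_tls_fingerprint_digest, so the keys in that table must have been produced with the same digest, in the colon-separated upper-case hex form that "openssl x509 -noout -fingerprint -sha256" prints. The script below reproduces that computation with the Python standard library only, builds a relay_clientcerts line, and shows that a table still keyed with the legacy md5 default silently fails to match once smtpd is set to sha256. The certificate bytes, the name host1.example and the permit_tls_clientcerts model function are constructed for illustration and are not a real certificate or Postfix's actual lookup code.

```python
"""
Added example (not from the postfix-users thread): building relay_clientcerts
lookup keys with the same digest that smtpd uses.

The overrides discussed in the thread, for reference:

    submission  inet  n  -  n  -  -  smtpd
     -o relay_clientcerts=hash:${config_directory}/relay_clientcerts
     -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,reject
     -o smtpd_tls_ask_ccert=yes
     -o smtpd_tls_fingerprint_digest=sha256

The "certificate" below is CONSTRUCTED placeholder data, not a real X.509
certificate: a fingerprint is just a digest over the DER bytes, so the
computation is identical for a real one.
"""
from __future__ import annotations

import base64
import hashlib
import re

# Constructed placeholder: PEM framing around arbitrary bytes standing in for
# a relay client's DER-encoded certificate. Not a real certificate.
CONSTRUCTED_CLIENT_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"placeholder DER for relay client 'host1.example'").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the CERTIFICATE markers and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Fingerprint in the form 'openssl x509 -fingerprint -<digest>' prints:
    upper-case hex bytes separated by colons, e.g. 'E3:B0:C4:...'."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def relay_clientcerts_line(der: bytes, comment: str, digest: str = "sha256") -> str:
    """One line of the relay_clientcerts source file: the key, whitespace, then
    free text. Only the key is used for the lookup; the text is for humans."""
    return f"{fingerprint(der, digest)} {comment}"


def load_table(text: str) -> set:
    """Collect the keys of a relay_clientcerts source file (what postmap indexes).
    Blank lines and '#' comments are skipped."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.add(line.split()[0])
    return keys


def permit_tls_clientcerts(der: bytes, table: set, smtpd_tls_fingerprint_digest: str) -> bool:
    """Simplified model (constructed, not Postfix code) of the restriction:
    the presented client cert's fingerprint, computed with
    smtpd_tls_fingerprint_digest, must be a key in relay_clientcerts."""
    return fingerprint(der, smtpd_tls_fingerprint_digest) in table


def demo() -> dict:
    """Compare a table keyed with sha256 against one left over from the md5 era
    when smtpd_tls_fingerprint_digest=sha256 is in effect."""
    der = pem_to_der(CONSTRUCTED_CLIENT_CERT_PEM)
    good_table = load_table(relay_clientcerts_line(der, "host1.example relay client", "sha256"))
    stale_table = load_table(relay_clientcerts_line(der, "host1.example relay client", "md5"))
    return {
        "sha256_key": fingerprint(der, "sha256"),
        "match_sha256_table": permit_tls_clientcerts(der, good_table, "sha256"),
        "match_md5_table": permit_tls_clientcerts(der, stale_table, "sha256"),
    }


if __name__ == "__main__":
    result = demo()
    print("relay_clientcerts key:", result["sha256_key"])
    print("sha256-keyed table matches:", result["match_sha256_table"])
    print("md5-keyed table matches with digest=sha256:", result["match_md5_table"])
```

Write the generated line into the relay_clientcerts source file and run "postmap hash:/etc/postfix/relay_clientcerts" to build the indexed table; whenever smtpd_tls_fingerprint_digest changes, every key in the file has to be regenerated with the new digest, since old keys will simply never match.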
