On Tue, Aug 15, 2017 at 04:33:28PM +0200, Ralph Seichter wrote:

> > I want to: (1) use TLS for encrypted SMTP connections from
> > authorized relay clients, (2) use TLS client certs for the
> > authentication of the relay clients, and (3) avoid use of
> > SASL entirely.
>
> In your master.cf, you can use something along these lines:
>
>   submission inet n       -       n       -       -       smtpd
>     -o relay_clientcerts=hash:${config_directory}/relay_clientcerts
>     -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,reject
>     (...add more settings according to your needs...)
>
> This will enable client-certificate based authentication for port 587,
> with the file relay_clientcerts storing certificate fingerprint data.
Don't forget to add:

    # To use client certs, we need to ask for them.
    #
    # Use "req_ccert" instead, if, and only if, all the client certs
    # are required to be issued by a trusted CA
    #
    -o smtpd_tls_ask_ccert=yes
    #
    # Set an explicit digest algorithm to match the actual algorithm
    # used to create the lookup keys in the relay_clientcerts table,
    # the legacy default of md5 is not recommended.
    #
    -o smtpd_tls_fingerprint_digest=sha256

to the list of override options for the submission service.

-- 
    Viktor.
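The digest-mismatch point above is easy to get wrong in practice, so here is an added worked example (not part of the thread, and not Postfix code) that builds a relay_clientcerts entry the way Postfix expects it and shows what happens when smtpd_tls_fingerprint_digest does not match the algorithm the table was built with. Postfix computes the fingerprint over the DER-encoded certificate and logs it as upper-case hex with colons between bytes; the example reproduces that format in Python. The PEM block is constructed for the demo: its body decodes to the bytes "abc" (a standard hash test vector) rather than a real X.509 structure, so the expected digests are known without running OpenSSL. The function names and the label "relay1.example" are the example's own.

```python
import base64
import hashlib
import re

# Constructed PEM "certificate" for this demo only: the base64 body decodes
# to b"abc", not to a real certificate, so the digests below are the
# well-known test vectors for sha256("abc") and md5("abc").
CLIENT_CERT_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to DER bytes."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, digest: str) -> str:
    """Postfix-style certificate fingerprint: digest of the DER bytes,
    upper-case hex, colon-separated (the form Postfix logs and looks up)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def relay_clientcerts_line(der: bytes, digest: str, label: str) -> str:
    """One line of the relay_clientcerts source file: <fingerprint> <label>.
    The right-hand side is free text (typically the client's name)."""
    return f"{fingerprint(der, digest)} {label}"


def parse_relay_clientcerts(text: str) -> dict:
    """Minimal reader for the relay_clientcerts source file (keys normalised
    to the upper-case form Postfix logs; blank lines and comments skipped)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table


def lookup(table: dict, der: bytes, server_digest: str):
    """Simulate permit_tls_clientcerts: the server fingerprints the presented
    cert with smtpd_tls_fingerprint_digest and looks that string up."""
    return table.get(fingerprint(der, server_digest))


def demo() -> dict:
    """Table built with sha256; server configured with sha256 vs. the legacy
    md5 default. Only the matching digest finds the entry."""
    der = pem_to_der(CLIENT_CERT_PEM)
    table = parse_relay_clientcerts(
        relay_clientcerts_line(der, "sha256", "relay1.example")
    )
    return {
        "sha256_match": lookup(table, der, "sha256"),   # 'relay1.example'
        "md5_mismatch": lookup(table, der, "md5"),      # None -> client rejected
    }


if __name__ == "__main__":
    print(demo())
```

For a real certificate, `openssl x509 -in client.pem -noout -fingerprint -sha256` prints the same colon-separated string after `SHA256 Fingerprint=`, which is what goes in the left-hand column of relay_clientcerts; after editing the file, rebuild the lookup table with `postmap` so the hash: map reflects the new keys.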