Hello List,

is there a clean way to optionally present a client certificate to a Postfix 
MX configured with 

smtpd_tls_received_header=yes
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath=/etc/ssl/certs

without breaking the use of TLS or even the mail delivery to MXes that are 
verifying presented client certificates against a local CA, and rejecting 
anything else.

I don't want to configure them all explicitly in /etc/postfix/transport.


My first idea was:
/etc/postfix/master.cf:
smtp_ccert      unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
        -o smtp_tls_cert_file=/etc/postfix/ssl/crt/server.crt
        -o smtp_tls_key_file=/etc/postfix/ssl/key/server.key

/etc/postfix/main.cf:
default_transport = smtp_ccert:
fallback_transport = smtp:

I worried a bit about penalty times in greylisting scenarios, since I expected 
this to retry too fast, and the greylisting daemon not to notice the difference 
between the attempts with and without greylisting.

But Postfix isn't even trying the fallback transport in this case. 
fallback_relay and smtp_fallback_relay show the same behavior (they aren't used).


The idea behind this is to have a fully verified transport trust chain within 
the header when all postfix servers on the transport do this.

Any ideas?

Kind regards
        Lars

-- 
Lars Kollstedt

Telefon: +49 6151 16-71027
E-Mail:  l...@man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Sitz der Gesellschaft: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Geschäftsführer: Andreas Ebert


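As an added example (not from the post above and not Postfix code), a small Python script that walks the Received: headers of a delivered message and reports, per hop, whether TLS was used and whether a client certificate was recorded as "verified OK" by a trusted issuer, which is the check the "fully verified transport trust chain within the header" goal amounts to. The sample headers are constructed and modelled on the smtpd_tls_received_header=yes format; the hostnames, addresses, queue ids and CA name are made up.

```python
import re

# Constructed sample Received: headers (newest first, as in a real message),
# modelled on what Postfix writes with smtpd_tls_received_header=yes.
# Hop 0: TLS plus a client cert verified by the internal CA.
# Hop 1: TLS, but the client presented no certificate.
# Hop 2: plaintext SMTP, no TLS information at all.
SAMPLE_HEADERS = [
    'from mx1.example.org (mx1.example.org [192.0.2.10])\n'
    '\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n'
    '\t(Client CN "mx1.example.org", Issuer "Example Internal CA" (verified OK))\n'
    '\tby mx2.example.org (Postfix) with ESMTPS id ABC123',
    'from relay.example.net (relay.example.net [198.51.100.7])\n'
    '\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n'
    '\t(Client did not present a certificate)\n'
    '\tby mx1.example.org (Postfix) with ESMTPS id DEF456',
    'from client.example.net (client.example.net [203.0.113.5])\n'
    '\tby relay.example.net (Postfix) with ESMTP id GHI789',
]

TLS_RE = re.compile(r'\(using (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)')
CCERT_RE = re.compile(
    r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" \((?P<status>[^)]*)\)\)')


def parse_hop(header):
    """Extract the transport-security facts recorded for one Received: hop."""
    hop = {'tls': None, 'cipher': None, 'client_cn': None,
           'issuer': None, 'ccert_verified': False}
    m = TLS_RE.search(header)
    if m:
        hop['tls'] = m.group('proto')
        hop['cipher'] = m.group('cipher')
    c = CCERT_RE.search(header)
    if c:
        hop['client_cn'] = c.group('cn')
        hop['issuer'] = c.group('issuer')
        # Postfix marks a cert that chained to smtpd_tls_CApath as "verified OK".
        hop['ccert_verified'] = c.group('status') == 'verified OK'
    return hop


def first_unverified_hop(headers, trusted_issuer):
    """Index of the first hop that lacks TLS or a client cert verified by
    trusted_issuer, or None if every hop in the chain is fully verified."""
    for i, hop in enumerate(parse_hop(h) for h in headers):
        if not (hop['tls'] and hop['ccert_verified']
                and hop['issuer'] == trusted_issuer):
            return i
    return None
```

A return value of None means every recorded hop was both encrypted and client-authenticated by the expected CA; any other value names the hop where the chain breaks.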