On Fri, Nov 22, 2019 at 12:11:21PM +0100, Lars Kollstedt wrote:

> Is there a clean way to optionally present a client certificate to a
> Postfix MX without breaking the use of TLS or even the mail delivery
> to MXes that are verifying presented client certificates against a
> local CA, and rejecting anything else.

Have you recently seen MX hosts that solicit client certs and then abort
the TLS handshake when these don't verify?  The Postfix documentation
speculatively warns against promiscuous use of client certs:

    http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

    Do not configure client certificates unless you must present client
    TLS certificates to one or more servers. Client certificates are not
    usually needed, and can cause problems in configurations that work
    well without them.

but the ecosystem may have improved since those words of caution were
written.

> I don't want to configure them all explicitly in /etc/postfix/transport.

You certainly can't blacklist all the bad sites, and so the right
answer is to whitelist only the sites to which you need to present
client certs.

> My first idea was:
> /etc/postfix/master.cf:
> smtp_ccert      unix  -       -       y       -       -       smtp
>         -o syslog_name=postfix/$service_name
>         -o smtp_tls_cert_file=/etc/postfix/ssl/crt/server.crt
>         -o smtp_tls_key_file=/etc/postfix/ssl/key/server.key
> 
> /etc/postfix/main.cf:
> default_transport = smtp_ccert:
> fallback_transport = smtp:

You have failed to read the documentation of "fallback_transport".

    http://www.postfix.org/postconf.5.html#fallback_transport

    Optional message delivery transport that the local(8) delivery agent
    should use for names that are not found in the aliases(5) or UNIX
    password database. 

It is NOT used on SMTP delivery (temporary) failure.

> But postfix isn't even trying with the fallback transport in this case. 

As expected.

> The idea behind this is to have a fully verified transport trust chain within 
> the header when all postfix servers on the transport do this.

There's no need to attempt to present your client certificate to random
strangers, even if they're bold enough to ask whether you're one of
their relations.

Postfix does not presently have support for a sort of inverse-SNI,
where a client certificate chain is selected via the tls policy table,
without a dedicated custom transport.  It is not clear this is needed.

-- 
    Viktor.

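Worked example of the whitelist approach described in the reply above (a dedicated transport in master.cf, selected per destination through transport_maps, with no default_transport override and no fallback_transport). This is an added example, not configuration from the original thread or from the Postfix project; "partner.example" is a placeholder partner domain, the certificate paths are the ones from the quoted master.cf snippet, and POSTFIX_DIR is an assumed knob that defaults to a scratch directory so the script can be dry-run without touching /etc/postfix.

```shell
#!/bin/sh
# Added example: route only whitelisted destinations through a client-cert
# smtp(8) transport. Set POSTFIX_DIR=/etc/postfix to write the real files;
# by default everything goes into a throwaway directory (assumption).
POSTFIX_DIR="${POSTFIX_DIR:-$(mktemp -d)}"

# Write the three fragments: master.cf transport, transport table, main.cf.
write_ccert_config() {
    dir="$1"
    mkdir -p "$dir"

    # master.cf: a dedicated smtp(8) client that presents the certificate.
    cat >>"$dir/master.cf" <<'EOF'
smtp_ccert unix  -       -       y       -       -       smtp
    -o syslog_name=postfix/$service_name
    -o smtp_tls_cert_file=/etc/postfix/ssl/crt/server.crt
    -o smtp_tls_key_file=/etc/postfix/ssl/key/server.key
EOF

    # transport: only the domains that require a client cert use smtp_ccert;
    # ".partner.example" covers subdomains (transport_maps is not in the
    # default parent_domain_matches_subdomains list). All other mail keeps
    # the default "smtp" transport, which presents no client certificate.
    cat >"$dir/transport" <<'EOF'
# domain                  transport:nexthop   (partner.example is a placeholder)
partner.example           smtp_ccert:
.partner.example          smtp_ccert:
EOF

    # main.cf: look up the whitelist. Deliberately NO default_transport and
    # NO fallback_transport (the latter is a local(8) setting, not a retry).
    cat >>"$dir/main.cf" <<'EOF'
transport_maps = hash:/etc/postfix/transport
EOF
}

# Sanity check: main.cf must not route all mail through smtp_ccert, and the
# transport table must actually contain at least one whitelisted domain.
# Returns 0 when the configuration is sane, 1 otherwise.
check_ccert_config() {
    dir="$1"
    if grep -Eq '^default_transport *= *smtp_ccert' "$dir/main.cf"; then
        echo "FAIL: default_transport sends all mail via smtp_ccert"
        return 1
    fi
    n=$(grep -Ec '^[^#[:space:]]+[[:space:]]+smtp_ccert:' "$dir/transport")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no whitelisted domains in $dir/transport"
        return 1
    fi
    echo "OK: $n destination(s) routed through smtp_ccert"
    return 0
}

write_ccert_config "$POSTFIX_DIR"
check_ccert_config "$POSTFIX_DIR"
# On the real host, afterwards:
#   postmap hash:/etc/postfix/transport && postfix reload
```

The transport table, not a transport-wide default, is what keeps the client certificate away from every MX that happens to ask for one; the check function only flags the "default_transport = smtp_ccert:" pattern from the quoted main.cf, it does not validate the files the way postfix(1) itself would.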