Re: submission by cert verification only

  • Dan Langille
    Oct 7, 2013
      On 2013-10-06 22:40, Noel Jones wrote:
      > On 10/6/2013 7:52 PM, Dan Langille wrote:
      >> I managed to get this running tonight and I'm looking for sanity
      >> checking, in case I'm completely missing something. Thanks.
      >>
      >> I wish to allow incoming mail from any client with a valid certificate.
      >> My master.cf is:
      >>
      >> 10.0.0.1:submission inet n - n - - smtpd
      >> -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
      >
      > You probably want to use "reject" rather than
      > "reject_unauth_destination" to prevent outsiders from sending local
      > mail via submission.
      >
      >> -o smtpd_tls_req_ccert=yes
      >> -o smtpd_tls_auth_only=no
      >> -o smtpd_tls_security_level=encrypt
      >> -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
      >> -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
      >> -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
      >> -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
      >
      > This is OK since it fulfills the intended function of preventing
      > unauthorized relaying, but for consistency and simplicity you might
      > want to change it to match your -o smtpd_recipient_restrictions.

      All done. Thank you.

      >> -o smtpd_tls_ask_ccert=yes
      >> -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      >> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      >> -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access
      >
      > Your sender_access file has no effect right now. To restrict
      > submission to a single sender domain, use something like:
      >
      > # main.cf
      > submission_sender_restrictions =
      >     check_sender_access hash:/usr/local/etc/postfix-config/sender_access
      >     reject
      >
      > # master.cf
      > 10.0.0.1:submission ...
      >   ...
      >   -o smtpd_sender_restrictions=$submission_sender_restrictions

      At first, I thought this would be a global setting affecting all services
      specified in master.cf. I don't want that.

      Then I realized submission_sender_restrictions is a macro, ready for
      inclusion elsewhere.

      > Also, remember that any other smtpd_*_restrictions settings you have
      > in main.cf will be inherited by your master.cf submission service.
      > Some people find it useful to explicitly set unused restrictions
      > empty to prevent surprises.
      > -o smtpd_client_restrictions=
      > -o smtpd_helo_restrictions=
      > -o smtpd_data_restrictions=

      Done.

      What I have now is:

      10.0.0.1:submission inet n - n - - smtpd
      -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
      -o smtpd_tls_req_ccert=yes
      -o smtpd_tls_auth_only=no
      -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
      -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
      -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
      -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
      -o smtpd_tls_ask_ccert=yes
      -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      -o smtpd_sender_restrictions=$submission_sender_restrictions
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_data_restrictions=


      Thank you Noel.

      >
      > -- Noel Jones
      >
      >> I have some DNS issues (some of these hosts are remote and do not have
      >> public DNS entries)
      >>
      >> # cat /usr/local/etc/postfix-config/sender_access
      >> cliff.example.org OK
      >>
      >> The fingerprint for each incoming client is listed here:
      >>
      >> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
      >> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
      >>
      >> I have this working. It seems to do what I want.
      >>
      >> For what it's worth: This is just for my use, no other users.
      >>


      --
      Dan Langille - http://langille.org/
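Editor's note on the relay_clientcerts map in the thread above. The map is keyed by the client certificate's fingerprint: a digest of the DER-encoded certificate, written as upper-case hex pairs joined by colons, the format printed by "openssl x509 -noout -fingerprint". The 16-byte fingerprint shown in the thread is an MD5 digest, the default value of smtpd_tls_fingerprint_digest in Postfix of that era (newer releases default to sha256). Whatever digest is chosen, the service and the map must agree: if the map holds MD5 keys and the service computes SHA-256, permit_tls_clientcerts simply does not match and evaluation falls through to the next restriction, which in the final configuration is "reject". Separately, the "-o smtp_tls_CAfile=..." line in that master.cf entry is inert: smtp_tls_CAfile is an smtp(8) client parameter, and smtpd(8) only consults smtpd_tls_CAfile. The Python below is an added example, not code from the thread or from Postfix. It builds fingerprints in the relay_clientcerts key format, reads the map source the way postmap(1) does, and models the permit_tls_clientcerts decision (certificate verified against smtpd_tls_CAfile AND fingerprint present in the map). Only the standard library is used; the certificate bytes are a constructed placeholder rather than a real X.509 certificate, and all function and constant names are this example's own.

```python
"""Fingerprint keys for a Postfix relay_clientcerts map.

Added example; not code from the mailing-list thread or from Postfix.
Standard library only.  The "certificate" bytes are a constructed
placeholder, not a real X.509 certificate.
"""
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Digest of the DER certificate, formatted as OpenSSL's
    `x509 -fingerprint` prints it and as Postfix expects the
    relay_clientcerts key: upper-case hex pairs joined by ':'.
    `digest` must match smtpd_tls_fingerprint_digest on the service."""
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{byte:02X}" for byte in raw)


def relay_clientcerts_line(pem: str, comment: str, digest: str = "sha256") -> str:
    """One line of the relay_clientcerts source file: key, then free text."""
    return f"{fingerprint(pem_to_der(pem), digest)} {comment}"


def parse_relay_clientcerts(text: str) -> dict:
    """Read the source file the way postmap(1) would: blank lines and
    '#' comments are ignored, the first field is the key, the rest the value."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table


def permit_tls_clientcerts(der: bytes, table: dict, digest: str = "sha256",
                           ca_verified: bool = True):
    """Model of the permit_tls_clientcerts decision.  `ca_verified` stands
    in for the chain check against smtpd_tls_CAfile, which smtpd does and
    this stdlib-only model does not.  The certificate must have verified
    AND its fingerprint must be a key in relay_clientcerts.  Returns the
    table value on a match, None otherwise (Postfix then falls through to
    the next restriction in the list)."""
    if not ca_verified:
        return None
    return table.get(fingerprint(der, digest))


# Constructed placeholder DER (not a real certificate), wrapped as PEM:
# base64 of the DER in 64-column lines between the usual markers.
PLACEHOLDER_DER = b"\x30\x82\x01\x04" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(PLACEHOLDER_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

# relay_clientcerts source text, as you would hand to postmap(1).
RELAY_CLIENTCERTS_SRC = (
    "# fingerprint (smtpd_tls_fingerprint_digest = sha256)   comment\n"
    + relay_clientcerts_line(SAMPLE_PEM, "cliff.example.org") + "\n")


if __name__ == "__main__":
    print(RELAY_CLIENTCERTS_SRC, end="")
    table = parse_relay_clientcerts(RELAY_CLIENTCERTS_SRC)
    print(permit_tls_clientcerts(PLACEHOLDER_DER, table))         # cliff.example.org
    print(permit_tls_clientcerts(PLACEHOLDER_DER, table, "md5"))  # None: digest mismatch
```

For a real deployment the source file is compiled with "postmap hash:/usr/local/etc/postfix-config/main/relay_clientcerts", the key for an actual client certificate comes from "openssl x509 -in client.pem -noout -fingerprint -sha256" (drop the "SHA256 Fingerprint=" prefix), and the submission service carries "-o smtpd_tls_fingerprint_digest=sha256" so the server computes the same digest the map was built with.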