Re: submission by cert verification only
Oct 7, 2013

On 2013-10-06 22:40, Noel Jones wrote:
> On 10/6/2013 7:52 PM, Dan Langille wrote:
>> I managed to get this running tonight and I'm looking for sanity
>> checking, in case I'm completely missing something. Thanks.
>> I wish to allow incoming mail from any client with a valid certificate.
>> My master.cf is:
>> 10.0.0.1:submission inet n - n - - smtpd
> You probably want to use "reject" rather than
> "reject_unauth_destination" to prevent outsiders from sending local
> mail via submission.
>>     -o smtpd_tls_req_ccert=yes
>>     -o smtpd_tls_auth_only=no
>>     -o smtpd_tls_security_level=encrypt
>>     -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
> This is OK since it fulfills the intended function of preventing
> unauthorized relaying, but for consistency and simplicity you might
> want to change it to match your -o smtpd_recipient_restrictions.

All done. Thank you.

>>     -o smtpd_tls_ask_ccert=yes
>>     -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>>     -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
> Your sender_access file has no effect right now. To restrict
> submission to a single sender domain, use something like:
> # main.cf
> submission_sender_restrictions =
>     check_sender_access hash:/usr/local/etc/postfix-config/sender_access
> # master.cf
> 10.0.0.1:submission ...
>     -o smtpd_sender_restrictions=$submission_sender_restrictions

At first, I thought this would be a global setting affecting all services
specified in master.cf. I don't want that.
Then I realized submission_sender_restrictions is a macro, ready for

> Also, remember that any other smtpd_*_restrictions settings you have
> in main.cf will be inherited by your master.cf submission service.
> Some people find it useful to explicitly set unused restrictions
> empty to prevent surprises.
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_data_restrictions=

Done.

What I have now is:

10.0.0.1:submission inet n - n - - smtpd

Thank you Noel.

> -- Noel Jones
>> I have some DNS issues (some of these hosts are remote and do not have
>> public DNS entries)
>> # cat /usr/local/etc/postfix-config/sender_access
>> cliff.example.org OK
>> The fingerprint for each incoming client is listed here:
>> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
>> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
>> I have this working. It seems to do what I want.
>> For what it's worth: This is just for my use, no other users.
Dan Langille - http://langille.org/
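An added illustration, not part of the thread above, of what the relay_clientcerts entry quoted by Dan actually is and how Postfix uses it. Postfix computes smtpd_tls_fingerprint_digest over the DER form of the client certificate and prints it as uppercase colon-separated hex; that string is the lookup key for permit_tls_clientcerts, which matches only when the certificate also verified against smtpd_tls_CAfile. The Python below is my own example code (not Dan's or Noel's, and not Postfix source): it reproduces the key derivation, parses a map file in the format shown on the page, and emulates "permit_tls_clientcerts, reject", including the failure mode where the map was built with one digest and smtpd_tls_fingerprint_digest now names another. The PEM body and the map contents are constructed for the example: the "certificate" is just the base64 of the bytes abc, so its md5 and sha256 are the standard test vectors, and the map key is md5("abc").

```python
# Added example (not from the thread): how Postfix derives the relay_clientcerts
# lookup key, and what "permit_tls_clientcerts, reject" decides with it.
import base64
import hashlib
import re

# Constructed sample: the base64 body encodes the bytes b"abc", not a real X.509
# certificate. Any DER blob works for the digest; md5/sha256 of "abc" are well known.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed relay_clientcerts source file in the format used on the page:
# "<fingerprint> <anything>", one entry per line. The key below is md5("abc").
RELAY_CLIENTCERTS = """# relay_clientcerts: clients allowed to relay via submission
90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72 cliff.example.org
"""


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body; the result is the DER
    encoding that Postfix (and `openssl x509 -fingerprint`) digests."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def postfix_fingerprint(pem, digest="md5"):
    """Fingerprint in the form Postfix logs and expects as a relay_clientcerts key:
    smtpd_tls_fingerprint_digest over the DER cert, as uppercase colon-separated hex."""
    hexdigest = hashlib.new(digest, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_relay_clientcerts(text):
    """Parse a relay_clientcerts source file: blank lines and # comments are
    skipped, the first field is the key, the rest is the (informational) value."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table


def relay_decision(table, pem, ca_verified, digest="md5"):
    """Emulate 'permit_tls_clientcerts, reject': permit_tls_clientcerts matches only
    when the client cert verified against smtpd_tls_CAfile AND its fingerprint is a
    key in relay_clientcerts; anything else falls through to the final 'reject'."""
    if not ca_verified:
        return "reject"
    if postfix_fingerprint(pem, digest) in table:
        return "permit"
    return "reject"


def digest_of_key(key):
    """Infer which smtpd_tls_fingerprint_digest produced a map key from its length
    (16 bytes -> md5, 20 -> sha1, 32 -> sha256); None if it is not a fingerprint."""
    return {16: "md5", 20: "sha1", 32: "sha256"}.get(len(key.split(":")))


if __name__ == "__main__":
    table = parse_relay_clientcerts(RELAY_CLIENTCERTS)
    print(postfix_fingerprint(SAMPLE_PEM))                          # md5 key as Postfix prints it
    print(relay_decision(table, SAMPLE_PEM, ca_verified=True))      # permit
    print(relay_decision(table, SAMPLE_PEM, ca_verified=False))     # reject: no trusted cert
    # Misconfiguration: the map holds md5 keys but smtpd_tls_fingerprint_digest=sha256,
    # so a listed client is silently rejected by the trailing "reject".
    print(relay_decision(table, SAMPLE_PEM, ca_verified=True, digest="sha256"))  # reject
```

For a real certificate the key comes from `openssl x509 -in client.pem -noout -fingerprint -md5` (drop the `MD5 Fingerprint=` prefix), the file is compiled with `postmap`, and `smtpd_tls_fingerprint_digest` must stay on the algorithm the keys were generated with; the 16-byte key in the thread is an MD5 fingerprint, the Postfix default at the time. One caveat the thread leaves implicit: with smtpd_tls_CAfile pointing at a public CA bundle, smtpd_tls_req_ccert=yes lets any client holding a certificate from any of those CAs into the TLS session, so the fingerprint list behind permit_tls_clientcerts, not CA verification, is what actually limits who may relay.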