I'm setting up SASL with TLS for remote clients. As an additional
security measure, I would like the server to ask the email clients to
present their client certificates. According to the docs, this is
accomplished with:
smtpd_tls_ask_ccert = yes
But there are some ominous warnings about broken MTAs which may have
problems when delivering to Postfix if this option is used. If I
understand correctly, the broken delivery should only occur when those
MTAs attempt to do TLS to Postfix. So, this should not be a problem for
all the regular, unencrypted email I receive normally, is that right?
Also, after enabling this option, I connected to Postfix with a
TLS-enabled email client with all the certificates installed. I saw this
line in the logs:
Aug 20 22:49:01 server postfix/smtpd[7724]: connect from unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection from unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA (128/128 bits)
Why does it say "Anonymous TLS connection"? I thought the anonymous
ciphers are disabled when client certs are used.
All the crypto stuff (CA, server cert, client cert) is ok, I tested it
already with the email client and Dovecot (secure IMAP).
--
Florin Andrei
http://florin.myip.org/
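Added example (not part of the post above, and not Postfix's own code): the leading word of Postfix's "TLS connection established" log line is the peer-certificate status (Anonymous when the client sent no certificate, Untrusted or Trusted when it did), independent of the cipher suite negotiated. This parser pulls that status out of smtpd log lines and lists the TLS sessions in which no client certificate was presented, which is what an operator running smtpd_tls_ask_ccert = yes would want to watch. The "Trusted" line, the host name laptop.example.net and its address are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Postfix smtpd summary line. The leading word is the peer-certificate status
# (Anonymous / Untrusted / Trusted / Verified), not a statement about the cipher.
TLS_LINE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)

@dataclass
class TlsSession:
    pid: int
    status: str     # Anonymous, Untrusted, Trusted or Verified
    host: str
    ip: str
    proto: str
    cipher: str
    bits: int

def parse_tls_line(line: str) -> Optional[TlsSession]:
    """Return a TlsSession for a 'TLS connection established' line, else None."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    return TlsSession(int(m["pid"]), m["status"], m["host"], m["ip"],
                      m["proto"], m["cipher"], int(m["bits"]))

def sessions_without_client_cert(lines: List[str]) -> List[TlsSession]:
    """TLS sessions in which the client presented no certificate at all.
    With smtpd_tls_ask_ccert = yes these are the clients that ignored the request."""
    parsed = (parse_tls_line(line) for line in lines)
    return [s for s in parsed if s is not None and s.status == "Anonymous"]

# Constructed sample: two lines from the post (rejoined) plus one invented
# session from a client that did present a certificate signed by a trusted CA.
SAMPLE_LOG = [
    "Aug 20 22:49:01 server postfix/smtpd[7724]: connect from unknown[XXX.YYY.ZZZ.KKK]",
    "Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established "
    "from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Aug 20 22:51:10 server postfix/smtpd[7731]: Trusted TLS connection established "
    "from laptop.example.net[192.0.2.25]: TLSv1 with cipher AES256-SHA (256/256 bits)",
]

if __name__ == "__main__":
    for s in sessions_without_client_cert(SAMPLE_LOG):
        print(f"no client cert: pid={s.pid} {s.host}[{s.ip}] {s.proto} {s.cipher}")
```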