Hi folks,

I would like to set up TLS on our mail server the following way:
  • connections to port 25 may use TLS. If TLS is used, our server should verify the client certificate using the CAs found in OpenSSL's ca-bundle.crt
  • connections to port 587 are required to use TLS. Our server should verify the client certificate using the CAs of our own private key infrastructure. These CAs are bundled in a file named ca-cnrs-bundle.crt
I thought the following configuration in master.cf should have achieved this in Postfix 2.5.6:

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-bundle.crt
  -o smtpd_tls_security_level=may
  -o smtpd_tls_ask_ccert=yes

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject


Unfortunately, it doesn't work. With this configuration, either kind of certificate (those issued by our PKI and those which have a root certificate in ca-bundle.crt) is considered trusted on port 25 *and* on port 587. It seems to me that the CAs from ca-bundle.crt and the CAs from ca-cnrs-bundle.crt have been merged together.

What am I doing wrong? Is there a way to configure our Postfix server to distinguish certificates issued by our PKI from other certificates?

Thanks a lot for your help.

Roland.
-- 
Roland Dirlewanger
CNRS - Delegation Aquitaine-Limousin
Esplanade des Arts et Metiers - BP 105
33402 TALENCE CEDEX
tel: 05 57 35 58 52, fax: 05 57 35 58 01
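
[Added example, not part of the original post.] One way to see which trust anchors each smtpd service actually loaded, without guessing from the verification outcome: when smtpd_tls_ask_ccert is on, the server's TLS certificate request carries the subject names of the CAs it will accept, and openssl s_client prints them under "Acceptable client certificate CA names". Probing port 25 and port 587 separately and comparing the two lists shows directly whether the submission service is advertising only the ca-cnrs-bundle.crt CAs or the union of both files. The script below is not from Postfix or from the poster; it assumes openssl(1) is installed, and the CA names, hostnames and s_client transcript used for the self-check are constructed, hypothetical values.

```shell
#!/bin/sh
# Added example (not from the original post): list the CA names a Postfix
# smtpd service advertises when it asks for a client certificate.
# Assumes openssl(1) is installed; host and port come from the caller.

# Print only the DN lines of the "Acceptable client certificate CA names"
# block from openssl s_client output read on stdin. Prints nothing when the
# server sent no CA names (s_client then says "No client certificate CA names sent").
advertised_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { inblock = 1; next }
        /^No client certificate CA names sent/    { exit }
        inblock && (/^---/ || /^Client Certificate Types/ || /^Requested Signature Algorithms/) { inblock = 0 }
        inblock { print }
    '
}

# Count the DN lines produced by advertised_ca_names (always prints a number).
count_ca_names() {
    advertised_ca_names | awk 'END { print NR + 0 }'
}

# Open an SMTP connection to host:port, upgrade with STARTTLS, send QUIT once
# the handshake is done, and report the advertised CA names. Run it once for
# port 25 and once for port 587 and compare the two lists.
probe_port() {
    host=$1
    port=$2
    printf 'QUIT\r\n' \
        | openssl s_client -starttls smtp -connect "$host:$port" 2>/dev/null \
        | advertised_ca_names
}

# Constructed sample of an s_client transcript (hypothetical CA names) so the
# parser can be exercised without a live mail server.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 C = FR, O = CNRS, CN = Example Private Root CA
verify return:1
---
Certificate chain
 0 s:C = FR, O = CNRS, CN = smtp.example.org
   i:C = FR, O = CNRS, CN = Example Private Root CA
---
Acceptable client certificate CA names
C = FR, O = CNRS, CN = Example Private Root CA
C = FR, O = CNRS, CN = Example Private Issuing CA 1
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2341 bytes and written 428 bytes
EOF
}

# Usage: sh probe.sh mail.example.org 25 ; then sh probe.sh mail.example.org 587
if [ "$#" -eq 2 ]; then
    probe_port "$1" "$2"
fi
```

If both ports print the same list, or port 587 prints names that only appear in ca-bundle.crt, the submission smtpd is not running with the CA set the master.cf override was meant to give it, and the per-service TLS settings are the place to look; if the lists differ as expected, the trust anchors are separate and the "trusted on both ports" behaviour has to come from somewhere else.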

