On Tue, Oct 20, 2009 at 10:25:20PM +0200, Roland Dirlewanger wrote:

> Hi folks,
>
> I would like to set up TLS on our mail server the following way:
>
> * connections to port 25 may use TLS. If TLS is used, our server should
>   verify the client certificate using the CAs found in OpenSSL's
>   ca-bundle.crt

Why do you expect clients on port 25 to have client certificates?
Generally, "smtpd_tls_ask_ccert = no", and turning it on for port 25 of
an MX host is not recommended. If you are operating a submission service
only, with submission on both 25 and 587, then this may be more
reasonable. If port 25 does not request client certs, none are ever
presented, and so no CAfile or CApath is necessary.

> * connections to port 587 are required to use TLS. Our server should
>   verify the client certificate using the CAs of our own private key
>   infrastructure. These CAs are bundled in a file named
>   ca-cnrs-bundle.crt

Why do you expect submission clients to present client certificates?
Most TLS-enabled MUAs do not support client certificates with SMTP.
What type of clients are you expecting? What will you do with their
certificates once the "trust chain" is verified?

> I thought the following configuration in master.cf should have achieved
> this in Postfix 2.5.6:
>
> smtp inet n - n - - smtpd
>     -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
>     -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
>     -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-bundle.crt
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_ask_ccert=yes

Yes, but why ask for client certificates? How are they used once/if
presented?

> submission inet n - n - - smtpd
>     -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
>     -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
>     -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_tls_ask_ccert=yes
>     -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
>
> Unfortunately, it doesn't work. With this configuration, both kinds of
> certificates (those issued by our PKI and those which have a root
> certificate in ca-bundle.crt) are considered trusted on port 25 *and* on
> port 587.
>
> It seems to me that CAs from ca-bundle.crt and CAs from ca-cnrs-bundle.crt
> have merged together.

What's in "main.cf"? Do you have an smtpd_tls_CApath defined? You really
should post the output of "postconf -n" as requested in the list welcome
message or <http://www.postfix.org/DEBUG_README.html#mail>.

> What am I doing wrong? Is there a way to configure our postfix server to
> distinguish certificates issued by our PKI from other certificates?

Yes, by using a suitable CAfile + CApath combination.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
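The "merged" behaviour Roland observes, and the smtpd_tls_CApath question Viktor asks, come down to how OpenSSL builds a trust store: a CAfile and a CApath given to the same context are unioned, and Postfix loads both smtpd_tls_CAfile and smtpd_tls_CApath into the trust store of each smtpd instance. The script below is an added example, not code from the thread or from the Postfix project. It constructs two toy CAs ("public-root" standing in for ca-bundle.crt and "cnrs-root" standing in for ca-cnrs-bundle.crt), issues a client certificate from each, and then verifies the client certificates first against the CNRS bundle alone and then against the CNRS bundle plus a hashed CApath directory holding the public CA. All CA names, file names and the directory layout are invented for the demo; it only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed CAs, one client cert
# from each, verified against CAfile-only and CAfile+CApath trust stores.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req(1) config so the CA certs carry basicConstraints CA:TRUE
# regardless of what the system openssl.cnf says.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME.{crt,key}
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -days 1 -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: client certificate $WORK/NAME.crt signed by CA
issue_client() {
    openssl req -new -config "$WORK/req.cnf" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_cafile BUNDLE CERT: trust only the bundle file, which is what a
# service with smtpd_tls_CAfile set and smtpd_tls_CApath empty gets.
verify_cafile() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# verify_merged BUNDLE DIR CERT: bundle file plus hashed directory, the
# union that results when both smtpd_tls_CAfile and smtpd_tls_CApath are
# set for the same smtpd service (e.g. CApath inherited from main.cf).
verify_merged() {
    if openssl verify -CAfile "$1" -CApath "$2" "$3" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_ca public-root
make_ca cnrs-root
issue_client public-root client-public
issue_client cnrs-root   client-cnrs

# A CApath-style directory holding only the public CA, hashed the way
# OpenSSL expects, standing in for a system CA directory in main.cf.
mkdir "$WORK/capath"
cp "$WORK/public-root.crt" "$WORK/capath/"
openssl rehash "$WORK/capath" >/dev/null 2>&1

echo "CAfile=cnrs-root only:"
echo "  client-cnrs:   $(verify_cafile "$WORK/cnrs-root.crt" "$WORK/client-cnrs.crt")"
echo "  client-public: $(verify_cafile "$WORK/cnrs-root.crt" "$WORK/client-public.crt")"
echo "CAfile=cnrs-root plus CApath holding public-root (merged):"
echo "  client-cnrs:   $(verify_merged "$WORK/cnrs-root.crt" "$WORK/capath" "$WORK/client-cnrs.crt")"
echo "  client-public: $(verify_merged "$WORK/cnrs-root.crt" "$WORK/capath" "$WORK/client-public.crt")"
```

The first pair of checks shows that the CNRS bundle on its own rejects the publicly rooted client certificate; the second pair shows that as soon as a CApath containing the public CA is added to the same store, that certificate is accepted too. Mapped back to Postfix, this is what a smtpd_tls_CApath inherited from main.cf does to the submission service: permit_tls_all_clientcerts only asks whether the chain verifies against the instance's trust store, so any CA in the union can mint an accepted client certificate. My reading of Viktor's "suitable CAfile + CApath combination" is therefore: confirm with "postconf -n | grep -i smtpd_tls_CA" whether a CApath is set globally, and if so give the submission service an explicit empty override ("-o smtpd_tls_CApath=") next to its smtpd_tls_CAfile so that only ca-cnrs-bundle.crt is trusted there; the port 25 service can keep whatever CAfile/CApath it needs, or drop smtpd_tls_ask_ccert entirely as Viktor suggests.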