Victor,

Thanks a lot for your reply. Let me answer your questions.

Victor Duchovni wrote:
> On Tue, Oct 20, 2009 at 10:25:20PM +0200, Roland Dirlewanger wrote:
> > I would like to set up TLS on our mail server the following way:
> >
> >   * connections to port 25 may use TLS. If TLS is used, our server should
> >     verify the client certificate using the CAs found in OpenSSL's
> >     ca-bundle.crt
>
> Why do you expect clients on port 25 to have client certificates?

In my opinion, as soon as a non-anonymous TLS connection is set up between a client and a server, it is legitimate for both sides to verify whom they are talking to. This leaves interesting lines in the log files such as "Trusted TLS connection established from ..." or "Trusted: subject_CN=..., issuer=..., fingerprint=...".

> >   * connections to port 587 are required to use TLS. Our server should
> >     verify the client certificate using the CAs of our own private key
> >     infrastructure. These CAs are bundled in a file named
> >     ca-cnrs-bundle.crt
>
> Why do you expect submission clients to present client certificates?
> Most TLS-enabled MUAs do not support client certificates with SMTP.
>
> What type of clients are you expecting?
> What will you do with their certificates once the "trust chain" is verified?

The clients are mostly Mozilla Thunderbird.

On port 587, the variable smtpd_recipient_restrictions is set to "permit_tls_all_clientcerts,reject" in order to allow the relaying only for clients using a certificate which can be trusted.

   
> What's in "main.cf"? Do you have an smtpd_tls_CApath defined?  You really
> should post the output of "postconf -n" as requested in the list welcome
> message or <http://www.postfix.org/DEBUG_README.html#mail>.

Actually, in order to focus on the problem, I tried to use a minimal set of definitions in main.cf and master.cf. I chose to remove almost everything concerning TLS from main.cf and put it in one place, master.cf.

Thus, there is neither smtpd_tls_CApath nor smtpd_tls_CAfile defined in main.cf. The command "postconf -n | grep _tls_" gives the following output:

smtp_tls_CApath =
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_CApath =
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

> > What am I doing wrong? Is there a way to configure our postfix server to
> > distinguish certificates issued by our PKI from other certificates?
>
> Yes, by using a suitable CAfile + CApath combination.

This is the content of master.cf.

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-bundle.crt
  -o smtpd_tls_security_level=may
  -o smtpd_tls_ask_ccert=yes

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject

What would be the correct combination of CAfile + CApath?

Thanks a lot in advance.

Roland.

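The trust decision the thread is about, as an added example that is not code from the thread or from Postfix: permit_tls_all_clientcerts matches only when the client certificate chains to a CA in the store smtpd was given, so the way to "distinguish certificates issued by our PKI from other certificates" is to make the port-587 store contain nothing but the private CAs. The script below rebuilds that decision with the openssl CLI. Everything in it is constructed on the fly in a temporary directory: a private root (cnrs.crt, standing in for ca-cnrs-bundle.crt), an unrelated root (public.crt, standing in for one entry of OpenSSL's ca-bundle.crt), one client certificate from each, a file-style store (the smtpd_tls_CAfile case) and a hash-link directory (the smtpd_tls_CApath case; Postfix needs those c_rehash-style links, it does not read a plain directory of PEM files). Two practitioner caveats are folded in: openssl verify silently adds the system CA store unless told not to, which is the same pitfall as Postfix's tls_append_default_CA parameter (set it to "no" when the point is to trust only your own PKI), and, per postconf(5), the CA names in smtpd_tls_CAfile are sent to the client in the certificate request while those in smtpd_tls_CApath are not, which is why your preferred CAs belong in CAfile and any others in CApath. The -no-CAfile/-no-CApath options assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example for the postfix-users thread above; not code from the thread
# or from Postfix.  It rebuilds, with nothing but the openssl CLI, the trust
# decision smtpd makes for a client certificate: a cert is "trusted" only if
# it chains to a CA in the configured store, which is what
# permit_tls_all_clientcerts tests.  All CAs, certificates and file names are
# constructed here in a temp directory; cnrs.crt stands in for
# ca-cnrs-bundle.crt and public.crt for an unrelated CA from ca-bundle.crt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# openssl verify also consults the system CA store unless told not to
# (-no-CAfile/-no-CApath since OpenSSL 1.1.0, -no-CAstore since 3.0): the
# same pitfall as Postfix's tls_append_default_CA, so switch every default
# source off and let only the store we name decide.
NO_DEFAULTS="-no-CAfile -no-CApath"
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
    NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"
fi

# make_ca NAME SUBJECT: self-signed root CA as NAME.key / NAME.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "$2" >/dev/null 2>&1
}

# issue_client CA NAME SUBJECT: client certificate NAME.crt signed by CA.crt.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "$3" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" >/dev/null 2>&1
}

# trusted_by_file BUNDLE CERT: succeeds iff CERT chains to a CA in BUNDLE
# (the smtpd_tls_CAfile case).
trusted_by_file() {
    openssl verify $NO_DEFAULTS -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_capath DIR CA...: smtpd_tls_CApath-style directory, one file per CA
# named by its subject hash, which is what c_rehash produces.
build_capath() {
    dir=$1; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        cp "$ca" "$dir/$(openssl x509 -in "$ca" -noout -subject_hash).0"
    done
}

# trusted_by_path DIR CERT: the same decision for the smtpd_tls_CApath case.
trusted_by_path() {
    openssl verify $NO_DEFAULTS -CApath "$1" "$2" >/dev/null 2>&1
}

# report CHECK STORE CERT: one human-readable line per decision.
report() {
    if "$1" "$2" "$3"; then
        echo "$2: $3 accepted (permit_tls_all_clientcerts would match)"
    else
        echo "$2: $3 rejected (falls through to reject)"
    fi
}

# --- constructed PKI: one private CA, one unrelated CA, a client from each ---
make_ca cnrs   "/CN=CNRS Test Root CA"
make_ca public "/CN=Some Public Root CA"
issue_client cnrs   cnrs-client   "/CN=roland@example.org"
issue_client public public-client "/CN=stranger@example.net"

# Port 587 store: only the private PKI.
cp cnrs.crt ca-cnrs-bundle.crt
# Port 25 store: everything, like OpenSSL's ca-bundle.crt.
cat cnrs.crt public.crt > ca-bundle.crt
build_capath capath cnrs.crt public.crt

for cert in cnrs-client.crt public-client.crt; do
    report trusted_by_file ca-cnrs-bundle.crt "$cert"
    report trusted_by_file ca-bundle.crt      "$cert"
    report trusted_by_path capath             "$cert"
done
```

Running it shows the distinction the submission service needs: against ca-cnrs-bundle.crt only cnrs-client.crt is accepted, while against ca-bundle.crt (or the hash directory holding both roots) both clients are, so a port-25 style bundle used on port 587 would let any certificate from any public CA relay.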