Victor Duchovni wrote:
- Many (ideally most, if they are wisely configured) clients will not
supply TLS certs even when these are requested.
- Asking for client TLS certificates with normal mail delivery reduces
interoperability, as some clients fail when asked for certs.
- There is little useful authentication function performed by the client
certificates. Mere validity of the trust chain is rather useless,
in the absence of any useful processing of the certified name(s).
It is best practice to not request client certificates on port 25, and for
SMTP clients delivering to MX hosts to not offer them even if requested.
Well, thanks to SMTP on the submission port, all the burden of
authentication can be pushed on it. So, you're right, there's probably
no reason for a server to authenticate clients on port 25.
However, in our environment, the mail user agents we use don't have
these interoperability problems. I think (I hope) our server never had
to reject mail because of an MTA having a client part that failed when
asked for its certificate.
That is the reason why I believe that even if the processing of the
certified subject of the certificate is limited to logging "Trusted" or
"Untrusted", this is useful information: traffic that used to be
trusted suddenly becoming untrusted is the sign that something's wrong.
Investigating that will almost every time lead to an expired
certificate or some kind of misconfiguration, but one cannot exclude
that this is due to a man-in-the-middle attack, IP or DNS spoofing.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
On the submission port, only clients whose certificates are issued by
CAs listed in your CA file (and perhaps also any root CA in the server
certificate file, if OpenSSL also trusts that by default) will be allowed.
Post verbose logging from the submission service (append "-v" after the
"smtpd" on the first line) that demonstrates any contrary behaviour.
Try again with any root CA removed from your "server-cert-chain.pem",
list just the leaf cert and all intermediate CAs, but not the root
cert.
Thanks for the hints. I'll check that.
Roland.
--
Roland Dirlewanger
CNRS - Delegation Aquitaine-Limousin
Esplanade des Arts et Metiers - BP 105
33402 TALENCE CEDEX
tel: 05 57 35 58 52, fax: 05 57 35 58 01
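The "Trusted -> Untrusted" check Roland describes above, as an added example that is not part of the thread and not Postfix code: a small Python script that reads Postfix smtpd TLS log lines and raises one alert per client that was previously logged as "Trusted" or "Verified" on the submission service and then shows up as "Untrusted" or "Anonymous". It assumes the standard smtpd wording ("<level> TLS connection established from host[ip]: ...") and that the submission service is tagged "postfix/submission/smtpd" in syslog (plain "postfix/smtpd" is matched as well and treated as port 25). The log lines below are constructed for the example, not taken from anyone's server.

```python
"""Flag SMTP clients whose TLS trust level dropped (Trusted -> Untrusted).

Added example for the thread above; not Postfix code. It assumes the
standard Postfix smtpd TLS log wording and the "postfix/submission/smtpd"
syslog tag for the submission service (both assumptions, see lead-in).
"""
import re

# Levels that mean the client certificate chained to a CA in smtpd_tls_CAfile.
TRUSTED_LEVELS = {"Trusted", "Verified"}

# "Mar  3 08:00:01 mx postfix/submission/smtpd[2101]: Trusted TLS connection
#  established from mua1.example.org[192.0.2.10]: TLSv1.2 with cipher ..."
# The service element ("submission/") is optional: plain postfix/smtpd is port 25.
TLS_LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?:(?P<service>\w+)/)?smtpd\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)

# Constructed sample log (not real traffic). Day 1: two MUAs present trusted
# certs on submission; an unrelated MTA on port 25 is untrusted (normal).
# Day 2: mua1 suddenly shows up Untrusted on submission, twice.
SAMPLE_LOG = """\
Mar  3 08:00:01 mx postfix/submission/smtpd[2101]: Trusted TLS connection established from mua1.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 08:05:12 mx postfix/submission/smtpd[2107]: Trusted TLS connection established from mua2.example.org[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 08:10:44 mx postfix/smtpd[2110]: Untrusted TLS connection established from mx.other.example[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 08:10:45 mx postfix/smtpd[2110]: 4F2A1C0123: client=mx.other.example[198.51.100.7]
Mar  4 08:01:09 mx postfix/submission/smtpd[3310]: Untrusted TLS connection established from mua1.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  4 08:02:30 mx postfix/submission/smtpd[3312]: Trusted TLS connection established from mua2.example.org[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  4 08:03:00 mx postfix/submission/smtpd[3315]: Untrusted TLS connection established from mua1.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_tls_events(lines):
    """Return a list of dicts (ts, service, level, host, ip) for smtpd TLS lines."""
    events = []
    for line in lines:
        m = TLS_LINE_RE.search(line)
        if not m:
            continue  # not a TLS-establishment line (queue ids, rejects, ...)
        ev = m.groupdict()
        ev["service"] = ev["service"] or "smtpd"  # bare postfix/smtpd = port 25
        events.append(ev)
    return events


def find_trust_downgrades(lines, services=("submission",)):
    """One alert per (service, client IP) that was Trusted/Verified and later
    connected Untrusted/Anonymous.  After alerting, the client is forgotten
    until it is seen trusted again, so a persistent breakage alerts once."""
    last_trusted = {}  # (service, ip) -> timestamp of last trusted connection
    alerts = []
    for ev in parse_tls_events(lines):
        if ev["service"] not in services:
            continue  # port 25 is expected to be untrusted; ignore it here
        key = (ev["service"], ev["ip"])
        if ev["level"] in TRUSTED_LEVELS:
            last_trusted[key] = ev["ts"]
        elif key in last_trusted:
            alerts.append({
                "service": ev["service"],
                "host": ev["host"],
                "ip": ev["ip"],
                "last_trusted": last_trusted.pop(key),
                "seen": ev["ts"],
                "level": ev["level"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_trust_downgrades(SAMPLE_LINES):
        print(f"ALERT {a['service']}: {a['host']}[{a['ip']}] was Trusted at "
              f"{a['last_trusted']}, now {a['level']} at {a['seen']}")
```

On the constructed input this reports a single alert for mua1.example.org, and nothing for the port-25 MTA; the second Untrusted line from mua1 on the same day is deliberately not repeated. In practice the alert is the starting point for the investigation Roland describes: check the client certificate's validity dates and the CA bundle first, and only then consider a spoofed host or an interposed peer.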