On 8/22/2011 10:12 AM, Alano Conraz wrote:
> Hi,
>
> I have a running mail server with postfix, which implements TLS
> support and SASL for authentication. I'm looking for how to
> authenticate an smtp client thanks to its own certificate (e.g. I would
> like to create a self-signed certificate for my thunderbird agent
> and rely on this certificate to authenticate myself to my smtp).
> Furthermore, I would like to add this security measure to the one I
> already have on my server, i.e. with login/password.
> What I did till now is:
> - adding to the main.conf:
> smtpd_tls_ask_ccert=yes
> smtpd_use_tls=yes
> relay_clientcerts=hash:/etc/postfix/relay_clientcerts
> and I add "permit_tls_client_cert" to the smtpd_recipient_restriction.
> - creating a file /etc/postfix/relay_clientcerts.db (if I do not
> put the extension .db at the end I get in my log
> "/etc/postfix/relay_clientcerts.db: no such file or directory"...)
> which contains the md5 hash and a domain name
> (ex: 00:8B:02:30:9D:18:F4:81:5D:2F:48:E4:5B:17:82:A7 client_1.my.domain)
>
> I got in the log: /etc/postfix/relay_clientcerts.db: Inappropriate
> file type or format. I don't know why, maybe you have a clue for me?
> Thanks a lot.
Create the .db file with postmap.

    postmap hash:relay_clientcerts

See 'man postmap' for details.

On a side note, very few desktop mail clients support TLS certificate
authentication. Make sure Thunderbird supports this feature before you
spend too much time on it. TLS certificate authentication is mostly used
for MTA-to-MTA auth.

-- 
Noel Jones
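The workflow behind the reply, as an added Python example that is not from either poster or from the Postfix project: compute a certificate fingerprint in the colon-separated form Postfix logs and looks up, write the plain-text source for relay_clientcerts, sanity-check it, and only then hand it to postmap, which writes the .db file next to the source (so the source file itself is named relay_clientcerts, without .db). The fingerprint in the question is 16 bytes long, i.e. MD5, which matches the digest Postfix used by default at the time; whatever you put in the table must be computed with the same digest as the server's smtpd_tls_fingerprint_digest setting, otherwise permit_tls_client_cert never matches. The PEM block in the demo, the file names and the value client_1.my.domain are constructed for the example; since permit_tls_client_cert grants relaying to any certificate whose fingerprint is listed, the table should contain only certificates you issued or verified yourself.

```python
import base64
import hashlib
import re
import shutil
import subprocess

# Digests Postfix accepts for smtpd_tls_fingerprint_digest. The table key has
# to be computed with the digest the server is actually configured to use.
SUPPORTED_DIGESTS = ("md5", "sha1", "sha256")


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def postfix_fingerprint(der: bytes, digest: str = "md5") -> str:
    """Fingerprint as Postfix prints and looks it up: digest over the DER
    encoding, upper-case hex, one colon between each pair of digits."""
    if digest not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported digest {digest!r}")
    raw = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def table_line(fingerprint: str, value: str) -> str:
    """One line of the relay_clientcerts source file: key, whitespace, value."""
    return f"{fingerprint} {value}"


def check_table_source(text: str, digest: str = "md5") -> list:
    """Validate the text that will be fed to postmap: every non-blank,
    non-comment line must be '<fingerprint> <value>' and the fingerprint
    length must match the configured digest. Returns (line, reason) pairs."""
    expected_bytes = hashlib.new(digest).digest_size
    pattern = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s+(\S+)")
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if not m:
            problems.append((n, "not 'fingerprint value'"))
            continue
        nbytes = m.group(1).count(":") + 1
        if nbytes != expected_bytes:
            problems.append(
                (n, f"{nbytes}-byte fingerprint, {digest} needs {expected_bytes}"))
    return problems


def postmap_command(source_path: str) -> list:
    """postmap invocation that builds <source_path>.db from the text source."""
    return ["postmap", f"hash:{source_path}"]


if __name__ == "__main__":
    # Constructed, offline stand-in for a client certificate: a PEM block whose
    # body is just the base64 of three bytes. A real Thunderbird client
    # certificate exported as PEM goes through exactly the same steps.
    demo_pem = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    fp = postfix_fingerprint(pem_to_der(demo_pem), "md5")
    source = "relay_clientcerts"          # hypothetical path; no .db suffix
    with open(source, "w") as f:
        f.write(table_line(fp, "client_1.my.domain") + "\n")
    with open(source) as f:
        print("problems:", check_table_source(f.read(), "md5"))
    if shutil.which("postmap"):
        subprocess.run(postmap_command(source), check=True)  # writes relay_clientcerts.db
    else:
        print("postmap not installed; would run:", " ".join(postmap_command(source)))
```

Run it on a real certificate by replacing demo_pem with the PEM file contents; the printed problems list is empty when the source is well formed, and the postmap step is the part that produces the .db Postfix expects at the path given in main.cf.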