On Fri, Jun 15, 2012 at 10:13:50AM -0700, post...@lists.killian.com wrote:

> I am perplexed by an issue. Could someone help me figure out
> what is going wrong?
> 
> I migrated the configuration from a server running postfix
> 2.7.2 (opensuse 11.4). It mostly works, except that
> permit_tls_clientcerts seems to be ignored. It continues to
> work using the old postfix server box.

Different versions of Berkeley DB? Out-of-date table .db file?
Different main.cf content than reported via cut/paste?
(Always report the output of 'postconf -n', or at least
'postconf -n some_parameter ...'.)

>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_enforce_tls=yes
>   -o smtpd_tls_req_ccert=yes
>   -o smtpd_tls_key_file=/etc/ssl/private/smtp.killian.com.key
>   -o smtpd_tls_cert_file=/etc/ssl/certs/smtp.killian.com.pem
>   -o smtpd_helo_restrictions=reject_invalid_hostname,permit_tls_clientcerts,reject
>   -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain
>   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_tls_clientcerts,reject

What is the setting of "smtpd_client_restrictions"? (No override for that
above.)

> Some relevant lines from main.cf:
> relay_clientcerts = hash:/etc/postfix/relay_ccerts
> smtpd_tls_fingerprint_digest = sha1

Sorry, evidence not produced via "postconf -n" is often faulty.

> Here is the relevant line from /etc/postfix/relay_ccerts:
> C4:89:7F:6D:A2:07:75:0D:52:29:50:92:F1:F6:F7:E0:3E:56:72:F0 guava.killian.com

Table contents not obtained via "postmap -q" are also often faulty. Check
the ".db" file, not the source file.

> Jun 15 08:06:07 maple postfix/smtpd[22400]: 
> guava.guavamaplevpn.killian.com[10.8.47.2]: Trusted: 
> subject_CN=guava.killian.com, issuer=CAcert Class 3 Root, 
> fingerprint=C4:89:7F:6D:A2:07:75:0D:52:29:50:92:F1:F6:F7:E0:3E:56:72:F0
> Jun 15 08:06:08 maple postfix/smtpd[22400]: NOQUEUE: reject: RCPT from 
> guava.guavamaplevpn.killian.com[10.8.47.2]: 554 5.7.1 
> <guava.lah.killian.com>: Helo command rejected: Access denied; 
> from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<guava.lah.killian.com>

This was denied by a "reject" rule or a "REJECT" access table rule.

> It seems to me that the submission port daemon should have processed
> smtpd_helo_restrictions=reject_invalid_hostname,permit_tls_clientcerts,reject
> and accepted the connection based on permit_tls_clientcerts.

All the restrictions are evaluated, not just the HELO checks.

-- 
        Viktor.
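The checks asked for in this reply (postconf -n for the effective settings, postmap -q against the compiled .db rather than the source file, and a look at the .db itself) collected into one script. This is an added example, not part of the thread or of Postfix; it assumes postconf, postmap, openssl and file are on PATH and uses the /etc/postfix/relay_ccerts path and the fingerprint format quoted above. The function names are my own, and the test files it touches are constructed in a temporary directory.

```sh
#!/bin/sh
# Added diagnostic helper for the thread above; not from the original post.
# Assumes: postfix (postconf, postmap), openssl and file on PATH, and the table
# path /etc/postfix/relay_ccerts quoted in the thread. Function names are mine.

# Normalise a fingerprint to the form Postfix logs and uses as the lookup key:
# upper-case hex, colon separated. Strips openssl's "SHA1 Fingerprint=" prefix.
fp_normalize() {
  printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr 'a-f' 'A-F'
}

# Number of octets in a fingerprint, which tells you which digest produced it.
# The table key and smtpd_tls_fingerprint_digest must agree, or nothing matches.
fp_octets() {
  colons=$(printf '%s' "$(fp_normalize "$1")" | tr -cd ':' | wc -c | tr -d ' ')
  echo $((colons + 1))
}

fp_digest_guess() {
  case "$(fp_octets "$1")" in
    16) echo md5 ;;
    20) echo sha1 ;;
    32) echo sha256 ;;
    *)  echo unknown ;;
  esac
}

# Fingerprint of a PEM client certificate with the digest named in main.cf.
cert_fingerprint() {   # cert_fingerprint client.pem sha1
  fp_normalize "$(openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}")"
}

# smtpd reads the compiled .db, never the text source. A .db that is missing or
# older than its source (postmap not re-run after editing) is the first thing to rule out.
table_db_stale() {   # table_db_stale /etc/postfix/relay_ccerts
  [ -f "$1.db" ] || return 0
  [ "$1" -nt "$1.db" ]
}

# The checks from the reply, in order.
diagnose() {   # diagnose /etc/postfix/relay_ccerts 'C4:89:...'
  table=$1
  fp=$(fp_normalize "$2")
  command -v postconf >/dev/null 2>&1 || { echo "postfix tools not found" >&2; return 2; }
  # Effective main.cf values; -n prints only settings that differ from the default.
  postconf -n smtpd_client_restrictions smtpd_tls_fingerprint_digest relay_clientcerts
  # master.cf -o overrides for the submission service are not shown by -n;
  # postconf -M (Postfix 2.9 and later) lists them.
  postconf -M 2>/dev/null | grep '^submission' || true
  echo "stored key looks like a $(fp_digest_guess "$fp") fingerprint"
  if table_db_stale "$table"; then
    echo "WARNING: $table.db missing or older than its source; run: postmap hash:$table" >&2
  fi
  file "$table.db" 2>/dev/null   # shows the Berkeley DB format version
  # Query the .db the daemon actually uses, not the source file.
  postmap -q "$fp" "hash:$table" || echo "no match for $fp in hash:$table" >&2
}

if [ "$#" -ge 2 ]; then
  diagnose "$1" "$2"
fi
```

Run it as `sh check_ccerts.sh /etc/postfix/relay_ccerts "$(cert_fingerprint /path/to/guava.pem sha1)"` on the new box; a "no match" from postmap -q while the source file plainly contains the line points at a stale or unreadable .db, and a digest guess that disagrees with smtpd_tls_fingerprint_digest points at a key built with the wrong hash.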