Thanks for the help. It turned out that relay_ccerts.db was
copied from an old machine, and so the different db version
was the problem.

-Earl


On Jun 15, 2012, at 21:10 , Viktor Dukhovni wrote:

> On Fri, Jun 15, 2012 at 10:13:50AM -0700, post...@lists.killian.com wrote:
> 
> > I am perplexed by an issue. Could someone help me figure out
> > what is going wrong?
> > 
> > I migrated the configuration from a server running postfix
> > 2.7.2 (opensuse 11.4). It mostly works, except that
> > permit_tls_clientcerts seems to be ignored. It continues to
> > work using the old postfix server box.
> 
> Different versions of Berkeley DB? Out of table .db file?
> Different main.cf content than reported via cut/paste
> (always report output of 'postconf -n' or at least
> 'postconf -n some_parameter ...').
> 
> >  -o smtpd_etrn_restrictions=reject
> >  -o smtpd_enforce_tls=yes
> >  -o smtpd_tls_req_ccert=yes
> >  -o smtpd_tls_key_file=/etc/ssl/private/smtp.killian.com.key
> >  -o smtpd_tls_cert_file=/etc/ssl/certs/smtp.killian.com.pem
> >  -o smtpd_helo_restrictions=reject_invalid_hostname,permit_tls_clientcerts,reject
> >  -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain
> >  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_tls_clientcerts,reject
> 
> What is the setting of "smtpd_client_restrictions" (No override for that
> above).
> 
> > Some relevant lines from main.cf:
> > relay_clientcerts = hash:/etc/postfix/relay_ccerts
> > smtpd_tls_fingerprint_digest = sha1
> 
> Sorry, evidence not produced via "postconf -n" is often faulty.
> 
> > Here is the relevant line from /etc/postfix/relay_ccerts:
> > C4:89:7F:6D:A2:07:75:0D:52:29:50:92:F1:F6:F7:E0:3E:56:72:F0 guava.killian.com
> 
> Table contents not obtained via "postmap -q" also often faulty. Check
> the ".db" file, not the source file.
> 
> > Jun 15 08:06:07 maple postfix/smtpd[22400]: 
> > guava.guavamaplevpn.killian.com[10.8.47.2]: Trusted: 
> > subject_CN=guava.killian.com, issuer=CAcert Class 3 Root, 
> > fingerprint=C4:89:7F:6D:A2:07:75:0D:52:29:50:92:F1:F6:F7:E0:3E:56:72:F0
> > Jun 15 08:06:08 maple postfix/smtpd[22400]: NOQUEUE: reject: RCPT from 
> > guava.guavamaplevpn.killian.com[10.8.47.2]: 554 5.7.1 
> > <guava.lah.killian.com>: Helo command rejected: Access denied; 
> > from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<guava.lah.killian.com>
> 
> This was denied by a "reject" rule or a "REJECT" access table rule.
> 
> > It seems to me that the submission port daemon should have processed
> > smtpd_helo_restrictions=reject_invalid_hostname,permit_tls_clientcerts,reject
> > and accepted the connection based on permit_tls_clientcerts.
> 
> All the restrictions are evaluated not just helo checks.
> 
> -- 
>       Viktor.
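
The checks Viktor asks for above (look at the fingerprint smtpd actually logged, look it up in the compiled table rather than the source file, and make sure the table keys were made with the digest named by smtpd_tls_fingerprint_digest) as an added example, not code from the thread or from Postfix: a small Python script that parses "Trusted:" log lines, parses the relay_ccerts source file, flags keys whose length does not fit the configured digest, and, when postmap is on PATH, asks `postmap -q` what the compiled .db returns for the logged fingerprint. The sample log lines and tables are constructed from the excerpt in the thread; the md5 entry is invented to show a stale table. It assumes that `postmap -q` exits 0 and prints the value on a hit and exits 1 on a miss, and that md5, sha1 and sha256 fingerprints are 16, 20 and 32 colon-separated octets.

```python
"""Cross-check a permit_tls_clientcerts failure: logged fingerprint vs source table vs compiled .db."""
import re
import shutil
import subprocess

# Fingerprint length in octets per digest (assumption stated in the lead-in).
DIGEST_OCTETS = {"md5": 16, "sha1": 20, "sha256": 32}

# Constructed sample data modeled on the thread's excerpt (not real logs or tables).
FP = "C4:89:7F:6D:A2:07:75:0D:52:29:50:92:F1:F6:F7:E0:3E:56:72:F0"
SAMPLE_LOG = (
    "Jun 15 08:06:07 maple postfix/smtpd[22400]: guava.guavamaplevpn.killian.com[10.8.47.2]: "
    "Trusted: subject_CN=guava.killian.com, issuer=CAcert Class 3 Root, fingerprint=" + FP + "\n"
    "Jun 15 08:06:08 maple postfix/smtpd[22400]: NOQUEUE: reject: RCPT from "
    "guava.guavamaplevpn.killian.com[10.8.47.2]: 554 5.7.1 <guava.lah.killian.com>: "
    "Helo command rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<guava.lah.killian.com>\n"
)
SAMPLE_TABLE = "# relay_ccerts source file\n" + FP + " guava.killian.com\n"
# Invented stale table: a 16-octet (md5-length) key that can never match a sha1 fingerprint.
SAMPLE_OLD_TABLE = "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9 guava.killian.com\n"

TRUSTED_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<client>\S+): Trusted: subject_CN=(?P<cn>[^,]+), "
    r"issuer=(?P<issuer>.+?), fingerprint=(?P<fp>[0-9A-Fa-f:]+)\s*$"
)


def trusted_fingerprints(log_text):
    """Map each client (name[addr]) to the (fingerprint, CN) smtpd logged for its cert."""
    found = {}
    for line in log_text.splitlines():
        m = TRUSTED_RE.search(line)
        if m:
            found[m.group("client")] = (m.group("fp"), m.group("cn"))
    return found


def parse_source_table(text):
    """Parse a Postfix 'key value' source file; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def digest_of_key(key):
    """Guess the digest a colon-separated fingerprint was made with, from its octet count."""
    octets = len(key.split(":"))
    for name, n in DIGEST_OCTETS.items():
        if n == octets:
            return name
    return None


def query_compiled_table(fingerprint, table_spec):
    """Ask Postfix itself, via 'postmap -q', what the compiled table returns.
    Returns (status, detail) with status in hit / miss / error / unavailable."""
    if shutil.which("postmap") is None:
        return "unavailable", ""
    proc = subprocess.run(["postmap", "-q", fingerprint, table_spec],
                          capture_output=True, text=True)
    if proc.returncode == 0:
        return "hit", proc.stdout.strip()
    if proc.stderr.strip():          # e.g. an unreadable .db from another Berkeley DB version
        return "error", proc.stderr.strip()
    return "miss", ""


def diagnose(log_text, source_text, configured_digest="sha1", table_spec=None):
    """Return human-readable findings for every client that presented a trusted cert."""
    findings = []
    table = parse_source_table(source_text)
    for key in table:
        if digest_of_key(key) != configured_digest:
            findings.append(f"table key {key} looks like {digest_of_key(key)}, "
                            f"but smtpd_tls_fingerprint_digest = {configured_digest}")
    for client, (fp, cn) in trusted_fingerprints(log_text).items():
        if fp not in table:
            findings.append(f"{client}: logged fingerprint {fp} (CN={cn}) is not in the source table")
            continue
        findings.append(f"{client}: source table maps {fp} to {table[fp]}")
        if table_spec is None:
            continue
        status, detail = query_compiled_table(fp, table_spec)
        if status == "hit":
            findings.append(f"{client}: compiled table also returns {detail}")
        elif status == "miss":
            findings.append(f"{client}: compiled table {table_spec} has no entry for {fp}; "
                            f"source and .db differ, rebuild with 'postmap {table_spec}'")
        elif status == "error":
            findings.append(f"postmap failed on {table_spec}: {detail} (stale or foreign .db? rebuild with postmap)")
        else:
            findings.append("postmap not on PATH; the compiled .db was not checked")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_TABLE, table_spec="hash:/etc/postfix/relay_ccerts"):
        print(line)
    for line in diagnose(SAMPLE_LOG, SAMPLE_OLD_TABLE):
        print(line)
```

Run it on the real host with the actual log excerpt and `/etc/postfix/relay_ccerts`; a "miss" or "error" from the compiled table while the source file matches is exactly the stale-.db situation this thread ended on, and `postmap hash:/etc/postfix/relay_ccerts` rebuilds it with the local Berkeley DB.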
