I managed to get this running tonight and I'm looking for sanity checking, in case I'm completely missing something. Thanks.
I wish to allow incoming mail from any client with a valid certificate. My master.cf is:

10.0.0.1:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
  -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_tls_ask_ccert=yes
  -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
  -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
  -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access

I have some DNS issues (some of these hosts are remote and do not have public DNS entries):

# cat /usr/local/etc/postfix-config/sender_access
cliff.example.org OK

The fingerprint for each incoming client is listed here:

# cat /usr/local/etc/postfix-config/main/relay_clientcerts
3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org

I have this working. It seems to do what I want.

For what it's worth: this is just for my use, no other users.

-- 
Dan Langille - http://langille.org
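The relay_clientcerts lookup in the post keys on the client certificate's fingerprint, which Postfix computes with the algorithm named by smtpd_tls_fingerprint_digest and matches against the table as uppercase colon-separated hex. The 16-byte value shown is an MD5 fingerprint, the historical default; Postfix 3.6 switched the default to sha256 at compatibility_level 3.6 and later, at which point a table of MD5 entries stops matching without any error. The following Python is an added example, not Dan's configuration or Postfix's own code: it reproduces the fingerprint format, parses and extends a relay_clientcerts source file in the layout shown, answers what permit_tls_clientcerts would decide for a verified certificate, and flags table keys whose length does not fit the configured digest. The DER byte string and the table text are constructed stand-ins (a real certificate is what `openssl x509 -outform DER` emits); the public-key fingerprint that Postfix 2.9 and later also accepts is not modelled.

```python
import hashlib

# Digest length in bytes for each algorithm smtpd_tls_fingerprint_digest may name.
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32}

# Constructed stand-in for a DER-encoded client certificate. Any byte string
# exercises the arithmetic; a real one comes from `openssl x509 -outform DER`.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

# Constructed relay_clientcerts source text in the layout the post shows.
# The right-hand value is informational; Postfix matches only on the key.
SAMPLE_TABLE = """\
# fingerprint                                    client
3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
"""


def postfix_fingerprint(der: bytes, digest: str = "md5") -> str:
    """Digest of the DER certificate as Postfix prints and matches it:
    uppercase hex pairs joined by colons, the same text that follows '=' in
    `openssl x509 -noout -fingerprint -md5`."""
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def table_entry(der: bytes, name: str, digest: str = "md5") -> str:
    """One relay_clientcerts source line for this certificate."""
    return f"{postfix_fingerprint(der, digest)} {name}"


def parse_relay_clientcerts(text: str) -> dict:
    """Parse the source text of a hash: table (the format postmap compiles):
    blank lines and '#' comments are skipped, key and value are split on
    whitespace, and the key is upper-cased so it matches OpenSSL's output
    however it was typed."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1] if len(parts) > 1 else ""
        table[key] = value
    return table


def is_permitted(der: bytes, table: dict, digest: str = "md5") -> bool:
    """What permit_tls_clientcerts decides for a certificate the CA check has
    already verified: its fingerprint under the configured digest must be a
    key in relay_clientcerts."""
    return postfix_fingerprint(der, digest) in table


def mismatched_keys(table: dict, digest: str) -> list:
    """Keys whose length does not fit the configured digest. Every such key
    can never match, which is how an MD5 table fails after the digest moves
    to sha256; run this after upgrading or changing the digest."""
    want = DIGEST_LEN[digest] * 3 - 1          # "XX:" per byte, no trailing colon
    return [k for k in table if len(k) != want]


if __name__ == "__main__":
    table = parse_relay_clientcerts(SAMPLE_TABLE)
    print("sample cert permitted:", is_permitted(SAMPLE_DER, table))
    print("line to add:", table_entry(SAMPLE_DER, "newhost.example.org"))
    print("keys that cannot match under sha256:", mismatched_keys(table, "sha256"))
```

After appending a line from table_entry to the source file, the hash: table still has to be rebuilt with postmap before smtpd sees it; the example only handles the source text.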