On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:

[ What Noel said, plus see below. ]

> 10.0.0.1:submission inet n - n - - smtpd
> -o smtpd_tls_req_ccert=yes

Fine.

> -o smtpd_tls_auth_only=no

This seems silly. Since authentication gets them nowhere, why allow plaintext password leaks? Just disable SASL period.

> -o smtpd_tls_ask_ccert=yes

This is implied by req_ccert.

> -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

This is an SMTP client parameter that serves no purpose here.

> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

This is a bad idea. Instead set this to an empty file. The list of all the CA DNs from this file is sent to the client, but your clients probably don't need CA hints. Otherwise make this a small list of one or two suitable CAs that issue the certificates which are admitted via the relay certs file.

You should set your digest algorithm explicitly (sha1 or better if available, as with OpenSSL 1.0.0 or later, or the most recent Postfix patches that make sha256 available with older OpenSSL releases).

> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org

This looks like md5, and while still largely resistant to 2nd preimage attacks, you should still avoid it.

-- 
Viktor.
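As an added example (not part of Viktor's reply or of the Postfix distribution), a small POSIX shell script that produces a relay_clientcerts entry keyed on a SHA-256 certificate fingerprint, as the reply recommends, instead of the MD5 one in the quoted table. It assumes the openssl command is available and generates a throwaway self-signed certificate so that it runs offline; the certificate and label are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Postfix.
# Builds a relay_clientcerts line keyed on a SHA-256 certificate fingerprint.
# Assumes the openssl CLI is installed; the cert and label are constructed.
set -eu

# Print one relay_clientcerts line, "<FINGERPRINT> <label>", with the
# fingerprint in Postfix's colon-separated uppercase hex form, which is
# exactly what `openssl x509 -fingerprint` prints after the '=' sign.
relay_clientcert_entry() {
    cert="$1"; label="$2"
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
    printf '%s %s\n' "$fp" "$label"
}

# Create a throwaway self-signed client certificate (demo input only).
make_demo_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=cliff.example.org -keyout "$out.key" -out "$out" \
        >/dev/null 2>&1
}

# Sanity check on a fingerprint string: a SHA-256 fingerprint is 32
# uppercase hex bytes joined by colons (95 characters), while the MD5
# fingerprint in the quoted table has only 16 bytes and would be rejected.
is_sha256_fingerprint() {
    printf '%s' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir/client.pem"
    relay_clientcert_entry "$dir/client.pem" cliff.example.org
    rm -rf "$dir"
}

demo
```

The printed line is what goes into the relay_clientcerts source file before running postmap on it, and the lookup only matches when main.cf sets smtpd_tls_fingerprint_digest = sha256, the same algorithm used to compute the key.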