On 2013-10-06 22:40, Noel Jones wrote:
> On 10/6/2013 7:52 PM, Dan Langille wrote:
>> I managed to get this running tonight and I'm looking for sanity
>> checking, in case I'm completely missing something. Thanks.
>> I wish to allow incoming mail from any client with a valid certificate.
>> My master.cf is:
>>
>> 10.0.0.1:submission inet n - n - - smtpd
>>   -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
> You probably want to use "reject" rather than
> "reject_unauth_destination" to prevent outsiders from sending local
> mail via submission.
>>   -o smtpd_tls_req_ccert=yes
>>   -o smtpd_tls_auth_only=no
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
>>   -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
>>   -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
>>   -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
> This is OK since it fulfills the intended function of preventing
> unauthorized relaying, but for consistency and simplicity you might
> want to change it to match your -o smtpd_recipient_restrictions.
All done. Thank you.
>>   -o smtpd_tls_ask_ccert=yes
>>   -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>>   -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>>   -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access
> Your sender_access file has no effect right now. To restrict
> submission to a single sender domain, use something like:
>
> # main.cf
> submission_sender_restrictions =
>     check_sender_access hash:/usr/local/etc/postfix-config/sender_access
>     reject
>
> # master.cf
> 10.0.0.1:submission ...
>     ...
>     -o smtpd_sender_restrictions=$submission_sender_restrictions
At first, I thought this would be a global setting affecting all services
specified in master.cf.
I don't want that.
Then I realized submission_sender_restrictions is a macro, ready for
inclusion elsewhere.
> Also, remember that any other smtpd_*_restrictions settings you have
> in main.cf will be inherited by your master.cf submission service.
> Some people find it useful to explicitly set unused restrictions
> empty to prevent surprises.
>
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_data_restrictions=
Done.

What I have now is:

10.0.0.1:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
  -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
  -o smtpd_tls_ask_ccert=yes
  -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
  -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=
Thank you Noel.
> --
> Noel Jones
>> I have some DNS issues (some of these hosts are remote and do not have
>> public DNS entries)
>>
>> # cat /usr/local/etc/postfix-config/sender_access
>> cliff.example.org OK
>>
>> The fingerprint for each incoming client is listed here:
>>
>> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
>> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
>>
>> I have this working. It seems to do what I want.
>> For what it's worth: This is just for my use, no other users.
--
Dan Langille - http://langille.org/
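The points raised in this thread (end the submission service's recipient restrictions with "reject", never a bare table as a restriction, set unused smtpd_*_restrictions empty so nothing is inherited from main.cf, keep the client-cert fingerprint table in the digest the server expects) can be turned into a small lint. The script below is an added example, written for this page; it is not code from the thread, from Dan, from Noel or from Postfix. The BEFORE/AFTER service entries and the relay_clientcerts table are constructed from the configuration posted above, and the mapping from fingerprint length to digest (16 octets = MD5, the Postfix default smtpd_tls_fingerprint_digest at the time of the thread; 20 = SHA1; 32 = SHA256) is an assumption stated in the code.

```python
"""Lint a master.cf submission service and a relay_clientcerts table for
the pitfalls discussed in the thread. All sample data below is constructed
from the configuration posted in the thread."""
import re

# Constructed sample: the service as first posted, before Noel's suggestions.
BEFORE = """\
10.0.0.1:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access
"""

# Constructed sample: the same service after the thread's fixes were applied.
AFTER = """\
10.0.0.1:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=
"""

# Constructed sample relay_clientcerts source file (fingerprint from the thread).
RELAY_CLIENTCERTS = """\
# fingerprint                                    client name
3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
"""

RESTRICTION_LISTS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions", "smtpd_data_restrictions",
)
# A lookup table used directly as a restriction does nothing; it must be
# wrapped in check_sender_access, check_client_access and so on.
TABLE_TYPES = r"^(hash|btree|cdb|lmdb|texthash|regexp|pcre):"


def parse_service(text):
    """Parse one master.cf entry: the service line followed by indented
    continuation lines of the form `-o name=value`."""
    lines = text.splitlines()
    name = lines[0].split()[0]
    overrides = {}
    for line in lines[1:]:
        if not line[:1].isspace():
            break  # an unindented line starts the next service entry
        m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", line)
        if m:
            overrides[m.group(1)] = m.group(2).strip()
    return name, overrides


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def lint_submission(overrides):
    """Return findings for a certificate-authenticated submission service."""
    findings = []
    recipient = split_list(overrides.get("smtpd_recipient_restrictions", ""))
    if not recipient or recipient[-1] != "reject":
        findings.append("smtpd_recipient_restrictions should end with 'reject', "
                        "so clients without a trusted cert cannot submit mail for local domains")
    if overrides.get("smtpd_tls_req_ccert") != "yes":
        findings.append("smtpd_tls_req_ccert=yes is missing: a client certificate is not required")
    if overrides.get("smtpd_tls_security_level") != "encrypt":
        findings.append("smtpd_tls_security_level should be 'encrypt' on a submission service")
    for key in RESTRICTION_LISTS:
        value = overrides.get(key)
        if value is None:
            findings.append(f"{key} is not set on the service, so the main.cf value is inherited")
            continue
        for item in split_list(value):
            if re.match(TABLE_TYPES, item):
                findings.append(f"{key}: bare table {item!r} has no effect; "
                                "use check_sender_access (or the matching check_*_access)")
    return findings


def parse_relay_clientcerts(text):
    """Parse a relay_clientcerts source file into {fingerprint: (name, digest)}.
    Assumption: digest is inferred from the octet count (16 = md5, 20 = sha1,
    32 = sha256); it must match smtpd_tls_fingerprint_digest or no client matches."""
    digest_by_octets = {16: "md5", 20: "sha1", 32: "sha256"}
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fingerprint, _, name = line.partition(" ")
        octets = fingerprint.split(":")
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
            raise ValueError(f"malformed fingerprint: {fingerprint}")
        entries[fingerprint.upper()] = (name.strip(), digest_by_octets.get(len(octets), "unknown"))
    return entries


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        name, overrides = parse_service(text)
        print(f"{name} ({label}):")
        for finding in lint_submission(overrides) or ["no findings"]:
            print("  -", finding)
    for fp, (client, digest) in parse_relay_clientcerts(RELAY_CLIENTCERTS).items():
        print(f"{client}: {fp} ({digest})")
```

Run against BEFORE the lint reports the five problems Noel pointed out (recipient restrictions ending in reject_unauth_destination, a bare hash: table as sender restriction, and client/helo/data restrictions inherited from main.cf); against AFTER it reports nothing. To lint a live server instead of the constructed samples, feed it the service entry printed by `postconf -M 10.0.0.1/submission` (or the relevant master.cf block).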