I have a group of Postfix servers. I want communications between these servers to be TLS and clients must present a known certificate.

These servers are also public-facing and accept incoming mail from servers not under my control.

I just started setting this up and it seems to be working as expected. I'm looking for feedback and suggestions. I think I understand what I'm doing.

Each of these servers will accept mail from the other servers on port 5587.

The master.cf has something like this:

64.147.113.42:5587 inet n       -       n       -       -       smtpd
    -o smtp_tls_security_level=encrypt
    -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
    -o smtpd_tls_req_ccert=yes
    -o smtpd_tls_auth_only=no
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
    -o smtpd_tls_key_file=/usr/local/etc/ssl/D.example.org.nopassword.key
    -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_data_restrictions=

Some of the entries from main.cf are:

smtp_tls_policy_maps = hash:/usr/local/etc/postfix-config/tls_policy
transport_maps = hash:/usr/local/etc/postfix-config/transport
relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
smtpd_tls_fingerprint_digest=sha1
smtp_tls_fingerprint_digest=sha1

Ensure that comms are via TLS:

# cat /usr/local/etc/postfix-config/tls_policy
[A.example.org]:5587 encrypt protocols=TLSv1 ciphers=high
[B.example.org]:5587 encrypt protocols=TLSv1 ciphers=high
[C.example.org]:5587 encrypt protocols=TLSv1 ciphers=high

Make sure the comms go to the right service:

# cat /usr/local/etc/postfix-config/transport
A.example.org  :[A.example.org]:5587
B.example.org  :[B.example.org]:5587
C.example.org  :[C.example.org]:5587

Accept incoming mail only if these certs are presented:

# cat /usr/local/etc/postfix-config/relay_clientcerts
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:55 b.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:66 c.example.org

--
Dan Langille - http://langille.org/

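The relay_clientcerts map above keys on certificate fingerprints, and the smtpd_tls_fingerprint_digest setting decides which digest (sha1 in the post; sha256 is also accepted) Postfix computes over the peer's DER certificate before looking it up. The following is an added example, not code from the post or from Postfix, that reproduces that fingerprint format from a PEM certificate, parses a relay_clientcerts file, and flags map entries whose length does not match the configured digest (a sha256 fingerprint left in a map while the digest is sha1 silently never matches). The PEM block and the map text are constructed sample data; the parser only handles the simple one-entry-per-line form used in the post, not every Postfix lookup-table feature.

```python
import base64
import hashlib
import re

# Digest names accepted by smtpd_tls_fingerprint_digest, with the digest size in bytes.
DIGEST_LENGTHS = {"sha1": 20, "sha256": 32}

# Constructed sample: not a real X.509 certificate, just bytes wrapped in PEM
# markers so that the PEM-to-DER step can be exercised offline.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed map text: the three entries from the post plus one deliberately
# wrong entry (32 bytes, i.e. sha256 length) to show the length check.
SAMPLE_MAP = """\
# relay_clientcerts: fingerprint  name
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:55 b.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:66 c.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00 stale.example.org
"""


def der_from_pem(pem: str) -> bytes:
    """Extract the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_der(der: bytes, digest: str = "sha1") -> str:
    """Postfix-style fingerprint: digest of the DER certificate, upper-case hex, colon separated."""
    if digest not in DIGEST_LENGTHS:
        raise ValueError(f"unsupported digest {digest!r}")
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_pem(pem: str, digest: str = "sha1") -> str:
    """Fingerprint of a PEM-encoded certificate, as Postfix would compute it."""
    return fingerprint_der(der_from_pem(pem), digest)


def parse_relay_clientcerts(text: str, digest: str = "sha1"):
    """Parse relay_clientcerts lines into {fingerprint: name}.

    Returns (table, problems). An entry whose fingerprint does not have the
    byte length of the configured digest can never match and is reported.
    """
    table, problems = {}, []
    want = DIGEST_LENGTHS[digest]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Postfix maps: '#' at line start is a comment
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        name = parts[1].strip() if len(parts) > 1 else ""
        octets = key.split(":")
        if len(octets) != want or not all(re.fullmatch(r"[0-9A-F]{2}", o) for o in octets):
            problems.append(f"line {lineno}: {key} is not a {digest} fingerprint ({want} bytes)")
            continue
        table[key] = name
    return table, problems


def permitted_name(fingerprint: str, table: dict):
    """Emulate the permit_tls_clientcerts lookup: map value for a presented fingerprint, else None."""
    return table.get(fingerprint.upper())


if __name__ == "__main__":
    for d in DIGEST_LENGTHS:
        print(f"{d}: {fingerprint_pem(SAMPLE_PEM, d)}")
    table, problems = parse_relay_clientcerts(SAMPLE_MAP, "sha1")
    print("accepted entries:", table)
    for p in problems:
        print("problem:", p)
```

Pointing `fingerprint_pem` at a real client certificate gives the exact string to put in the map (equivalent to `openssl x509 -noout -fingerprint -sha1` with the `SHA1 Fingerprint=` prefix stripped), and running the parser with the digest taken from smtpd_tls_fingerprint_digest on the live map is a cheap check that every entry can actually be matched.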