On 11.07.2014 11:53, BlueStar88 wrote:
> On Fri, 11 Jul 2014 11:29:11 +0200
> Robert Schetterer <r...@sys4.de> wrote:
>
>> On 11.07.2014 11:10, BlueStar88 wrote:
>>> I'd like to set up a Trusted-only MTA for a special domain.
>>
>> If you have both servers under your control, you can always cover the
>> connection with a VPN and use a special transport, in addition to
>> Postfix's secure features.
>
> Hello Robert,
>
> yes, I do this already between my own servers. ;-)
>
> My point is to roll out internet-reachable special domains with security
> features enabled to their full extent. This covers perfect inbound
> handling as well. Postfix already does fully qualified certificate checks
> on inbound connections, but I can't make any use of it. Well, except
> real-time log file parsing (looking for "Trusted TLS connection
> established from...") and taking whatever action thereafter.
>
> Best would be if Postfix simply rejected inbound TLS connections which
> do not reach the given security level.
>
>
> Regards
>
> BlueStar88
Something like this?

relay_clientcerts (default: empty)
    List of tables with remote SMTP client-certificate fingerprints or
    public key fingerprints (Postfix 2.9 and later) for which the Postfix
    SMTP server will allow access with the permit_tls_clientcerts feature.
    The fingerprint digest algorithm is configurable via the
    smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
    Postfix version 2.5).

    Postfix lookup tables are in the form of (key, value) pairs. Since we
    only need the key, the value can be chosen freely, e.g. the name of
    the user or host:

        D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    Example:

        relay_clientcerts = hash:/etc/postfix/relay_clientcerts

    For more fine-grained control, use check_ccert_access to select an
    appropriate access(5) policy for each client. See
    RESTRICTION_CLASS_README.

    Note: Postfix 2.9.0–2.9.5 computed the public key fingerprint
    incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
    or later.

    This feature is available with Postfix version 2.2.

Best regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
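As an added example (not part of the thread, and not Robert's or the Postfix project's own text), here is a main.cf fragment that combines the relay_clientcerts / check_ccert_access approach quoted above with smtpd_tls_req_ccert, which is the knob that does what BlueStar88 asked for: a client whose certificate does not verify against the configured CA fails the TLS handshake instead of merely being logged as "Untrusted". The file paths, CA file, host names and the fingerprint in the table are placeholders I made up; the parameter names are real Postfix parameters.

```ini
# /etc/postfix/main.cf  (added example; paths, CA file and fingerprints are placeholders)

# Mandatory TLS on this listener, and ask every client for a certificate.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file      = /etc/postfix/ssl/mx.example.org.crt
smtpd_tls_key_file       = /etc/postfix/ssl/mx.example.org.key
smtpd_tls_ask_ccert      = yes

# Only CAs in this file can make a client certificate "Trusted".
# Use your own private/partner CA here, not the system-wide bundle,
# otherwise any public CA could mint an acceptable client certificate.
smtpd_tls_CAfile            = /etc/postfix/ssl/partner-ca.pem
smtpd_tls_ccert_verifydepth = 2

# Hard rejection at the TLS layer: with mandatory TLS, a client whose
# certificate is missing or does not verify never gets past STARTTLS.
# (Ignored with a warning when smtpd_tls_security_level is only "may".)
smtpd_tls_req_ccert = yes

# Fingerprints in the table below are SHA-256 (md5 was the default before 3.6).
smtpd_tls_fingerprint_digest = sha256

# Pin the individual peers on top of CA trust: a known fingerprint gets OK,
# anything else is refused with a 5xx. smtpd_delay_reject must stay at its
# default "yes" so this is evaluated after STARTTLS, when the cert exists.
smtpd_client_restrictions =
    check_ccert_access hash:/etc/postfix/relay_clientcerts,
    reject

# The same table also feeds permit_tls_clientcerts for relaying decisions.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# Log "Trusted TLS connection established from ..." lines for verification.
smtpd_tls_loglevel = 1

# /etc/postfix/relay_clientcerts  (placeholder content; run
# "postmap /etc/postfix/relay_clientcerts" after every edit)
#
# key   = certificate or public-key fingerprint, as Postfix logs it
# value = access(5) action for check_ccert_access; relay_clientcerts
#         only looks at the key, so "OK" serves both uses of the table.
01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF  OK
```

To obtain the key for a peer's certificate, take the value Postfix itself logs at smtpd_tls_loglevel = 1, or compute it offline: `openssl x509 -noout -fingerprint -sha256 -in client.pem` gives the certificate fingerprint, and `openssl x509 -in client.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -c` gives the public-key fingerprint, which survives certificate renewal as long as the key is kept. Two caveats: requiring STARTTLS on a publicly referenced MX violates RFC 3207, so the Postfix documentation restricts smtpd_tls_security_level = encrypt to dedicated listeners (a separate port or IP in master.cf for the "special domain", not the general MX); and smtpd_tls_req_ccert only checks that the certificate chains to smtpd_tls_CAfile, so the fingerprint table is what turns "issued by our CA" into "is one of our known peers".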