Re: Postfix should provide fingerprint, verify and secure levels inbound too (smtpd)

Fri, 11 Jul 2014 07:46:45 -0700 

On Fri, Jul 11, 2014 at 11:10:37AM +0200, BlueStar88 wrote:

> Postfix in fact does already host-certificate checks in both
> directions/roles, which results in "Trusted TLS connections
> established from/to ..." in the optimum case.

What would the server do differently with a client certificate than
without?  You want access control based on a client name? Which
name?  (Certificates can have many subjectAlternativeName values).

> Inbound-wise (smtpd) I'm able to set "none", "may" and "encrypt"
> as "smtpd_tls_security_level".

The server has no secure reference identity for the client, and thus
cannot perform PKIX name checks.  Therefore "secure", "verify" and
"dane" are not applicable.  The "check_cccert_access" feature can
do access control based on client certificate fingerprints.

> What exactly is the point on having a complete certificate check
> on inbound connections and being not able to make any use of it?

Not much, I generally recommend an empty CA list.  However, you
can use CAs with:

    http://www.postfix.org/postconf.5.html#smtpd_tls_req_ccert
    http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts

> Many large email providers and commercial organisations have a
> provable host certificate in their MTA's client-role in place, just
> waiting to make a strict use of, if someone likes to.

SMTP is not like HTTPS, and CA issued certificates are of little
use in SMTP:

http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10#section-1.3

> My proposal is to extend the ability to set the same strictness
> schemes to inbound connections as well.

What concretely would you do?  Wishful thinking is all well and good,
but reality means that a design has to work and deliver some benefits
to justify its costs.

> I'd like to setup a Trusted-only MTA for a special domain. My
> strong wish is, that both directions are validated at the
> verify/secure/fingerprint level by myself, to have a sort of basic
> proven integrity from my perspective as result.

You can use check_ccert_access, provided you're provisioning the
keys on both ends.

-- 
        Viktor.

Reply via email to