Thank you Wietse for your reply. The only real problem is clear communication to the client.

I will always validate the sender address. When the client is authenticated, it is validated differently than when the client is not authenticated (using policyd). For example:

* An unauthenticated user must use an external (unknown) domain for the sender address.
* An authenticated user must use a local (known) domain for the sender address.

When client certificate authentication fails, the client gets no feedback about this, but does get rejected, stating that he is using an invalid domain in the sender address. This is very misleading as to the real problem: wrong or expired credentials.

Of course, if we enabled SASL authentication (not an option in my case), this situation would not occur, because the client gets a reject based on the failed credentials before the sender address is provided.

Regards,
Atze Zitman

-----Original message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Wietse Venema
Sent: Tuesday, 29 July 2014 13:17
To: Postfix users
Subject: Re: Can Postfix verify client certificate fingerprint when supporting StartTLS?
Priority: Low

Atze Zitman:
> Hello everyone,
>
> I hope I have the correct mailing list for my question. Initially I
> asked this question at:
> http://stackoverflow.com/questions/24999580/can-postfix-verify-client-
> certificate-fingerprint-when-supporting-starttls
>
> According to the Postfix TLS Readme there are 3 ways to configure the
> server-side to support access control:
> * permit_tls_clientcerts
> * permit_tls_all_clientcerts
> * check_ccert_access type:table
>
> But these three options are only configurable for the configuration property:
> * smtpd_client_restrictions

As documented they are also available for smtpd_{helo,sender,recipient,data,end_of_data}_restrictions.

> The only alternative I have, is to use my policy daemon, and verify
> the authentication at the first "MAIL FROM" (MAIL STATE). At this
> point I am rejecting the sender address, based on the authentication.
> But I would like to reject the client right after the TLS negotiation.

Why? What problem are you trying to solve? Please explain the problem instead of the solution (reject client immediately after the TLS handshake).

	Wietse
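As an added worked example, not configuration from the thread, from Atze's setup or from the Postfix documentation: a main.cf fragment that follows Wietse's pointer and puts check_ccert_access into smtpd_sender_restrictions, so that a client with an unknown certificate that tries a local sender domain is rejected with a message naming the certificate as the cause rather than the domain. The sender restrictions are evaluated only after STARTTLS has completed, so the certificate fingerprint is available to them; with smtpd_delay_reject left at its default of yes they would only run at RCPT TO, which is why it is set to no here. The domain example.com, the table paths, the fingerprint and the reject texts are placeholders assumed for the example.

```ini
# /etc/postfix/main.cf (added example; example.com, the table paths and the
# fingerprint below are placeholders, not values from the thread)

# Offer STARTTLS and ask the client for a certificate. A client that presents
# none, or one that does not verify, is not dropped at the handshake; the
# restriction lists below decide what it may do.
smtpd_tls_security_level     = may
smtpd_tls_cert_file          = /etc/postfix/ssl/server.pem
smtpd_tls_key_file           = /etc/postfix/ssl/server.key
smtpd_tls_ask_ccert          = yes
smtpd_tls_fingerprint_digest = sha256

# By default every restriction list is evaluated at RCPT TO. Evaluating as early
# as possible makes smtpd_sender_restrictions run at MAIL FROM, which is where
# the client should hear why it is being rejected.
smtpd_delay_reject = no

# A client whose certificate fingerprint is listed in relay_clientcerts is
# handed to the cert_client_sender_policy restriction class. Everyone else
# falls through to the unauthenticated rule: a local sender domain is refused
# with a message that names the missing/unknown certificate as the reason.
smtpd_sender_restrictions =
    check_ccert_access hash:/etc/postfix/relay_clientcerts,
    check_sender_access hash:/etc/postfix/local_domains_need_ccert,
    permit

smtpd_restriction_classes = cert_client_sender_policy

# Known certificate: the sender domain has to be local. The regexp table at the
# end is a catch-all that rejects any other sender with a specific message.
cert_client_sender_policy =
    check_sender_access hash:/etc/postfix/local_sender_domains,
    check_sender_access regexp:/etc/postfix/reject_nonlocal_sender

# ---------------------------------------------------------------------------
# /etc/postfix/relay_clientcerts      (build with: postmap /etc/postfix/relay_clientcerts)
# Key: SHA-256 fingerprint of the client certificate, in the colon-separated
# form printed by:  openssl x509 -in client.pem -noout -fingerprint -sha256
# Value: the restriction class to apply to that client. Placeholder fingerprint:
#
#   AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89   cert_client_sender_policy

# /etc/postfix/local_sender_domains   (postmap)
#
#   example.com   OK

# /etc/postfix/local_domains_need_ccert   (postmap)
#
#   example.com   554 5.7.1 Sender domain example.com requires a known client certificate

# /etc/postfix/reject_nonlocal_sender   (regexp table, no postmap needed)
#
#   /./   554 5.7.1 Clients presenting a client certificate must use a local sender address
```

Two things to keep in mind when adapting this. First, check_ccert_access is keyed on the fingerprint of the certificate the client presented; postconf(5) documents that only Postfix 2.2 additionally required the certificate to verify, so a listed certificate that has expired still matches this lookup, and expiry has to be enforced elsewhere if that matters. Second, the class name returned by the relay_clientcerts table has to appear in smtpd_restriction_classes, and all three hash: tables need a postmap run after editing, otherwise the lookup silently finds nothing and the client falls through to the unauthenticated rule.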