On Tue, Jul 29, 2014 at 11:42:01AM +0200, Atze Zitman wrote:

> According to the Postfix TLS Readme there are 3 ways to configure the
> server-side to support access control:
>
> * permit_tls_clientcerts
> * permit_tls_all_clientcerts
> * check_ccert_access type:table
>
> But these three options are only configurable for the configuration property:
>
> * smtpd_client_restrictions

As Wietse pointed out, also with
smtpd_{helo,sender,relay,recipient,data,end_of_data}_restrictions.

> This property will trigger the verification at the time the connection is
> established with the client.

No, by default "smtpd_delay_reject = yes", and thus no restrictions are
evaluated before "RCPT TO", at which point each of smtpd_client_restrictions,
smtpd_helo_restrictions, smtpd_sender_restrictions, smtpd_relay_restrictions,
smtpd_recipient_restrictions is evaluated in turn for *each* recipient.

> This is useful when you support SSL (SMTPS
> or SSMTP), but not when you are using StartTLS.

A false premise yields a false conclusion. Don't set "smtpd_delay_reject = no",
and (almost) all the restrictions are available for use with all the built-in
restriction classes, the exception being that recipient address checks don't
work at the data and end_of_data stages.

> I actually created a policy daemon and used the "check_ccert_access
> type:table" for "smtpd_client_restrictions". That way I was able to confirm
> that postfix was at CONNECT state, and no client certificate information
> was available.

Perhaps you set "smtpd_delay_reject = no". In that case, if there is good
reason to do so, use "check_ccert_access" in "smtpd_recipient_restrictions"
or "smtpd_relay_restrictions" (Postfix 2.10 or later IIRC).

> The only alternative I have is to use my policy daemon, and verify the
> authentication at the first "MAIL FROM" (MAIL STATE). At this point I am
> rejecting the sender address, based on the authentication. But I would
> like to reject the client right after the TLS negotiation.

False premise, false conclusion. However, early reject (before RCPT TO) is
unwise, since your logs won't contain any sender or recipient information
about the rejected clients. It is far preferable to not reject early.
Also many systems will not bounce mail when the server returns 5XX before
"MAIL FROM". Thus the client will keep on trying until the message expires.
This is a bad idea.

> Is this possible? Otherwise, can I request this as a feature? (How? Where?)

You're asking the wrong questions.

> So instead of:
> openssl s_client -connect localhost:25 -starttls smtp -cert cert.crt -key
> key.pem -ign_eof
> ----
> 250 DSN
>
> I would like:
> openssl s_client -connect localhost:25 -starttls smtp -cert cert.crt -key
> key.pem -ign_eof
> ----
> 535 5.7.8 Error: authentication failed: authentication failure

Actually, if you knew what this entailed, you would not want this. What you
really want is to reject at "RCPT TO".

-- 
	Viktor.
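A worked configuration for what Viktor recommends above: leave smtpd_delay_reject at its default and gate relaying on the client certificate fingerprint via check_ccert_access in smtpd_relay_restrictions. This is an added example, not from the original thread or the Postfix project; the certificate/key file paths, the table path and the fingerprint value are placeholders.

```conf
# /etc/postfix/main.cf fragment (added example; paths and fingerprint are
# placeholders, not values from the original thread)

# Offer STARTTLS and ask the client for a certificate. "may" keeps
# plaintext sessions possible; the relay restriction below is what
# actually decides who may relay.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = /etc/postfix/server.key
smtpd_tls_ask_ccert = yes

# check_ccert_access keys its lookup on the certificate fingerprint in this
# digest. Set it explicitly: Postfix releases before 3.6 default to md5.
# Fingerprint lookups do not require the certificate to chain to a trusted
# CA; the fingerprint itself is the trust anchor.
smtpd_tls_fingerprint_digest = sha256

# Keep the default. Restrictions then run at RCPT TO, so the client
# certificate, sender and recipient are all known and logged together,
# and a rejection is a normal 5XX at RCPT that clients bounce properly.
smtpd_delay_reject = yes

# Postfix 2.10 and later: relay policy lives in smtpd_relay_restrictions.
# A client whose fingerprint is in the table gets "OK" and may relay;
# anyone else who is not on mynetworks or SASL-authenticated is refused
# at RCPT TO by reject_unauth_destination (554 Relay access denied).
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_ccert_access hash:/etc/postfix/relay_ccerts
    reject_unauth_destination

# /etc/postfix/relay_ccerts (added example; build it with
#   postmap hash:/etc/postfix/relay_ccerts
# after every change). Key: the client certificate fingerprint in the
# digest chosen above, colon-separated hex as printed by
#   openssl x509 -in client.crt -noout -fingerprint -sha256
# Value: the access action. The fingerprint below is a placeholder.
00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F OK
```

After `postmap` and `postfix reload`, the `openssl s_client -starttls smtp` session from the thread can be used to test: a presented certificate whose fingerprint is in the table is allowed through RCPT TO to an outside destination, while any other client is refused at RCPT TO with the sender and recipient already in the log line, which is the behaviour Viktor argues for instead of a reject right after the TLS handshake.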