On 1 Feb 2016, at 13:39, Haravikk wrote:
> Hi there,
> I’m trying to configure client certificate authentication such that
> it is only required for users (with valid username/password) when
> sending e-mail *from* my mail server.
> However, setting smtpd_tls_req_ccert = yes causes postfix to request a
> certificate from all incoming connections, including mail servers that
> are attempting to deliver mail.
> Is there a way to enable client certificates only for auth
> connections? I’ve already set smtpd_tls_auth_only = yes, but I’m
> not sure how to enable client certificates only for senders, without
> causing incoming messages to also be blocked.

Modern best practice for Internet email is to split mail transport and
initial message submission into distinct services: SMTP (RFC5321 and its
ancestors) on TCP port 25 and Message Submission (RFC6409 and its
ancestors) on port 587. If you do this, you can require certificates for
the port 587 submission service and not for the port 25 SMTP service. In
many cases (i.e. if not providing authenticated relay for mail submitted
elsewhere) a system with independent transport and submission services
need not allow authentication at all on the port 25 service.
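One way to check that the split described above is actually in place, as an added example that is not part of the thread: a small script that parses a constructed master.cf excerpt (the service entries and `-o` overrides are in real Postfix syntax, and the parameter names are real Postfix parameters, but the excerpt itself is constructed here) and flags the original poster's problem, a client-certificate requirement that leaks onto the port 25 transport service.

```python
import re

# Constructed master.cf excerpt (not from the thread): the smtp service on port
# 25 inherits main.cf and stays opportunistic; the submission service on port
# 587 overrides it to require a trusted client certificate plus SASL.
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
# Constructed main.cf settings that every smtpd inherits unless overridden.
MAIN_CF = {"smtpd_tls_security_level": "may", "smtpd_tls_auth_only": "yes"}

def parse_master_cf(text):
    """Return {service: {param: value}} of -o overrides for each inet service.
    Indented continuation lines belong to the preceding service entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line: "-o name=value"
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        current = fields[0] if len(fields) >= 8 and fields[1] == "inet" else None
        if current is not None:
            services[current] = {}
    return services

def check_ccert_split(master_text, main_cf=None):
    """Report whether the client-cert requirement is confined to submission.
    An empty list means port 25 stays open to other MTAs and 587 needs a cert."""
    main_cf = main_cf or {}
    svc = parse_master_cf(master_text)
    def effective(service, param):  # service override, else main.cf, else "no"
        return svc.get(service, {}).get(param, main_cf.get(param, "no"))
    findings = []
    if effective("smtp", "smtpd_tls_req_ccert") == "yes":
        findings.append("smtp: smtpd_tls_req_ccert=yes on port 25 rejects inbound MTAs")
    if effective("submission", "smtpd_tls_req_ccert") != "yes":
        findings.append("submission: client certificate not required")
    elif effective("submission", "smtpd_tls_security_level") != "encrypt":
        findings.append("submission: smtpd_tls_req_ccert needs security_level=encrypt")
    return findings
```

Run against a main.cf that sets smtpd_tls_req_ccert = yes globally, the check reproduces the poster's symptom as a finding on the smtp service; the certificate is still only accepted if it verifies against the CA configured via smtpd_tls_CAfile or smtpd_tls_CApath.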