On 2/1/2016 12:39 PM, Haravikk wrote:
> Hi there,
> 
> I’m trying to configure client certificate authentication such that it is 
> only required for users (with valid username/password) when sending e-mail 
> *from* my mail server.
> 
> However, setting smtpd_tls_req_ccert = yes causes postfix to request a 
> certificate from all incoming connections, including mail servers that are 
> attempting to deliver mail.
> 
> Is there a way to enable client certificates only for auth connections? I’ve 
> already set smtpd_tls_auth_only = yes, but I’m not sure how to enable client 
> certificates only for senders, without causing incoming messages to also be 
> blocked.
> 
> Thanks,
> Haravikk
> 

The TLS connection happens well before postfix knows if the client
intends to send AUTH, so what you ask is not possible.

This is why it's recommended to enable AUTH only on port 587
submission, and not on the general-use port 25 smtpd.

If you restrict AUTH to only port 587, it's easy to add
"-o smtpd_tls_req_ccert=yes" to the master.cf submission entry.



  -- Noel Jones

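The split described in the reply above, as an added configuration example that is not part of the original thread: the port 25 smtpd keeps opportunistic TLS and no AUTH, while the submission service on 587 enforces TLS, requires a trusted client certificate (which implies asking for one), and only then offers AUTH. The file paths, the CA file and the chroot column are placeholders, not values from the thread; the CA that issued the users' certificates must be in smtpd_tls_CAfile or the certificate will not count as "trusted".

```conf
# main.cf: defaults for every smtpd instance, i.e. the port 25 MX listener.
# Other MTAs rarely present client certificates, so nothing is required here.
# Postfix only treats '#' as a comment at the start of a line.
smtpd_tls_security_level = may
# hypothetical paths
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = /etc/postfix/server.key
# CA that issued the users' client certificates (hypothetical path)
smtpd_tls_CAfile = /etc/postfix/client-ca.pem
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
smtpd_sasl_auth_enable = no

# master.cf: the submission service overrides those defaults with -o.
# No spaces around '=' or inside an -o value; chroot column is site-specific.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

Verify with `postconf -n` (port 25 defaults) and `postconf -M submission/inet` (the overrides actually in effect), then reload. A handshake such as `openssl s_client -starttls smtp -connect mail.example:587 -cert user.pem -key user.key` should be logged server-side as a "Trusted TLS connection established", after which AUTH is offered; a client on 587 without a certificate from that CA is disconnected before AUTH, while delivery on port 25 is unaffected.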