Tom,

I've been following this thread and also not clear on your
objectives.  See inline.

In message <CAFMGiz844nczM041=-t49+mayvvz+svmynme8smx6q+zfsh...@mail.gmail.com>
Tom Browder writes:
> 
> On Mon, Mar 7, 2016 at 10:57 PM, Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> > On Mon, Mar 07, 2016 at 08:30:54PM -0600, Tom Browder wrote:
> >> On Mon, Mar 7, 2016 at 5:13 PM, Viktor Dukhovni
> >> <postfix-us...@dukhovni.org> wrote:
> >> > On Mon, Mar 07, 2016 at 03:18:11PM -0600, Tom Browder wrote:
> >> >> I have a server with several vhosts.  I am working on providing mail
> >> >> services to each with TLS.  I have server CA certs and unlocked keys
> >> >> for each individual vhost.
> >> >
> >> > When you say "vhost", what do you mean?
> >>
> >> Virtual hosts.
> >
> > Gee thanks, but I'm not that thick...
>  
> I certainly don't think that, Viktor--please pardon me if you think I
> was being insulting.  I clearly was not even thinking about the
> several types of virtual hosts.  I am running multiple virtual hosts
> on a single, real Apache server.  I have a fair amount of experience
> with TLS and Apache but none with TLS and Postfix, so please forgive
> my apparently stupid questions.
>  
> > [ref] smtpd_tls_CApath seems
> >> > No, that's mostly for verifying client certs and has very little
> >> > to do with server certificates.
>  
> > So what exactly is your question then?
> ...

HTTP and SMTP work quite differently with regard to TLS.

With HTTP the server cert is provided after HTTP identifies which
virtual host it thinks it's talking to.  The IP address alone gives no
clue.  That connection is then used only for that virtual host.  This
is why you can have a TLS cert per vhost (aka DNS domain).

With SMTP the server indicates it is willing to do TLS with the
STARTTLS command, TLS is set up and then mail is exchanged.  The MX
server can exchange mail for multiple domains using the same
connection.  The cert is therefore tied to the MX server, not the
domain(s) it is serving.

> >> As it stands, I have an MX record for each virtual host, each pointing
> >> to the "real" host.
> >
> > What's a "virtual host" again?  Just multiple domains sharing a
> > common MX record?  Then you only need one certificate.
>  
> Good deal.
>  
> >> Right now I'm just trying to get smtp access from my local host and
> >> would like to use TLS and client certs.
> >
> > This is too vague to mean anything.
>  
> Okay, here is my objective:
>  
> 1. Use ONE Postfix instance running on my remote server which has full
> presence on the Internet with official domain names for several Apache
> virtual hosts.  (Postfix is running apparently successfully.  I have
> Cyrus SASL working when I access the smtpd while logged on the server
> and can get a good telnet connection.)

OK.  Multiple domains.  Fine so far.  Mail delivered to what?

> 2. Use my local host (with dynamic IP) to send mail (but not receive
> mail) via the remote Postfix smtpd. (That is not working at the moment
> [connection refused], but I am still tweaking Postfix variables.)

Set up an smtpd mail submission agent (MSA) on port 587 and use TLS
and SASL on that.  Without client certs use
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
to avoid snooping on the fairly weak SASL auth.

If you have a client cert (can be self signed) also use (on your MSA)
smtpd_tls_CAfile=path-to-CA-file
smtpd_tls_req_ccert=yes
smtpd_tls_security_level=encrypt

As Viktor pointed out, look at the examples.  Your home machine is a
"null client".  Your remote server is not a "null client" but if set
up that way then you would get "connection refused".

You need two instances of smtpd.  One on port 587 (MSA) and a mail
transfer agent (MTA) on port 25 which is where the MX record points to.
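Put together, the two-listener layout described above looks like the following.  This is an added illustration, not configuration from the thread or from the Postfix project's documentation; the certificate and CA paths, the relay_clientcerts-free use of permit_tls_all_clientcerts, and the syslog_name override are assumptions chosen for the example.  Postfix does not allow trailing comments in main.cf or master.cf, so every comment sits on its own line.

```conf
# ---- main.cf (port 25 MTA defaults) -------------------------------
# One server cert for the MX host; all hosted domains share it.
smtpd_tls_cert_file = /etc/postfix/ssl/mx.example.com.crt
smtpd_tls_key_file  = /etc/postfix/ssl/mx.example.com.key
# Opportunistic TLS for inbound MX traffic (other MTAs may not offer it).
smtpd_tls_security_level = may
# Never announce AUTH on the MX listener; only the MSA takes logins.
smtpd_sasl_auth_enable = no
# Belt and braces: even if AUTH were enabled, offer it only inside TLS.
smtpd_tls_auth_only = yes

# ---- master.cf (port 587 MSA, overrides the main.cf defaults) -----
# Service  type  private unpriv chroot wakeup maxproc command
submission inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_CAfile=/etc/postfix/ssl/client-ca.crt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_all_clientcerts,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_all_clientcerts,reject
```

The weak layout the thread warns against is the same smtpd on port 25 with smtpd_sasl_auth_enable=yes, smtpd_tls_security_level=may and smtpd_tls_auth_only=no: a client that skips STARTTLS can then send its SASL credentials in the clear.  The submission entry above refuses AUTH unless the session is already encrypted (encrypt plus auth_only), and the MX listener never offers AUTH at all.  permit_tls_all_clientcerts accepts any client certificate that chains to client-ca.crt; to restrict access to specific certificates instead, use permit_tls_clientcerts with a relay_clientcerts fingerprint table.  After editing, run `postfix reload` and check with `openssl s_client -starttls smtp -connect mx.example.com:587` that AUTH is advertised only after STARTTLS.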

> I want to be able to access the smtpd remotely via local lost smtp
> clients and plan to use a client cert for access and TLS for the
> connection.  The desired local smtp client is Net::SMTP available with
> Perl 6.

local lost smtp clients?

Good - client certs.  Set up a MSA on port 587.

> If that objective is not possible, please suggest the correct path
>  
> Thank you for your patience with a Postfix dummy.
>  
> Best regards,
>  
> -Tom

Fine so far but you haven't said what you expect the postfix MX to do
with received mail.  You have a few choices.

Relay it per domain (easy - use transport_maps).

Deliver it locally?  Easy but t...@domain1.example.com and
t...@domain2.example.com end up in the same mailbox (ie: tom, typically
delivered to /var/mail/tom).

Set up multiple IMAP server domains?  See
http://www.cyrusimap.org/docs/cyrus-imapd/2.4.8/install-virtdomains.php
(for example).

Something else?  If so what?

Either way take a look at http://www.postfix.org/VIRTUAL_README.html
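The "relay it per domain" choice above, as an added example that is not from the thread or from VIRTUAL_README; the domain names and the per-domain destination hosts are constructed placeholders.

```conf
# ---- main.cf ------------------------------------------------------
# Accept mail for these domains on the MX, but do not deliver locally.
relay_domains = domain1.example.com, domain2.example.com
# Route each relay domain to its own downstream host.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport ---------------------------------------
# domain                   transport:[nexthop]
# Square brackets mean "connect to this host, do not look up its MX".
domain1.example.com        smtp:[store1.example.net]
domain2.example.com        smtp:[store2.example.net]
# Anything not listed falls back to normal MX routing.
```

Build the lookup table with `postmap /etc/postfix/transport` and then `postfix reload`.  Keeping the domains in relay_domains rather than mydestination is what avoids the collision the reply describes, where tom@domain1 and tom@domain2 would otherwise both land in /var/mail/tom; each domain's mail reaches its own downstream mailbox host instead.  Because relay_domains makes the MX accept mail it cannot itself verify, keep relay_recipient_maps populated (or let the downstream hosts reject unknown users promptly) so the MX does not become a source of backscatter.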

Hope this helps.

Curtis
