On Sun, Nov 24, 2019 at 09:45:20PM +0100, Lars Kollstedt wrote:

> We've someone running 
> 
> smtpd_tls_received_header=yes
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath=/etc/ssl/certs
> 
> on his Postfix MX servers in our nearer environment, but I don't want
> to maintain a list of all his domains to present the client
> certificate there. 
> 
> But I understand the wish to also cryptographically verify this
> direction. So I would like to make his servers log the
> verification of the client certificate: "I've cryptographically sure got
> the mail from that host."
> 
> At the moment it's a single MX server name on the other end but a
> bunch of domains. And since the transport map is working on domain
> names prior to the MX lookup (at least as far as I know) this is not
> an option.

Humouring the curiosity of that particular receiving system is not
worth the complexity of attempting to keep track of the associated
domains, or presenting client certs to all strangers who ask and then
inventing a complex fallback scheme in case they fumble the resulting
handshake.

Your best bet is to simply not configure any client certs; you don't
need them to get the mail delivered.

Yes, Postfix could in principle have late binding of client certificates
by MX hostname (a dual to SNI-based certificate selection on the server).
It is not clear that there is sufficient merit in such a feature.

-- 
    Viktor.
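As an added example that is not part of this thread, the following Python classifies the client-certificate status that a Postfix smtpd running the quoted settings (smtpd_tls_received_header=yes, smtpd_tls_ask_ccert=yes) records in its own Received: header, which is the receiving-side logging asked about above. The sample headers are constructed; host names, addresses and the CA name are placeholders.

```python
import re
from typing import Dict, Optional

# Postfix smtpd (smtpd_tls_received_header=yes) appends these comments to its own
# Received: header. "(Client did not present a certificate)" is written only when
# smtpd_tls_ask_ccert=yes was set; without it Postfix writes "(No client certificate requested)".
USING_RE = re.compile(r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)")
CCERT_RE = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
                      r"\((?P<status>verified OK|not verified)\)\)")

def classify_received(header: str) -> Dict[str, Optional[str]]:
    """Classify the TLS and client-certificate status recorded in one Received: header."""
    text = " ".join(header.split())            # unfold RFC 5322 continuation lines
    info: Dict[str, Optional[str]] = {"tls": None, "cipher": None, "client_cn": None,
                                      "issuer": None, "client_cert": "plaintext"}
    m = USING_RE.search(text)
    if not m:                                  # no TLS comment at all: plain SMTP
        return info
    info["tls"], info["cipher"] = m.group("proto"), m.group("cipher")
    c = CCERT_RE.search(text)
    if c:                                      # cert presented; "verified OK" only if it chained to smtpd_tls_CApath
        info["client_cn"], info["issuer"] = c.group("cn"), c.group("issuer")
        info["client_cert"] = "verified" if c.group("status") == "verified OK" else "untrusted"
    elif "(Client did not present a certificate)" in text:
        info["client_cert"] = "none_presented"
    elif "(No client certificate requested)" in text:
        info["client_cert"] = "not_requested"
    else:
        info["client_cert"] = "unknown"
    return info

# Constructed sample headers in the Postfix format; host names, addresses and CA are placeholders.
SAMPLE_HEADERS = [
    'Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n'
    '\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n'
    '\t(Client CN "mx1.example.org", Issuer "Example CA" (verified OK))\n'
    '\tby mx.example.net (Postfix) with ESMTPS id 4ABCDEF12345',
    'Received: from relay.example.com (relay.example.com [198.51.100.7])\n'
    '\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n'
    '\t(Client did not present a certificate)\n'
    '\tby mx.example.net (Postfix) with ESMTPS id 4ABCDEF12346',
    'Received: from legacy.example.com (legacy.example.com [203.0.113.5])\n'
    '\tby mx.example.net (Postfix) with ESMTP id 4ABCDEF12347',
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = classify_received(h)
        print(f"{r['tls'] or 'no TLS':8} client_cert={r['client_cert']:15} cn={r['client_cn']}")
```

Only the Received: header written by your own MX is trustworthy; earlier hops' headers arrive from the sender, so filter on the `by` host before counting results.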
