Wietse Venema:
> Chris Bamford:
> > Hello,
> > 
> > I would like to know how Postfix handles client certificates for delivery
> > i.e. when it makes a remote connection to deliver email.
> > 
> > Is it possible to control the certificate that is used per domain?
> 
> The client certificate is a Postfix SMTP client setting; the
> certificate will be used for all email deliveries by that Postfix
> SMTP client.
> 
> The following example uses one Postfix SMTP client per sender domain,
> each Postfix SMTP client having its own client certificate:
> 
> /etc/postfix/main.cf:
>     sender_dependent_default_transport_maps = 
>       hash:/etc/postfix/sender_transport 
>       # In case you need a cert for all other deliveries.
>       # static:/etc/postfix/default-cert/pem
> 
> /etc/postfix/sender_transport:
>     # Searched by sender email address and @domain.
>     @example.com        smtp-example-com
>     @example.org        smtp-example-org
>     ...
> 
> /etc/postfix/master.cf:
>     smtp-example-com .. .. .. .. .. .. .. smtp
>         -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
>     smtp-example-org .. .. .. .. .. .. .. smtp
>         -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
>     ...
> 
> To make this more scalable, the Postfix SMTP client would need the
> opposite of tls_server_sni_maps, to dynamically choose the client
> certificate based on the sender info.

I suppose that each client certificate will be valid only with a
specific host, so you would have to update the sender_transport
table to return a transport:nexthop result.

/etc/postfix/main.cf:
    sender_dependent_default_transport_maps =
      hash:/etc/postfix/sender_transport
      # In case you need a cert for all other deliveries.
      # static:/etc/postfix/default-cert/pem

/etc/postfix/sender_transport:
    # Searched by sender email address and @domain.
    # Returns transport:nexthop.
    @example.com        smtp-example-com:relayhost-for-example.com
    @example.org        smtp-example-org:relayhost-for-example.org
    ...

/etc/postfix/master.cf:
    smtp-example-com .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
    smtp-example-org .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
    ...

>       Wietse
> 
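As an added example (not part of Wietse's post, nor Postfix's own tooling): a POSIX shell script that drives both of the files above from one domain list, emitting the sender_transport table with a transport:nexthop result per sender domain and one master.cf smtp client clone per domain with its own client certificate, and then checks that every transport the table names actually has a master.cf entry. Hostnames and certificate paths are constructed placeholders. The smtp_tls_security_level=secure line is my addition to the post's configuration: a client certificate is only ever presented inside a TLS session, so without a security level on the clone the certificate would never be used, and "secure" additionally verifies the relayhost's own certificate against the CAs in smtp_tls_CAfile.

```shell
#!/bin/sh
# Added example, not from the postfix-users post or from Postfix itself.
# One domain list drives both files: the sender_transport table
# (transport:nexthop per sender domain) and one master.cf smtp client
# clone per domain, each carrying its own client certificate.
# Hostnames and certificate paths below are constructed placeholders.

# Constructed input: "sender-domain relayhost client-cert-pem" per line.
DOMAINS='example.com relayhost-for-example.com /etc/postfix/example-com-cert.pem
example.org relayhost-for-example.org /etc/postfix/example-org-cert.pem'

# master.cf service name for a domain: "smtp-" plus the domain, dots as dashes.
transport_name() {
    printf 'smtp-%s\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# sender_transport table, one "@domain<TAB>transport:nexthop" line per domain.
# Pairing the transport with its relayhost here is what ties each client
# certificate to the one host that accepts it.
gen_sender_transport() {
    printf '%s\n' "$DOMAINS" | while read -r domain relayhost cert; do
        [ -n "$domain" ] || continue
        printf '@%s\t%s:%s\n' "$domain" "$(transport_name "$domain")" "$relayhost"
    done
}

# master.cf entries: a clone of the stock smtp client per domain.
# smtp_tls_key_file defaults to smtp_tls_cert_file, so a PEM holding both
# certificate and private key needs only the one -o setting (keep that file
# readable by root only). The security level is set per clone because a
# client certificate is only sent inside a TLS session; "secure" also
# verifies the relayhost's certificate against the trusted CAs.
gen_master_entries() {
    printf '%s\n' "$DOMAINS" | while read -r domain relayhost cert; do
        [ -n "$domain" ] || continue
        t=$(transport_name "$domain")
        printf '%s unix - - n - - smtp\n' "$t"
        printf '  -o smtp_tls_cert_file=%s\n' "$cert"
        printf '  -o smtp_tls_security_level=secure\n'
    done
}

# Consistency check: every transport named in the table must exist in
# master.cf, otherwise mail for that sender domain is deferred because the
# queue manager cannot connect to the missing service. Prints the missing
# names and returns 1 if there are any.
check_transports() {
    table=$1
    master=$2
    missing=0
    for t in $(awk -F'\t' '{ split($2, a, ":"); print a[1] }' "$table"); do
        grep -q "^$t " "$master" || {
            echo "sender_transport names $t but master.cf has no such service" >&2
            missing=1
        }
    done
    return $missing
}

# Usage: "sh thisscript.sh render /some/dir" writes both files there for
# review; after copying into /etc/postfix, run
# "postmap hash:/etc/postfix/sender_transport" to build the lookup table.
if [ "${1:-}" = "render" ]; then
    out=${2:-.}
    gen_sender_transport > "$out/sender_transport"
    gen_master_entries > "$out/master.cf.smtp-clones"
    check_transports "$out/sender_transport" "$out/master.cf.smtp-clones"
fi
```

The check matters more than the generator: a sender_transport entry that points at a clone nobody defined in master.cf does not fall back to the default smtp client, it stalls that domain's mail in the deferred queue, so run it every time the domain list changes.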
