On Wed, Jan 05, 2022 at 04:10:26AM -0500, Ruben Safir <ru...@mrbrklyn.com> wrote:
> > > > > > > > /etc/postfix/main.cf: > > > > smtpd_sasl_type = dovecot > > > > smtpd_sasl_path = private/auth > > > > > > Can't this be done with tls withouth dovecot or sasl? > > > > Authentication is needed by Dovecot for IMAP access > > to read email. So it should be available for use by > > Postfix as well. > > > > Authentication should also be required by Postfix for > > submission of email from remote clients like > > Thunderbird. The only typical exception to that would > > be when the Thunderbird clients are on a "trusted" > > network, and so their IP address can take the place of > > SASL authentication in order for Postfix to decide that > > it's OK to accept mail from them to be relayed to the > > outside world. Some would argue that SASL > > authentication should always be used whenever possible. > > > > However, even though TLS (usually) only verifies the > > identity of the server, rather than authenticating the > > client, it can do that as well, by using client > > certificates in addition to the server certificate. See > > http://www.postfix.org/TLS_README.html for details. > > Thank you > > > So yes, you should be able to replace uses of > > permit_sasl_authenticated in various parameters > > with "smtpd_tls_req_ccert = yes" as -o option > > override in master.cf for your submission service. > > I'm sure there's more to it, but the TLS_README > > should help. > > smtpd_tls_ask_ccert = yes > > is on - so it is asking for client certificates? > But that is really not authetication, if I understand things. It's asking for them (from all clients, even for remote mail servers sending you mail which isn't helpful), but it's only asking, not requiring. It's better to require them for the submission service in master.cf and then match the client certificates against a list of known fingerprints. Then I think it counts as authentication, in the sense that you know that your users are using expected client certificates, rather than using expected usernames and passwords. > > > I tried to do this and I get this error > > > > > > An error occurred while sending mail: Outgoing server (SMTP) error. The > > > server responded: TLS not available due to local problem. > > > > The Postfix server's logfile should contain more information > > about what the local problem was. > > FWIW, the error ended up being that there was no cache database Well done fixing it. > First I needed to create a pem file > /etc/postfix/tls/smtpd.pem which is a selft signed certificate and key > > > root readable only > www2:/etc/postfix/tls # ls -al > total 12 > drwx------ 2 root postfix 4096 Jan 3 14:06 . > drwxr-xr-x 4 root root 4096 Jan 3 14:47 .. > -r-------- 1 root root 1998 Jan 3 11:27 smtpd.pem > > > and I had to create the cache database in /var/spool/postfix > > queue_directory = /var/spool/postfix > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache As I said earlier, you should use $data_directory rather than $queue_directory (as of Postfix 2.5), but I think Postfix logs a warning and creates the databases in $data_directory anyway. Also, smtpd_tls_session_cache_database is not needed anymore (since Postfix 2.11), and should be left blank. http://www.postfix.org/postconf.5.html#smtpd_tls_session_cache_database And you already had smtp_tls_session_cache_database set (but that's only for outgoing mail). So it seems odd that creating smtpd_tls_session_cache_database (which is no longer needed) would have fixed your problem. But as long as it's working now, that's the main thing. :-) cheers, raf
