On Thu, Jan 06, 2022 at 02:09:45PM +1100, raf wrote:

> > is on - so it is asking for client certificates?
> > But that is really not authetication, if I understand things.
> 
> It's asking for them (from all clients, even for remote
> mail servers sending you mail which isn't helpful), but
> it's only asking, not requiring. It's better to require
> them for the submission service in master.cf and then
> match the client certificates against a list of known
> fingerprints.

I don't think that requiring client certs is a best practice.  It
precludes concurrent use of alternative authentication methods. Just
asking is generally enough.

Authorisation then happens via some combination of:

    www.postfix.org/postconf.5.html#check_ccert_access
    http://www.postfix.org/postconf.5.html#permit_tls_clientcerts
    www.postfix.org/postconf.5.html#relay_clientcerts

Some clients may only present their certificates when the issuing CA
subject DN appears in the server's client cert solicitation.  The
Postfix server solicitation will list the CA subject names in
smtpd_tls_CAfile.  This should ideally be separately configurable,
with smtpd_tls_CAfile as the default source.

> > queue_directory = /var/spool/postfix
> > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> 
> As I said earlier, you should use $data_directory
> rather than $queue_directory (as of Postfix 2.5),
> but I think Postfix logs a warning and creates the
> databases in $data_directory anyway.

Best to not rely on the "helpful" redirect, the configuration should
match actual behaviour.

-- 
    Viktor.

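As an added worked example (not part of Viktor's message or of the Postfix project's own documentation), this is how the ask-but-don't-require setup described above looks in Postfix configuration, with SASL and client-certificate authorisation coexisting on the submission service; the file paths, CA file name, hostname and fingerprint are constructed placeholders.

```conf
# /etc/postfix/master.cf (excerpt): submission asks for a client certificate
# but does not require one, so SASL keeps working for clients without a cert.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject

# /etc/postfix/main.cf (excerpt)
# The subject DNs of the CAs in this file are advertised in the server's
# client-certificate request; some clients only present a certificate when
# their issuing CA appears in that list.
smtpd_tls_CAfile = /etc/postfix/tls/client-ca.pem   # placeholder path
# Fingerprints in the lookup tables below must use this digest.
smtpd_tls_fingerprint_digest = sha256
# permit_tls_clientcerts succeeds when the presented certificate's
# fingerprint is a key in this table; the right-hand side is free text.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# Alternative with explicit actions per certificate (OK, REJECT, ...):
#   smtpd_client_restrictions = check_ccert_access hash:/etc/postfix/ccert_access, ...

# /etc/postfix/relay_clientcerts (constructed sample; run "postmap" on it
# after editing). Obtain a client's fingerprint with:
#   openssl x509 -in client.pem -noout -fingerprint -sha256
# <sha256 certificate fingerprint>                    <comment>
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF laptop.example.com
```

Clients that do not present a certificate fall through permit_tls_clientcerts and must still authenticate with SASL; a certificate whose fingerprint is not in the table gives no privilege at all.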