On Thu, Sep 29, 2022 at 01:33:58PM -0700, Dan Mahoney wrote:

> I've always figured "if you configure your sendmail with both a client
> cert and a server cert, you might as well use it, after all, you paid
> for the thing".

Well, to what end? What do you do with any client certificate you might
have received? It would typically just be ignored, and some clients will
fail to complete the TLS handshake when their issuing CA is not among
those listed in the certificate request. In particular, if you sensibly
signal an empty list of preferred CAs, some clients will be sure to fail.
On the other hand, if you send a bloated list of over 100 trusted issuer
DNs, you find that the resulting TLS server HELLO message is too big to
portably transmit to the client.

> Postfix does not ask for client certs by default. Sendmail does by
> default, if you configure a CAFile. Doing so is documented as one of
> the mandatory settings for StartTLS to work at all in sendmail.

Quite sensibly so. This is only relevant on port 587, and only when
you're sure that all the clients used by all authorised users will behave
sensibly.

> It seems at least a few people are putting the entirety of their
> browser trust chain into that file, thus saying "hey, send pretty much
> any commercially-signed cert you have configured on your mail server".

Exactly, otherwise some clients will fail because their favourite CA is
not on the list (though some will fail anyway, even with the full TLS
message-size-busting CA/B Forum trust-anchor list).

> I can find no RFCs, etc, that specifically say whether this is
> recommended or not recommended behavior. I know the authors also move
> in the OpenSSL community, and probably in the standards community as
> well. Are you aware of anything (internet drafts, BCP documents,
> etc).

I am fairly sure there are no BCP RFCs for SMTP that cover client
certificate solicitation. Though I may yet write one related to DANE
client auth one of these days.

On Thu, Sep 29, 2022 at 05:18:15PM -0400, Wietse Venema wrote:

> > Postfix does not ask for client certs by default. Sendmail does
> > by default, if you configure a CAFile. Doing so is documented as
> > one of the mandatory settings for StartTLS to work at all in
> > sendmail.
>
> This may be turned on in Postfix with "smtpd_tls_ask_ccert = yes".
> The default goes back to 2005 when Postfix TLS support was added.
> Things have changed, but changing this should be tested over a
> longer time with a range of server configurations (single key,
> multi key) and client implementations.

I don't think that changing the default is warranted, especially on
port 25, where it will only do harm.

-- 
Viktor.
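An added configuration example, not from this thread or from the Postfix project, that applies the advice above: leave client-certificate solicitation off on port 25 (the Postfix default) and request client certificates only on the submission service, with a deliberately small CA file holding just the issuers of your own users' certificates. The path /etc/postfix/submission-client-cas.pem is an assumption.

```ini
# main.cf (excerpt): port 25 keeps the Postfix default, so no
# CertificateRequest is sent and no client's handshake can fail on it.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = no

# master.cf (excerpt): only the submission service asks for a client
# certificate, and only after TLS is required. The CA file named here is
# an assumed path; keep it short so the list of issuer DNs in the
# CertificateRequest stays well below the size that busts TLS messages.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_CAfile=/etc/postfix/submission-client-cas.pem
  -o smtpd_sasl_auth_enable=yes
```

To confirm the result, `openssl s_client -starttls smtp -connect mail.example.com:587 </dev/null` prints the "Acceptable client certificate CA names" the server sends, while the same check against port 25 should report that no client certificate CA names were sent.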