On 2022-10-04 at 12:00:55 UTC-0400 (Tue, 04 Oct 2022 18:00:55 +0200)
Michael <m...@hemathor.de>
is rumored to have said:
> hey,
> I am trying to set up a postfix 3.5.13 server as a destination for
> multiple null-clients, but am failing with verifying the client's
> self-signed client certificate.
> are self-signed certificates prohibited from this kind of
> verification?
Yes, definitionally. "Verification" means auditing the trust chain to
reach a trusted root certificate. Unless you add the self-signed cert to
your set of trusted roots, you cannot verify it.
> TLS_README doesn't help me with this issue.
From that file...
    To verify a remote SMTP client certificate, the Postfix SMTP server needs to
    trust the certificates of the issuing Certification Authorities. These
    certificates in "PEM" format can be stored in a single $smtpd_tls_CAfile or
    in multiple files, one CA per file in the $smtpd_tls_CApath directory. If
    you use a directory, don't forget to create the necessary "hash" links with:

        # $OPENSSL_HOME/bin/c_rehash /path/to/directory

    The $smtpd_tls_CAfile contains the CA certificates of one or more trusted
    CAs. The file is opened (with root privileges) before Postfix enters the
    optional chroot jail and so need not be accessible from inside the chroot
    jail.

    Additional trusted CAs can be specified via the $smtpd_tls_CApath directory,
    in which case the certificates are read (with $mail_owner privileges) from
    the files in the directory when the information is needed. Thus, the
    $smtpd_tls_CApath directory needs to be accessible inside the optional
    chroot jail.

    When you configure the Postfix SMTP server to request client certificates,
    the DNs of Certification Authorities in $smtpd_tls_CAfile are sent to the
    client, in order to allow it to choose an identity signed by a CA you trust.
    If no $smtpd_tls_CAfile is specified, no preferred CA list is sent, and the
    client is free to choose an identity signed by any CA. Many clients use a
    fixed identity regardless of the preferred CA list and you may be able to
    reduce TLS negotiation overhead by installing client CA certificates mostly
    or only in $smtpd_tls_CApath. In the latter case you need not specify a
    $smtpd_tls_CAfile.

    Note, that unless client certificates are used to allow greater access to
    TLS authenticated clients, it is best to not ask for client certificates at
    all, as in addition to increased overhead some clients (notably in some
    cases qmail) are unable to complete the TLS handshake when client
    certificates are requested.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
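The point Bill makes above, that a self-signed client certificate verifies only once it is itself installed as a trusted "CA", can be exercised without a running Postfix: the lookup Postfix does through $smtpd_tls_CApath is plain OpenSSL directory lookup by subject-hash link, so `openssl verify -CApath` against the same directory gives the same accept/reject answer. The script below is an added example written for this thread, not code from the list or the Postfix project. It generates a throwaway self-signed client certificate (constructed test data), creates the hash link that c_rehash would create, and checks that verification fails against an empty directory and succeeds once the certificate has been installed. The `WORK` and `CAPATH` paths and the `nullclient.example.test` CN are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: emulate the $smtpd_tls_CApath
# trust lookup with openssl(1) so a self-signed client cert can be tested.
WORK="${WORK:-$(mktemp -d)}"       # scratch directory (assumed path)
CAPATH="$WORK/client-cas"          # stands in for $smtpd_tls_CApath

# Create a self-signed "null client" certificate and key (constructed data).
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=nullclient.example.test" \
    -keyout "$WORK/client.key" -out "$WORK/client.pem" >/dev/null 2>&1
}

# Install a certificate into the CApath directory and add the hash link that
# c_rehash / "openssl rehash" would create: <subject-hash>.0 -> certificate.
# Postfix (via OpenSSL) finds issuers in the directory by that link name only.
install_trusted() {
  cert="$1"
  mkdir -p "$CAPATH"
  cp "$cert" "$CAPATH/"
  hash=$(openssl x509 -in "$cert" -noout -hash)
  ln -sf "$(basename "$cert")" "$CAPATH/$hash.0"
}

# Exit 0 if the certificate chains to a certificate found in the given
# directory, non-zero otherwise (same outcome the SMTP server would record).
verify_against_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Demonstration when run stand-alone: before installation the self-signed
# cert is rejected; after installation it is accepted.
make_client_cert
mkdir -p "$WORK/empty"
if verify_against_capath "$WORK/empty" "$WORK/client.pem"; then
  echo "unexpected: accepted against empty CApath"
else
  echo "rejected against empty CApath (self-signed, no trusted issuer)"
fi
install_trusted "$WORK/client.pem"
if verify_against_capath "$CAPATH" "$WORK/client.pem"; then
  echo "accepted once installed in $CAPATH"
else
  echo "unexpected: rejected after installation"
fi
```

Pointing `smtpd_tls_CApath` at a directory populated the same way (and re-running c_rehash whenever a client certificate is added or rotated) is what makes the server treat each null client's self-signed certificate as its own trust anchor; without the hash link the file sits in the directory unused, which is the usual cause of a "verification failed" surprise after copying certificates in by hand.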