On 2022-10-04 at 12:00:55 UTC-0400 (Tue, 04 Oct 2022 18:00:55 +0200)
Michael <m...@hemathor.de>
is rumored to have said:

hey,

I am trying to set up a postfix 3.5.13 server as a destination for multiple null-clients, but am failing with verifying the client's self-signed client certificate.

are self-signed certificates prohibited from this kind of verification?

Yes, definitionally. "Verification" means auditing the trust chain to reach a trusted root certificate. Unless you add the self-signed cert to your set of trusted roots, you cannot verify it.

TLS_README doesn't help me with this issue.

From that file...


To verify a remote SMTP client certificate, the Postfix SMTP server needs to trust the certificates of the issuing Certification Authorities. These certificates in "PEM" format can be stored in a single $smtpd_tls_CAfile or in multiple files, one CA per file in the $smtpd_tls_CApath directory. If you use a directory, don't forget to create the necessary "hash" links with:

    # $OPENSSL_HOME/bin/c_rehash /path/to/directory

The $smtpd_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is opened (with root privileges) before Postfix enters the optional chroot jail and so need not be accessible from inside the chroot jail.

Additional trusted CAs can be specified via the $smtpd_tls_CApath directory, in which case the certificates are read (with $mail_owner privileges) from the files in the directory when the information is needed. Thus, the $smtpd_tls_CApath directory needs to be accessible inside the optional chroot jail.

When you configure the Postfix SMTP server to request client certificates, the DNs of Certification Authorities in $smtpd_tls_CAfile are sent to the client, in order to allow it to choose an identity signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no preferred CA list is sent, and the client is free to choose an identity signed by any CA. Many clients use a fixed identity regardless of the preferred CA list and you may be able to reduce TLS negotiation overhead by installing client CA certificates mostly or only in $smtpd_tls_CApath. In the latter case you need not specify a $smtpd_tls_CAfile.

Note that unless client certificates are used to allow greater access to TLS authenticated clients, it is best to not ask for client certificates at all, as in addition to increased overhead some clients (notably in some cases qmail) are unable to complete the TLS handshake when client certificates are requested.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
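The point made in the reply above, shown end to end as an added example (this script is not from the thread and not part of Postfix; it only uses the openssl command line). It generates a throwaway self-signed client certificate as constructed test data, shows that it is rejected against an empty CApath-style directory, installs it as its own trust anchor with the hash link that c_rehash would create, shows that the same certificate now verifies, and prints the main.cf settings a server would use to grant relay access to that one client by SHA-256 fingerprint. The scratch directory, the file names, the CN and the path /etc/postfix/client-cas are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Postfix project. A self-signed
# client certificate only verifies once the certificate itself is in the
# trusted set (here a hashed directory standing in for $smtpd_tls_CApath).
set -eu

WORK="${WORK:-$(mktemp -d)}"     # assumed writable scratch directory
CAPATH="$WORK/client-cas"        # stand-in for the real $smtpd_tls_CApath

# Constructed test data: the null client's self-signed certificate and key.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=nullclient.example.test" \
        -keyout "$WORK/client.key" -out "$WORK/client.pem" >/dev/null 2>&1
}

# Emulate what the SMTP server's TLS library does: try to build a chain from
# the presented certificate to a trust anchor found in the given directory.
# Prints "verified" (returns 0) or "rejected" (returns 1).
verify_client_cert() {
    capath="$1"
    mkdir -p "$capath"
    if openssl verify -CApath "$capath" "$WORK/client.pem" >/dev/null 2>&1; then
        echo verified
    else
        echo rejected
        return 1
    fi
}

# Install the certificate as a trusted root. The <subject_hash>.0 symlink is
# exactly what c_rehash (or "openssl rehash") creates for each PEM file, and
# it is what the CApath lookup searches for.
trust_client_cert() {
    mkdir -p "$CAPATH"
    cp "$WORK/client.pem" "$CAPATH/nullclient.pem"
    h=$(openssl x509 -subject_hash -noout -in "$CAPATH/nullclient.pem")
    ln -sf nullclient.pem "$CAPATH/$h.0"
}

# SHA-256 fingerprint in the colon-separated form a relay_clientcerts
# lookup table uses (smtpd_tls_fingerprint_digest = sha256).
client_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/client.pem" | sed 's/^.*=//'
}

# main.cf fragment (example values) that trusts the directory above and
# grants relay access only to the listed fingerprint, after verification.
postfix_snippet() {
    cat <<EOF
# main.cf: trust client certs from a c_rehash'ed directory
smtpd_tls_CApath = /etc/postfix/client-cas
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions = permit_mynetworks permit_tls_clientcerts reject_unauth_destination
# /etc/postfix/relay_clientcerts (run postmap on it):
# $(client_fingerprint) nullclient
EOF
}

demo() {
    make_client_cert
    printf 'empty CApath:  '; verify_client_cert "$WORK/untrusted" || true
    trust_client_cert
    printf 'hashed CApath: '; verify_client_cert "$CAPATH"
    postfix_snippet
}

demo
```

The "rejected" result is the failure the original poster is seeing: with nothing trusted, OpenSSL stops at the self-signed leaf. After the hash link exists the same certificate is its own trust anchor and verification succeeds; permit_tls_clientcerts then still requires that verified status plus a fingerprint match, so a stray self-signed certificate presented by some other client is not accepted.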
