On Tue, Oct 04, 2022 at 06:00:55PM +0200, Michael wrote:
> I am trying to set up a postfix 3.5.13 server as a destination for
> multiple null-clients, but am failing with verifying the client's
> self-signed client certificate. Are self-signed certificates
> prohibited from this kind of verification?
Sure, but not with
smtpd_tls_req_ccert = yes
which requires that the client certificate pass verification up to a
known trust-anchor, instead set:
smtpd_tls_ask_ccert = yes
and then refuse connections that are not permitted by a certificate
check.
> compatibility_level = 3.5
The major.minor syntax was introduced with Postfix 3.6, for Postfix 3.5
use "3".
> relay_clientcerts = hash:/etc/postfix/relay_clientcerts_md5
> smtpd_client_restrictions = permit_inet_interfaces, permit_tls_clientcerts,
> reject
This will do, but I would advise SHA256 at this point:
http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest
smtpd_tls_fingerprint_digest = sha256
and of course use sha256 keys in the table.
--
Viktor.
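As an added example (not code from the thread or from the Postfix project), the following script builds the SHA-256 fingerprint that Postfix looks up in relay_clientcerts once smtpd_tls_fingerprint_digest = sha256 is set, so a self-signed client certificate can be accepted by fingerprint with smtpd_tls_ask_ccert rather than by chain validation. It uses only the standard library: the PEM body is base64-decoded to DER and hashed, which is what `openssl x509 -noout -fingerprint -sha256` prints. The PEM block, the label "client1" and the table path are constructed placeholders.

```python
"""Derive relay_clientcerts entries (SHA-256, colon-separated) for Postfix.

Added example, not part of the original reply or of Postfix itself.
Assumes standard-library Python only.
"""
import base64
import hashlib
import re

# A PEM certificate is the base64 of the DER bytes between these markers.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
# Postfix table keys: 32 uppercase hex byte values separated by colons.
FP_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in `pem`."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate in Postfix's AA:BB:... notation."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_openssl_fingerprint(line: str) -> str:
    """Normalise an `openssl x509 -fingerprint -sha256` output line.

    Accepts "SHA256 Fingerprint=ab:cd:..." (old and new OpenSSL spellings)
    or a bare colon-separated fingerprint, and validates the shape.
    """
    value = line.rsplit("=", 1)[-1].strip().upper()
    if not FP_RE.match(value):
        raise ValueError(f"not a SHA-256 certificate fingerprint: {line!r}")
    return value


def relay_clientcerts_entry(pem: str, label: str) -> str:
    """One line for the relay_clientcerts source file: fingerprint + text.

    The right-hand side is free text; Postfix only checks for a match.
    """
    return f"{sha256_fingerprint(pem_to_der(pem))} {label}"


def main_cf_snippet(table_path: str) -> str:
    """The main.cf settings recommended in the reply, for a Postfix 3.5 host."""
    return "\n".join([
        "compatibility_level = 3",
        "smtpd_tls_ask_ccert = yes",            # ask, do not require a trusted chain
        "smtpd_tls_fingerprint_digest = sha256",  # md5 was the pre-3.6 default
        f"relay_clientcerts = hash:{table_path}",
        "smtpd_client_restrictions = permit_inet_interfaces,"
        " permit_tls_clientcerts, reject",
    ])


# Constructed stand-in: a PEM wrapper around the bytes b"abc", NOT a real
# certificate. Replace with the null client's actual self-signed cert.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(relay_clientcerts_entry(SAMPLE_PEM, "client1"))
    print(main_cf_snippet("/etc/postfix/relay_clientcerts"))
```

After writing the entries to the source file, run `postmap` on it (producing the .db that `hash:` refers to) and keep the key as the certificate fingerprint, not the public-key fingerprint, unless you intend to match on the latter.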