Configuring smtp_tls_cert_file for specific domain


Configuring smtp_tls_cert_file for specific domain

sandeep pawar
Hi,

I am using Postfix to send mails to the external world. One of the external recipients mentioned the requirement to set up MTLS, where they want a publicly signed client-side certificate to establish TLS. I want to present the client-side certificate only to the required domain, as it can cause issues at times as per the doc. Is it possible to create a separate smtp transport and pass the client TLS_CERT_FILE to it, or should I use a different Postfix instance altogether?

Snippet from master.cf:
tlsenforce unix  -       -       n       -       -       smtp
  -o smtp_tls_cert_file=/etc/postfix/cert.pem
  -o smtp_tls_key_file=/etc/postfix/cert.pem
  -o smtp_tls_loglevel=2
  -o smtp_tls_policy_maps=cdb:/etc/postfix/tls_maps


Sandy

Re: Configuring smtp_tls_cert_file for specific domain

Wietse Venema
sandeep pawar:

> Hi,
>
> I am using postfix to send mails to external world. One of the external
> recipient mentioned the requirement to setup MTLS, where they want a
> publicly signed client side certificate to establish TLS. I want to present
> client side certificate only to the required domain as it can cause issues
> at times as per the doc. Is it possible to create a separate smtp transport
> and pass client TLS_CERT_FILE to it or should I use a different postfix
> instance altogether?
>
> snippet from master.cf
> tlsenforce unix  -       -       n       -       -       smtp -o
> smtp_tls_cert_file=/etc/postfix/cert.pem -o
> smtp_tls_key_file=/etc/postfix/cert.pem -o smtp_tls_loglevel=2 -o
> smtp_tls_policy_maps=cdb:/etc/postfix/tls_maps

Assuming that this is an exceptional case and most email will not
use MTLS:

Postfix 3.0 and later:
----------------------

/etc/postfix/main.cf
   transport_maps = inline:{ { example.com = tlsenforce: } }

All Postfix versions:
---------------------
/etc/postfix/main.cf
   transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
   # No "=" here.
   example.com tlsenforce:

This requires that you execute "postmap hash:/etc/postfix/transport".

        Wietse

Re: Configuring smtp_tls_cert_file for specific domain

Viktor Dukhovni
In reply to this post by sandeep pawar
On Fri, Mar 27, 2020 at 07:25:19PM +0530, sandeep pawar wrote:

> I am using postfix to send mails to external world. One of the external
> recipient mentioned the requirement to setup MTLS, where they want a
> publicly signed client side certificate to establish TLS. I want to present
> client side certificate only to the required domain as it can cause issues
> at times as per the doc. Is it possible to create a separate smtp transport
> and pass client TLS_CERT_FILE to it or should I use a different postfix
> instance altogether?
>
> snippet from master.cf
> tlsenforce unix  -       -       n       -       -       smtp
>   -o smtp_tls_cert_file=/etc/postfix/cert.pem
>   -o smtp_tls_key_file=/etc/postfix/cert.pem
>   -o smtp_tls_loglevel=2
>   -o smtp_tls_policy_maps=cdb:/etc/postfix/tls_maps

You probably don't need a transport-specific smtp_tls_policy_maps; both
the transport lookup and the policy lookup are per-destination, so you
generally don't need multiple tables.

Also, TLS loglevel=2 is *only* for occasional debugging; do not blithely
turn it on.

As for per-destination client certificates, now that we have SNI support
in the SMTP server, it is in principle possible to develop new code to
support per-destination client certificates without using a new
transport, but there are tricky interactions with the client-side of
the TLS proxy.  So a fixed client-cert per transport is perhaps
good enough...

--
    Viktor.
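As an added example (not code from this thread, from Postfix, or from either poster): a small Python checker that resolves a hash-style transport table entry like Wietse's to the master.cf service it names, reports which client certificate that service will present, and flags Viktor's smtp_tls_loglevel caveat. The two configuration fragments are constructed samples modelled on the snippets above; the function names are mine.

```python
# Constructed sample fragments modelled on the thread's snippets (not real hosts).
MASTER_CF = """\
tlsenforce unix  -       -       n       -       -       smtp
  -o smtp_tls_cert_file=/etc/postfix/cert.pem
  -o smtp_tls_key_file=/etc/postfix/cert.pem
  -o smtp_tls_loglevel=2
"""
TRANSPORT = """\
# No "=" here.
example.com tlsenforce:
"""

def parse_master_overrides(text):
    """service name -> {param: value} from -o overrides; indented lines continue."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if not raw[0].isspace():                  # new service entry
            current, fields = fields[0], fields[8:]  # skip the 8 fixed columns
            services[current] = {}
        for i, tok in enumerate(fields):
            if tok == "-o" and i + 1 < len(fields):
                key, _, value = fields[i + 1].partition("=")
                services.setdefault(current, {})[key] = value
    return services

def parse_transport(text):
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            domain, spec = line.split(None, 1)   # "example.com tlsenforce:"
            out[domain] = spec.split(":", 1)[0]  # transport name before ':'
    return out

def check_client_cert_routing(master_text, transport_text):
    """domain -> (client cert the transport presents or None, list of findings)."""
    services = parse_master_overrides(master_text)
    results = {}
    for domain, transport in parse_transport(transport_text).items():
        findings = [] if transport in services else ["transport %r not in master.cf" % transport]
        ov = services.get(transport, {})
        if "smtp_tls_cert_file" not in ov:
            findings.append("no client certificate on transport %r" % transport)
        if int(ov.get("smtp_tls_loglevel", "0")) > 1:
            findings.append("smtp_tls_loglevel > 1 is for occasional debugging only")
        results[domain] = (ov.get("smtp_tls_cert_file"), findings)
    return results
```

On a live host the same check would be run against `postconf -Mf` output and the transport source file; this version only parses text so it runs anywhere.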

Re: Configuring smtp_tls_cert_file for specific domain

sandeep pawar
Thanks Viktor and Wietse for the insight. TLS encryption seems to be working fine.
I was using higher log level for debugging only.

On Fri, Mar 27, 2020 at 11:11 PM Viktor Dukhovni <[hidden email]> wrote:
--
Sandeep Pawar