Requesting certificates

Requesting certificates

lists@lazygranch.com
I'm not at the point where I want to verify certs and reject mail,
because the mail must go through! However I would like at least
for postfix to request the cert. (Forgive my terminology here if I am
not phrasing this properly.) Basically I would just eyeball the header
and look at the cert request on a case by case basis.

Here is a part of an email header from an email that I sent myself
(sanitized to stay off google)
----------------
Received: from mydomain.com (unknown [myipaddress])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client did not present a certificate)
 by www.example.com (Postfix) with ESMTPSA id 1604469A2A
 for <[hidden email]>; Fri, 22 Dec 2017 09:01:13 +0000 (UTC)
-----------------------

From master.cf, with the emphasis on the last line:
--------------------------
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_ask_ccert=yes
-------------------------------------------

From main.cf (sanitized):
--------------------------------
# TLS
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#next line experimental
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
----------------------------------

My reasoning here being since I have a real (enough) cert from a CA rather than a self-signed one, I should be able to let the recipient's MTA sniff my cert.

I suppose if this is dumb I'm going to find out. ;-)
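Since the idea above is to read the `Received:` header that `smtpd_tls_received_header = yes` writes and check, per sender, whether a client certificate was offered, here is an added example (not from the thread or from Postfix itself) that parses such headers and summarises the TLS version, cipher and client-certificate status. The sample headers are constructed; the "Client did not present a certificate" line is the one shown in the post, while the `(Client CN "...", Issuer "..." (verified OK))` form is assumed from Postfix's smtpd output and should be checked against your own logs.

```python
import re

# Constructed sample headers in the shape Postfix produces with
# smtpd_tls_received_header = yes. The first mirrors the one in the post;
# the second assumes Postfix's client-certificate line format; the third
# is a plaintext (no TLS) delivery.
SAMPLE_HEADERS = [
    'Received: from mydomain.com (unknown [203.0.113.10])\n'
    '\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n'
    '\t(Client did not present a certificate)\n'
    '\tby www.example.com (Postfix) with ESMTPSA id 1604469A2A\n'
    '\tfor <user@example.com>; Fri, 22 Dec 2017 09:01:13 +0000 (UTC)',
    'Received: from mx.example.net (mx.example.net [198.51.100.7])\n'
    '\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n'
    '\t(Client CN "mx.example.net", Issuer "Example CA" (verified OK))\n'
    '\tby www.example.com (Postfix) with ESMTPS id 0123456789\n'
    '\tfor <user@example.com>; Fri, 22 Dec 2017 10:00:00 +0000 (UTC)',
    'Received: from mail.example.org (mail.example.org [192.0.2.5])\n'
    '\tby www.example.com (Postfix) with ESMTP id ABCDEF0123\n'
    '\tfor <user@example.com>; Fri, 22 Dec 2017 11:00:00 +0000 (UTC)',
]

TLS_RE = re.compile(r'\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) '
                    r'\((?P<bits>\d+/\d+) bits\)\)')
# Assumed format of the line Postfix adds when a client certificate was offered.
CCERT_RE = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
                      r'\((?P<status>[^)]*)\)\)')
NO_CCERT = '(Client did not present a certificate)'


def parse_received(header):
    """Extract the TLS facts a Postfix Received header records."""
    flat = ' '.join(header.split())  # unfold continuation lines
    info = {'tls': None, 'cipher': None, 'client_cert': 'no TLS'}
    m = TLS_RE.search(flat)
    if m:
        info['tls'] = m.group('proto')
        info['cipher'] = m.group('cipher')
        info['client_cert'] = 'unknown'  # TLS used, but no ccert line seen yet
    if NO_CCERT in flat:
        info['client_cert'] = 'none'
    c = CCERT_RE.search(flat)
    if c:
        info['client_cert'] = c.group('status')  # "verified OK" / "not verified"
        info['client_cn'] = c.group('cn')
        info['issuer'] = c.group('issuer')
    return info


def summarize(headers):
    """One summary dict per header, in input order."""
    return [parse_received(h) for h in headers]


if __name__ == '__main__':
    for row in summarize(SAMPLE_HEADERS):
        print(row)
```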

Re: Requesting certificates

Dominic Raferd
On 22 December 2017 at 09:38, [hidden email] <[hidden email]> wrote:
> ...
> From main.cf (sanitized):
> --------------------------------
> # TLS
> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
> smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> #next line experimental
> smtpd_tls_ask_ccert = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom

BTW, smtpd_use_tls = yes is deprecated for Postfix 2.3+:
smtpd_tls_security_level = may achieves the same thing.
Re: Requesting certificates

lists@lazygranch.com
On Fri, 22 Dec 2017 09:52:13 +0000
Dominic Raferd <[hidden email]> wrote:

> On 22 December 2017 at 09:38, [hidden email]
> <[hidden email]> wrote:
>
> > ...
> > From main.cf (sanitized):
> > --------------------------------
> > # TLS
> > smtpd_use_tls = yes
> > smtpd_tls_security_level = may
> > smtpd_tls_auth_only = yes
> > smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
> > smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > #next line experimental
> > smtpd_tls_ask_ccert = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
>
> BTW, smtpd_use_tls = yes is deprecated for Postfix 2.3+:
> smtpd_tls_security_level = may achieves the same thing.

Thanks. I just commented out the line and everything works the same.
I have
compatibility_level = 2
in the main.cf.