how to map per-smtp-transport ssl certs/keys ?


how to map per-smtp-transport ssl certs/keys ?

PGNet Dev

I'm modifying a relay config.  atm, I've

        master.cf
                ...
                [127.0.0.1]:10001  inet  n  -  n  -  -  smtpd
                ...
                -o content_filter=lmdb:/etc/postfix/relay_transports

                relay-out  unix  -  -  n  -  -  smtp
                -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
                -o smtp_tls_cert_file=/ssl/client.RSA.crt
                -o smtp_tls_key_file=/ssl/client.RSA.key

        cat /etc/postfix/relay_transports

                example1.com  relay-out:[mx.example1.com]:25
                example2.com  relay-out:[mx.example2.com]:10025
                ...

        cat /etc/postfix/relay_tls_policy
                [mx.example1.com]:25     secure  match=mx.example1.com
                [mx.example2.com]:10025  secure  match=mx.example2.com
                ...


this^ has worked just fine.

my config, atm, uses the single RSA crt/key for all transports.


example2.com has just changed its requirements, and uses/accepts only EC certs.

where/how would I specify a per-transport cert/key pair?


I've read through

        http://www.postfix.org/TLS_README.html

and haven't ID'd a relevant per-transport cert/key mapping.


I considered

        http://www.postfix.org/postconf.5.html#tls_server_sni_maps

but that seems server-side only (?),

        "map names received from remote SMTP clients via the TLS Server Name Indication (SNI) extension to the appropriate keys and certificate chains. This parameter is implemented in the Postfix TLS library, and applies to both smtpd(8) and the SMTP server mode of tlsproxy(8)."


I also took a look at

        http://www.postfix.org/postconf.5.html#smtp_tls_per_site

but, again, haven't figured out where/how to provide the per-transport cert/key mappings.

what's the correct approach here?
Re: how to map per-smtp-transport ssl certs/keys ?

Viktor Dukhovni
On Mon, Jul 20, 2020 at 02:36:08PM -0700, PGNet Dev wrote:

> i'm modifying a relay config.  atm, i've
>
> master.cf
> ...
> [127.0.0.1]:10001  inet  n  -  n  -  -  smtpd
> ...
> -o content_filter=lmdb:/etc/postfix/relay_transports
>
> relay-out  unix  -  -  n  -  -  smtp
> -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
> -o smtp_tls_cert_file=/ssl/client.RSA.crt
> -o smtp_tls_key_file=/ssl/client.RSA.key
>
> cat /etc/postfix/relay_transports
>
> example1.com  relay-out:[mx.example1.com]:25
> example2.com  relay-out:[mx.example2.com]:10025
> ...
>
> cat /etc/postfix/relay_tls_policy
> [mx.example1.com]:25     secure  match=mx.example1.com
> [mx.example2.com]:10025  secure  match=mx.example2.com
> ...
>
>
> this^ has worked just fine.
>
> my config, atm, uses the single RSA crt/key for all transports.
>
>
> example2.com has just changed its requirements, and uses/accepts only EC certs.
>
> where/how would I specify a per-transport cert/key pair?

You're already doing it per-transport:

> relay-out  unix  -  -  n  -  -  smtp
> -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
> -o smtp_tls_cert_file=/ssl/client.RSA.crt
> -o smtp_tls_key_file=/ssl/client.RSA.key

Perhaps you meant per-nexthop?  That's not presently supported, instead
you can configure a second transport, with a different set of keys, and
use that transport for the destinations in question.

> I considered
>
> http://www.postfix.org/postconf.5.html#tls_server_sni_maps
>
> but that seems server-side only (?),

Correct, as described.

> i also took a look at
>
> http://www.postfix.org/postconf.5.html#smtp_tls_per_site

That interface is deprecated, the preferred one is:

> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

Which you're already using.

> but, again, haven't figured out where/how to provide the per-transport
> cert/key mappings.

You keep saying "per-transport", but you clearly mean per-destination.
But in fact, per-transport is what's possible, and you can choose an
appropriate transport for each destination, via the transport(5) table.

--
    Viktor.
Re: how to map per-smtp-transport ssl certs/keys ?

PGNet Dev
On 7/20/20 2:45 PM, Viktor Dukhovni wrote:
> Perhaps you meant per-nexthop?  That's not presently supported,

Well that'll certainly make it harder to find!  Noted.

> instead you can configure a second transport, with a different set of keys, and
> use that transport for the destinations in question.

That's simple enough to manage. Thx.

> You keep saying "per-transport", but you clearly mean per-destination.

Yup; fair enuf. Thx for 'fixing' my bad-lingo!