Score:2

Configure postfix to enforce client certificate authentication for one domain


I have a postfix server which processes mails for several domains. The server is using TLS encryption if the client requests it, but does not currently enforce it for compatibility reasons.

Now there's a new domain which this server should process mails for, where TLS should be enforced and where clients have to authenticate using client certificates.

Is it possible to configure postfix for this scenario while not changing the setup for all other domains? If yes, how?

anx
Asking for certificates and actually doing something with the information as part of (possibly conditional) smtpd_*_restrictions is intentionally separate. It sounds like you want to split up your service ports between optional and implicit (or at least mandatory) security though, to get yourself cleaner rulesets: it would be annoying to troubleshoot for a client to successfully set up TLS under a relaxed "plaintext would be okay as well" policy, only to then fail authentication because otherwise acceptable TLS versions are not valid when you actually depend on the signature indicating authorization.
Score:1

This is not possible with a single smtpd instance, but you can configure multiple smtpd instances through master.cf, as you already should have one instance for handling incoming mail on port 25 and another for outbound mail on port 465 (implicit TLS per RFC 8314, 3) or 587 for submission with plain text & STARTTLS.

I would suggest configuring the port 587 for the legacy clients, as it already supports plain text and TLS is only available through STARTTLS, whereas on port 465 TLS handshake begins immediately – which goes perfectly with the requirements for your new domain.

Let's assume example.com is the legacy domain and example.net the protected one.

The key is to:

  1. use different myhostname configurations
  2. limit the allowed sender address(es) with smtpd_sender_restrictions=reject_unlisted_sender

In master.cf:

# Legacy access on submission port 587 for example.com
submission  inet  n  -  -  -  -  smtpd
  -o myhostname=example.com
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_unlisted_sender
  -o { smtpd_recipient_restrictions=
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         permit_sasl_authenticated, reject }

# Client certificate required on port 465 for example.net
smtps inet  n  -  -  -  -  smtpd
  -o myhostname=example.net
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_unlisted_sender
  -o { smtpd_recipient_restrictions=
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         permit_sasl_authenticated, reject }

You could even enforce that certain users can only use certain addresses, which works with both configurations, e.g.,

  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o { smtpd_sender_restrictions =
         reject_unlisted_sender,
         reject_sender_login_mismatch }
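As an added check (not part of the answer above), the following Python parses the master.cf service overrides, including the multi-line `-o { name = value }` form used in the answer, and reports whether the certificate-required service really sets implicit TLS and a required client certificate and whether every restriction list fails closed. The excerpt it reads is constructed here to mirror the answer's two services; the service name `smtps` is assumed.

```python
import re
# Constructed master.cf excerpt mirroring the answer's two services (trimmed).
MASTER_CF = """\
submission  inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o { smtpd_recipient_restrictions=
         reject_non_fqdn_recipient,
         permit_sasl_authenticated, reject }
smtps inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_overrides(master_cf: str) -> dict:
    """Map service -> {param: value} from '-o' lines, joining the multi-line '-o { ... }' form."""
    services, current, pending = {}, None, None
    for raw in master_cf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():          # service line: name type private ...
            current = line.split()[0]
            services[current] = {}
            continue
        if pending is not None:           # continuation of an open '{'
            pending += " " + line
        elif line.startswith("-o"):
            pending = line[2:].strip()
        if pending is None or (pending.startswith("{") and not pending.endswith("}")):
            continue                      # not an override, or brace still open
        name, _, value = pending.strip("{} ").partition("=")
        services[current][name.strip()] = re.sub(r"\s+", " ", value.strip())
        pending = None
    return services

def audit(services: dict, strict: str = "smtps") -> list:
    """Strict service must use wrapper-mode TLS and require a client cert; restriction lists must end in 'reject'."""
    findings = []
    s = services.get(strict, {})
    for param in ("smtpd_tls_wrappermode", "smtpd_tls_req_ccert"):
        if s.get(param) != "yes":
            findings.append(f"{strict}: {param} is not 'yes'")
    for svc, opts in services.items():
        for param, value in opts.items():
            if param.endswith("_restrictions") and value.split(",")[-1].strip() != "reject":
                findings.append(f"{svc}: {param} does not end in 'reject'")
    return findings
```

Run it against your real /etc/postfix/master.cf after the edit; an empty list from audit() means the split matches the intent, and each finding names the service and parameter to fix.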