Difference between revisions of "Postfix cert based relay"

From Asenjo
(server main.cf)
Line 7: Line 7:
 
Postfix has two ways of allowing relaying with certificates, but here I will only specify one.
 
Postfix has two ways of allowing relaying with certificates, but here I will only specify one.
  
== server main.cf ==
+
 
 
in order to allow relaying we need to have some settings in place:
 
in order to allow relaying we need to have some settings in place:
  
=== starttls ===
+
== starttls ==
 
<pre>
 
<pre>
 
# TLS  SERVER settings
 
# TLS  SERVER settings
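Review bot: the &lt;pre&gt; opened right after the starttls heading in this hunk is not closed until the `</pre>` that follows smtp_tls_protocols at Line 65, so the subsections in between (local cert and key, CA bundle, logging, caching) render as one preformatted block together with their prose; close the &lt;pre&gt; after `smtpd_use_tls = yes` and open a new one for each configuration snippet. The demotion of starttls to a level-3 heading under the new "server main.cf" section is the right nesting, but the other subsections in that block should then get the same `=== ... ===` treatment.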
Line 65: Line 65:
 
smtp_tls_protocols = !SSLv2, !SSLv3
 
smtp_tls_protocols = !SSLv2, !SSLv3
 
</pre>
 
</pre>
 +
 +
== server side certificate based relaying ==
 +
 +
Just three settings:
 +
 +
<pre>
 +
# ask for certificates:
 +
smtpd_tls_ask_ccert = yes
 +
 +
# these certs may relay
 +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
 +
smtpd_tls_fingerprint_digest = sha1
 +
</pre>
 +
 +
the file relay_clientcerts is a normal postfix hash database with in the left hand side the fingerprint and on the right hand side any field we want. The most logical thing to put in there is the name of the owner of the certificate because locating one based just on its fingerprint is more involved ;-)
 +
 +
So use your favourite tool to find the fingerprint of the certificates you want to allow relaying through your server and create that file like this:
 +
 +
<pre>
 +
AB:9D:0F:F6:BA:00:25:BD:BB:A5:07:DD:53:CF:74:XX:E7:80:65:16 name_owner
 +
<pre>
 +
 +
After you are done, postmap the file like with any other postfix hash database.
 +
 +
== smtpd restrictions ==
 +
finally, one needs to allow the people using the certificates to relay. You can accomplish this like so:
 +
 +
<pre>
 +
# smtpd client restrictions
 +
smtpd_client_restrictions =
 +
        permit_tls_clientcerts,
 +
        reject_rbl_client zen.spamhaus.org
 +
 +
# smtpd recipient restriction
 +
smtpd_recipient_restrictions =
 +
                        permit_tls_clientcerts,
 +
                        reject_non_fqdn_recipient,
 +
                        reject_non_fqdn_sender,
 +
                        permit_mynetworks,
 +
                        reject_unauth_destination,
 +
                        reject_rbl_client zen.spamhaus.org,
 +
                        check_policy_service unix:postgrey/socket,
 +
 +
</pre>
 +
 +
so we add permit_tls_clientcerts before other reject directives (the first one wins) and after that you can reload postfix. If everything went fine we should be able to relay from our clients.
 +
 +
== test certificate authority ==
 +
 +
== perl client ==
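Review bot: the fingerprint example block is opened with &lt;pre&gt; and then "closed" with a second &lt;pre&gt; instead of `</pre>`, so everything from `AB:9D:0F:...` to the end of the page renders preformatted; replace the second tag with `</pre>`. On `smtpd_tls_fingerprint_digest = sha1`: Postfix accepts sha256 here as well, and since the whole relay decision rests on a fingerprint match, the table should be built with sha256 and the parameter set to match, noting that every entry in relay_clientcerts must be computed with the same digest or it will silently never match. Minor: the `smtpd_recipient_restrictions` list ends with a trailing comma after `check_policy_service unix:postgrey/socket,`; Postfix tolerates it, but it reads as if a line is missing.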

Revision as of 20:52, 22 July 2015

In order to securely allow roaming SMTP clients to relay through a Postfix SMTP server, one common setup is SASL authentication combined with STARTTLS and a (usually virtual) user database.

There is plenty of information about how to set that up, so I will not repeat it here.

What not many people know is that you can set up Postfix to allow relaying based on client certificates (PKI).

Postfix has two ways of allowing relaying with certificates, but here I will only describe one.

== server main.cf ==

In order to allow relaying we need to have some settings in place:

=== starttls ===

<pre>
# TLS  SERVER settings

# offer tls to clients
smtpd_use_tls = yes
</pre>

=== local cert and key ===

In this case I use the excellent startssl.com free certificates, because they are trusted by most devices and they are free. smtpd_tls_cert_file points to your certificate followed by the StartSSL chain certificate (just cat your.cert startssl.crt > postfix.crt to build it).

The smtpd_tls_key_file should be readable only by root. I share this key with Apache, so it is also readable by apache but not by anyone else (440 permissions).

<pre>
# local cert
smtpd_tls_key_file = /etc/pki/tls/private/startssl_asenjo_nl.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix_certchain.crt
</pre>

=== trusted CA bundle file ===

CentOS installs it here:

<pre>
# CA bundle
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
</pre>

=== entropy generator, logs, headers ===

<pre>
# random source generator
tls_random_source = dev:/dev/urandom

# log level tls
# 0: default, no logging
# 1: startup and certificate info
# 2: 1 + info on tls negotiation
# 3: 2 + hex and ascii dumps of the negotiation
# 4: 3 + hex and ascii dumps of the transmission after client starttls
smtpd_tls_loglevel = 1

# add tls header info
smtpd_tls_received_header = yes
</pre>

=== tls caching, tls ciphers ===

<pre>
# tls session cache
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s

# disable insecure protocols (SSLv2 and SSLv3), both for the server and the client side
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
</pre>

== server side certificate based relaying ==

Just three settings:

<pre>
# ask for certificates:
smtpd_tls_ask_ccert = yes

# these certs may relay
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_tls_fingerprint_digest = sha1
</pre>

The file relay_clientcerts is a normal Postfix hash database: the left-hand side holds the fingerprint and the right-hand side any field we want. The most logical thing to put there is the name of the owner of the certificate, because locating one based just on its fingerprint is more involved ;-)

So use your favourite tool to find the fingerprint of the certificates you want to allow to relay through your server, and create the file like this:

<pre>
AB:9D:0F:F6:BA:00:25:BD:BB:A5:07:DD:53:CF:74:XX:E7:80:65:16 name_owner
</pre>

After you are done, run postmap on the file as with any other Postfix hash database.
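An added helper (my own example, not code from this page or from Postfix) that produces a relay_clientcerts line from a PEM certificate and checks an existing table for the mistake that silently breaks this setup: a fingerprint computed with a different digest than smtpd_tls_fingerprint_digest (or a placeholder left in) never matches, so the client is simply refused relaying. The certificate and the table contents below are constructed; the fingerprint is the digest of the DER encoding, formatted as Postfix logs it.

```python
import base64
import hashlib
import re

# Bytes per digest; the table key must have exactly this many hex pairs.
DIGEST_LEN = {"sha1": 20, "sha256": 32}

# Constructed stand-in for a client certificate: the base64 body decodes to
# b"abc" rather than to real DER, which is enough to show the fingerprint math.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed relay_clientcerts table: one placeholder, one valid sha1 entry,
# one sha256 entry that can never match while the digest is sha1.
SAMPLE_TABLE = """\
# fingerprint  owner
AB:9D:0F:F6:BA:00:25:BD:BB:A5:07:DD:53:CF:74:XX:E7:80:65:16 name_owner
A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D laptop_alice
BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD phone_bob
"""


def postfix_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Digest of the DER certificate as colon-separated uppercase hex pairs,
    the form Postfix logs and looks up in relay_clientcerts."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, der).digest())


def check_table(text: str, digest: str) -> list:
    """Report (line_no, reason) for keys that cannot match under `digest`,
    e.g. sha256 fingerprints in a table while main.cf still says sha1."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pairs = line.split()[0].split(":")
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in pairs):
            problems.append((no, "not a hex fingerprint (placeholder left in?)"))
        elif len(pairs) != DIGEST_LEN[digest]:
            problems.append((no, f"{len(pairs)} bytes, {digest} needs {DIGEST_LEN[digest]}"))
    return problems


if __name__ == "__main__":
    print(postfix_fingerprint(SAMPLE_PEM), "name_owner")  # line to postmap
    for no, why in check_table(SAMPLE_TABLE, "sha1"):
        print(f"relay_clientcerts:{no}: {why}")
```

Run it against your real table and the digest configured in main.cf after every edit, before running postmap.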

== smtpd restrictions ==

Finally, one needs to allow the people using the certificates to relay. You can accomplish this like so:

<pre>
# smtpd client restrictions
smtpd_client_restrictions =
        permit_tls_clientcerts,
        reject_rbl_client zen.spamhaus.org

# smtpd recipient restriction
smtpd_recipient_restrictions =
                         permit_tls_clientcerts,
                         reject_non_fqdn_recipient,
                         reject_non_fqdn_sender,
                         permit_mynetworks,
                         reject_unauth_destination,
                         reject_rbl_client zen.spamhaus.org,
                         check_policy_service unix:postgrey/socket,
</pre>

So we add permit_tls_clientcerts before the reject directives: Postfix evaluates a restriction list from left to right and the first permit or reject that matches decides. After that you can reload Postfix. If everything went fine we should be able to relay from our clients.

== test certificate authority ==

== perl client ==