Postfix cert based relay
From Asenjo
Revision as of 20:33, 22 July 2015 by Natxo
In order to securely allow roaming SMTP clients to relay through a Postfix SMTP server, one common setup is SASL authentication in combination with STARTTLS and a (usually virtual) user database.
There is plenty of information about how to set that up, so I will not repeat it here.
What not many people know is that you can set up Postfix to allow relaying based on client certificates (PKI) instead.
Postfix has two ways of allowing relaying with certificates, but here I will only describe one.
server main.cf
In order to allow relaying we need to have some TLS settings in place on the server:

# TLS SERVER settings
# offer tls to clients
smtpd_use_tls = yes
# local cert
smtpd_tls_key_file = /etc/pki/tls/private/startssl_asenjo_nl.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix_certchain.crt
# CA bundle
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# random source generator
tls_random_source = dev:/dev/urandom
# log level tls
# 0 default no logging
# 1 startup and cert info
# 2: 1 + info on tls negotiation
# 3: 2 + hex and ascii dumps negotiation
# 4: 3 + hex and ascii dumps transmission after client starttls
smtpd_tls_loglevel = 1
# add tls header info
smtpd_tls_received_header = yes
# tls session cache
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
# disable insecure protocols
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
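A quick way to check that a main.cf fragment like the one above actually carries these settings is to lint it before reloading Postfix. The script below is an added example, not part of the original page or of Postfix itself: it parses main.cf syntax (key = value, # comments, $variable references such as $data_directory) and reports when the key/cert/CA files are missing or when any of the four protocol parameters fails to exclude SSLv2 and SSLv3. The sample configuration embedded in it is constructed from the settings above, with one protocol line deliberately weakened so the checker has something to flag; the data_directory value is an assumed one. It accepts smtpd_use_tls because that is what the page uses; newer Postfix releases express the same thing with smtpd_tls_security_level, which this checker does not evaluate.

```python
"""Lint the TLS-related settings of a Postfix main.cf fragment.

Added example, not from the original wiki page: reads main.cf syntax
(key = value, '#' comments, $variable references) and checks that the
TLS parameters discussed above are present and that the legacy
SSLv2/SSLv3 protocols are excluded from every protocol list.
"""
import re

# Constructed sample: the page's settings plus an assumed data_directory and
# one deliberately weak protocol line (smtp_tls_protocols) for the checker
# to flag.
SAMPLE_MAIN_CF = """\
# TLS SERVER settings
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/startssl_asenjo_nl.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix_certchain.crt
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
data_directory = /var/lib/postfix
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2
"""


def parse_main_cf(text):
    """Parse main.cf text into a dict; indented lines continue the previous value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line
        current = key.strip()
        params[current] = value.strip()
    return params


def expand(params, value):
    """Expand $name and ${name} references the way Postfix does (recursively)."""
    def repl(match):
        name = match.group(1) or match.group(2)
        return expand(params, params.get(name, ""))
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", repl, value)


REQUIRED_FILES = ("smtpd_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_CAfile")
PROTOCOL_PARAMS = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
                   "smtp_tls_mandatory_protocols", "smtp_tls_protocols")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def excluded_protocols(value):
    """Return the set of protocol names excluded with a leading '!'."""
    return {tok[1:] for tok in re.split(r"[,\s]+", value) if tok.startswith("!")}


def lint_tls(params):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    if params.get("smtpd_use_tls", "no").lower() != "yes":
        findings.append("smtpd_use_tls is not 'yes': TLS is not offered to clients")
    for name in REQUIRED_FILES:
        if name not in params:
            findings.append(f"{name} is missing")
    for name in PROTOCOL_PARAMS:
        if name not in params:
            findings.append(f"{name} is missing")
            continue
        still_allowed = [p for p in LEGACY_PROTOCOLS
                         if p not in excluded_protocols(params[name])]
        if still_allowed:
            findings.append(f"{name} does not exclude {', '.join(still_allowed)}")
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("session cache:", expand(cfg, cfg["smtpd_tls_session_cache_database"]))
    for finding in lint_tls(cfg) or ["no findings"]:
        print(finding)
```

On a real host you would feed it the output of postconf -n rather than the embedded sample, since postconf prints the effective (non-default) settings with the same key = value syntax.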