« Setting up sendmail to use a client certificate | Digikam and geotagging » |
Configuring Postfix to accept client certificates
Sunday, December 12, 2010
In my previous post, I showed how to set up sendmail to present a client certificate. In my setup, I have several sendmail clients authenticating to a Postfix server. This post will describe how to set up Postfix to ask for and accept client certificates.
First, you will need to acquire a server certificate, either by getting one signed by a real CA or signing one yourself (but for a server, it's probably better to get a real one). Then modify /etc/postfix/main.cf
with the following settings:
# This is the server's cert smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt # server's private key smtpd_tls_key_file = /etc/pki/tls/private/postfix.key # certificate of the certificate authority that signed the client certs smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt # announce to clients that TLS is available smtpd_tls_security_level = may # ask client to present a cert to the server smtpd_tls_ask_ccert = yes
Now when the SMTP client presents a client certificate signed by the CA referred to by smtpd_tls_CAfile
, Postfix will be able to verify its authenticity.
You can use this for access control. For example, in smtpd_client_restrictions
, you can create accept certain certificates. As an example, this will allow only clients who present a cert and are listed in the file:
smtpd_client_restrictions = check_ccert_access hash:/etc/postfix/whitelist reject
You can create the whitelist by creating a text file with these contents:
# the key is the MD5 fingerprint; the value is the action to perform
# (see access(5)
for details)
6E:E0:44:FA:42:73:33:EF:15:F7:46:16:96:7C:62:3E OK
You can get the fingerprint of a key by using:
$ openssl x509 -fingerprint -noout -md5 -in client.crt
Be sure to run postmap
to update the database file. There is no need to restart or reload Postfix when changing database files, but you do have to reload when changing main.cf
.
# postmap /etc/postfix/whitelist
Postfix 2.5 and later support digest algorithms other than MD5 via the smtpd_tls_fingerprint_digest
parameter.
Comments
There are no comments.