
Configuring Postfix to accept client certificates

Sunday, December 12, 2010


In my previous post, I showed how to set up sendmail to present a client certificate. In my setup, I have several sendmail clients authenticating to a Postfix server. This post will describe how to set up Postfix to ask for and accept client certificates.

First, you will need to acquire a server certificate, either by getting one signed by a real CA or signing one yourself (but for a server, it's probably better to get a real one). Then modify /etc/postfix/main.cf with the following settings:

# This is the server's cert
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt

# server's private key
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key

# certificate of the certificate authority that signed the client certs
smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt

# announce to clients that TLS is available
smtpd_tls_security_level = may

# ask client to present a cert to the server
smtpd_tls_ask_ccert = yes

Now when the SMTP client presents a client certificate signed by the CA referred to by smtpd_tls_CAfile, Postfix will be able to verify its authenticity.

You can use this for access control. For example, in smtpd_client_restrictions, you can accept only certain certificates. As an example, this will allow only clients who present a cert whose fingerprint is listed in the file:

smtpd_client_restrictions =
   check_ccert_access hash:/etc/postfix/whitelist
   reject

You can create the whitelist by creating a text file with these contents:

# the key is the MD5 fingerprint; the value is the action to perform
# (see access(5) for details)
6E:E0:44:FA:42:73:33:EF:15:F7:46:16:96:7C:62:3E             OK

You can get the fingerprint of a key by using:

$ openssl x509 -fingerprint -noout -md5 -in client.crt

Be sure to run postmap to update the database file after editing the whitelist:

# postmap /etc/postfix/whitelist

There is no need to restart or reload Postfix when changing database files, but you do have to reload when changing main.cf.

Postfix 2.5 and later support digest algorithms other than MD5 via the smtpd_tls_fingerprint_digest parameter.
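As an added example (my own code, not Postfix's or the post's), here is a small Python model of what check_ccert_access does with the whitelist above: hash the client certificate's DER bytes with the configured digest, format the result like openssl's -fingerprint output, and look it up in the access table, falling through to reject. It also shows the failure mode hinted at in the previous paragraph: if the whitelist was built with MD5 fingerprints but the server's smtpd_tls_fingerprint_digest names another algorithm, every lookup misses. The PEM body in the demo is constructed (base64 of "abc") and is not a real certificate.

```python
import base64
import hashlib
import re

def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body to the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der, digest="md5"):
    """Fingerprint formatted like `openssl x509 -fingerprint`: 'AA:BB:...'."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_access_table(text):
    """Parse an access(5) source file: 'key action' lines, '#' comment lines.
    Keys are case-folded, as postmap does by default (without -f)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table

def ccert_decision(der, table, digest="md5"):
    """Emulate 'check_ccert_access hash:/etc/postfix/whitelist' then 'reject'.
    `digest` stands in for the server's smtpd_tls_fingerprint_digest setting."""
    return table.get(fingerprint(der, digest).lower(), "reject")

# Constructed demo input: the body is base64("abc"), NOT a real certificate.
DEMO_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Whitelist contents from the post, plus a constructed entry (MD5 of "abc")
# so the demo blob is accepted.
DEMO_WHITELIST = """
# the key is the MD5 fingerprint; the value is the action to perform
6E:E0:44:FA:42:73:33:EF:15:F7:46:16:96:7C:62:3E             OK
90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72             OK
"""

if __name__ == "__main__":
    der = pem_to_der(DEMO_PEM)
    table = parse_access_table(DEMO_WHITELIST)
    print(fingerprint(der), ccert_decision(der, table))                 # MD5 -> OK
    print(fingerprint(der, "sha1"), ccert_decision(der, table, "sha1")) # -> reject
```

Run it against a real client.crt by replacing DEMO_PEM with the file's contents; the MD5 line must match what `openssl x509 -fingerprint -noout -md5` prints for that certificate.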

Tags: certificate, email, encryption, postfix | Posted at 20:42