Re: client authentication in outlook
From: Andrew Diederich (andrewdied gmail.com)
Date: Wed May 31 2006 - 13:55:39 CDT
On 5/31/06, Victor Duchovni <Victor.Duchovni morganstanley.com> wrote:
> On Wed, May 31, 2006 at 11:30:53AM -0600, Andrew Diederich wrote:
> > I used smtpd_tls_CApath, which I believe does the same thing.
>
> Your impression is not correct. It works the same for *verification*,
> of presented certificates, but not for requesting CA certificates.
<snip>
> With luck, you may reach a different conclusion if you don't deviate
> from the documented approach:
>
> To receive a remote SMTP client certificate, the Postfix SMTP server must
> explicitly ask for one (any contents of $smtpd_tls_CAfile are also sent
> to the client as a hint for choosing a certificate from a suitable CA).
Ok. I turned on smtpd_tls_CAfile and reloaded.
smtpd_tls_CAfile = /etc/postfix/CAfile.pem
smtpd_tls_CApath = /etc/postfix/CAdir
smtpd_tls_ask_ccert = yes
It looks like Outlook is still not sending the certificate. The cert
is identified in the S/MIME settings in Outlook, which is as close as
I could find to put it. The difference in logs between Opera
(working) and Outlook (not working) is this attr_clnt_connect line.
It is not present in Outlook, so I think Outlook still isn't
presenting the client cert.
May 31 12:31:32 tango postfix/smtpd[8421]: setting up TLS connection from example.com[10.1.1.1]
May 31 12:31:32 tango postfix/smtpd[8421]: attr_clnt_connect: connected to private/tlsmgr
May 31 12:31:32 tango postfix/smtpd[8421]: send attr request = seed
The fingerprint and CA aren't identified in the Outlook log, which was
another indication to me it wasn't presenting the client cert to
postfix.
Thanks for the tip on smtpd_tls_CAfile, though as far as I can tell
it's still an Outlook issue.
--
Andrew Diederich
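
An added example, not part of the original thread: one way to check from the client side whether the server's certificate request carries the CA hint list that smtpd_tls_CAfile is documented to send, by parsing saved `openssl s_client` output. The host name, issuer name and both capture excerpts are constructed, and the second excerpt assumes no hint list is sent when only smtpd_tls_CApath is set.

```shell
#!/bin/sh
# Capture what the server advertises (host name is a placeholder):
#   openssl s_client -starttls smtp -connect mail.example.com:25 </dev/null >capture.txt

# Print the CA names from the server's certificate request, one per line.
# Prints nothing when s_client reported "No client certificate CA names sent".
ca_hints() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        /^---/ || /^Client Certificate Types/ || /^Requested Signature/ { in_list = 0 }
        in_list && NF { print }
    ' "$1"
}

# Succeed if issuer name $2 is among the CA names advertised in capture $1.
# The name must be written the way this OpenSSL build prints it.
issuer_advertised() {
    ca_hints "$1" | grep -Fxq -- "$2"
}

# Constructed s_client excerpts, not real captures.
with_cafile=$(mktemp)
capath_only=$(mktemp)
trap 'rm -f "$with_cafile" "$capath_only"' EXIT

cat >"$with_cafile" <<'EOF'
---
Acceptable client certificate CA names
/O=Example Org/CN=Example Root CA
/O=Example Org/CN=Example Mail CA
---
SSL handshake has read 2048 bytes and written 512 bytes
EOF

# Assumed output when only smtpd_tls_CApath is set (no hint list sent).
cat >"$capath_only" <<'EOF'
---
No client certificate CA names sent
---
SSL handshake has read 1536 bytes and written 512 bytes
EOF

client_issuer='/O=Example Org/CN=Example Mail CA'   # hypothetical issuer of the client cert
for capture in "$with_cafile" "$capath_only"; do
    if issuer_advertised "$capture" "$client_issuer"; then
        echo "client issuer is in the server's hint list"
    else
        echo "client issuer is NOT in the server's hint list"
    fi
done
```
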