Re: Postfix 2.2.10 and TLS with client certificates for relay

From: Alexander Hoogerhuis (alexhboxed.no)
Date: Tue Jul 11 2006 - 00:40:17 CDT


Victor Duchovni wrote:
> On Tue, Jul 11, 2006 at 06:58:25AM +0200, Alexander Hoogerhuis wrote:
>> I've got my postfix server to work so that it can allow clients with
>> valid certificates to relay, which makes it a lot easier for me instead
>> of making users remember yet another password.
>>
>> Currently I have to fingerprint every client certificate that should be
>> allowed to relay and manually update files, and it got me thinking. How
>> hard would it be for someone competent (that rules me out) to create
>> another smtpd-restriction that would automagically allow relaying if the
>> client certificate's email address (from the DN) matches any of the
>> domains in $virtual_mailbox_domains or $relay_domains?
>>
>
> Certificates that are issued for email addresses are usually intended
> for message signing, not TLS; the converse is also true. It is not clear
> to me that CAs signing CNs for TLS look closely at email addresses, or
> that CAs signing certs for message signing look closely at CNs.
>
> The typical approach on an MSA that wants to relay with TLS credentials
> is to issue all certs from a private-label CA, trust only that CA,
> and allow relaying for all clients with certs from a trusted CA.
>

The solution you describe would bar a server from serving both TLS
clients signed by a local CA for relaying and accepting TLS connections
from other servers though?

I am not saying everyone is careful in looking at what they sign, but
this would allow a postfix server to be able to accept both TLS
connections from other servers that are not signed by the local and
private CA, and have clients connect with certificates from the local
and private CA and allow relaying.

Or do I get it right that what you say would allow you to order a
certificate from a public CA, use my domain in the subject CN email
address and then relay through my machine? If that is the case, would it
be possible (and safe) to have a mechanism that would list the CAs
whose clients would be allowed to relay locally (so I can only list my
private CA, and those who I trust for relaying), making the overhead a
one-time operation per CA to be trusted and not a per-user operation?

-A :)
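The check asked about in this message, relaying only when the client certificate comes from a CA on a short trusted list and its e-mail address falls in one of the server's own domains, written as a Postfix SMTPD policy-service decision. This is an added example, not code from the thread: ccert_subject and ccert_issuer are the attribute names Postfix hands to policy servers, while the DN string format, the CA name and the domain list are constructed assumptions.

```python
# Added example (not from the thread): decide a Postfix policy request the way
# the message proposes: a listed private CA *and* an e-mail domain we relay for.
import re

# Assumed: CAs whose client certs may relay, and the domains from $relay_domains.
TRUSTED_RELAY_CAS = {"/C=NO/O=Example Private CA/CN=Example Relay CA"}  # constructed
RELAY_DOMAINS = {"example.no", "example.org"}                           # constructed


def parse_policy_request(text):
    """Parse the 'name=value' lines of one policy-service request into a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def email_from_dn(dn):
    """Extract the emailAddress attribute from a '/'-separated DN string (assumed format)."""
    match = re.search(r"/emailAddress=([^/]+)", dn)
    return match.group(1).lower() if match else None


def relay_decision(attrs):
    """Return 'OK' (permit relay) only for a trusted-CA cert whose e-mail domain is ours.

    Anything else returns 'DUNNO' so the remaining smtpd restrictions decide;
    a cert from a public CA therefore never unlocks relaying by itself.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("ccert_issuer") not in TRUSTED_RELAY_CAS:
        return "DUNNO"
    address = email_from_dn(attrs.get("ccert_subject", ""))
    if not address or "@" not in address:
        return "DUNNO"
    domain = address.rsplit("@", 1)[1]
    return "OK" if domain in RELAY_DOMAINS else "DUNNO"


# Constructed sample request of the kind Postfix sends to a policy server.
SAMPLE_REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
ccert_subject=/C=NO/O=Example Private CA/CN=alex/emailAddress=alex@example.no
ccert_issuer=/C=NO/O=Example Private CA/CN=Example Relay CA
recipient=someone@elsewhere.invalid
"""

if __name__ == "__main__":
    print(relay_decision(parse_policy_request(SAMPLE_REQUEST)))
```

Wire it in as a policy service named in smtpd_recipient_restrictions (for example via check_policy_service), placed before reject_unauth_destination so that an OK answer permits the relay.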