RE: smtpd_tls_req_ccert and smtpd_tls_auth_only

From: Carlos Peón Costa (no email)
Date: Thu Sep 22 2005 - 10:57:19 EDT

  • Next message: mouss: "Re: virtual question"

    >... It's possible to use client certs without enforce tls?

    Reading carefully the docs its seems not possible

    "Please be aware, that this will inhibit TLS connections without a proper
    client certificate and that it makes sense only when non-TLS submission is
    disabled (smtpd_enforce_tls = yes). Otherwise, clients could bypass the
    restriction by simply not using STARTTLS at all."

    but I thing not using STARTTLS does not triggers permit_tls_clientcerts,
    permit_tls_all_clientcerts or check_ccert_access conditions.

    Looking at the source code, the reason seems to be another one:

         * Wrapper mode uses a dedicated port and always requires TLS.
         * XXX In non-wrapper mode, it is possible to require client certificate
         * verification without requiring TLS. Since certificates can be
         * only while TLS is turned on, this means that Postfix will happily
         * perform SMTP transactions when the client does not use the STARTTLS
         * command. For this reason, Postfix does not require client certificate
         * verification unless TLS is required.
        state->tls_context =
            tls_server_start(smtpd_tls_ctx, state->client,
                             state->name, state->addr, &(state->tls_info),
                           (var_smtpd_tls_req_ccert && state->tls_enforce_tls));

    but I don't understand it, tls_server_start seems to be used always on a tls

      * This is the actual startup routine for a new connection. We expect that
      * the SMTP buffers are flushed and the "220 Ready to start TLS" was sent
      * the client, so that we can immediately start the TLS handshake process.
    TLScontext_t *tls_server_start(SSL_CTX *server_ctx, VSTREAM *stream,
                                           int timeout, const char *peername,
                                           const char *peeraddr,
                                           tls_info_t *tls_info,
                                           int requirecert)

    Any idea if state->tls_enforce_tls condition can be removed?


  • Next message: mouss: "Re: virtual question"

    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs

    Powered By FreeBSD   Powered By FreeBSD