Postfix TLS with free CAcert.org certificates

1. Install Postfix with TLS

Since the Postfix 2.2 release, TLS support is built into Postfix itself, provided it was compiled in; earlier versions needed a separate TLS patch. See: http://www.postfix.org/TLS_README.html.

2. Get familiar with CAcert.org website

Go to https://www.cacert.org/, join CAcert.org and fill in your details; there is also a short description of the process on their site. You will get a mail back so that you can prove you are able to read mail at the address you provided. After logging in, add your domain; the service will then try to verify that you can read mail at one of the following addresses in that domain: root, hostmaster, postmaster, admin, webmaster, or an address found in the whois data of the domain. Only after the domain has been verified can you start adding server certificates for host names in that domain.

3. Create private TLS key and certificate request

A certificate signing request (CSR) carries your public key, to be signed by the certificate authority; the private key never leaves your machine. Creating both goes like this. (Note that the Common Name, which must be the host name of your mail server, is the only field CAcert.org keeps; all other fields are discarded from the issued certificate.)

$ su -
Password:

mkdir /etc/postfix/tls
chown root:root /etc/postfix/tls
chmod 0500 /etc/postfix/tls
cd /etc/postfix/tls
openssl req -nodes -newkey rsa:2048 -keyout privatekey.pem -out csr.pem

Generating a 2048 bit RSA private key
...++++++
........++++++
writing new private key to 'privatekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Uusimaa
Locality Name (eg, city) []:Porvoo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Petri Koistinen Home
Organizational Unit Name (eg, section) []:Desktop
Common Name (eg, YOUR name) []:joo.ath.cx
Email Address []:petri.koistinen@iki.fi

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

chown root:root /etc/postfix/tls/privatekey.pem
chmod 0400 /etc/postfix/tls/privatekey.pem
chown root:root /etc/postfix/tls/csr.pem
chmod 0400 /etc/postfix/tls/csr.pem

Private keys must belong to "root" and be readable only by root. Postfix loads private keys before dropping superuser privileges, so the unprivileged postfix user never needs to read them. The key was created with -nodes (unencrypted) because Postfix cannot type a passphrase at startup; the file permissions are its only protection.
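The same steps done non-interactively, as an added example that is not part of the original page: it generates the key and CSR with the host name in both the Common Name and a DNS subjectAltName (modern verifiers prefer, and browsers require, the name in the subjectAltName, so a CN-only certificate is not enough), then checks the request before it is sent. The host name joo.ath.cx is taken from the page, the -addext option needs OpenSSL 1.1.1 or newer, and a scratch directory stands in for /etc/postfix/tls so the script can be tried as an unprivileged user.

```sh
#!/bin/sh
# Added example (not from the original page): create the Postfix TLS key and
# CSR without the interactive prompts, and check the request before sending it.
# Assumptions: host name joo.ath.cx is taken from the page; -addext needs
# OpenSSL 1.1.1+; a scratch directory stands in for /etc/postfix/tls.
set -eu

# make_csr DIR HOST
#   Writes DIR/privatekey.pem (unencrypted: Postfix cannot type a passphrase,
#   hence -nodes) and DIR/csr.pem with HOST as both CN and DNS subjectAltName.
make_csr() {
    dir=$1 host=$2
    umask 077                        # new files are 0600 from the start
    mkdir -p "$dir"
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/privatekey.pem" -out "$dir/csr.pem" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 0400 "$dir/privatekey.pem" "$dir/csr.pem"
}

# csr_cn CSR
#   Fails if the CSR's self-signature does not verify (the request would be
#   corrupt or made with another key); otherwise prints its Common Name.
csr_cn() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_has_san CSR HOST  -> success if HOST is listed as a DNS subjectAltName
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_matches_csr KEY CSR
#   Compares the SHA-256 of the DER public key taken from both files; a
#   mismatch means the CSR was not generated from this private key.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl req -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Demo run; on a real host run this as root with the directory /etc/postfix/tls.
WORK=$(mktemp -d)
make_csr "$WORK" joo.ath.cx
echo "CN: $(csr_cn "$WORK/csr.pem")"
csr_has_san "$WORK/csr.pem" joo.ath.cx && echo "subjectAltName present"
key_matches_csr "$WORK/privatekey.pem" "$WORK/csr.pem" && echo "key matches CSR"
```

The key-to-CSR comparison is the check worth keeping around: when a certificate later fails to load in Postfix, the first question is whether the key file on disk is the one the certificate was issued for, and the same two pipelines answer it with the certificate in place of the CSR.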

4. Send your public key to be signed by the CAcert.org authority

Request a new server certificate from the CAcert.org web site. This howto assumes that you select a Class 1 certificate. When you are asked for the CSR, paste the content of /etc/postfix/tls/csr.pem into the box. It should look like this:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

You should also verify the content of the request (the -verify option checks the CSR's self-signature, so you know the key you hold matches the public key in the request) with

openssl req -in /etc/postfix/tls/csr.pem -text -verify -noout

before sending it.

5. Install server certificate

Copy the certificate from the web page into /etc/postfix/tls/cert.pem. Remember to do

chown root:postfix /etc/postfix/tls/cert.pem
chmod a=r /etc/postfix/tls/cert.pem

so that everybody can read it; a certificate is public data, only the private key needs protecting. Check the contents of this file with

openssl x509 -in /etc/postfix/tls/cert.pem -text -noout

At least the Validity dates and the Subject (the CN must be your mail server's host name) should be checked.

6. Get CAcert.org root certificate

If you run Debian or Ubuntu, have installed the ca-certificates package and selected the CAcert.org root certificate when configuring it, you can skip this part.

wget -nv https://www.cacert.org/certs/root.crt -O /etc/postfix/tls/root.crt
chown root:postfix /etc/postfix/tls/root.crt
chmod a=r /etc/postfix/tls/root.crt

Here is the CAcert.org root certificate. Note that if www.cacert.org serves a certificate issued by CAcert itself, wget cannot verify that connection until this root is installed, so the download alone cannot bootstrap trust; compare what you fetched against the copy below and, ideally, against a copy obtained through an independent channel.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You can examine the root certificate in detail with this command

openssl x509 -in /etc/postfix/tls/root.crt -text -noout

It is important that the root certificate is genuine and has not been tampered with. The output of that command should be the following (newer OpenSSL releases word some labels differently, for example "Public-Key:" instead of "RSA Public Key:", but the serial number, issuer, subject, validity dates, modulus and key identifiers must match exactly). The md5WithRSAEncryption signature is not a weakness here: a self-signed root is trusted because you installed it, not because of its own signature, which OpenSSL does not even check by default.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
                    e5:a1:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier: 
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points: 
                URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url: 
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url: 
                http://www.cacert.org/index.php?id=10
            Netscape Comment: 
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
        28:c7:ee:9c:82:02:ba:5c:80:12:ca:35:0a:1d:81:6f:89:6a:
        99:cc:f2:68:0f:7f:a7:e1:8d:58:95:3e:bd:f2:06:c3:90:5a:
        ac:b5:60:f6:99:43:01:a3:88:70:9c:9d:62:9d:a4:87:af:67:
        58:0d:30:36:3b:e6:ad:48:d3:cb:74:02:86:71:3e:e2:2b:03:
        68:f1:34:62:40:46:3b:53:ea:28:f4:ac:fb:66:95:53:8a:4d:
        5d:fd:3b:d9:60:d7:ca:79:69:3b:b1:65:92:a6:c6:81:82:5c:
        9c:cd:eb:4d:01:8a:a5:df:11:55:aa:15:ca:1f:37:c0:82:98:
        70:61:db:6a:7c:96:a3:8e:2e:54:3e:4f:21:a9:90:ef:dc:82:
        bf:dc:e8:45:ad:4d:90:73:08:3c:94:65:b0:04:99:76:7f:e2:
        bc:c2:6a:15:aa:97:04:37:24:d8:1e:94:4e:6d:0e:51:be:d6:
        c4:8f:ca:96:6d:f7:43:df:e8:30:65:27:3b:7b:bb:43:43:63:
        c4:43:f7:b2:ec:68:cc:e1:19:8e:22:fb:98:e1:7b:5a:3e:01:
        37:3b:8b:08:b0:a2:f3:95:4e:1a:cb:9b:cd:9a:b1:db:b2:70:
        f0:2d:4a:db:d8:b0:e3:6f:45:48:33:12:ff:fe:3c:32:2a:54:
        f7:c4:f7:8a:f0:88:23:c2:47:fe:64:7a:71:c0:d1:1e:a6:63:
        b0:07:7e:a4:2f:d3:01:8f:dc:9f:2b:b6:c6:08:a9:0f:93:48:
        25:fc:12:fd:9f:42:dc:f3:c4:3e:f6:57:b0:d7:dd:69:d1:06:
        77:34:0a:4b:d2:ca:a0:ff:1c:c6:8c:c9:16:be:c4:cc:32:37:
        68:73:5f:08:fb:51:f7:49:53:36:05:0a:95:02:4c:f2:79:1a:
        10:f6:d8:3a:75:9c:f3:1d:f1:a2:0d:70:67:86:1b:b3:16:f5:
        2f:e5:a4:eb:79:86:f9:3d:0b:c2:73:0b:a5:99:ac:6f:fc:67:
        b8:e5:2f:0b:a6:18:24:8d:7b:d1:48:35:29:18:40:ac:93:60:
        e1:96:86:50:b4:7a:59:d8:8f:21:0b:9f:cf:82:91:c6:3b:bf:
        6b:dc:07:91:b9:97:56:23:aa:b6:6c:94:c6:48:06:3c:e4:ce:
        4e:aa:e4:f6:2f:09:dc:53:6f:2e:fc:74:eb:3a:63:99:c2:a6:
        ac:89:bc:a7:b2:44:a0:0d:8a:10:e3:6c:f2:24:cb:fa:9b:9f:
        70:47:2e:de:14:8b:d4:b2:20:09:96:a2:64:f1:24:1c:dc:a1:
        35:9c:15:b2:d4:bc:55:2e:7d:06:f5:9c:0e:55:f4:5a:d6:93:
        da:76:ad:25:73:4c:c5:43

7. c_rehash will let OpenSSL know about CAcert.org root certificate

I hope the CAcert.org root certificate will some day be shipped with OpenSSL by default, but in the meanwhile we need to add it ourselves. Finding where OpenSSL stores root certificates can be a little tricky. On Debian (or Ubuntu) the directory is /usr/lib/ssl/certs, which is a symlink to /etc/ssl/certs. You can install it like this: (Debian ca-certificates users must not do this; the package manages that directory.)

cp /etc/postfix/tls/root.crt /usr/lib/ssl/certs/CAcert.org_Root_Certificate.pem
c_rehash /usr/lib/ssl/certs

In case you don't have the c_rehash perl script you can download it here. I hope it works.

After installing the root certificate, test the installation like this:

petri@dsl-prvgw1nf5:/etc/postfix/tls$ openssl verify /etc/postfix/tls/cert.pem 
/etc/postfix/tls/cert.pem: OK

If the installation failed, you will probably get a message like this:

petri@dsl-prvgw1nf5:/etc/postfix/tls$ openssl verify /etc/postfix/tls/cert.pem 
/etc/postfix/tls/cert.pem: /CN=joo.ath.cx
error 20 at 0 depth lookup:unable to get local issuer certificate

8. Configure Postfix main.cf file

Add this configuration to /etc/postfix/main.cf (or wherever your main.cf lives).

# TLS PART START

smtp_tls_CAfile = /etc/postfix/tls/root.crt
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_loglevel = 1

smtpd_tls_CAfile = /etc/postfix/tls/root.crt
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_key_file = /etc/postfix/tls/privatekey.pem
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

# TLS PART END

Debian ca-certificates users should do the same, except that these lines point at the system bundle:

...
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
...
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
...

Make sure that $data_directory is set (it has had a default since Postfix 2.5). Note that both security levels are "may": TLS is used when the peer offers it, and the result of certificate verification is logged but not enforced, so mail still flows when verification fails.

You (and I) should probably learn how to add root certificates other than CAcert.org's too. By the way, btree databases need Berkeley DB support.

9. Test installation

First test your own server: run "telnet localhost 25", say "EHLO localhost" and check that the capability list includes "STARTTLS". If it does, say "STARTTLS", check what the server replies (it should answer "220 2.0.0 Ready to start TLS") and check what the Postfix log files say.

Next, send a message between two servers that both support TLS and have the CAcert.org root certificate installed. The receiving server's mail log should look like this:

Oct 16 17:18:23 dsl-prvgw1ib8 postfix/smtpd[2921]: connect from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:18:23 dsl-prvgw1ib8 postfix/smtpd[2921]: setting up TLS connection from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: fingerprint=C9:54:81:FB:D4:05:05:32:CA:1C:8D:0B:C8:7E:58:E2
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: Verified: subject_CN=joo.ath.cx, issuer=CA Cert Signing Authority
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: TLS connection established from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: 19EB52019D88D: client=dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]

And the received message should carry a Received header like this:

Received: from dsl-prvgw1nf5.dial.inet.fi (dsl-prvgw1nf5.dial.inet.fi [80.223.61.245])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client CN "joo.ath.cx", Issuer "CA Cert Signing Authority" (verified OK))
    by dsl-prvgw1ib8.dial.inet.fi (Postfix) with ESMTP id 19EB52019D88D
    for <petri@juu.ath.cx>; Sat, 16 Oct 2004 17:18:24 +0300 (EEST)

Everything should be done now. Please note that if the receiver's server does not have the CAcert.org root certificate installed, the header will look like this:

    ...
    (Client CN "joo.ath.cx", Issuer "CA Cert Signing Authority" (not verified))
    ...

Perhaps you could ask nicely if CAcert.org root certificate could be installed on receiving server.

Even if your certificate is not verified, your mail will still be delivered, provided the receiving server accepts it. "Not verified" means the servers do not trust each other through a Certificate Authority (CA) common to both parties. Without verification the traffic is still encrypted, so a passive eavesdropper cannot read it, but you cannot know whether you are talking to the intended server or to an attacker relaying the connection in between. For more information see for example the Wikipedia article on the man-in-the-middle attack: http://en.wikipedia.org/wiki/Man-in-the-middle_attack
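Two checks for this section, as an added example that is not part of the original page: a STARTTLS probe from the outside that verifies the server certificate against a CA file, and a small summary of what the Postfix mail log says about each inbound TLS session. The sample log is constructed from the lines shown above plus one line in the newer single-line format that later Postfix releases write; the host name and CA file passed to starttls_check are yours to supply.

```sh
#!/bin/sh
# Added example (not from the original page): an external STARTTLS check and a
# summary of what the Postfix mail log says about each TLS session.  The sample
# log mixes the lines shown on this page with one constructed newer-style line;
# host and CA-file arguments to starttls_check are yours to supply.
set -eu

# starttls_check HOST CAFILE
#   Opens an SMTP session, upgrades it with STARTTLS and has OpenSSL verify the
#   server certificate against CAFILE and HOST (-verify_hostname needs
#   OpenSSL 1.1.0+).  Succeeds only when chain and host name both check out,
#   which is stricter than the "(verified OK)" in a Received header.
starttls_check() {
    openssl s_client -starttls smtp -connect "$1:25" \
        -CAfile "$2" -verify_hostname "$1" </dev/null 2>/dev/null \
      | grep -q 'Verify return code: 0 (ok)'
}

# tls_summary
#   Reads mail log lines on stdin and prints one line per smtpd process:
#   "<pid> <client> <status> <protocol> <cipher>", status being one of
#   verified / trusted / untrusted / anonymous / unverified.
tls_summary() {
    awk '
    match($0, /postfix\/smtpd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 14, RLENGTH - 15)
    }
    # Postfix 2.x (as on this page) logged the verification on its own line
    /Verified: subject_CN=/ { verified[pid] = 1 }
    / TLS connection established from / {
        status = "unverified"
        if      ($0 ~ /Untrusted TLS connection/) status = "untrusted"
        else if ($0 ~ /Trusted TLS connection/)   status = "trusted"
        else if ($0 ~ /Verified TLS connection/)  status = "verified"
        else if ($0 ~ /Anonymous TLS connection/) status = "anonymous"
        else if (pid in verified)                 status = "verified"
        sub(/.*established from /, "")
        client = $1; sub(/:$/, "", client)
        sub(/^[^ ]* /, "")         # leaves "TLSv1 with cipher NAME (bits)"
        print pid, client, status, $1, $4
    }'
}

# received_tls_state
#   Reads one Received header (folded lines joined) on stdin and prints how
#   the receiving Postfix classified the session, as described in the text.
received_tls_state() {
    hdr=$(cat)
    case $hdr in
        *"(verified OK)"*)   echo verified ;;
        *"(not verified)"*)  echo not-verified ;;
        *"(using TLS"*)      echo encrypted-no-cert ;;
        *)                   echo cleartext ;;
    esac
}

# Constructed sample: the five page lines for pid 2921, plus one line in the
# newer single-line format that later Postfix releases write.
sample_log() {
    cat <<'EOF'
Oct 16 17:18:23 dsl-prvgw1ib8 postfix/smtpd[2921]: connect from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:18:23 dsl-prvgw1ib8 postfix/smtpd[2921]: setting up TLS connection from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: Verified: subject_CN=joo.ath.cx, issuer=CA Cert Signing Authority
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: TLS connection established from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: 19EB52019D88D: client=dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:20:01 dsl-prvgw1ib8 postfix/smtpd[3001]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
EOF
}

# Demo: summarise the sample; pass a host (and optionally a CA file) to also
# run the live check, e.g.  sh this.sh joo.ath.cx /etc/postfix/tls/root.crt
sample_log | tls_summary
if [ $# -ge 1 ]; then
    if starttls_check "$1" "${2:-/etc/postfix/tls/root.crt}"; then
        echo "$1: STARTTLS certificate verified"
    else
        echo "$1: STARTTLS certificate NOT verified"
    fi
fi
```

Run the summary over a real log with "tls_summary < /var/log/mail.log" once the functions are sourced; the "anonymous" and "untrusted" rows are the peers that could not be verified, which is exactly the "(not verified)" case discussed above seen from the log side.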

10. Extra: Practical usage scenario: Road warrior and Secure SMTP Relay Server

Scenario

Here is a way to allow relaying based on TLS certificate trust rather than the usual IP address trust (see the mynetworks option).

Client (x40.daemon.fi) configuration in main.cf:

myhostname = x40.daemon.fi
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = loopback-only
relayhost = daemon.fi:submission

# TLS PART START

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/postfix/tls/cert.pem
smtp_tls_key_file = /etc/postfix/tls/privatekey.pem
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level = fingerprint
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
smtp_tls_fingerprint_digest = sha1
# This must match the relayhost. It is the fingerprint of the shell.daemon.fi certificate.
smtp_tls_fingerprint_cert_match = D2:2A:C6:BE:25:B5:2C:30:90:C9:3D:ED:51:CB:8B:1C:92:AF:C1:0E

# With inet_interfaces = loopback-only this smtpd serves only localhost, so securing that connection is pretty pointless
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_key_file = /etc/postfix/tls/privatekey.pem
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# TLS PART END

Server (shell.daemon.fi) configuration

master.cf addition:

submission inet n       -       -       -       -       smtpd
	-o smtpd_tls_req_ccert=yes
	-o smtpd_tls_security_level=encrypt
	-o smtpd_tls_fingerprint_digest=sha1
	-o smtpd_relay_restrictions=$submission_cert_access
	-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
	-o smtpd_tls_mandatory_ciphers=high

main.cf addition:

submission_cert_access = check_ccert_access hash:/etc/postfix/cert-access, reject

Content of /etc/postfix/cert-access:

# This must match the client cert. It is the fingerprint of the x40.daemon.fi certificate.
DA:7A:18:8D:ED:F1:5F:4F:0A:46:BC:60:3B:BB:5E:A9:61:3E:6D:F7 OK
# add here multiple client certs

Remember to do

postmap /etc/postfix/cert-access

Getting the certificate fingerprint

root@shell:~# openssl x509 -noout -fingerprint -sha1 -in /etc/postfix/tls/cert.pem
SHA1 Fingerprint=D2:2A:C6:BE:25:B5:2C:30:90:C9:3D:ED:51:CB:8B:1C:92:AF:C1:0E
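The same derivation, as an added example that is not part of the original page, using SHA-256 instead of the SHA-1 shown above: SHA-1 is deprecated for this purpose and Postfix 3.6 made sha256 the default for smtp_tls_fingerprint_digest and smtpd_tls_fingerprint_digest, so the digest named in master.cf and main.cf must match the one used here. It also produces the public-key fingerprint, which check_ccert_access accepts as an alternative key since Postfix 2.9, and shows that the certificate fingerprint is nothing more than a digest of the DER bytes. The throwaway self-signed certificate and the host name x40.daemon.fi are placeholders for the real client certificate.

```sh
#!/bin/sh
# Added example (not from the original page): derive the keys that
# check_ccert_access looks up, using SHA-256 rather than the SHA-1 on the page.
# Assumptions: a throwaway self-signed certificate stands in for the real
# client certificate; x40.daemon.fi is the placeholder host name.
set -eu

# cert_fingerprint CERT DIGEST -> "AB:CD:..." digest of the DER-encoded
# certificate, exactly what Postfix logs and matches for a client cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -"$2" | sed 's/^.*=//'
}

# der_digest CERT DIGEST -> the same value computed by hand, to show that the
# fingerprint is just a digest of the certificate's DER bytes.
der_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst -"$2" -c \
      | sed 's/^.*= *//' | tr a-f A-F
}

# pubkey_fingerprint CERT DIGEST -> digest of the SubjectPublicKeyInfo.
# Postfix 2.9+ also looks this up in the access map; it keeps matching after
# the client renews its certificate with the same key pair.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -"$2" -c | sed 's/^.*= *//' | tr a-f A-F
}

# access_map_lines CERT DIGEST -> entries for /etc/postfix/cert-access
# (run "postmap /etc/postfix/cert-access" after appending them).
access_map_lines() {
    printf '# %s\n%s OK\n%s OK\n' \
        "$(openssl x509 -in "$1" -noout -subject)" \
        "$(cert_fingerprint "$1" "$2")" "$(pubkey_fingerprint "$1" "$2")"
}

# Demo with a throwaway certificate; on the relay server point CERT at the
# client certificate the road warrior sends you.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=x40.daemon.fi' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
access_map_lines "$WORK/cert.pem" sha256
```

With sha256 here, set -o smtpd_tls_fingerprint_digest=sha256 in the submission entry and smtp_tls_fingerprint_digest = sha256 on the client, and paste the 32-byte fingerprint into smtp_tls_fingerprint_cert_match; a digest mismatch between the map and the daemon silently turns every lookup into a miss.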

Conclusion

With the help of these instructions you can enable mail relaying for certain users who present a verifiable certificate with a certain fingerprint. It does not matter from which IP address the relay client connects, which makes this useful for mobile users. Note that this uses the submission port 587/tcp on the server side, which is far more commonly reachable from client networks than the ordinary 25/tcp SMTP port. See RFC 6409 for more info. Note also that smtpd_tls_req_ccert=yes requires the client certificate to verify against smtpd_tls_CAfile in addition to the fingerprint match; for a client certificate from a CA you do not ship in that file, use smtpd_tls_ask_ccert=yes instead and let check_ccert_access do the pinning.

11. Please provide feedback about this document

You can provide feedback about this document to me: petri.koistinen@iki.fi. All feedback is welcome, whether it's about tiny typos or major misconceptions. Don't be afraid to ask anything and don't worry about flooding my mailbox; so far I have only got 20 replies by email. If you just got TLS working with the help of this document, drop me a line or send me a message on IRC; details are on the front page of my home pages. You might also be interested in my spam filtering configuration for Postfix.

And remember that this doesn't provide end-to-end security for email, but it helps a bit.


Document author: Petri T. Koistinen. Document last modified: Tuesday, 25-Aug-2015 14:53:21 EEST
Please, use this permanent URL for linking to this document: http://www.iki.fi/petri.koistinen/postfix/postfix-tls-cacert.shtml