The task: use the mail server at work to send mail from home. One solution is SASL authentication; this note describes the second one, authentication by client certificates.
It follows the Postfix TLS README and is essentially a free translation of it.
We have the following certificate tree:
Root Certificate
At home the Home Server Certificate is installed, at work the Work Server Certificate; on both machines the Root and Intermediate certificates are installed as well. Postfix at work requires the connecting machine to:
Whether a certificate is known to the server can be determined by several methods:
In our case the first one was used: permit_tls_clientcerts.
NOTE: permit_tls_clientcerts does not require the client certificate to be verified, that is, it need not be trusted (signed by a CA in $smtpd_tls_CAfile); the match is on the certificate fingerprint. We will set up verification anyway.
First of all, the certificates have to be generated.
To be added later.
The $smtpd_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is opened (with root privileges) before Postfix enters the optional chroot jail and so need not be accessible from inside the chroot jail.
Additional trusted CAs can be specified via the $smtpd_tls_CApath directory, in which case the certificates are read (with $mail_owner privileges) from the files in the directory when the information is needed. Thus, the $smtpd_tls_CApath directory needs to be accessible inside the optional chroot jail.
To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).
To receive a remote SMTP client certificate, the Postfix SMTP server must explicitly ask for one (any contents of $smtpd_tls_CAfile are also sent to the client as a hint for choosing a certificate from a suitable CA). Unfortunately, Netscape clients will either complain if no matching client certificate is available or will offer the user a list of certificates to choose from. Additionally some MTAs (notably some versions of qmail) are unable to complete TLS negotiation when client certificates are requested, and abort the SMTP session. So this option is “off” by default. You will however need the certificate if you want to use certificate based relaying with, for example, the permit_tls_clientcerts feature. A server that wants client certificates must first present its own certificate. While Postfix 2.3 by default offers anonymous ciphers to remote SMTP clients, these are automatically suppressed when the Postfix SMTP server is configured to ask for client certificates.
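As an added worked example (not part of the original note and not a script from the Postfix project), the POSIX shell script below builds the certificate tree described above (Root, Intermediate, Home and Work) with the openssl command line tool, assembles the $smtpd_tls_CAfile contents and the server certificate file in the order the README requires, checks that a client certificate chains to the trusted CAs the way the server will, computes the client certificate fingerprint in the form relay_clientcerts expects, and writes the main.cf settings that make permit_tls_clientcerts work. The subject names (Example Root CA, home.example.net, mail.example.com), the map comment home-laptop, the paths under /etc/postfix and the temporary output directory are assumptions; the settings assume a Postfix new enough to have smtpd_tls_fingerprint_digest (2.5 and later; older releases, including the 2.3 mentioned above, use md5 fingerprints only).

```shell
#!/bin/sh
# Added example: build the Root -> Intermediate -> Home/Work certificate tree
# with openssl and derive the Postfix files needed for permit_tls_clientcerts.
# All names and paths below are assumptions for illustration.
set -eu

# A minimal openssl config so the example does not depend on the system openssl.cnf.
write_cnf() {   # $1 = working directory
    cat > "$1/mini.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # extensions for the Intermediate CA (may only issue end-entity certificates)
    printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$1/ca.ext"
    # extensions for the Home and Work certificates (usable as TLS client and server)
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = clientAuth,serverAuth' > "$1/leaf.ext"
}

# Create a key and CSR for $2 with subject $3, then sign it with CA $4 using extensions $5.
issue() {       # $1 = dir, $2 = name, $3 = subject, $4 = issuing CA name, $5 = extension file
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "$3" -config "$1/mini.cnf"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$1/$5" -out "$1/$2.crt"
}

build_tree() {  # $1 = output directory
    write_cnf "$1"
    # Root Certificate: self-signed
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/root.key" -out "$1/root.crt" \
        -subj "/CN=Example Root CA" -days 3650 -sha256 -config "$1/mini.cnf"
    # Intermediate Certificate, signed by Root
    issue "$1" intermediate "/CN=Example Intermediate CA" root ca.ext
    # Home Server Certificate and Work Server Certificate, signed by Intermediate
    issue "$1" home "/CN=home.example.net" intermediate leaf.ext
    issue "$1" work "/CN=mail.example.com" intermediate leaf.ext
    # $smtpd_tls_CAfile contents: the trusted CAs installed on both machines
    cat "$1/root.crt" "$1/intermediate.crt" > "$1/cafile.pem"
    # Server certificate file in the order the README requires:
    # the server certificate first, then the issuing CA(s)
    cat "$1/work.crt" "$1/intermediate.crt" "$1/root.crt" > "$1/work-chain.pem"
}

# Prints OK when certificate $2 chains to a CA in $1, otherwise FAIL: the check the
# server performs against smtpd_tls_CAfile when a client certificate arrives.
verify_against() {  # $1 = CA file, $2 = certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Fingerprint in the colon-separated form relay_clientcerts expects; the digest ($2)
# must match smtpd_tls_fingerprint_digest. openssl prints "SHA256 Fingerprint=AB:CD:...".
cert_fingerprint() {  # $1 = certificate, $2 = digest (sha256, sha1, md5)
    openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# Write the relay_clientcerts source file and the matching main.cf settings for the
# work server. The text after the fingerprint in the map is a free-form comment.
write_postfix_config() {  # $1 = dir
    fp=$(cert_fingerprint "$1/home.crt" sha256)
    printf '%s home-laptop\n' "$fp" > "$1/relay_clientcerts"
    cat > "$1/main.cf.fragment" <<EOF
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/work-chain.pem
smtpd_tls_key_file = /etc/postfix/work.key
smtpd_tls_CAfile = /etc/postfix/cafile.pem
# ask the client for its certificate; without this permit_tls_clientcerts never matches
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
    reject_unauth_destination
EOF
}

# Stand-alone run: build everything in a temporary directory and show the results.
if [ "${1:-}" = "run" ]; then
    D=$(mktemp -d)
    build_tree "$D"
    echo "home.crt against Root+Intermediate: $(verify_against "$D/cafile.pem" "$D/home.crt")"
    echo "home.crt against Root only:         $(verify_against "$D/root.crt" "$D/home.crt")"
    write_postfix_config "$D"
    cat "$D/relay_clientcerts" "$D/main.cf.fragment"
fi
```

Run it as `sh script.sh run`. The second verification line shows why both Root and Intermediate have to be installed on each machine: with only Root in the CA file the Home certificate cannot be chained and fails. After copying the generated files into place on the work server, run `postmap /etc/postfix/relay_clientcerts` and `postfix reload`; on the home machine point smtp_tls_cert_file and smtp_tls_key_file at home.crt and home.key so the client actually presents its certificate when the server asks for it.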