23.7 Legacy Series / How can I enable client cert validation, so remote MTA can verify?
« on: December 20, 2023, 05:06:30 pm »
Hello there
I'm using OPNsense with the Postfix plugin as a mail gateway.
We have a secure mail provider here in Switzerland called IncaMail.
They require us to have our MTA provide a client certificate to their receiving MTA when we send mails to them.
You can easily check it by sending a mail to mta@check.incamail.ch, which sends back its findings about receiving and sending capabilities of your own MTA, the OPNsense in that case, of course.
The first part of the answer, which is sending from the OPNsense to the MTA of check.incamail.ch, tells me that there is no client certificate.
The second part is the other way around, where the MTA of check.incamail.ch is sending a mail to the OPNsense, which works as it should.
How can I provide a client certificate to the MTA of check.incamail.ch?
I've read that enabling "smtpd_tls_ask_ccert = yes" should not be used in general, as it could break legitimate mail transfer with sendmail MTAs.
Would there be a solution around "smtp_tls_policy_maps"?
If yes, what should that policy map look like, and how can I tell OPNsense to use it, as it is probably a bad idea to directly modify postfix main.cf?
Thanks for any hint
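Two points the question turns on: in Postfix the `smtpd_*` parameters (such as `smtpd_tls_ask_ccert`) govern inbound connections to your own server, while outbound delivery is governed by the `smtp_*` client parameters. The client certificate is therefore a global outbound setting (`smtp_tls_cert_file` / `smtp_tls_key_file`); Postfix presents it whenever the remote MTA requests one during the TLS handshake, and `smtp_tls_policy_maps` only pins the security level (and matching rules) per destination. The following audit script is an added example, not code from the post or from the OPNsense Postfix plugin: it parses a `main.cf` and a hash-style policy table and reports what would stop a client certificate from being presented to a given next-hop domain. All file paths and the sample configurations are constructed for the example; where the OPNsense plugin surfaces these settings is not covered here.

```python
"""Audit a Postfix outbound-TLS setup for client-certificate readiness.

Added example, not code from the forum post or the OPNsense Postfix plugin.
It assumes main.cf and a hash:/texthash: smtp_tls_policy_maps file are
available as text; the paths and sample contents below are constructed.
"""

# Parameters that only affect inbound (smtpd) connections.
INBOUND_ONLY = ("smtpd_tls_ask_ccert", "smtpd_tls_req_ccert")


def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            last = key.strip()
            params[last] = value.strip()
    return params


def parse_policy_map(text):
    """Parse '<destination> <level> [attr=value ...]' lines of a TLS policy table."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        policy[parts[0].lower()] = (parts[1].lower(), attrs)
    return policy


def effective_policy(params, policy, destination):
    """Policy for a next-hop domain: exact key first, then parent-domain keys
    written with a leading dot (simplified model of Postfix's lookup order),
    otherwise the global smtp_tls_security_level (Postfix default: none)."""
    dest = destination.lower()
    if dest in policy:
        return policy[dest]
    labels = dest.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in policy:
            return policy[parent]
    return (params.get("smtp_tls_security_level", "none"), {})


def audit_client_cert(main_cf_text, policy_text, destination):
    """Return (effective level, list of findings) for mail sent to destination."""
    params = parse_main_cf(main_cf_text)
    policy = parse_policy_map(policy_text)
    findings = []

    # 1. The client certificate is a global smtp_* setting; Postfix offers it
    #    whenever the remote server asks for one during the handshake.
    cert, key = params.get("smtp_tls_cert_file"), params.get("smtp_tls_key_file")
    if not cert:
        findings.append("no smtp_tls_cert_file: Postfix has no client certificate to present")
    elif not key:
        findings.append("smtp_tls_key_file missing: a certificate without its key is unusable")

    # 2. smtpd_* parameters govern inbound mail only; they do not help outbound.
    for name in INBOUND_ONLY:
        if params.get(name, "no") == "yes":
            findings.append(f"{name}=yes affects inbound mail only, not delivery to {destination}")

    # 3. Effective security level for this destination.
    level, _attrs = effective_policy(params, policy, destination)
    have_ca = params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")
    if level == "none":
        findings.append(f"TLS disabled for {destination}: no handshake, so no client certificate")
    elif level in ("may", "encrypt"):
        findings.append(f"level '{level}' for {destination}: the remote certificate is not verified")
    elif level in ("verify", "secure") and not have_ca:
        findings.append(f"level '{level}' needs smtp_tls_CAfile or smtp_tls_CApath to verify {destination}")
    return level, findings


# Constructed sample inputs (paths are placeholders, not real OPNsense paths).
GOOD_MAIN_CF = """\
smtp_tls_security_level = may
smtp_tls_cert_file = /usr/local/etc/postfix/mta-client.pem
smtp_tls_key_file = /usr/local/etc/postfix/mta-client.key
smtp_tls_CAfile = /usr/local/etc/ssl/cert.pem
smtp_tls_policy_maps =
    hash:/usr/local/etc/postfix/tls_policy
smtpd_tls_ask_ccert = no
"""

BAD_MAIN_CF = """\
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
"""

POLICY = """\
# destination        level    attributes (constructed sample)
check.incamail.ch    secure   match=check.incamail.ch
.incamail.ch         secure   match=incamail.ch:.incamail.ch
"""

if __name__ == "__main__":
    for name, cf in (("good", GOOD_MAIN_CF), ("bad", BAD_MAIN_CF)):
        level, findings = audit_client_cert(cf, POLICY, "check.incamail.ch")
        print(f"[{name}] level={level}")
        for f in findings:
            print("  -", f)
```

Run against the "bad" sample the script reports three findings: no client certificate configured, `smtpd_tls_ask_ccert=yes` being an inbound-only knob, and a `may` level that does not verify the peer; the "good" sample yields level `secure` with no findings, which is the state in which Postfix will both verify check.incamail.ch and present its own certificate when asked.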