Postfix logs warning about "smtpd_tls_ask_ccert = no"
Topic: Postfix logs warning about "smtpd_tls_ask_ccert = no" (Read 5258 times)
jassonmc (Newbie, Posts: 24, Karma: 0)
Postfix logs warning about "smtpd_tls_ask_ccert = no"
on: August 26, 2020, 11:32:16 am
Hi all
My setup:
OPNsense 20.7.1 running as Hyper-V vm
Installed plug-ins:
- acme-client v1.35
- c-icap v1.7
- clam-av v1.7
- haproxy v2.23
- postfix v1.15
- redis v1.1
- rspamd v1.9
Postfix is configured as MX for several domains.
Postfix logs the following warning when selected smtp servers connect:
warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
The warning therefore does not come up with all smtp inbound connections, but with some.
Is this something I should worry about?
Cheers
Juri
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: Postfix logs warning about "smtpd_tls_ask_ccert = no"
Reply #1 on: August 26, 2020, 12:14:23 pm
http://www.postfix.org/postconf.5.html#permit_tls_clientcerts
permit_tls_clientcerts
Permit the request when the remote SMTP client certificate fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5).
This feature requires "smtpd_tls_ask_ccert = yes" and is available with Postfix version 2.2 and later.
So it's up to you and depends on your requirements for certificate-based mail relaying.
jassonmc (Newbie, Posts: 24, Karma: 0)
Re: Postfix logs warning about "smtpd_tls_ask_ccert = no"
Reply #2 on: August 27, 2020, 02:49:51 pm
@Fright
Thanks for the info.
I've read it and still didn't understand it.
Does that setting define the possibility for a mutual 2-way certificate check?
As it is right now, the mail transfer is already encrypted via STARTTLS, but of course the other party is not cryptographically verified and could be anybody.
Is that the point?
If yes, is there a way to enable that setting in the postfix plugin?
Thanks for clarification.
Cheers
Juri
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: Postfix logs warning about "smtpd_tls_ask_ccert = no"
Reply #3 on: August 27, 2020, 03:09:39 pm
If Postfix wants to receive a client cert, Postfix must explicitly ASK (but not require) for one.
So smtpd_tls_ask_ccert should be "yes"
or, if you want to REQUIRE a client cert:
smtpd_tls_req_ccert yes
Better read
http://www.postfix.org/TLS_README.html
Enabling client certs may be painful.
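As an added example (not from this thread and not part of the OPNsense postfix plugin), a small shell lint that reproduces the check behind the warning quoted above: it flags a configuration that lists permit_tls_clientcerts in any smtpd_*_restrictions parameter while smtpd_tls_ask_ccert is not "yes". The two sample configurations and the relay_clientcerts path are constructed; real input would be main.cf or the output of "postconf -n".

```shell
#!/bin/sh
# Lint a Postfix configuration for the mismatch that triggers
#   warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
# Usage: postconf -n | check_ccert_config && echo consistent || echo mismatch

# Postfix continues a parameter onto following lines that start with
# whitespace; fold those onto the parameter's line so each parameter is one line.
join_continuations() {
    awk 'NR > 1 && !/^[ \t]/ { print line; line = "" }
         { sub(/^[ \t]+/, " "); line = line $0 }
         END { if (line != "") print line }'
}

# Returns 0 when the configuration is consistent, 1 when the warning would fire.
check_ccert_config() {
    conf=$(join_continuations)
    # Is permit_tls_clientcerts requested in any smtpd restriction list at all?
    if ! printf '%s\n' "$conf" \
        | grep -Eq '^smtpd_[a-z_]*restrictions[[:space:]]*=.*permit_tls_clientcerts'; then
        return 0   # feature not requested, nothing to check
    fi
    # Postfix takes the last assignment of a parameter, so do the same here.
    ask=$(printf '%s\n' "$conf" \
        | sed -n 's/^smtpd_tls_ask_ccert[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    [ "$ask" = "yes" ]
}

# Constructed sample: the situation from the thread (the warning fires).
SAMPLE_WARNING='smtpd_tls_security_level = may
smtpd_tls_ask_ccert = no
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject_unauth_destination'

# Constructed sample: same policy, but the server now asks for a client cert
# and has a (hypothetical) fingerprint table to match it against.
SAMPLE_FIXED='smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination'
```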