postfix
mib, 2016-12-09 16:10:50

How to disable authorization in postfix if there was an Anonymous TLS connection?

Hello,
I set up a dovecot + postfix bundle (according to this guide) and I want mail to be sent only if the mail client not only knows the username and password, but also has a certificate that was signed on the server with postfix.
In dovecot it works: I can't pick up mail if I don't have a certificate or it wasn't signed on my server. In postfix I went through a bunch of settings, but the absence of a certificate is ignored and the mail is sent.
master.cf:
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=Originating
I took the fingerprint of the client certificate and hashed it.
main.cf configuration (excerpt):
smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks, reject_non_fqdn_recipient, permit_tls_clientcerts, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient, permit
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_CAfile = /etc/ssl/ca.crt
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
21 = yes
relay_clientcerts = hash:/etc/postfix/fingerprints
smtpd_tls_fingerprint_digest = sha1
smtpd_relay_restrictions =
    check_recipient_access hash:$config_directory/access,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
postfix/submission/smtpd[7765]: Trusted TLS connection established from ...
dovecot: auth: Debug: auth client connected (pid=0)
and then a correct login and the mail is sent.
Without a certificate:
postfix/submission/smtpd[7836]: Anonymous TLS connection established from ...
dovecot: auth: Debug: auth client connected (pid=0)
and then also a correct login and the mail is sent,
but in both cases it allows further SASL authorization. How to disable authorization if there was an Anonymous TLS connection?
Thanks
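
Why both sessions in the logs above end with the mail being sent, as an added example that is not part of the original post: a simplified Python model of Postfix's first-match restriction evaluation, applied to the submission overrides from the question. The function names, the sample fingerprint and the assumption that every presented certificate is CA-trusted are constructed for illustration; `smtpd_tls_req_ccert` is a Postfix parameter that does not appear in the posted configuration.

```python
# Simplified model (an assumption of this example) of Postfix access control:
# a restriction list is read left to right and the first entry that returns
# a decision ends the evaluation.

# The submission overrides from the question's master.cf.
AS_POSTED = ["permit_tls_clientcerts", "permit_sasl_authenticated", "reject"]
# Password only; the certificate is enforced during the TLS handshake instead.
SASL_ONLY = ["permit_sasl_authenticated", "reject"]

# Constructed fingerprint standing in for an entry of relay_clientcerts.
KNOWN_FP = "AA:BB:CC:DD"
RELAY_CLIENTCERTS = {KNOWN_FP}


def tls_handshake(ccert_fp, req_ccert):
    """Return the TLS state smtpd logs, or None when the handshake is refused.

    Assumption: a presented certificate is always signed by the trusted CA.
    smtpd_tls_ask_ccert only requests a certificate; smtpd_tls_req_ccert
    refuses the connection when none is presented.
    """
    if ccert_fp is None:
        return None if req_ccert else "Anonymous"
    return "Trusted"


def evaluate(restrictions, ccert_fp, sasl_ok):
    """Return (action, deciding_restriction) for one client."""
    for name in restrictions:
        if name == "permit_tls_clientcerts" and ccert_fp in RELAY_CLIENTCERTS:
            return "permit", name
        if name == "permit_sasl_authenticated" and sasl_ok:
            return "permit", name
        if name == "reject":
            return "reject", name
    return "dunno", None


def submit(restrictions, ccert_fp, sasl_ok, req_ccert=False):
    """Return (tls_state, action, deciding_restriction) for one session."""
    tls = tls_handshake(ccert_fp, req_ccert)
    if tls is None:
        return None, "handshake refused", None
    return (tls,) + evaluate(restrictions, ccert_fp, sasl_ok)
```

In this model the posted list accepts either credential on its own, while `smtpd_tls_req_ccert=yes` combined with a list that drops `permit_tls_clientcerts` accepts a session only when both the certificate and the SASL login are present.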
