I am expanding a number of single-tenant servers, each with a unique FQDN and its own copy of Postfix. These computers do not have reverse DNS / PTR records and must therefore forward their emails through a central relay server.
When I add the CIDRs for this client server to the $mynetworks variable in main.cf, everything works as expected on the relay server and the emails are forwarded and delivered properly. However, to ensure greater security and to easily revoke access to a compromised server, each client server must have a unique client certificate signed by a private certificate authority that is managed on the relay server.
NB: The relay server is an older box, CentOS7 with Postfix v2.6, while the client servers are CentOS8 and Postfix v3.3.
I used the following command list to generate the certification authority on the relay server …
openssl genrsa -des3 -out /etc/ssl/CA/my_ca.key 2048
openssl req -x509 -new -nodes -key /etc/ssl/CA/my_ca.key -sha256 -days 365 -out /etc/ssl/CA/my_ca.pem
If I am not missing anything, this went as expected.
Next I created the first certificate, CSR and signed certificate, for one of my client servers …
openssl genrsa -out /etc/ssl/clients/client1.key 2048
openssl req -new -key /etc/ssl/clients/client1.key -out /etc/ssl/clients/client1.csr
openssl x509 -req -in /etc/ssl/clients/client1.csr -CA /etc/ssl/CA/my_ca.pem -CAkey /etc/ssl/CA/my_ca.key -CAcreateserial -out /etc/ssl/clients/client1.crt -days 365 -sha256
main.cf on my relay server is as follows:
(Ignore the SASL stuff; that is for older connections within the private subnet, where the client servers are not.)
inet_interfaces = all
inet_protocols = all
myhostname = relayserver.my.domain
mydomain = my.domain
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 10.0.0.0/8, ....
in_flow_delay = 0
unknown_local_recipient_reject_code = 550
luser_relay = root
alias_maps = hash:/etc/aliases
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_tls_cert_file = /etc/postfix/my.domain.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
pwcheck_method = saslauthd
mech_list = PLAIN LOGIN
saslauthd_path = /var/run/saslauthd/mux
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/CA/my_ca.pem
tls_append_default_CA = no
smtpd_relay_restrictions = permit_sasl_authenticated, permit_tls_all_clientcerts
I copied the signed certificate from the relay server, on which it was generated and signed with my certification authority, to the client server and added the appropriate settings:
# Mail Relay
smtp_tls_cert_file = /etc/postfix/client1.crt
smtp_tls_key_file = /etc/postfix/client1.key
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
relayhost = [relayserver.my.domain]:587
(If you need to see other settings, let me know and I'll deploy them just to remove static.)
With this setup and the proper restart of all services on both computers, the client computer does what it should: it connects to the relay server, tries to authenticate, and then receives a sender non-delivery notification.
The following errors are displayed on the relay server side:
postfix/smtpd[23830]: connect from client.domain.tld[xx.xx.xx.xx]
postfix/smtpd[23830]: certificate verification failed for client.domain.tld[xx.xx.xx.xx]: untrusted issuer /C=CA/ST=Here/L=There/O=MyCo/OU=OPS/CN=mydomain.tld/emailAddress=firstname.lastname@example.org
My understanding was that by setting smtp_tls_CAfile to my CA's .pem, all client certificates signed by it would be validated when they authenticate. But the specific error, untrusted issuer, doesn't make sense, since it shouldn't validate the CA, just that it signed the client certificate … am I wrong here?
Any help would be appreciated!
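Added example, not part of the original question or of Postfix itself: a small shell lint for the relay-side main.cf that checks the settings a client-certificate relay depends on. It relies on two Postfix facts: the SMTP server (the smtpd_* side) verifies client certificates against smtpd_tls_CAfile / smtpd_tls_CApath, not smtp_tls_CAfile (which only affects outbound connections), and it only requests a client certificate when smtpd_tls_ask_ccert = yes. The CA path /etc/ssl/CA/my_ca.pem is the one from the question; the sample config excerpts are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): lint the relay-side main.cf for the
# settings a client-certificate relay depends on. Postfix facts relied on: the SMTP
# server (smtpd_*) verifies client certificates against smtpd_tls_CAfile/CApath, not
# smtp_tls_CAfile (outbound only), and only asks for one when smtpd_tls_ask_ccert = yes.
# The CA path /etc/ssl/CA/my_ca.pem is the one from the post.

# get_param FILE NAME -> value of NAME in FILE (last definition wins, as in Postfix)
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_relay_config FILE PRIVATE_CA -> one line per finding; exit status = number of findings
check_relay_config() {
    f=$1; ca=$2; n=0
    case "$(get_param "$f" smtpd_relay_restrictions)" in
        *permit_tls_all_clientcerts*) ;;
        *) echo "smtpd_relay_restrictions lacks permit_tls_all_clientcerts"; n=$((n + 1)) ;;
    esac
    if [ "$(get_param "$f" smtpd_tls_ask_ccert)" != yes ]; then
        echo "smtpd_tls_ask_ccert is not yes: smtpd never requests a client certificate"; n=$((n + 1))
    fi
    if [ "$(get_param "$f" smtpd_tls_CAfile)" != "$ca" ]; then
        echo "smtpd_tls_CAfile is not the private CA $ca (smtp_tls_CAfile does not cover inbound client certs)"; n=$((n + 1))
    fi
    return $n
}

# write_sample FILE KIND -> constructed main.cf excerpts: 'posted' mirrors the relay config
# in the question, 'fixed' is the corrected version
write_sample() {
    if [ "$2" = posted ]; then
        printf '%s\n' 'smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt' \
            'smtp_tls_CAfile = /etc/ssl/CA/my_ca.pem' \
            'smtpd_relay_restrictions = permit_sasl_authenticated, permit_tls_all_clientcerts' > "$1"
    else
        printf '%s\n' 'smtpd_tls_ask_ccert = yes' \
            'smtpd_tls_CAfile = /etc/ssl/CA/my_ca.pem' \
            'smtpd_relay_restrictions = permit_sasl_authenticated, permit_tls_all_clientcerts' > "$1"
    fi
}

tmp=$(mktemp)
for kind in posted fixed; do
    write_sample "$tmp" "$kind"
    echo "== $kind =="; check_relay_config "$tmp" /etc/ssl/CA/my_ca.pem || echo "$? finding(s)"
done
rm -f "$tmp"
```

Running it prints two findings for the posted excerpt (no smtpd_tls_ask_ccert, and smtpd_tls_CAfile pointing at the system bundle instead of the private CA) and none for the corrected one.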