From 6987dcbd64f3d4b3c3c43a8fd96a03a0ce5b56eb Mon Sep 17 00:00:00 2001 From: Prefetch Date: Mon, 12 Sep 2022 21:46:01 +0200 Subject: Post "Revisiting my email server in 2022" --- content/blog/2020/email-server-extras.md | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'content/blog/2020/email-server-extras.md') diff --git a/content/blog/2020/email-server-extras.md b/content/blog/2020/email-server-extras.md index 72299c9..5a72a84 100644 --- a/content/blog/2020/email-server-extras.md +++ b/content/blog/2020/email-server-extras.md @@ -7,11 +7,13 @@ draft: false # -This sequel to my earlier [guide](/blog/2020/email-server/) discusses -extra tips and tricks to extend your email setup. -This page will be updated continuously as I come up with ideas. +This sequel to my post +"[Setting up an email server in 2020 with OpenSMTPD and Dovecot](/blog/2020/email-server/)" +gives extra tips and tricks to extend your email setup. +See also the sequel's sequel, +"[Revisiting my email server in 2022](/blog/2022/email-server-revisited/)". -Last updated 2020-04-29. +Last updated on 2022-09-12. ## General @@ -220,6 +222,13 @@ but I recommend against that for private servers: take a look at [this](https:// You can configure OpenSMTPD to request a client certificate for sending emails, as a second factor for authentication. +UPDATE: When I wrote this two years ago, it worked, +but now it doesn't anymore, and I can't figure out why. +It seems OpenSMTPD always rejects the client certificates for being self-signed, +even if they can manually be verified for our CA using the `openssl` tool. +I'm leaving this tutorial here for anyone who's interested, +but it's unlikely I'll fix it anytime soon. + #### Certificates 
@@ -314,7 +323,17 @@ enter again when importing the certificate into the client. -### Client certificates (instead of passwords) +### ~~Client certificates (instead of passwords)~~ + +UPDATE: Don't do this. +As said above, OpenSMTPD's certificate verification is a mystery, +so for all I know, if you follow the instructions in this subsection, +you might find yourself running an *open* SMTP relay! +That would be bad, because anyone on the Internet +could send emails through your server with zero authentication. +In theory, the client certificates act as authentication, +but, again, the verification process is mysterious, +so I'm just not confident enough to say. If you really want to, you can use the client certificates as a substitute for passwords. This is especially useful -- cgit v1.2.3
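Review bot: the UPDATE paragraph added under "You can configure OpenSMTPD to request a client certificate..." (the `@@ -220,6 +222,13 @@` hunk) reports that OpenSMTPD "always rejects the client certificates for being self-signed" but records none of the details a reader would need to reproduce or diagnose the failure. Since the tutorial below it is left in place, the note should at least state the OpenSMTPD version on which it last worked and the version on which it broke, and quote the exact rejection line from the mail log; "it seems" plus "I can't figure out why" gives a reader who hits the same wall nothing to compare against. Consider also moving the warning above the "#### Certificates" steps that follow, so nobody generates a CA and client certificates before reading that the verification step is known to fail.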
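Review bot: in the `@@ -314,7 +323,17 @@` hunk the new "UPDATE: Don't do this." paragraph warns that following this subsection may leave an open SMTP relay, yet the unchanged context lines right after it ("If you really want to, you can use the client certificates as a substitute for passwords. This is especially useful") still read as an invitation to proceed. Either drop the instructions that follow the warning, or tell the reader how to confirm they are not an open relay after applying them: from a host outside the server's networks, connect without presenting a client certificate and attempt to relay a message to an external address; the server must reject it. Without that check the warning is only a guess, as the paragraph itself admits ("so for all I know"). A small style point: the strikethrough in the heading (`### ~~Client certificates (instead of passwords)~~`) may change the heading's rendered text or anchor depending on the site generator, so verify that existing links to this section still resolve.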