author | Prefetch | 2020-04-29 16:51:39 +0200
---|---|---
committer | Prefetch | 2020-04-29 16:51:39 +0200
commit | c575a00216d78f3b7668c25206fcebf1edaee759 (patch) |
tree | e6331824ba6eded16f5ce8c0f2119cb17e2a5cfc |
parent | 331ca51b7082d1837a584f8da75e5237c59c0b9e (diff) |
Fix mistakes with OpenSMTPD client certificates
-rw-r--r-- | content/blog/2020/email-server-extras.md | 25 |
-rw-r--r-- | content/blog/2020/email-server.md | 4 |
2 files changed, 9 insertions, 20 deletions
diff --git a/content/blog/2020/email-server-extras.md b/content/blog/2020/email-server-extras.md index cf3b597..9e18f34 100644 --- a/content/blog/2020/email-server-extras.md +++ b/content/blog/2020/email-server-extras.md @@ -8,7 +8,7 @@ This sequel to my earlier [guide](/blog/2020/email-server/) discusses extra tips and tricks to extend your email setup. This page will be updated continuously as I come up with ideas. -Last updated 2020-04-27. +Last updated 2020-04-29. ## General @@ -114,17 +114,10 @@ and will conclude that the recipient is invalid. ## OpenSMTPD -### Client certificates +### Client certificates (in addition to passwords) You can configure OpenSMTPD to request a client certificate -for sending emails, in addition to or as a subsitute for passwords. -In this guide I'll use it for subsitution. - -This is especially useful if you created a catch-all inbox, -since this approach allows you to send messages from arbitrary names, -as long as the client can present a valid certificate. -It also allows you to get rid of the awkward duplication -of user credentials between Dovecot and OpenSMTPD. +for sending emails, as a second factor for authentication. #### Creating certificates 
@@ -187,19 +180,15 @@ and declare it to OpenSMTPD by adding this near the top of the file: ca "mailca" cert "/etc/smtpd/mailca.crt" ``` Then replace the entire configuration for outbound mail as follows. -Note that this removes SMTPS support, leaving only STARTTLS, -and that it also removes the need to enter a password: +Note that this removes SMTPS support, leaving only STARTTLS: ```sh # Outbound -listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" filter "rspamd" tag "VALID" +listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" auth <passwds> filter "rspamd" action "SEND" relay srs -match from any tag "VALID" for any action "SEND" +match from any auth for any action "SEND" ``` The magic word here is "`verify`", which tells OpenSMTPD to ask for a client certificate and to verify it using the given CA. -The `tag "VALID"` at the end is to clarify that all emails -that successfully pass through the first line are from trusted senders, -because they presented a valid client certificate. #### Client configuration @@ -221,5 +210,3 @@ $ openssl pkcs12 -export -in mailclient.crt -inkey mailclient.key \ OpenSSL will ask you to set a password, which you'll need to enter again when importing the certificate into the client. - - diff --git a/content/blog/2020/email-server.md b/content/blog/2020/email-server.md index 4eb043a..b7c6aaf 100644 --- a/content/blog/2020/email-server.md +++ b/content/blog/2020/email-server.md @@ -24,7 +24,7 @@ When you're done, take a look at the [sequel](/blog/2020/email-server-extras/) for ideas to extend your setup. -Last updated 2020-04-27. +Last updated 2020-04-29. 
@@ -685,6 +685,8 @@ so nobody will be able to steal it. Next, to test sending and receiving messages, use the aptly-named [Is my email working?](https://ismyemailworking.com/) website. +After that, specifically test that SPF, DKIM an DMARC +are working correctly using the [DKIM validator](https://dkimvalidator.com/). If everything is good so far, congratulations! Now comes the big scary final test: |
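Review bot: the rewritten "Client certificates" section (the `@@ -114,17 +114,10 @@` hunk of email-server-extras.md) removes the explanation of why certificates were previously used as a substitute for passwords, but neither the new text nor the commit message ("Fix mistakes with OpenSMTPD client certificates") says what the mistake was. The earlier version told readers that this setup "removes the need to enter a password"; a sentence explaining why certificates are now presented only as a second factor alongside passwords would help readers who followed that version understand what they need to change.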
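Review bot: the new `listen` line in the `@@ -187,19 +180,15 @@` hunk adds `auth <passwds>`, but the `<passwds>` table is not declared anywhere in the shown snippet and the prose after it still only explains `verify`. Since the section says to "replace the entire configuration for outbound mail as follows", either include the `table` declaration for `<passwds>` next to the `ca "mailca"` line or point readers to where it was defined, and extend the sentence after the snippet to say that `auth <passwds>` is what keeps the password requirement and that `match from any auth for any action "SEND"` now only relays sessions that passed both the certificate check and the password check.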
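Review bot: typo in the added line of the `@@ -685,6 +685,8 @@` hunk of email-server.md: `SPF, DKIM an DMARC` should read `SPF, DKIM and DMARC`.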