path: root/content/blog/2020/email-server-extras.md
author: Prefetch 2020-04-29 16:51:39 +0200
committer: Prefetch 2020-04-29 16:51:39 +0200
commit: c575a00216d78f3b7668c25206fcebf1edaee759 (patch)
tree: e6331824ba6eded16f5ce8c0f2119cb17e2a5cfc /content/blog/2020/email-server-extras.md
parent: 331ca51b7082d1837a584f8da75e5237c59c0b9e (diff)
Fix mistakes with OpenSMTPD client certificates
Diffstat (limited to 'content/blog/2020/email-server-extras.md')
-rw-r--r-- content/blog/2020/email-server-extras.md | 25
1 file changed, 6 insertions, 19 deletions
diff --git a/content/blog/2020/email-server-extras.md b/content/blog/2020/email-server-extras.md
index cf3b597..9e18f34 100644
--- a/content/blog/2020/email-server-extras.md
+++ b/content/blog/2020/email-server-extras.md
@@ -8,7 +8,7 @@ This sequel to my earlier [guide](/blog/2020/email-server/) discusses
extra tips and tricks to extend your email setup.
This page will be updated continuously as I come up with ideas.
-Last updated 2020-04-27.
+Last updated 2020-04-29.
## General
@@ -114,17 +114,10 @@ and will conclude that the recipient is invalid.
## OpenSMTPD
-### Client certificates
+### Client certificates (in addition to passwords)
You can configure OpenSMTPD to request a client certificate
-for sending emails, in addition to or as a subsitute for passwords.
-In this guide I'll use it for subsitution.
-
-This is especially useful if you created a catch-all inbox,
-since this approach allows you to send messages from arbitrary names,
-as long as the client can present a valid certificate.
-It also allows you to get rid of the awkward duplication
-of user credentials between Dovecot and OpenSMTPD.
+for sending emails, as a second factor for authentication.
#### Creating certificates
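Review bot: the rewritten intro (`+for sending emails, as a second factor for authentication.`) drops the earlier rationale without telling readers why certificate-only authentication is no longer recommended; since the previous revision explicitly advised using certificates as a substitute for passwords, a sentence stating that the old certificate-only configuration was the mistake being fixed, and that a password is now required as well, would help anyone who followed the earlier text. The new heading "Client certificates (in addition to passwords)" and the body now agree, so nothing else needs changing here.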
@@ -187,19 +180,15 @@ and declare it to OpenSMTPD by adding this near the top of the file:
ca "mailca" cert "/etc/smtpd/mailca.crt"
```
Then replace the entire configuration for outbound mail as follows.
-Note that this removes SMTPS support, leaving only STARTTLS,
-and that it also removes the need to enter a password:
+Note that this removes SMTPS support, leaving only STARTTLS:
```sh
# Outbound
-listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" filter "rspamd" tag "VALID"
+listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" auth <passwds> filter "rspamd"
action "SEND" relay srs
-match from any tag "VALID" for any action "SEND"
+match from any auth for any action "SEND"
```
The magic word here is "`verify`", which tells OpenSMTPD
to ask for a client certificate and to verify it using the given CA.
-The `tag "VALID"` at the end is to clarify that all emails
-that successfully pass through the first line are from trusted senders,
-because they presented a valid client certificate.
#### Client configuration
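Review bot: the new `listen` line adds `auth <passwds>` and the match rule becomes `match from any auth for any action "SEND"`, but nothing in the visible text says where the `passwds` table is declared; add a pointer to its definition (or show the `table passwds` line next to `ca "mailca" cert "/etc/smtpd/mailca.crt"`) so the snippet is complete on its own. Also, now that relaying is gated by `auth` instead of the removed `tag "VALID"`, the paragraph on "`verify`" should state explicitly what happens to a client that presents no certificate or an untrusted one (rejected at the TLS handshake versus merely asked), because the "second factor" claim only holds if `verify` enforces the certificate rather than just requesting it; the text should say which, and readers should confirm it after deploying by connecting with a client that has no certificate configured.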
@@ -221,5 +210,3 @@ $ openssl pkcs12 -export -in mailclient.crt -inkey mailclient.key \
OpenSSL will ask you to set a password, which you'll need to
enter again when importing the certificate into the client.
-
-