Diffstat (limited to 'content/blog/2020/email-server-extras.md')
-rw-r--r--  content/blog/2020/email-server-extras.md  25
1 files changed, 6 insertions, 19 deletions
diff --git a/content/blog/2020/email-server-extras.md b/content/blog/2020/email-server-extras.md index cf3b597..9e18f34 100644 --- a/content/blog/2020/email-server-extras.md +++ b/content/blog/2020/email-server-extras.md @@ -8,7 +8,7 @@ This sequel to my earlier [guide](/blog/2020/email-server/) discusses extra tips and tricks to extend your email setup. This page will be updated continuously as I come up with ideas. -Last updated 2020-04-27. +Last updated 2020-04-29. ## General @@ -114,17 +114,10 @@ and will conclude that the recipient is invalid. ## OpenSMTPD -### Client certificates +### Client certificates (in addition to passwords) You can configure OpenSMTPD to request a client certificate -for sending emails, in addition to or as a subsitute for passwords. -In this guide I'll use it for subsitution. - -This is especially useful if you created a catch-all inbox, -since this approach allows you to send messages from arbitrary names, -as long as the client can present a valid certificate. -It also allows you to get rid of the awkward duplication -of user credentials between Dovecot and OpenSMTPD. +for sending emails, as a second factor for authentication. #### Creating certificates 
@@ -187,19 +180,15 @@ and declare it to OpenSMTPD by adding this near the top of the file: ca "mailca" cert "/etc/smtpd/mailca.crt" ``` Then replace the entire configuration for outbound mail as follows. -Note that this removes SMTPS support, leaving only STARTTLS, -and that it also removes the need to enter a password: +Note that this removes SMTPS support, leaving only STARTTLS: ```sh # Outbound -listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" filter "rspamd" tag "VALID" +listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" auth <passwds> filter "rspamd" action "SEND" relay srs -match from any tag "VALID" for any action "SEND" +match from any auth for any action "SEND" ``` The magic word here is "`verify`", which tells OpenSMTPD to ask for a client certificate and to verify it using the given CA. -The `tag "VALID"` at the end is to clarify that all emails -that successfully pass through the first line are from trusted senders, -because they presented a valid client certificate. #### Client configuration @@ -221,5 +210,3 @@ $ openssl pkcs12 -export -in mailclient.crt -inkey mailclient.key \ OpenSSL will ask you to set a password, which you'll need to enter again when importing the certificate into the client. - - |
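Review bot: In the `@@ -114,17 +114,10 @@` hunk the rationale for the change is missing: the paragraph about the catch-all inbox, sending from arbitrary names and removing the credential duplication between Dovecot and OpenSMTPD is deleted, and the replacement sentence "as a second factor for authentication" does not say what was wrong with the certificate-only setup. Readers who followed the earlier version of this page (the one dated 2020-04-27) will want one sentence explaining why passwords are now required again, so they know whether their existing cert-only configuration should be changed.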
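Review bot: In the `@@ -187,19 +180,15 @@` hunk the new `auth <passwds>` and `match from any auth for any action "SEND"` lines are not explained, while the explanation of the removed `tag "VALID"` mechanism is deleted without a counterpart. The remaining prose only covers `verify`; add a sentence stating that relaying is now gated on a successfully authenticated session (`match ... auth`) rather than on the listener tag, and say where the `passwds` table referenced by `auth <passwds>` is defined (the deleted text implies it already existed alongside the Dovecot credentials, so a pointer back to the earlier guide would do). It is also worth stating explicitly whether `tls-require verify` still rejects clients that present no certificate at all, since the heading now promises the certificate as an additional factor rather than an optional one.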