I've a dovecot instance setup with submission proxy,

    protocols = imap lmtp submission sieve
    hostname = internal.mx.example.com
    submission_relay_host = internal.mx.example.com
    submission_relay_port = 465
    submission_relay_trusted = yes
    submission_relay_ssl = smtps
    submission_relay_ssl_verify = yes
    service submission-login {
      inet_listener submission {
        address = 10.2.2.10, 127.0.0.1
        port = 50465
        ssl = yes
      }
    }
    protocol submission {
      ssl_cert = < /sec/vmail/mx.example.com.server.EC.crt.pem
      ssl_key = < /sec/vmail/mx.example.com.server.EC.key.pem
      ssl_verify_client_cert = no
    }

It submits to a postfix instance, atm on the same host,

    [internal.mx.example.com]:465 inet n - n - - smtpd
      -o smtpd_tls_req_ccert=no

with that setup, all works as expected.

If I turn ON required client cert verification @ postfix,

    - -o smtpd_tls_req_ccert=no
    + -o smtpd_tls_req_ccert=yes

with that add'l req't, postfix log reports "no client certificate presented"

    Jul 18 14:52:38 mx postfix/submit-from-dovecot/smtpd[37133]: connect from internal.mx.example.com[10.2.2.10]
    Jul 18 14:52:39 mx postfix/submit-from-dovecot/smtpd[37133]: Anonymous TLS connection established from internal.mx.example.com[10.2.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
    Jul 18 14:52:39 mx postfix/submit-from-dovecot/smtpd[37133]: NOQUEUE: abort: TLS from internal.mx.example.com[10.2.2.10]: No client certificate presented
    Jul 18 14:53:09 mx postfix/submit-from-dovecot/smtpd[37133]: disconnect from internal.mx.example.com[10.2.2.10] commands=0/0

Clearly, I'm missing config.

What in my dovecot submission config^^ do I need to change/add to get it to 'present' a client cert to the postfix relay for client cert verification?
Siavash Tavakoli
2020-Jul-20 11:42 UTC
submission proxy -- where to config/present client cert?
On 19/07/2020 18:18, PGNet Dev wrote:
> What in my dovecot submission config^^ do I need to change/add to get it to 'present' a client cert to the postfix relay for client cert verification?

Submission uses the global outgoing ssl settings:

https://doc.dovecot.org/settings/core/#ssl-client-cert
https://doc.dovecot.org/settings/core/#ssl-client-key
On 7/20/20 4:42 AM, Siavash Tavakoli wrote:
> On 19/07/2020 18:18, PGNet Dev wrote:
>> What in my dovecot submission config^^ do I need to change/add to get it to 'present' a client cert to the postfix relay for client cert verification?
>
> Submission uses the global outgoing ssl settings:
>
> https://doc.dovecot.org/settings/core/#ssl-client-cert
> https://doc.dovecot.org/settings/core/#ssl-client-key

well _that_ should have been obvious ... sigh.

works perfectly. thx!

it might be useful to have those client cert/key mentioned in the 'example' 10-ssl.conf,

    grep ssl_client conf.d/10-ssl.conf
      # RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
      #ssl_client_ca_dir
      #ssl_client_ca_file
      #ssl_client_require_valid_cert = yes

and, a minor typo @ https://doc.dovecot.org/settings/core/#ssl-client-key

    ssl_client_key
    Default: <empty>
    Client certificate private key used in outgoing SSL connections.
    Example Setting:
      ssl_client_cert = </etc/dovecot/dovecot-client.crt

should be

    - ssl_client_cert = </etc/dovecot/dovecot-client.crt
    + ssl_client_key = </etc/dovecot/dovecot-client.key

thanks again!
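Putting the answer together with the config from the original post, as an added example that is not part of the thread and not Dovecot's or Postfix's own documentation: ssl_client_cert and ssl_client_key are global outgoing-connection settings and belong in the main ssl section (conf.d/10-ssl.conf), not inside protocol submission { }, where ssl_cert / ssl_key / ssl_verify_client_cert only govern the listener that MUAs connect to on port 50465. The client certificate and CA file names, and the extra -o options on the Postfix side (wrappermode, security_level, CAfile), are assumptions; the relay settings, the server cert paths and the syslog_name (inferred from the quoted log) come from the post.

```conf
# --- Dovecot: /etc/dovecot/conf.d/10-ssl.conf, global section (NOT inside
# protocol submission { }). File names are assumed; the client cert must be
# issued by a CA that the Postfix relay trusts (see smtpd_tls_CAfile below).
ssl_client_cert = </sec/vmail/mx.example.com.client.EC.crt.pem
ssl_client_key  = </sec/vmail/mx.example.com.client.EC.key.pem
# CA used to verify the relay's server certificate when
# submission_relay_ssl_verify = yes (assumed path)
ssl_client_ca_file = /sec/vmail/internal-ca.crt.pem
ssl_client_require_valid_cert = yes

# --- Dovecot: submission relay settings, unchanged from the post
submission_relay_host = internal.mx.example.com
submission_relay_port = 465
submission_relay_ssl = smtps
submission_relay_ssl_verify = yes

# --- Postfix: /etc/postfix/master.cf
# smtpd_tls_req_ccert=yes only takes effect with mandatory TLS
# (smtpd_tls_security_level=encrypt), and "trusted" means the presented
# client cert chains to smtpd_tls_CAfile / smtpd_tls_CApath (assumed path).
[internal.mx.example.com]:465 inet n - n - - smtpd
  -o syslog_name=postfix/submit-from-dovecot
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_CAfile=/etc/postfix/internal-ca.crt.pem
  -o smtpd_tls_req_ccert=yes
```

To confirm the settings are actually in effect, `doveconf ssl_client_cert ssl_client_key` prints the values Dovecot has loaded. To exercise the Postfix side independently of Dovecot, connect from the Dovecot host with `openssl s_client -connect internal.mx.example.com:465 -cert <client cert> -key <client key> -CAfile <CA file>`; on success the Postfix log line changes from the "Anonymous TLS connection established" shown in the original post to "Trusted TLS connection established from ...", and the "NOQUEUE: abort: ... No client certificate presented" line no longer appears. A private key file readable only by the Dovecot process is the usual precaution here, since any process that can read it can impersonate the proxy to the relay.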