I used OpenSSL to create a private key and self-signed public certificate. I then created a Certificate Authority file that contains both the private key and public certificate (mail.example.com.pem). On a client computer in the LAN, I use OpenSSL to connect to Postfix on port 587 (SMTP), and I tell OpenSSL to use the Certificate Authority file (mail.example.com.pem).
openssl s_client -connect mail.example.com:587 -starttls smtp -CAfile /etc/pki/tls/private/mail.example.com.pem
This produces quite a bit of output. Included in the output is the public certificate from the Certificate Authority file.
After all of the TLS, certificate, and other security information, I have a flashing cursor, so I attempt to say Hello to Postfix.
This command produces “no client certificate presented.”
This is strange, because I can literally see the public certificate in the previous output. I have a feeling I am missing something conceptual here. For example, do I need to tell the client to send or use the public certificate? Is the public certificate on the Postfix server different from a client certificate?
Goal: My overall objective is to configure Postfix to encrypt emails instead of sending emails without encryption.
Here is the output of the postconf -n command:
data_directory = /var/lib/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command =
mydestination = example.com, localhost.example.com, localhost
mynetworks_style = host
queue_directory = /var/spool/postfix
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_tls_CAfile = /etc/pki/tls/mail.example.com.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/mail.example.com.key
smtpd_tls_loglevel = 3
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom
You have set smtpd_tls_req_ccert in your Postfix configuration.
This directive requires that all clients have a client certificate issued by you to that specific client. Incoming SMTP connections to your server are then only allowed from preapproved hosts.
This is plainly not what you want. You are trying to receive mail from the whole Internet, and you can’t possibly issue client certificates to every SMTP server in the world.
First, remove that directive, and try again. You might have other issues, but this is the one causing the immediate problem.
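The check below is an added example, not part of the question or the answer above. It audits a `postconf -n` dump for the client-certificate requirement the answer identifies, and shows the same dump with the directive removed. The sample configuration embedded in the script is constructed to mirror the question; the function names `pc_get` and `audit_ccert` are this example's own, and the paths and hostnames are placeholders.

```shell
#!/bin/sh
# Added example: audit a "postconf -n" dump for smtpd_tls_req_ccert = yes,
# which makes Postfix reject every SMTP client that does not present a
# certificate trusted via smtpd_tls_CAfile. A public MX cannot expect that.

# pc_get PARAM CONFIG_TEXT
# Print the value of a Postfix parameter from postconf -n output ("" if unset).
pc_get() {
    printf '%s\n' "$2" | sed -n "s/^$1 = *//p" | head -n 1
}

# audit_ccert CONFIG_TEXT
# Exit status 0: arbitrary TLS clients are accepted.
# Exit status 1: a client-certificate requirement would reject them.
audit_ccert() {
    cfg=$1
    req=$(pc_get smtpd_tls_req_ccert "$cfg")
    level=$(pc_get smtpd_tls_security_level "$cfg")
    cafile=$(pc_get smtpd_tls_CAfile "$cfg")

    case "$level" in
        may|encrypt) ;;
        *) echo "note: smtpd_tls_security_level is '$level'; TLS is not offered to clients" ;;
    esac

    if [ "$req" = "yes" ]; then
        echo "FAIL: smtpd_tls_req_ccert = yes"
        echo "      every client must present a certificate chaining to: $cafile"
        echo "      public SMTP servers cannot satisfy this; fix with:"
        echo "      postconf -e 'smtpd_tls_req_ccert = no'"
        return 1
    fi
    echo "OK: no client certificate is required; the server certificate alone is used"
    return 0
}

# Constructed sample (placeholder paths) matching the question's TLS settings.
SAMPLE='smtpd_tls_CAfile = /etc/pki/tls/mail.example.com.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/mail.example.com.key
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt'

# The same dump with the offending directive removed, as the answer recommends.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE" | grep -v '^smtpd_tls_req_ccert')

audit_ccert "$SAMPLE" || echo "exit status: $?"   # FAIL lines, exit status 1
audit_ccert "$SAMPLE_FIXED"                       # OK line, exit status 0
```

Run it as-is to see both outcomes, or feed it a real dump with `audit_ccert "$(postconf -n)"`. Note that `-CAfile` on the `openssl s_client` side only sets the trust anchors used to verify the server's certificate; it never sends anything to the server, which is why the server's own certificate appearing in the output does not count as a client certificate.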