OpenSSL No Client Certificate Presented (SMTP, Postfix)

JeremyCanfield asked:

I used OpenSSL to create a private key and self-signed public certificate. I then created a Certificate Authority file that contains both the private key and public certificate (mail.example.com.pem). On a client computer in the LAN, I use OpenSSL to connect to Postfix on port 587 (SMTP), and I tell OpenSSL to use the Certificate Authority file (mail.example.com.pem).

openssl s_client -connect mail.example.com:587 -starttls smtp -CAfile /etc/pki/tls/private/mail.example.com.pem

This produces quite a bit of output. Included in the output is the public certificate from the Certificate Authority file.

enter image description here

After all of the TLS, certificate, and other security information, I have a flashing cursor, so I attempt to say Hello to Postfix.

EHLO mail.example.com

This command produces “no client certificate presented.”

enter image description here

This is strange, because I can literally see the public certificate in the previous output. I have a feeling I am missing something conceptual here. For example, do I need to tell the client to send or use the public certificate? Is the public certificate on the Postfix server different from a client certificate?

Goal: My overall objective is to configure Postfix to encrypt emails instead of sending emails without encryption.

Here is the output of the postconf -n command:

data_directory = /var/lib/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command =
mydestination = example.com, localhost.example.com, localhost
mynetworks_style = host
queue_directory = /var/spool/postfix
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_tls_CAfile = /etc/pki/tls/mail.example.com.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/mail.example.com.key
smtpd_tls_loglevel = 3
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom

My answer:


You have set smtpd_tls_req_ccert in your Postfix configuration.

This directive requires that all clients have a client certificate issued by you to that specific client. Incoming SMTP connections to your server are then only allowed from preapproved hosts.

This is plainly not what you want. You are trying to receive mail from the whole Internet, and you can’t possibly issue client certificates to every SMTP server in the world.

First, remove that directive, and try again. You might have other issues, but this is the one causing the immediate problem.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.