Preface
=======

Being one of the most popular MTAs out there, Postfix is fairly easy to configure and maintain, yet it allows great flexibility. This guide concentrates on some basic functionality that demonstrates its use of X.509 client certificates for authentication.

Software Requirements
=====================

For the purpose of this chapter it is assumed that a server machine has been supplied with a pre-installed Debian Squeeze GNU/Linux distribution, and that the *standard* task was selected during the (network) installation. It is also recommended to install the *SSH server* task for ease of administration.

The Postfix package can be installed with:

```
# as root
$ apt-get install postfix
```

During the installation make sure you've selected the *Internet site* configuration. If you've set up the hostname and domain on the machine properly, the default answers for this configuration should suffice.

Since by default Debian Squeeze comes with the Exim MTA installed, you might want to remove it completely with:

```
# as root
$ apt-get --purge remove 'exim4*'
```

Issuing the Certificate
=======================

For the server side it's necessary to issue the following certificate:

```
End Entity Profile: Server
E-mail address: postmaster@example.com
CN, Common name: Example SMTP Server
O, Organization: Example Inc.
C, Country (ISO 3166): RS
DNS Name: mail.example.com
Certificate Profile: Example Server
CA: Example Server CA
Token: PEM file
```

Create the directory which will hold the certificates and keys on the destination server:

```
# as root
$ mkdir /etc/postfix/tls/
```

The private key should be placed into the following location:

```
# /etc/postfix/tls/mail.example.com.key
```

Prepare the accompanying certificate file so that it contains the server's certificate first, followed by the Example Server CA certificate and then the Example Root CA certificate, one after another in the same file. Place the resulting file at the following location:

```
# /etc/postfix/tls/mail.example.com.crt
```

Now set up the file permissions so that only root can read the private key:

```
# as root
$ chown -R root.root /etc/postfix/tls/
$ chmod 755 /etc/postfix/tls/
$ chmod 644 /etc/postfix/tls/mail.example.com.crt
$ chmod 640 /etc/postfix/tls/mail.example.com.key
```

Configuring the Server
======================

Obtain the *Example Root CA* and *Example Person CA* certificates in PEM format, and place them both into a single file:

```
# /etc/postfix/tls/trust_chain.crt
```

Set up the file permissions:

```
# as root
$ chown root.root /etc/postfix/tls/trust_chain.crt
$ chmod 644 /etc/postfix/tls/trust_chain.crt
```

Set up the server key/certificate configuration:

```
# as root
$ postconf -e smtpd_tls_cert_file=/etc/postfix/tls/mail.example.com.crt
$ postconf -e smtpd_tls_key_file=/etc/postfix/tls/mail.example.com.key
```

Now tell Postfix to ask the client for a certificate, point it at the trust anchor used to verify client certificates, and allow relaying for any client that presents a certificate which verifies against that trust anchor. Because `permit_tls_all_clientcerts` grants relay to every client whose certificate verifies, the trust chain file must contain only CAs whose clients you actually want to relay for:

```
# as root
$ postconf -e smtpd_tls_ask_ccert=yes
$ postconf -e smtpd_tls_CAfile=/etc/postfix/tls/trust_chain.crt
$ postconf -e smtpd_recipient_restrictions=permit_mynetworks,permit_tls_all_clientcerts,reject_unauth_destination
```
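
Postfix evaluates a restriction list left to right and the first matching rule wins, so the order above matters. The following script is an added example (not part of this guide or of Postfix): it parses a constructed sample of `postconf -n` output and reports the mistakes that would either open the relay to everyone or silently stop certificate-holding clients from relaying.

```python
"""Sanity-check the client-certificate relay settings from `postconf -n`."""
import re

# Constructed sample of `postconf -n` output matching the settings above.
SAMPLE_POSTCONF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    permit_tls_all_clientcerts, reject_unauth_destination
smtpd_tls_CAfile = /etc/postfix/tls/trust_chain.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/tls/mail.example.com.crt
smtpd_tls_key_file = /etc/postfix/tls/mail.example.com.key
"""


def parse_postconf(text):
    """Parse `key = value` lines; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def relay_findings(params):
    """Return a list of problems with the certificate-based relay setup."""
    findings = []
    rules = [r for r in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if r]
    if "reject_unauth_destination" not in rules:
        findings.append("no reject_unauth_destination: server relays for anyone")
    else:
        before = rules[: rules.index("reject_unauth_destination")]
        if "permit" in before:
            findings.append("bare 'permit' before reject_unauth_destination: open relay")
        if "permit_tls_all_clientcerts" not in before:
            findings.append("permit_tls_all_clientcerts missing or placed after "
                            "reject_unauth_destination: certificate clients cannot relay")
    if "permit_tls_all_clientcerts" in rules:
        if params.get("smtpd_tls_ask_ccert") != "yes":
            findings.append("smtpd_tls_ask_ccert is not yes: clients are never asked for a certificate")
        if not params.get("smtpd_tls_CAfile"):
            findings.append("smtpd_tls_CAfile unset: no trust anchor for client certificates")
    return findings


if __name__ == "__main__":
    for finding in relay_findings(parse_postconf(SAMPLE_POSTCONF)) or ["OK"]:
        print(finding)
```

Run it against the real output of `postconf -n` on the server to confirm the deployed restriction list still matches what this section intends.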

Testing the Connection
======================