Configuring client-side certificate authentication

Postfix/TLS uses certificate fingerprints to identify acceptable certificates. A finger- print is a cryptographic hash calculated from a signed certificate. Fingerprints for each certificate are stored in a standard Postfix lookup table (see Chapter 4). When a client presents a certificate, Postfix/TLS calculates the fingerprint from the certificate and compares it to those listed in its lookup table. If it finds a match, it permits the client to relay.

You need to calculate a fingerprint for each client certificate that you will accept. Many email clients can produce a fingerprint for you, or if you created the certifi- cate, you can easily calculate a fingerprint with the openssl x509 command:

$ openssl x509 -fingerprint -noout -in kdent_signed_cert.pem \
| cut -d= -f2
57:8E:95:63:67:CD:2B:96:7C:0A:3A:61:46:A5:95:EA

To continue the calculation:

1.Obtain a list of fingerprints for each of your users’ client certificates. You can generate them as described above or obtain them from your users if they can get them from their email clients.

2.Create a file to store all of the client certificate fingerprints. For this example, you’ll create a file called /etc/postfix/clientcerts

3.Edit the clientcerts file to add each fingerprint. Since this is a standard Postfix lookup table, you must also add a righthand value for each fingerprint, even though that value is not used. Use a value that will help you to identify the fin- gerprint in the future. Your resultant file should contain entries like the follow- ing for each of your users:

57:8E:95:63:67:CD:2B:96:7C:0A:3A:61:46:A5:95:EA [email protected]

4.Execute postmap against the clientcerts file:

# postmap /etc/postfix/clientcerts