How can I enable client cert validation, so remote MTA can verify?

jassonmc

Hello there

We have a secure mail provider here in Switzerland called IncaMail.
They require us to have our MTA provide a client certificate to their receiving MTA when we send mails to them.
You can easily check it by sending a mail to mta@check.incamail.ch, which sends back its findings about receiving and sending capabilities of your own MTA, grommunio in that case, of course.

The first part of the answer, which is sending from grommunio to the MTA of check.incamail.ch, tells me that there is no client certificate.

The second part is the other way around, where MTA from check.incamail.ch is sending a mail to grommunio, which works as it should.

How can I provide a client certificate to the MTA of check.incamail.ch?

I've read, that enabling "smtpd_tls_ask_ccert = yes" should not be used in general, as it could break legitimate mail transfer with sendmail MTAs.

Would there be a solution around "smtp_tls_policy_maps"?
If yes, how should that policy map look like?

Thanks for any hint 🙂

mwilliams

Using the grommunio Appliance already provides the required configurations for opportunistic encryption active:

smtp_tls_CAfile = /etc/grommunio-common/ssl/server-bundle.pem
smtp_tls_cert_file = /etc/grommunio-common/ssl/server-bundle.pem
smtp_tls_key_file = /etc/grommunio-common/ssl/server.key
smtp_tls_security_level = may
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes

This way, if the peer supports it, it would negotiate a TLS channel to communicate encrypted like here:

Dec 20 20:23:24 mail postfix/smtp[28711]: Untrusted TLS connection established to mail-as9pr07cu00302.inbound.protection.outlook.com[52.101.73.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

"Untrusted" TLS connection comes from the peers certificate not being in the directly trusted chain, which is completely normal in an opportunistic encryption world.

The documentation you are looking for is here: https://www.postfix.org/TLS_README.html#client_tls -> As you can see, may is our default.

Using smtp_tls_policy_maps is an alternative approach which is also an endavour you can move forward to, however this might get challenging with forced settings (such as encrypt) as unfortunately, even in 2023, there are still many out there which do not work if you force TLS by hard.

jassonmc

@mwilliams
Thanks for the details, sounds quite like that what is necessary and already there 🙂

We are currently using an OPNsense as mail gateway in front of grommunio and also tried to get this setup there, but no luck so far.
Is there a way to circumvent the OPNsense smart host for just a single domain?
I've seen, that a transport map could probabaly be used for mail routing specials.

How would I configure that in the grommunio appliance?

mwilliams

jassonmc

Sure, like:

#/etc/postfix/transport
check.incamail.ch smtp:gw1.incamail.com:25

Don't forget postmap /etc/postfix/transport