On 19/05/2023 09:44 EEST Sean Gallagher sean@teletech.com.au wrote:
What is your use-case for validation here? Did you mean submission? It has actual authentication and can do client cert name validation with auth_ssl_username_from_cert.
I've been pulling apart an old monolithic server and putting various systems into dedicated containers. To this end I have put Dovecot and the user mailboxes into their own container and set up an LMTPS link between the MSA container (Postfix) and the MDA container (Dovecot). Mail submissions go directly to the MSA. Both the MSA and MDA independently connect back to an LDAP database (in another container) for authentication/validation. All the containers have valid public certificates which I would like to use throughout, but Dovecot is the standout exception. It can't check the MSA's certificate.
In short, I want to check that all deliveries come from the MSA container, with stronger checks than IP addresses alone. On the monolithic server, the deliveries flowed over an IPC socket. I'd like a similar level of security.
I've created a single-use CA and used it to sign a certificate for the MSA to connect with over LMTP, but the arrangement is a bit of an embarrassment. All for the sake of a few lines of code to check the name on the certificate.
Mail redirects (from sieve scripts) flow back in the other direction over SMTPS. This uses the regular PKI infrastructure.
As a side note, it would be nice to be able to specify the bind address of the SMTP client. The interfaces tend to have several IPv6 addresses. It's hard to predict which one the operating system will choose.
At least now I know I have taken it as far as I can.
Regards
Sean
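The "few lines of code to check the name on the certificate" that the message above asks for, as an added illustration (this is not Dovecot or Postfix code, and it is not something the thread says Dovecot can do). It shows the two halves of the check on the MDA side: a TLS server context that refuses the handshake unless the client presents a certificate chaining to the single-use CA, and a name check on the verified peer certificate so that only the MSA container's certificate is accepted, not just anything the CA ever signed. The hostname `msa.example.test`, the file paths and the sample certificate dictionaries are assumptions made up for the example; the dictionaries are constructed to match the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Client-certificate name check for an LMTP-over-TLS listener.

Added example, not Dovecot's own code. The server context requires a
client certificate signed by a private CA; peer_is_msa() then pins the
peer to one expected name so that any other certificate from the same
CA is still rejected.
"""
import ssl
from typing import Any, Mapping, Optional

# Assumed identity of the MSA (Postfix) container's client certificate.
EXPECTED_MSA_NAME = "msa.example.test"


def make_lmtp_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side context: the handshake itself fails if the client sends
    no certificate or one that does not chain to ca_file (the single-use CA)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # no anonymous clients
    ctx.load_verify_locations(cafile=ca_file)  # trust only the private CA
    ctx.load_cert_chain(cert_file, key_file)   # the MDA's own server cert
    return ctx


def client_cert_names(cert: Mapping[str, Any]) -> list:
    """Names a client certificate claims: DNS SANs, or the CN only when the
    certificate carries no SAN at all (RFC 6125 style)."""
    names = [val.lower() for typ, val in cert.get("subjectAltName", ()) if typ == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                names.append(val.lower())
    return names


def peer_is_msa(cert: Optional[Mapping[str, Any]], expected: str = EXPECTED_MSA_NAME) -> bool:
    """True only for a verified peer certificate naming the MSA exactly.

    getpeercert() returns None when no certificate was presented and an
    empty dict when it was not verified; both must fail closed. Wildcards
    are deliberately not honoured: a client identity is one host."""
    if not cert:
        return False
    return expected.lower() in client_cert_names(cert)


def accept_delivery(ssl_sock: ssl.SSLSocket) -> bool:
    """Gate to run right after accept(): drop the connection unless the
    peer certificate belongs to the MSA."""
    if not peer_is_msa(ssl_sock.getpeercert()):
        ssl_sock.close()
        return False
    return True


# Constructed sample peer certificates in getpeercert() dictionary form.
MSA_CERT = {
    "subject": ((("commonName", "msa.example.test"),),),
    "subjectAltName": (("DNS", "msa.example.test"), ("DNS", "postfix.example.test")),
}
OTHER_CERT_SAME_CA = {
    "subject": ((("commonName", "webmail.example.test"),),),
    "subjectAltName": (("DNS", "webmail.example.test"),),
}
CN_ONLY_CERT = {"subject": ((("organizationName", "Example"),), (("commonName", "MSA.example.test"),))}
MISLEADING_CN_CERT = {
    "subject": ((("commonName", "msa.example.test"),),),
    "subjectAltName": (("DNS", "attacker.example.test"),),
}
```

The second check matters even with the single-use CA in place: `CERT_REQUIRED` proves the client holds some certificate from that CA, and `peer_is_msa()` is what turns that into "this is the MSA container". A certificate whose CN says the right thing but whose SAN list says otherwise is rejected, because the CN is consulted only when there is no SAN at all.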
Seems there indeed is no way to require an SSL cert for LMTP client connections. This seems to be a bug. I'll put this into our tracker.
Aki