0

I want to reject all connections that don't present a valid SSL/TLS certificate. First of all is the access db file the correct one to be changing?

I have already tried using the basic rule given in the documentation

CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY

This will obviously need a rule afterward to filter and reject all that don't present the cert? Does anyone have any pointers as to what syntax I should use? Wildcards?

lxg

2 Answers

0

Think I figured it out... good old O'Reilly...

I just need to use:

TLS_Clt:                           VERIFY
TLS_Srv:                           VERIFY

Hopefully that will exclude all non-valid certificates and all non-secure connection attempts.

Froggiz
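To make concrete what the question's CertIssuer line and this answer's TLS_Clt:/TLS_Srv: VERIFY entries each do, here is a small added model of sendmail's access-map lookups. It is not code from the question, the answers or the sendmail project: it approximates the lookup order (tag plus host name, then tag plus IP, then the bare tag as the default) and the meaning of the VERIFY, ENCR:bits and RELAY keywords, while the real tls_client/tls_server rulesets are more elaborate. The hypothetical host legacy.example.internal, its ENCR:128 override and the sample host names and addresses are constructed for the example.

```python
"""Toy model of sendmail's access-map lookups for the STARTTLS keywords quoted
on this page (CertIssuer: ... RELAY, TLS_Clt:/TLS_Srv: ... VERIFY).

Added illustration, not sendmail code: it models only lookup order and keyword
meaning, not the full tls_client/tls_server/trust_auth rulesets.
"""
import re

# Constructed access-map text built from the lines quoted in the question and
# the first answer, plus one hypothetical per-host override (the legacy host
# name and the ENCR:bits keyword are assumptions made for this example).
ACCESS_MAP_TEXT = """\
CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY
TLS_Clt:                           VERIFY
TLS_Srv:                           VERIFY
TLS_Clt:legacy.example.internal    ENCR:128
"""


def parse_access_map(text):
    """Map each access-db key (tag plus host or DN) to its right-hand-side value."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then everything after the whitespace
        if len(parts) != 2:
            continue  # a key without a value is meaningless in this model
        entries[parts[0]] = parts[1].strip()
    return entries


def lookup_tls_policy(entries, tag, host, ip):
    """Mimic the order sendmail tries: tag+hostname, tag+IP, then the bare tag
    (the empty-host default entry used in the answer above)."""
    for key in (tag + host, tag + ip, tag):
        if key in entries:
            return entries[key]
    return None


def check_incoming_client(entries, host, ip, verify, bits):
    """Decide whether a connecting client satisfies the TLS_Clt: requirement.

    `verify` mirrors sendmail's {verify} macro: OK (cert verified), NO (cert
    present but not verified), FAIL (verification failed), NONE (no STARTTLS).
    `bits` is the negotiated cipher strength.
    """
    policy = lookup_tls_policy(entries, "TLS_Clt:", host, ip)
    if policy is None:
        return "accept"  # no TLS requirement applies to this client
    keyword, _, minbits = policy.partition(":")
    if keyword == "VERIFY" and verify != "OK":
        return "reject: client certificate not verified"
    if keyword == "ENCR" and verify == "NONE":
        return "reject: encryption required"
    if minbits and bits < int(minbits):
        return "reject: cipher strength below %s bits" % minbits
    return "accept"


def relay_allowed_by_cert(entries, verify, cert_issuer):
    """CertIssuer: RELAY grants relaying only to a *verified* cert from that issuer.

    `cert_issuer` is the issuer DN as sendmail exposes it in {cert_issuer}
    (xtext-escaped, e.g. a space as +20). Note what this entry does NOT do:
    it never rejects anyone; an unmatched or unverified client simply gets no
    relay right, which is why the question still needs the VERIFY entries.
    """
    return verify == "OK" and entries.get("CertIssuer:" + cert_issuer) == "RELAY"


def xtext_decode(s):
    """Turn +XX escapes back into characters so a DN key is readable."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


if __name__ == "__main__":
    entries = parse_access_map(ACCESS_MAP_TEXT)
    issuer = ("/C=US/ST=California/O=endmail.org/OU=private/"
              "CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org")
    print("issuer DN:", xtext_decode(issuer))
    for verify in ("OK", "NO", "NONE"):
        print(verify, "->", check_incoming_client(entries, "mx.example.net", "192.0.2.10", verify, 256),
              "| relay:", relay_allowed_by_cert(entries, verify, issuer))
```

Running it shows the split the question is asking about: with only the CertIssuer entry, an unverified client is merely denied relaying, whereas the empty-host TLS_Clt: VERIFY entry turns every connection without a verified certificate into a rejection, and a per-host TLS_Clt: entry overrides that default for one peer.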
0

http://www.linuxjournal.com/article/4823

Note that it is unwise to force all SMTP clients to use TLS, as it is not yet widespread. The RFC document notes that publicly referenced SMTP servers, such as the MX servers for a domain, must not refuse non-TLS connections. However, restricted access SMTP servers, such as those for a corporate intranet, can use TLS as an access control mechanism.

If you remove PLAIN from sendmail.mc, that should do it:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Then rebuild sendmail.cf with m4.

NinjaCat