J. Pawlowski 2006-10-03, 7:28 pm
Hello,
I'd like to authenticate to a Postfix smarthost/relayhost via an SSL certificate so that the relayhost can allow relaying for my Exchange server.
QUESTION: In which way does Exchange choose an SSL client certificate when sending emails through a smarthost/relayhost over TLS and it is demanded by the smarthost? How can I change the behavior?
I think maybe I should set some attributes in the metabase database for the smtpsvc?
Unfortunately I didn't find any (correct/full) documentation of all attributes for this database through Google or Microsoft's Knowledge Base... :-/
Ok, the situation in detail:
The Postfix server on the other side is configured for TLS and has a chain-trusted/valid certificate and a list of the MD5 checksums of SSL client certificates that are able to make the Postfix server relay mails from the host. When the Exchange server establishes a connection to the Postfix server via STARTTLS, the Postfix server asks back for an optional SSL client certificate (smtpd_tls_ask_ccert=yes).
So the normal transport over TLS-secured channels has already worked fine for a while. But I'd like to switch the relay authentication method from SMTP-Auth/SASL to client-certificate-based. One of my own Exchange servers already works this way and sends a client certificate on behalf of the recommendation of the Postfix server; the MD5 hash key is checked against a mapping list, and if it's a known key and the certificate is valid and trusted, relaying mail is allowed.
I just thought "that's it" - but failed... :-(
I have another Exchange server on a customer's side that would be more important to have cert-based authentication. It's an SBS2003-SP2 whose configuration of Exchange is nearly the same as my own Exchange server. Encrypted exchange of emails via STARTTLS already works fine, but the Exchange never presents a client certificate to the Postfix server although the server is asked to do so. The other way, when the Exchange gets incoming mail from that Postfix server, the correct SSL server certificate is presented to the Postfix client program (the certificate is able to handle both types, server- and client-based authentication and authorization). So the certificate really is installed correctly and present on the Exchange server.
I configured Exchange to use the smarthost over an SMTP connector (I think this is the normal way of doing it, and I really need to do it with a connector because I address my smarthosts via an MX record instead of direct A records, and Exchange does not check for MX records when configuring the smarthost directly in the virtual SMTP server).
I did install the specific certificate in the virtual SMTP server for incoming mail transactions. But I can't do this for an SMTP connector for the outgoing mails' client certificate, nor do I have another option in the virtual SMTP server options to do so. I also just tested whether the client certificate would be taken when I configure the smarthost directly in the virtual SMTP server, but this also didn't work out :-(
As far as I can see, the only difference between the first and the second Exchange server is that the first one has an official static IP address and therefore a static reverse DNS lookup that has a matching common name in the SSL certificate. The second Exchange is connected through ADSL broadband with a dynamically assigned IP address and a NAT router. I use DynDNS.org to address this server; the corresponding SSL certificate has been created to match the DynDNS domain name address and works fine for OWA and incoming mails.
BUT let me also say that I have two different SSL certificates installed on my server (one for HTTPS-OWA and the other one for SMTP). I don't know why, but the first, working Exchange always takes the other certificate for client authentication although there is a better matching certificate present with exactly the right reverse lookup in the common name...
I would really appreciate ANY answer from you guys, I'm helpless at the moment :-(
Regards from Stuttgart,
Julian
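The Postfix side of the setup the post describes (optional client-certificate request, relaying permitted only for listed fingerprints), as an added example that is not the poster's own configuration. File paths, the host name and the fingerprint are placeholders; parameter names are Postfix's own.

```ini
# /etc/postfix/main.cf fragment (example; paths are placeholders)

# Offer STARTTLS and present the relayhost's own chain-trusted certificate.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/relayhost.crt
smtpd_tls_key_file  = /etc/postfix/tls/relayhost.key

# CAs that sign acceptable client certificates. The CA names from this file
# are what the server advertises in its certificate request, which is what
# a client uses to decide which client certificate (if any) to present.
smtpd_tls_CAfile = /etc/postfix/tls/client-ca-chain.pem

# Ask every connecting client (here: the Exchange server) for an optional
# client certificate; do not require one, so SASL clients keep working.
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no

# Digest used as the relay_clientcerts lookup key. The post uses MD5
# checksums; the parameter exists since Postfix 2.5 (earlier releases are
# MD5-only) and sha256 is the stronger choice where it is supported.
smtpd_tls_fingerprint_digest = md5

# Fingerprints of client certificates that may relay. Map format:
#   /etc/postfix/relay_clientcerts (run `postmap` on it after editing)
#   D7:04:2F:89:1E:AB:00:11:22:33:44:55:66:77:88:99   exchange.example.com
# Key: colon-separated uppercase hex fingerprint; value: free-form tag.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# permit_tls_clientcerts relays only when the presented certificate verifies
# against smtpd_tls_CAfile AND its fingerprint is in relay_clientcerts.
# permit_tls_all_clientcerts would accept any CA-signed certificate; avoid it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    reject_unauth_destination

# Level 2 logs the presented certificate's subject, issuer and fingerprint,
# which shows in mail.log whether the client sent a certificate at all.
smtpd_tls_loglevel = 2
```

With `smtpd_tls_loglevel = 2` the Postfix log distinguishes a client that sent no certificate from one whose fingerprint is simply missing from the map, which is the first thing to check in the situation the post describes.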