diff -r 4c723152d46f -r 58360ee9c913 postfix/postfix.txt
--- a/postfix/postfix.txt Mon Apr 20 19:27:54 2009 +0200
+++ b/postfix/postfix.txt Mon Apr 20 20:16:01 2009 +0200
@@ -24,7 +24,7 @@
 T_ALIASES = aliases
 T_CLIENTS = clients
 T_SENDERS = senders
-T_FINGERP = fingerprints
+T_CLICRT = clicrt
 
 # dependency tracking
 TIMESTAMP = .up-to-date
@@ -43,7 +43,7 @@
 $(T_ALIASES).db \
 $(T_CLIENTS).db \
 $(T_SENDERS).db \
- $(T_FINGERP).db
+ $(T_CLICRT).db
 
 # default target
 all: $(TABLES) $(TIMESTAMP)
@@ -77,8 +77,8 @@
 $(POSTMAP) hash:$(T_CLIENTS)
 $(T_SENDERS).db: $(T_SENDERS) $(MAKEFILE)
 $(POSTMAP) hash:$(T_SENDERS)
-$(T_FINGERP).db: $(T_FINGERP) $(MAKEFILE)
- $(POSTMAP) hash:$(T_FINGERP)
+$(T_CLICRT).db: $(T_CLICRT) $(MAKEFILE)
+ $(POSTMAP) hash:$(T_CLICRT)
 
 # cleanup target
 clean:
@@ -168,6 +168,7 @@
 #mydestination = $myhostname, localhost.$mydomain
 #relay_domains = $mydestination,
 # hash:@l_prefix@/etc/postfix/access
+#relay_clientcerts = hash:@l_prefix@/etc//postfix/clicrt
 #smtpd_recipient_restrictions = permit_mynetworks,
 # check_client_access hash:@l_prefix@/etc/postfix/access,
 # reject_unauth_destination
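Review bot: The new `relay_clientcerts` example in the fourth hunk (`@@ -168`) spells the table path with a doubled slash, `@l_prefix@/etc//postfix/clicrt`, while the neighbouring `hash:@l_prefix@/etc/postfix/access` lines and every other path in the file use a single one. The kernel tolerates the extra slash, but whoever uncomments this line into main.cf ends up with a spelling that does not match the `$(T_CLICRT).db` table the rules in the third hunk build (presumably into the same `@l_prefix@/etc/postfix/` directory), which makes a wrong-table mistake harder to spot in a configuration review. Suggested line: `#relay_clientcerts = hash:@l_prefix@/etc/postfix/clicrt`. The first three hunks are a plain rename of T_FINGERP to T_CLICRT and need nothing further.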
@@ -351,9 +352,71 @@
 # | .example.com smtp:mail.example.com
 
 
-
+
 ##
-## @l_prefix@/etc/postfix/fingerprints -- user identity verification
+## @l_prefix@/etc/postfix/clients -- control for relaying clients
+##
+## Searched for both the client (hostname, parent domains, IP address,
+## networks obtained by stripping least significant octets from IP
+## address) and destination address (resolved destination address,
+## parent domain, or localpart@) in order to allow relaying. Rejects
+## the request if the result is REJECT or "[45]XX text". Permits the
+## request if the result is OK or RELAY or all-numerical.
+##
+
+# Syntax (see postmap(5)):
+# | user@domain action
+# | domain action
+# | user@ action
+# | net.work.addr.ess action
+# | net.work.addr action
+# | net.work action
+# | net action
+# where "action" is one of:
+# "[45]NN text", "REJECT", "OK", "restriction..."
+#
+# Examples:
+# | mail.example.com OK
+# | example.com REJECT
+# | 192.168.0.1 OK
+# | 192.168 REJECT
+# | postmaster@ OK
+
+
+
+##
+## @l_prefix@/etc/postfix/senders -- control for relaying senders
+##
+## Searched for both the client (hostname, parent domains, IP address,
+## networks obtained by stripping least significant octets from IP
+## address) and destination address (resolved destination address,
+## parent domain, or localpart@) in order to allow relaying. Rejects
+## the request if the result is REJECT or "[45]XX text". Permits the
+## request if the result is OK or RELAY or all-numerical.
+##
+
+# Syntax (see access(5)):
+# | user@domain action
+# | domain action
+# | user@ action
+# | net.work.addr.ess action
+# | net.work.addr action
+# | net.work action
+# | net action
+# where "action" is one of:
+# "[45]NN text", "REJECT", "OK", "restriction..."
+#
+# Examples:
+# | mail.example.com OK
+# | example.com REJECT
+# | 192.168.0.1 OK
+# | 192.168 REJECT
+# | postmaster@ OK
+
+
+
+##
+## @l_prefix@/etc/postfix/clicrt -- user identity verification
 ##
 ## Searched for user names matching TLS certificate fingerprints
 ## when a client responding to the MTA's client certificate request
@@ -363,8 +426,11 @@
 ## @l_prefix@/bin/openssl x509 -noout -fingerprint -sha1 -in certfile.pem
 ##
+# Syntax (fingerprint according to smtpd_tls_fingerprint_digest):
+# | fingerprint arbitrary-value
+#
 # Examples:
-# | B8:B8:A8:AE:B8:2A:2B:74:EC:43:FF:4F:B2:B2:AC:1E:B4:CE:26:1D
-# | 18:81:F5:22:18:BA:EB:15:FF:40:30:00:EA:C0:B4:2E:EC:AE:86:8E
+# | B8:B8:A8:AE:B8:2A:2B:74:EC:43:FF:4F:B2:B2:AC:1E:B4:CE:26:1D user1
+# | 18:81:F5:22:18:BA:EB:15:FF:40:30:00:EA:C0:B4:2E:EC:AE:86:8E user2
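Review bot: In the `@@ -351` hunk the new `senders` section repeats the `clients` description word for word ("Searched for both the client ... and destination address ... in order to allow relaying"), so a reader cannot tell from it which key the senders table is actually looked up with; if it is consulted for the envelope sender address, the paragraph should say that instead of describing client lookups. The two blocks also cite different manual pages for the same syntax, `# Syntax (see postmap(5)):` under clients and `# Syntax (see access(5)):` under senders; the action column ("[45]NN text", REJECT, OK, "restriction...") is what access(5) documents, so both headings should read `# Syntax (see access(5)):`. The retitled clicrt section continues past the end of this hunk, and the following `@@ -363` hunk is cut off at the end of the chunk, so its trailing context is not reviewed here.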