I am really confused about the postfix TLS settings. There are in each case settings for private keys and public keys.

smtpd_tls_cert_file = 
smtpd_tls_key_file = 
smtpd_*

And

smtp_tls_cert_file = 
smtp_tls_key_file = 
smtp_*

What is their difference?

I know of three different TLS cases:

  1. User authenticates on MTA in order to send mail
  2. MTA wants to send an email encrypted to another MTA
  3. MTA receives an email encrypted from another MTA

Do they relate to the above settings? Are there any other cases that require TLS? Which of the cases belong to what postfix configuration directive?

Update

Thanks to @Michael Hampton, I got most of it now. What still remains is the client part:

What is the reason/use-case for setting the Postfix client certificate/key (smtp_tls_cert and smtp_tls_key)? Why would I need this and what benefits do I have?

cytopia

1 Answer

Postfix directives that start with smtpd_ refer to when Postfix is acting as an SMTP server, receiving mail from other hosts.

Postfix directives that start with smtp_ refer to when Postfix is acting as an SMTP client, sending mail to other hosts.

Michael Hampton
  • Which part is for: *"The user logs on to the smtp daemon over an encrypted channel"*? And for the `smtpd_` part... why would it need a cert and a key when it simply receives? As an analogy, when my browser receives a website over https, only the other part needs a key and a cert. – cytopia Mar 13 '17 at 20:41
  • @cytopia Think about which side is initiating the connection. – Michael Hampton Mar 13 '17 at 20:41
  • Very good hint! I got the `smtp_` part now and why it requires TLS certs. However, now I am confused about why the `smtp_` (client) would require a cert and key... – cytopia Mar 13 '17 at 20:48
  • @cytopia The client usually doesn't need a certificate and key, unless that's being used for authentication. Your SMTP service provider would have given these to you if this is the case. – Michael Hampton Mar 13 '17 at 20:55
  • So I need a cert/key for `receiving mails` and for a client to `log in into smtpd`. Both happen (afaik) on port 25. Why can I have two different certificates for it, and how does the server know that one session is for `receive` (so it gives me cert-A) and another session is for login (so it gives me cert-B)? – cytopia Mar 13 '17 at 21:06
  • @cytopia Because those happen on different ports (25 and 587 respectively). And I don't know where you got the idea that you need different certificates for smtp and submission. You can certainly use the same certificate. – Michael Hampton Mar 13 '17 at 21:08
  • Hi Michael, thanks for the patience so far. Btw, I did not write that the two would **need** different certs, I was wondering why they **can have** different certs. If I understand your last comment correctly, each port will offer a different cert (only if different certs have been set, of course)? – cytopia Mar 14 '17 at 07:37
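The two directive families and the per-port override discussed in the comments, put together in one configuration as an added example (not part of the original question or answer); the file paths, the `cert-A`/`cert-B` names and the relay hostname are placeholders. Postfix only treats `#` as a comment at the start of a line, so every comment below is on its own line.

```conf
# ---- /etc/postfix/main.cf ------------------------------------------------
# Server role (smtpd_*): used whenever a remote host connects to us.
# These values apply to every smtpd instance unless master.cf overrides them.
# Port 25 presents cert-A and offers STARTTLS opportunistically ("may"),
# because other MTAs may not speak TLS at all.
smtpd_tls_cert_file = /etc/postfix/tls/cert-A.pem
smtpd_tls_key_file = /etc/postfix/tls/cert-A.key
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# Client role (smtp_*): used when we connect out to deliver mail.
# Only the trust store is needed to verify the remote server; a client
# cert/key is left unset unless a relay or provider requires
# certificate-based authentication, as the answer's comments explain.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
# Client-certificate case (hypothetical relay that demands one):
# relayhost = [smtp.relay.example]:587
# smtp_tls_cert_file = /etc/postfix/tls/client.pem
# smtp_tls_key_file = /etc/postfix/tls/client.key

# ---- /etc/postfix/master.cf ----------------------------------------------
# Submission (port 587) runs the same smtpd program, but the -o overrides
# give this port its own cert-B, require TLS, and allow SASL login only
# after encryption. This is how one server "knows" which cert to present:
# the decision is per listening service, not per session.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_cert_file=/etc/postfix/tls/cert-B.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/cert-B.key
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
```

To confirm which certificate each port actually presents, run `openssl s_client -starttls smtp -connect mail.example.com:25 </dev/null 2>/dev/null | openssl x509 -noout -subject` and repeat with `:587`; `postconf -n` shows the effective main.cf values after a reload.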