Full Mail Server Solution w/ Virtual Domains & Users (Debian Etch, Postfix, Mysql, Dovecot, DSpam, ClamAV, Postgrey, RBL) - Page 13

C. CA Signed client and server certificates

If you want to use CA-signed client certificates, you will need to take further steps, both in Postfix and in Dovecot to make this work. If you want the user names to be taken from the certificate itself, you currently must set the common name to the user name, for example user@example.com, which has been used in this document.

1. Telling Postfix about the Certificates

In Postfix, you can either use a directory of CA certificates, or a composite file with all the certificates concatenated together. We're going to use the concatinated form, since that is what Dovecot is expecting.

# postconf -e 'smtpd_tls_CAfile = /etc/ssl/example.com/ca/all.pem'

2. Telling Dovecot about the Certificates

In Dovecot, you must have the CRL together with the certificate for the authentication to work. The directives themselves are the following.


ssl_ca_file = /etc/ssl/example.com/ca/all.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes
ssl_username_from_cert = yes

NOTE: You will also need to change the password_query to the commented one in /etc/dovecot/dovecot-sql.conf

Warning: If you are running Dovecot release candidate 28 or older, the server will not send out the list of accepted CA names, which could make clients with multiple client certificates unable to connect. Please upgrade or install this patch.

3. Concatinating files

If you have several CAs and CRLs, it could be difficult to concatenate them each time, so a small script was created which will do that for you. Just stick it in your /etc/ssl/example.com/ca/ directory and run it. It will create an all.pem with all certificates and all CRLs.


rm all.pem 2> /dev/null
cat *.pem *.crl > all.pem

4. Postfix TLS settings

Like I said before, there are some settings in Postfix that need to be changed as well, so let's modify main.cf:

# postconf -e 'smtpd_tls_ask_ccert = yes'
# postconf -e 'smtpd_tls_req_ccert = no'
# postconf -e 'smtpd_recipient_restrictions = permit_tls_all_clientcerts, reject'

Now you should have an enterprise ready email server with client certificates.

Share this page:

Sub pages

5 Comment(s)

Add comment


From: at: 2008-03-27 06:06:28

Hi Vector,

I would just like to know how the mail gets transferred from the MX's to the delivery server (postman). I'm trying to understand how this full mail server setup works because I would like to implement something similar to this but using centos and ldap users.  

From: Stefan at: 2008-11-01 18:07:49

There is no explanation on how the mail is actually transfered from the MX server to the Mail Delivery Server. Using the steps in the guide will make the MX server try to deliver the mail directory into the NFS shared vmail folder, which isn't the desired behaviour.

From: Matt at: 2009-06-15 13:16:16

"NOTE: This is a temporary setup, just because we hadn't finished the DSPAM virtual user install prior to writing this guide. Ideally, you'd want DSPAM looking at the same virtual user table as Postfix in order to get all the token information stored correctly. I'll update the guide as soon as we've completed that change-over."

 Has this been updated anywhere? can anyone shed some light on what changes should be made?


From: mbsouth at: 2009-09-10 10:02:01

Would be nice to have an updated howto (based an this one) with Debian Lenny, Postfix 2.5(6), Dovecot 1.1(2) on three nodes (2xSMTP Postfix, 1x Dovecot IMAP/POP3)


From: at: 2007-11-15 20:55:15

Heads up when using the configuration examples for the mailbox path. Since maildir:/vmail/%d/%u is used in dovecot.conf, you should do the same in dovecot-sql.conf.

Such as:

# Get the mailbox
user_query = SELECT '/vmail/%d/%u' AS home, 'maildir:/vmail/%d/%u' AS mail, 150 AS uid, 8 AS gid, CONCAT('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username AS user, password, '/vmail/%d/%u' AS userdb_home, 'maildir:/vmail/%d/%u' AS userdb_mail, 150 AS userdb_uid, 8 AS userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

Otherwise mail is delivered to /vmail/domain/user@domain and then IMAP checks /vmail/domain/user

Or change dovecot.conf to maildir:/vmail/%d/%n if you prefer the latter.