Full Mail Server Solution w/ Virtual Domains & Users (Debian Etch, Postfix, Mysql, Dovecot, DSpam, ClamAV, Postgrey, RBL) - Page 13
C. CA Signed client and server certificates
If you want to use CA-signed client certificates, you will need to take further steps, both in Postfix and in Dovecot to make this work. If you want the user names to be taken from the certificate itself, you currently must set the common name to the user name, for example [email protected], which has been used in this document.
1. Telling Postfix about the Certificates
In Postfix, you can either use a directory of CA certificates or a single composite file with all the certificates concatenated together. We're going to use the concatenated form, since that is what Dovecot expects.
# postconf -e 'smtpd_tls_CAfile = /etc/ssl/example.com/ca/all.pem'
2. Telling Dovecot about the Certificates
In Dovecot, you must have the CRL together with the certificate for the authentication to work. The directives themselves are the following.
/etc/dovecot/dovecot.conf
[...]
ssl_ca_file = /etc/ssl/example.com/ca/all.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes
ssl_username_from_cert = yes
[...]
NOTE: You will also need to change the password_query to the commented one in /etc/dovecot/dovecot-sql.conf
Warning: If you are running Dovecot release candidate 28 or older, the server will not send out the list of accepted CA names, which could make clients with multiple client certificates unable to connect. Please upgrade or install this patch.
3. Concatenating files
If you have several CAs and CRLs, concatenating them by hand each time is tedious, so here is a small script that does it for you. Just put it in your /etc/ssl/example.com/ca/ directory and run it. It will create an all.pem containing all certificates and all CRLs.
make.sh:
#!/bin/bash
# Rebuild all.pem from every CA certificate (*.pem) and CRL (*.crl) in this directory.
# The old bundle is removed first so that the *.pem glob does not pick it up again.
cd "$(dirname "$0")" || exit 1
rm -f all.pem
cat *.pem *.crl > all.pem
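Before pointing Postfix and Dovecot at the bundle, it is worth checking what make.sh actually produced: the *.pem glob will also sweep in a CA private key if one is kept in the same directory, and without a CRL in the file Dovecot's client-certificate authentication fails. The checker below is an added example, not part of the original howto; check_bundle and demo are hypothetical helper names, and the sample bundles are constructed placeholders rather than real certificates.

```shell
#!/bin/bash
# check_bundle FILE: sanity-check the all.pem that make.sh builds before pointing
# smtpd_tls_CAfile (Postfix) and ssl_ca_file (Dovecot) at it.  Pure awk, so it does
# not verify signatures or that each CRL matches its CA (use "openssl verify
# -crl_check" for that); it catches the common bundling mistakes: unbalanced PEM
# blocks, a bundle without a CRL (Dovecot client-cert auth then fails), and a
# private key swept in by the *.pem glob.  Exit status 0 means the bundle looks usable.
check_bundle() {
    awk '
        BEGIN { bad = 0 }
        /^-----BEGIN .*-----$/ {
            if (open != "") { print "nested block at line " NR; bad = 1 }
            open = $0; sub(/^-----BEGIN /, "", open); sub(/-----$/, "", open); next
        }
        /^-----END .*-----$/ {
            end = $0; sub(/^-----END /, "", end); sub(/-----$/, "", end)
            if (end != open) { print "END " end " does not match BEGIN " open; bad = 1 }
            count[end]++; open = ""; next
        }
        END {
            if (open != "") { print "unterminated " open " block"; bad = 1 }
            if (count["CERTIFICATE"] == 0) { print "no CA certificate in bundle"; bad = 1 }
            if (count["X509 CRL"] == 0) { print "no CRL in bundle"; bad = 1 }
            for (t in count) if (t ~ /PRIVATE KEY/) { print "private key (" t ") in bundle"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample bundles (placeholder base64, not real certificates): a usable
# one, and one where the CRL is missing and the CA private key was globbed in.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' \
                  '-----BEGIN X509 CRL-----' 'MIIB...constructed...' '-----END X509 CRL-----' > "$dir/all.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' \
                  '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...constructed...' '-----END RSA PRIVATE KEY-----' > "$dir/bad.pem"
    check_bundle "$dir/all.pem" && echo "all.pem: OK"
    check_bundle "$dir/bad.pem" || echo "bad.pem: rejected"
    rm -r "$dir"
}

demo
```

Run it as "check_bundle /etc/ssl/example.com/ca/all.pem" after every make.sh run; a non-zero exit with the printed reason means the bundle should not be installed.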
4. Postfix TLS settings
As mentioned earlier, some settings in Postfix need to be changed as well, so let's modify main.cf:
# postconf -e 'smtpd_tls_ask_ccert = yes'
# postconf -e 'smtpd_tls_req_ccert = no'
# postconf -e 'smtpd_recipient_restrictions = permit_tls_all_clientcerts, reject'
Now you should have an enterprise-ready email server with client certificates.