Postfix can act as a client to a master mail server. This is where SSL/TLS becomes really useful. In a large domain, many mail servers may be used, one for each department. Linking these servers up can be accomplished by giving the Postfix system a default host to relay mail to. You can then force the Postfix client to authenticate against the master server using a client certificate.

Using certificates to authenticate to an SMTP server allows you to set up a secure mail relaying system for clients. This becomes very beneficial when you are dealing with "road warriors", as relaying based on an IP address is not possible: the IP address of the client machine changes every time the user dials into their ISP. Using a client certificate will allow you to authenticate against the mail server to allow relaying. A beneficial side effect of this is that all communication to the mail server is encrypted for the duration of the session.
As with most things in Postfix, the server uses a hash table for lookups of the client authentication data. The Postfix TLS implementation bases relay permission on a fingerprint of the client certificate: the server looks up the fingerprint of the certificate the client offers in a lookup map. If the fingerprint is found, the client is allowed to relay mail. If it is not found, the client is given the usual "Relay access denied" message from the server. The fingerprint hash table file is /etc/postfix/relay_clientcerts. The format of the file is:
fingerprint value
The "value" part above can be anything you want; Postfix needs a key/value pair on each line to be able to convert the file into a map. It is best to use the hostname of the client machine, so you can tell which client owns each certificate fingerprint.
To generate the fingerprint of the certificate, run the following command:
openssl x509 -fingerprint -in ./certificate.pem
This will produce the MD5 fingerprint of the certificate. Copy the fingerprint into the file /etc/postfix/relay_clientcerts (create it if it doesn't exist). You should have something like this:
95:B4:G5:87:D7:34:CA:C4:27:B0:F3:8F:66:8A:77:8D zen.suse.co.uk
Once this has been done, convert the file to a map:
postmap /etc/postfix/relay_clientcerts
The owner of the certificate that corresponds to the above fingerprint will be able to relay through the server.
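The following added example (not Postfix's own code, and not part of the original text) shows what the fingerprint check above amounts to: it extracts the DER bytes from a PEM certificate, hashes them into the colon-separated uppercase form that openssl x509 -fingerprint prints, parses a file in the "fingerprint value" format of relay_clientcerts, and reports whether the certificate's owner would be allowed to relay. It uses only the Python standard library. The certificate bytes and the map text are constructed placeholders so the script runs offline; the hostname zen.suse.co.uk is the one used on the page. The function names are this example's own.

```python
import base64
import hashlib

# Constructed placeholder bytes standing in for the DER encoding of a client
# certificate. This is NOT a real X.509 certificate; it only lets the example
# run offline. Use a real client certificate to exercise the functions for real.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM CERTIFICATE armour (base64, 76-column lines)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_PEM = der_to_pem(SAMPLE_DER)

# Constructed map text in the "fingerprint value" format described above.
# Comments and blank lines are skipped like Postfix does for text maps.
SAMPLE_MAP_TEXT = "# client certificates allowed to relay\n\n{fp} zen.suse.co.uk\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----")
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError as exc:
        raise ValueError("no CERTIFICATE block found in PEM input") from exc
    return base64.b64decode("".join(lines[start + 1:end]))


def fingerprint(der: bytes, digest: str = "md5") -> str:
    """Colon-separated uppercase hex digest of the DER bytes: the same
    format `openssl x509 -fingerprint -md5` (or -sha256) prints."""
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def parse_relay_map(text: str) -> dict:
    """Parse 'fingerprint value' lines into a dict keyed by the fingerprint.
    Keys are uppercased so a lower-case fingerprint pasted from another tool
    still matches (this example's choice, not a Postfix rule)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {line!r}")
        table[parts[0].upper()] = parts[1].strip()
    return table


def may_relay(pem: str, relay_map: dict, digest: str = "md5"):
    """Return the map value (the owner name) if the certificate's fingerprint
    is listed, or None, which corresponds to 'Relay access denied'."""
    return relay_map.get(fingerprint(pem_to_der(pem), digest))


def main():
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    relay_map = parse_relay_map(SAMPLE_MAP_TEXT.format(fp=fp))
    print("fingerprint:       ", fp)
    print("relay allowed for: ", may_relay(SAMPLE_PEM, relay_map))
    # A certificate whose fingerprint is not in the map is refused.
    other_pem = der_to_pem(b"some other client, also constructed")
    print("unknown cert:      ", may_relay(other_pem, relay_map))


if __name__ == "__main__":
    main()
```

The digest used for the map must be the one the server computes; on recent OpenSSL releases `openssl x509 -fingerprint` prints a SHA-1 fingerprint unless you pass `-md5` or `-sha256` explicitly, so it is safer to name the digest on the command line than to rely on the default shown above.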