Subject: Re: SASL/TLS *client* authentication with Postfix on NetBSD
To: None <>
From: Steven M. Bellovin <>
List: netbsd-users
Date: 07/09/2004 23:18:36
In message <>, Steve Bellov
in writes:
>I would like to set up my NetBSD laptop's Postfix setup to do SASL-over-TLS 
>authentication -- preferably via client-side certificates -- to a 
>remote site (also running NetBSD+Postfix).  All of the how-to pages I 
>can find concern setting up the server -- does anyone have their 
>Postfix set up to do the client negotiation?  (Actually, guidance on 
>how to do the server-side setup for NetBSD would be useful, too, since 
>Postfix is part of the base system but SASL is in pkgsrc.)

Following up on my own post...  I didn't figure out how to do exactly 
what I wanted, but I have a setup with stunnel (from pkgsrc) that's 
good enough.  I have stunnel listening on my client machines on some 
random port on; they use client-side certificates to 
authenticate to a standing instance of stunnel on the mail server; it 
in turn forwards the connection to  The only other thing 
I have to do is set postfix's relayhost on the client to point to the 
stunnel port.  This isn't a general solution, but it's good enough for 
the few laptops I need to support.

From the man page and the code, stunnel appears to have some code that 
speaks both the client and server part of smtp+starttls.  I tried the 
server side with Eudora on a local Windows box; it didn't work, but I 
haven't tried very hard to figure out why.  I don't have a mail server 
running that supports STARTTLS, so I couldn't test the client side.  
Beyond that, there's no support in stunnel for SMTP AUTH, though with 
client-side certificates that's not nearly as necessary.  If anyone is 
interested, I'll post my stunnel .conf files, but they're not very hard 
to write from scratch.

		--Steve Bellovin,