Thanks Noel, I double-checked and even reran postmap on the tls_per_site file and did a "postfix stop" / "postfix start" just to make sure that "MUST_NOPEERMATCH" was specified and everything was getting reset, but it is still giving me a result of (TLS-failure: Could not verify certificate) when I attempt to send to the destination e-mail address.
-----Original Message-----
From: Noel Jones [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2008 12:02 PM
To: Darrell A. Sullivan, II; postfix-users@postfix.org
Subject: Re: Questions concerning TLS

Darrell A. Sullivan, II wrote:
> I am trying to implement TLS on our server for a client requirement. I
> believe I have the TLS settings correct, but I am not certain about
> what I am seeing in the logs and I am uncertain as to how to know if a
> message was delivered using TLS.
>
> Is there anything in the message headers that would indicate that it
> was delivered using TLS?

The receiving system may indicate in a header if the message was received via TLS, but there is no requirement to do so. Some mailers follow RFC3848 or add a comment to indicate use of TLS in the Received header.

When *sending* mail, postfix does not add anything to the message indicating use of TLS, and it's unclear how postfix might be able to indicate this in a header.

When *receiving* mail, you can request postfix add TLS information to the Received header by setting "smtpd_tls_received_header = yes". Version 2.5 and newer postfix also add RFC3848 support, indicating "with ESMTPS" in the Received header if TLS is used.

> I have the below log entries on some outgoing messages. I am certain
> that the first one is a failure since the group's server is setup with
> the entry "somecomp.com MUST_NOPEERMATCH" is specified in
> tls_per_site and consequently the message is not delivered when TLS
> fails. Is this because they have a self-signed certificate and we do
> not have the CA certificate for their root?

Are you still using postfix 2.2? I hope not; TLS support was significantly improved in postfix 2.3, and again in 2.4, with further refinements in 2.5. If you're using postfix 2.3 or later, use the newer and more flexible smtp_tls_policy_maps parameter instead.

> In the second set of log entries, I am not certain if the message is
> delivered over the TLS connection or not. Is there some entry I can
> search my logs for to find out if any messages are being successfully
> transmitted over TLS?

TLS logging is hard to read at a high log level. I would suggest starting with
  smtp_tls_loglevel = 1
and only increase it if you need further debugging information.

> ----------------------
> Known Failure
> ----------------------
> Aug 22 13:11:45 mail postfix/smtp[7593]: Peer verification: CommonName
> in certificate does not match: thistle.somecomp.com !=
> mail.somecomp.com

OK, looks like the hostname doesn't match what is in the certificate. Postfix contacted "mail.somecomp.com" but the name in the certificate is "thistle.somecomp.com".

> Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified:
> subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com

I think the mismatched name is the reason this certificate could not be verified.

> Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to
> mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

TLS is established.

> Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be
> verified
> Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254:
> to=<[EMAIL PROTECTED]>, relay=mail.somecomp.com[xxx.yyy.zzz.aaa],
> delay=2, status=deferred (TLS-failure: Could not verify certificate)

You told postfix to fail if it couldn't verify the certificate, so it failed. This looks as if you've specified MUST in your tls_per_site table. Using the newer smtp_tls_policy_maps, you probably want to specify a level of "encrypt", or you may want to use "secure match=thistle.somecomp.com".

> ----------------------
> Did this work or not?
> ----------------------
> /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
> Aug 21 22:16:28 mail postfix/smtp[28731]: verify error:num=19:self signed
> certificate in certificate chain

They use a self-signed certificate. Generally self-signed certificates are fine for mail unless you need to verify the client identity.

> Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified:
> subject_CN=mail.somecomp2.com, issuer=Certificate Manager
> Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to
> mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be
> verified

TLS is established. Postfix can't verify /who/ it's talking to, but it's encrypted.

> Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C:
> to=<[EMAIL PROTECTED]>, relay=mail.somecomp2.com[xxx.yyy.zzz.aaa],
> delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for
> delivery)

Mail is sent over the established TLS channel.

-- 
Noel Jones
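Noel's way of reading the logs above (a "TLS connection established to <host>" line from an smtp(8) process, followed by a "status=sent" record from the same process with that host as relay, means the message went out over TLS) can be turned into a log check that answers the "is anything actually being sent over TLS?" question from the thread. The script below is an added example, not code from the thread or from Postfix: it correlates the handshake line and the delivery record by process id and relay host, accepts both the Postfix 2.2 wording quoted above and the later "Untrusted/Trusted/Verified TLS connection established to host[ip]:port" wording, and reports per delivery whether the session was encrypted and how the peer certificate fared. The log lines embedded in it are constructed, modelled on the ones quoted in the thread; the example.net and example.org hosts, the 192.0.2.x addresses, the recipients and the extra queue IDs are placeholders.

```python
"""Tell from Postfix smtp(8) client logs which deliveries went over TLS.
Added example for this thread, not Postfix code; assumptions are marked."""
import re
from typing import Dict, List, NamedTuple, Optional


class TlsInfo(NamedTuple):
    host: str       # host the session was established to
    protocol: str   # TLSv1, TLSv1.2, ...
    cipher: str     # negotiated cipher suite
    bits: int       # effective key bits
    trust: str      # Verified/Unverified (2.2 era) or Untrusted/Trusted/Verified (2.3+)


class Delivery(NamedTuple):
    queue_id: str
    recipient: str
    relay: str
    status: str
    tls: Optional[TlsInfo]  # None when no TLS session to this relay precedes the record


# 2.2 wording:  "TLS connection established to host: TLSv1 with cipher X (256/256 bits)"
# 2.3+ wording: "Untrusted TLS connection established to host[ip]:25: TLSv1.2 with cipher X (...)"
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?:(?P<trust>Anonymous|Untrusted|Trusted|Verified) )?"
    r"TLS connection established to (?P<host>[^\s\[:]+)(?:\[[^\]]*\])?(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# Postfix 2.2 logs the verification result on its own line before the handshake summary.
PEER_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Verified|Unverified): subject_CN=")
# Per-recipient delivery record, written by the same smtp(8) process as the handshake.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\s\[,]+)(?:\[[^\]]*\])?(?::\d+)?, .*?status=(?P<status>\w+)"
)


def classify_deliveries(lines: List[str]) -> List[Delivery]:
    """Attach the most recent TLS session of the same smtp(8) pid to each delivery.

    The relay host must equal the host the session was established to, otherwise the
    delivery is reported as clear. Caveat: nothing is logged at smtp_tls_loglevel=1
    when a session ends, so a later plaintext session to the same host from the same
    pid would still be counted as TLS.
    """
    sessions: Dict[str, TlsInfo] = {}
    pending_trust: Dict[str, str] = {}
    out: List[Delivery] = []
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            pending_trust[m["pid"]] = m["trust"]
            continue
        m = TLS_RE.search(line)
        if m:
            trust = m["trust"] or pending_trust.pop(m["pid"], "unknown")
            sessions[m["pid"]] = TlsInfo(m["host"], m["proto"], m["cipher"], int(m["bits"]), trust)
            continue
        m = DELIVERY_RE.search(line)
        if m:
            sess = sessions.get(m["pid"])
            tls = sess if sess is not None and sess.host == m["relay"] else None
            out.append(Delivery(m["qid"], m["rcpt"], m["relay"], m["status"], tls))
    return out


def summarize(deliveries: List[Delivery]) -> Dict[str, int]:
    """Count records as '<status>/tls' or '<status>/clear'."""
    counts: Dict[str, int] = {}
    for d in deliveries:
        key = f"{d.status}/{'tls' if d.tls else 'clear'}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample modelled on the lines quoted in the thread. The example.net /
# example.org hosts, recipients, 192.0.2.x addresses and their queue IDs are made up;
# the "certficate" spelling is kept as Postfix 2.2 logged it.
SAMPLE_LOG = """\
Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be verified
Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<user@somecomp2.com>, relay=mail.somecomp2.com[192.0.2.20], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)
Aug 21 22:20:00 mail postfix/smtp[28731]: 9A1B2C3D4E5: to=<user@example.net>, relay=mx.example.net[192.0.2.30], delay=1, status=sent (250 OK)
Aug 21 22:21:00 mail postfix/smtp[30001]: Untrusted TLS connection established to mx.example.org[192.0.2.40]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 21 22:21:01 mail postfix/smtp[30001]: ABCDEF12345: to=<user@example.org>, relay=mx.example.org[192.0.2.40]:25, delay=1, status=sent (250 OK)
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer verification: CommonName in certificate does not match: thistle.somecomp.com != mail.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be verified
Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<user@somecomp.com>, relay=mail.somecomp.com[192.0.2.10], delay=2, status=deferred (TLS-failure: Could not verify certificate)
""".splitlines()


if __name__ == "__main__":
    records = classify_deliveries(SAMPLE_LOG)
    for d in records:
        channel = f"{d.tls.protocol} {d.tls.cipher} ({d.tls.trust})" if d.tls else "cleartext"
        print(f"{d.queue_id} -> {d.relay}: {d.status} via {channel}")
    print(summarize(records))
```

Feed it the real mail log instead of SAMPLE_LOG (for example `classify_deliveries(open("/var/log/mail.log"))`) to get a per-queue-ID answer to "did this go over TLS?" and a count of sent/tls versus sent/clear for a period. The "trust" column is what separates Noel's two cases: both somecomp deliveries show an encrypted session with an Unverified peer; the difference is only that the MUST-style policy turned the unverified certificate into a deferral for the first one, while the second one was accepted and sent over the same kind of session. This only covers outbound mail from this host; whether an inbound message arrived over TLS is recorded by the receiving side, which for Postfix means smtpd_tls_received_header as described above.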