On Mon, Nov 20, 2023 at 04:01:05PM +0100, Marc Dierksen via Postfix-users wrote:
> For the domain 'shieldersme.com' outbound TLS is configured via this entry
> in the TLS policy map:
>
> shieldersme.com verify match=hostname:nexthop:dot-nexthop ciphers=high
> protocols=>=TLSv1.2
>
> When trying to send mail I am getting the following error:
>
> Nov 17 12:23:50 postfix-outbound/smtp[11269]: server certificate
> verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname
> mismatch

This is easily reproducible:

    $ posttls-finger -c -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop
    posttls-finger: server certificate verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname mismatch
    posttls-finger: Untrusted TLS connection established to shieldersme.com[5.79.80.155]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

And expected (i.e. works as intended and specified in all relevant RFCs):

    $ posttls-finger -cC -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text |
        grep -E 'Subject:|DNS:'
    Subject: CN=liger.hibridmena.com
    DNS:liger.hibridmena.com
    Subject: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
    Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

The actual certificate presented to Postfix is for:

    liger.hibridmena.com

Your tests with "openssl s_client" sent a default SNI extension, but
Postfix does not by default.  With SMTP, it is unclear, in general, what
the SNI should be, and sending the "wrong" SNI can sometimes cause
connection aborts.  Therefore, if you want to solicit a particular
certificate, you have to configure the SNI explicitly.

    $ posttls-finger -cC -s shieldersme.com -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text |
        grep -E 'Subject:|DNS:'
    Subject: CN=*.shieldersme.com
    DNS:*.shieldersme.com, DNS:shieldersme.com
    Subject: C=US, O=Let's Encrypt, CN=R3
    Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

Relevant documentation:

    posttls-finger(1):

       -s servername
              The server name to send with the TLS Server Name
              Indication (SNI) extension.  When the server has DANE
              TLSA records, this parameter is ignored and the TLSA
              base domain is used instead.  Otherwise, SNI is not used
              by default, but can be enabled by specifying the desired
              value with this option.

    postconf(5):

       may    Opportunistic TLS. Since sending in the clear is
              acceptable, demanding stronger than default TLS security
              merely reduces interoperability. The optional "ciphers",
              "exclude", and "protocols" attributes (available for
              opportunistic TLS with Postfix >= 2.6) and
              "connection_reuse" attribute (Postfix >= 3.4) override
              the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers",
              "smtp_tls_protocols", and "smtp_tls_connection_reuse"
              configuration parameters. In the policy table, multiple
              ciphers, protocols or excluded ciphers must be separated
              by colons, as attribute values may not contain
    ---->     whitespace or commas. At this level and higher, the optional
    ---->     "servername" attribute (available with Postfix >= 3.4) overrides
    ---->     the global "smtp_tls_servername" parameter, enabling
    ---->     per-destination configuration of the SNI extension sent to the
    ---->     remote SMTP server. The optional "enable_rpk" attribute
              (Postfix >= 3.9) overrides the main.cf
              smtp_tls_enable_rpk parameter. When opportunistic TLS
              handshakes fail, Postfix retries the connection with TLS
              disabled. This allows mail delivery to sites with
              non-interoperable TLS implementations.

You need to add "servername=shieldersme.com" to the policy table entry.

Also, in this case, using "hostname" is a bad idea, it means you'd trust
insecurely obtained forged MX records to tell the client what name to
match, so any active attacker can compromise the connection by sending
a suitably crafted MX response.  The match pattern you want here is
nexthop:dot-nexthop *without* "hostname".  Or (less fungible) even just
"nexthop", if by mutual agreement with the receiving system, you're sure
that the cert will "always" include the domain.

-- 
    Viktor.
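
Added example (not part of the original message, and not Postfix code): a small linter that checks TLS policy-table entries for the two points made in the reply above, an explicit "hostname" in match= and a missing servername= at the verify/secure levels. The function names, the finding texts and the corrected entry are this example's own.

```python
CHECKED_LEVELS = {"verify", "secure"}  # levels that match the certificate against a name

def parse_entry(line):
    """Split 'destination level attr=value ...' into (dest, level, attrs)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected: destination level [attr=value ...]")
    attrs = {}
    for field in fields[2:]:
        name, sep, value = field.partition("=")  # 'protocols=>=TLSv1.2' -> '>=TLSv1.2'
        if not sep:
            raise ValueError("attribute without '=': " + field)
        attrs[name] = value
    return fields[0], fields[1], attrs

def audit(line):
    """Return findings for one entry; an empty list means neither issue applies."""
    dest, level, attrs = parse_entry(line)
    findings = []
    if level not in CHECKED_LEVELS:
        return findings
    # Only an explicit match= is inspected; when it is absent the patterns
    # come from main.cf, which this example does not read.
    if "hostname" in attrs.get("match", "").split(":"):
        findings.append(dest + ": match includes 'hostname' (name taken from the MX lookup)")
    if "servername" not in attrs:
        findings.append(dest + ": no servername= (SNI comes only from smtp_tls_servername, if set)")
    return findings

def audit_table(text):
    """Audit a whole table: skip comments and blanks, join continuation lines."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues the entry
        else:
            logical.append(line)
    return [finding for entry in logical for finding in audit(entry)]

# The entry quoted in the thread, and a corrected form constructed for this
# example from the reply's advice.
REPORTED = "shieldersme.com verify match=hostname:nexthop:dot-nexthop ciphers=high protocols=>=TLSv1.2"
CORRECTED = ("shieldersme.com verify match=nexthop:dot-nexthop "
             "servername=shieldersme.com ciphers=high protocols=>=TLSv1.2")

if __name__ == "__main__":
    for finding in audit_table(REPORTED + "\n" + CORRECTED):
        print(finding)
```
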