On Mon, Nov 20, 2023 at 04:01:05PM +0100, Marc Dierksen via Postfix-users wrote:

> For the domain 'shieldersme.com' outbound TLS is configured via this entry
> in the TLS policy map:
> 
> shieldersme.com verify match=hostname:nexthop:dot-nexthop ciphers=high protocols=>=TLSv1.2
> 
> When trying to send mail I am getting the following error:
> 
> Nov 17 12:23:50 postfix-outbound/smtp[11269]: server certificate verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname mismatch

This is easily reproducible:

    $ posttls-finger -c -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop
    posttls-finger: server certificate verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname mismatch
    posttls-finger: Untrusted TLS connection established to shieldersme.com[5.79.80.155]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

And expected (i.e. works as intended and specified in all relevant RFCs):

    $ posttls-finger -cC -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text |
        grep -E 'Subject:|DNS:'
            Subject: CN=liger.hibridmena.com
                    DNS:liger.hibridmena.com
            Subject: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
            Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

The actual certificate presented to Postfix is for:

    liger.hibridmena.com

Your tests with "openssl s_client" sent a default SNI extension, but
Postfix does not by default.  With SMTP, it is unclear, in general, what
the SNI should be, and sending the "wrong" SNI can sometimes cause
connection aborts.  Therefore, if you want to solicit a particular
certificate, you have to configure the SNI explicitly.

    $ posttls-finger -cC -s shieldersme.com -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text |
        grep -E 'Subject:|DNS:'
            Subject: CN=*.shieldersme.com
                    DNS:*.shieldersme.com, DNS:shieldersme.com
            Subject: C=US, O=Let's Encrypt, CN=R3
            Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

Relevant documentation:

    posttls-finger(1):
       -s servername
              The server name to send with the TLS Server Name Indication
              (SNI) extension.  When the server has DANE TLSA records, this
              parameter is ignored and the TLSA base domain is used instead.
              Otherwise, SNI is not used by default, but can be enabled by
              specifying the desired value with this option.

    postconf(5):
       may    Opportunistic TLS. Since sending in the clear is acceptable,
              demanding stronger than default TLS security merely reduces
              interoperability. The optional "ciphers", "exclude", and
              "protocols" attributes (available for opportunistic TLS with
              Postfix >= 2.6) and "connection_reuse" attribute (Postfix >=
              3.4) override the "smtp_tls_ciphers",
              "smtp_tls_exclude_ciphers", "smtp_tls_protocols", and
              "smtp_tls_connection_reuse" configuration parameters. In the
              policy table, multiple ciphers, protocols or excluded ciphers
              must be separated by colons, as attribute values may not contain
     ---->    whitespace or commas.  At this level and higher, the optional
     ---->    "servername" attribute (available with Postfix >= 3.4) overrides
     ---->    the global "smtp_tls_servername" parameter, enabling
     ---->    per-destination configuration of the SNI extension sent to the
     ---->    remote SMTP server.  The optional "enable_rpk" attribute
              (Postfix >= 3.9) overrides the main.cf smtp_tls_enable_rpk
              parameter.  When opportunistic TLS handshakes fail, Postfix
              retries the connection with TLS disabled.  This allows mail
              delivery to sites with non-interoperable TLS implementations.

You need to add "servername=shieldersme.com" to the policy table entry.

Also, in this case, using "hostname" is a bad idea, it means you'd trust
insecurely obtained forged MX records to tell the client what name to
match, so any active attacker can compromise the connection by sending
a suitably crafted MX response.  The match pattern you want here is

    nexthop:dot-nexthop

*without* "hostname".  Or (less fungible) even just "nexthop", if by
mutual agreement with the receiving system, you're sure that the cert
will "always" include the domain.

-- 
    Viktor.
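
Added example (not part of the original message and not Postfix code): a simplified Python model of the "match=" name checks discussed above, run against the certificate names shown in the posttls-finger output. The function names, the matching rules as modelled here, and the `mx.attacker.example` host and certificate are assumptions constructed for illustration.

```python
# Simplified model of Postfix "match=" name checks (added illustration, not Postfix code).

def reference_names(match, nexthop, mx_host):
    """Expand a match= value into the reference names the client will accept."""
    expand = {"hostname": mx_host,           # name learned from the MX lookup
              "nexthop": nexthop,            # domain the policy entry is keyed on
              "dot-nexthop": "." + nexthop}  # any sub-domain of the next hop
    return [expand.get(s, s).lower() for s in match.split(":")]

def name_matches(ref, cert_name):
    """Compare one reference name with one DNS name from the certificate."""
    cert_name = cert_name.lower()
    if ref.startswith("."):                  # sub-domain pattern
        return cert_name.endswith(ref) and len(cert_name) > len(ref)
    if cert_name.startswith("*."):           # wildcard covers one leftmost label
        head, _, tail = ref.partition(".")
        return bool(head) and tail == cert_name[2:]
    return ref == cert_name

def verify(match, nexthop, mx_host, cert_names):
    refs = reference_names(match, nexthop, mx_host)
    return any(name_matches(r, c) for r in refs for c in cert_names)

# Certificate names copied from the posttls-finger output in the message.
NO_SNI_CERT = ["liger.hibridmena.com"]
SNI_CERT = ["*.shieldersme.com", "shieldersme.com"]
# Constructed names: an MX host supplied by a forged DNS answer, with its own cert.
FORGED_MX = "mx.attacker.example"
FORGED_CERT = ["mx.attacker.example"]

def scenarios():
    nh = "shieldersme.com"  # the log shows the peer host name equal to the next hop
    with_host, without_host = "hostname:nexthop:dot-nexthop", "nexthop:dot-nexthop"
    return {
        "no SNI, default cert": verify(with_host, nh, nh, NO_SNI_CERT),
        "SNI set, domain cert": verify(without_host, nh, nh, SNI_CERT),
        "forged MX, with hostname": verify(with_host, nh, FORGED_MX, FORGED_CERT),
        "forged MX, without hostname": verify(without_host, nh, FORGED_MX, FORGED_CERT),
    }

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:30} {'match' if ok else 'hostname mismatch'}")
```
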