On Sun, Feb 23, 2014 at 02:28:07PM +0100, Dirk Stöcker wrote:
> And whatever I do I'm unable to get any of these three to show a
> trusted connection to any of the others. It trusts Google and GMX
> and whatever, but not my own servers. That's disturbing.
>
> Here the configs I use essentially
Essentially, or actually?
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_cert_file = ...cert file include cert and all related ca's...
> smtpd_tls_key_file = ...key...
> smtpd_tls_CApath = /etc/ssl/certs/
>
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_tls_CApath = /etc/ssl/certs/
Notice anything funny about the last line?
> also says that certificate chain is complete and valid. But Postfix
> tells me "Untrusted" when sending a mail to one of the others.
> Always. It's disturbing.
With opportunistic TLS, it really makes little difference, since
mail is delivered regardless of the verification status. You do
need to have the appropriate issuing CA in either smtp_tls_CAfile
(easier to get this right) or in smtp_tls_CApath (in which case
you need to run c_rehash from the same OpenSSL release as Postfix
is linked with).
> Using a higher loglevel for TLS it seems that the other servers like
> Google send the certificates in initial connection of TLS, but my
> Postfix instances don't do this. And due to "may" Postfix sender
> seems not to ask.
When both sides are Postfix, and the client is opportunistic, the
server and client typically agree to a cipher-suite without any
certificates. Why bother, if the client does not check anyway.
> But even if it is not necessary to have a valid certificate
> installed for sending, I at least want to have the status correct in
> the logfile, so I can see a MITM attack in the log afterwards.
If this is important to you, set:
smtp_tls_exclude_ciphers=aNULL
for the transport that delivers mail between your internal systems.
> Any ideas what's wrong with my setup or how I can bring Postfix to
> log the correct trust status even if "may" is used?
>
> Two of the servers are the one for this mail: mail.stoecker.eu and
> another one with a valid cert: josm.openstreetmap.de in case it
> helps to have a look.
$ posttls-finger -c -Lsummary -lmay "[josm.openstreetmap.de]"
posttls-finger: Untrusted TLS connection established to
josm.openstreetmap.de[78.47.52.148]:25: TLSv1.1 with cipher AECDH-AES256-SHA
(256/256 bits)
This highlights a minor defect in the Postfix SMTP client TLS status
logging: it never actually logs the "Anonymous" case; that's only
done in the SMTP server.
PATCH:
diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
--- a/src/tls/tls_client.c
+++ b/src/tls/tls_client.c
@@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const
TLS_CLIENT_START_PROPS *props)
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
- "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+ "(%d/%d bits)",
+ !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+ TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);
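Review bot: the label selection in the msg_info() call is now a three-level nested ternary spread over three continuation lines (the `!TLS_CERT_IS_PRESENT ... ? "Anonymous" :` line followed by the "Verified" and "Trusted"/"Untrusted" lines), which is hard to read inside a format-argument list; consider a small helper that returns the label for a given TLScontext, and since the message above says the SMTP server already logs the "Anonymous" case, the same helper could serve both sides so the two label sets cannot drift apart. The new check is placed before the MATCHED and TRUSTED tests, so please confirm in review that those flags can never be set when no certificate is present; otherwise the order of the tests would matter. The documentation describing the client's "Verified"/"Trusted"/"Untrusted" summary line should also gain the new "Anonymous" label.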
With the patch I get:
$ posttls-finger -c -Lsummary -lmay "[josm.openstreetmap.de]"
posttls-finger: Anonymous TLS connection established to
josm.openstreetmap.de[78.47.52.148]:25: TLSv1.2 with cipher AECDH-AES256-SHA
(256/256 bits)
--
Viktor.
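As an added example (not from this thread and not Postfix code), the Python script below applies the two points made above to a defender's log review: it parses Postfix SMTP client TLS summary lines, including the "Anonymous" label the patch introduces, flags deliveries to your own hosts that were logged as anything weaker than "Trusted"/"Verified" (and therefore could not reveal a MITM afterwards), and lints a main.cf excerpt for the smtp_/smtpd_ CA-path mix-up and a missing aNULL exclusion. The log lines and the main.cf text are constructed to mirror the posted config and output, and INTERNAL_HOSTS is a hypothetical list of "our own" servers.

```python
"""Audit Postfix SMTP client TLS summary log lines and main.cf TLS settings.

Added example, not Postfix code. Flags deliveries to our own servers whose
peer certificate was not verified, and checks main.cf for the client-side
CA settings that such verification needs.
"""
import re

# Matches the stock client summary line ("Untrusted ...", "Trusted ...",
# "Verified ...") and the "Anonymous ..." label added by the patch above.
TLS_SUMMARY_RE = re.compile(
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<usebits>\d+)/(?P<algbits>\d+) bits\)"
)

# Hypothetical list of our own hosts; mail to these must show a verified chain.
INTERNAL_HOSTS = {"mail.stoecker.eu", "josm.openstreetmap.de"}

# Constructed syslog lines in the Postfix SMTP client format (IPs in the
# 192.0.2.0/24 documentation range are made up; the josm one is from the thread).
SAMPLE_LOG = """\
Feb 23 14:28:07 mx1 postfix/smtp[4242]: Untrusted TLS connection established to josm.openstreetmap.de[78.47.52.148]:25: TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 23 14:28:09 mx1 postfix/smtp[4243]: Trusted TLS connection established to gmail-smtp-in.l.google.com[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 23 14:30:01 mx1 postfix/smtp[4250]: Anonymous TLS connection established to josm.openstreetmap.de[78.47.52.148]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 23 14:31:15 mx1 postfix/smtp[4251]: Trusted TLS connection established to mail.stoecker.eu[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 23 14:32:00 mx1 postfix/smtp[4252]: Untrusted TLS connection established to mail.stoecker.eu[192.0.2.20]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# Constructed main.cf excerpt reproducing the posted configuration, including
# the smtpd_tls_CApath line that was meant to be smtp_tls_CApath.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs/
smtp_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs/
"""


def parse_tls_summary(line):
    """Return the fields of a client TLS summary line, or None if it is not one."""
    m = TLS_SUMMARY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "usebits", "algbits"):
        rec[key] = int(rec[key])
    # OpenSSL names anonymous (aNULL) suites with an ADH-/AECDH- prefix; they
    # authenticate nobody, so a MITM would leave the logged status unchanged.
    rec["anonymous_cipher"] = rec["cipher"].startswith(("ADH-", "AECDH-"))
    return rec


def audit_internal_deliveries(log_text, internal_hosts=INTERNAL_HOSTS):
    """List deliveries to our own hosts whose peer certificate was not verified.

    Only "Trusted" (chain verified) and "Verified" (chain verified and name
    matched) mean the log could expose a MITM after the fact.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_tls_summary(line)
        if rec is None or rec["host"] not in internal_hosts:
            continue
        if rec["status"] in ("Trusted", "Verified"):
            continue
        if rec["status"] == "Anonymous" or rec["anonymous_cipher"]:
            reason = "anonymous cipher, no certificate exchanged"
        else:
            reason = "certificate not trusted by client CA settings"
        findings.append((rec["host"], rec["status"], rec["cipher"], reason))
    return findings


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, later settings win.

    Continuation lines and $variable expansion are not handled.
    """
    settings, duplicates = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in settings:
            duplicates.append(name)
        settings[name] = value
    return settings, duplicates


def check_client_tls_settings(text):
    """Return warnings about client-side (smtp_*) TLS settings in main.cf."""
    settings, duplicates = parse_main_cf(text)
    warnings = [f"{name} set more than once; check for an smtp_/smtpd_ typo"
                for name in duplicates]
    if settings.get("smtp_tls_security_level") and not (
            settings.get("smtp_tls_CAfile") or settings.get("smtp_tls_CApath")):
        warnings.append("no smtp_tls_CAfile/smtp_tls_CApath: client can never log Trusted")
    if "anull" not in settings.get("smtp_tls_exclude_ciphers", "").lower():
        warnings.append("aNULL not excluded: Postfix peers may agree on a cipher without certificates")
    return warnings


if __name__ == "__main__":
    for finding in audit_internal_deliveries(SAMPLE_LOG):
        print("LOG:", *finding)
    for warning in check_client_tls_settings(SAMPLE_MAIN_CF):
        print("CONF:", warning)
```

Run against a real mail log with `audit_internal_deliveries(open("/var/log/mail.log").read(), {"your", "hosts"})`; once the client CA store is fixed and aNULL is excluded on the internal transport, every delivery to those hosts should log "Trusted" (or "Verified" with a matching security level), and anything else in this report is worth a closer look.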