On Tue, Jun 09, 2015 at 04:36:35PM -0700, PGNd wrote:

> I'm forwarding specific mail from a remote Postfix instance to a local one.
> 
> I'm switching from SASL auth to high-encryption tls cert auth'd connection.
> 
> It works to the extent that
> 
>       (1) connections without the TLS cert in place are rejected
>       (2) a Trusted TLS connection is established at the server
>       (3) mail's received

Sounds good so far.

> On receipt, log on local
> 
>       Jun  9 14:08:40 local010 postfix/relay-local/smtpd[14395]: Trusted TLS connection established from internal.remote016.DDDD.com[10.1.1.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The client certificate is issued by a CA trusted by the server.

>       Jun  9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: internal.local010.DDDD.com[10.128.1.10]:11587: subject_CN=relay-local.local010.DDDD.com, issuer_CN=DDDD.com_CA, fingerprint=AA:..., pkey_fingerprint=BB:...

This is not normally logged at TLS loglevel 1, and higher log levels
are not recommended for routine use.

>       Jun  9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: Untrusted TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This means that the server's certificate is not issued by a CA
trusted by the client, and the security level is "may", "encrypt" or
perhaps "dane" (and the server has no DNSSEC signed TLSA records).

> Should that be "Untrusted TLS connection", or needs to be modified to be
> a "Trusted TLS connection"?

Your choice.  At present the server is not authenticated.

> since there's no Trust until the server auths the connection that this is
> OK as is.

The fact that the server accepts the client identity in no way
confirms the server identity to the client.

>               11587    inet    n    -    n    -    -    smtpd

What about main.cf settings?

>                       -o alias_database=
>                       -o alias_maps=
>                       -o relayhost=
>                       -o relay_clientcerts=lmdb:/etc/postfix/relay_clientcerts
>                       -o relay_domains=
>                       -o relay_transport=relay:[127.0.0.1]:30011
>                       -o smtp_helo_name=relay-local.DDDD.com

These are not smtpd(8) parameters and can't be set via master.cf
smtpd(8) overrides.

>                       -o smtpd_enforce_tls=yes

This one is obsolete.

> Also the local's
> 
>       -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,reject_unauth_destination
> 
> seems it could safely be
> 
>       -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
> 
> Any reason not to?

Fine either way provided no clients need to be admitted based on
IP address alone.

-- 
        Viktor.
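The thread turns on the difference between the two "TLS connection established" lines: the smtpd(8) line on local010 says the server authenticated the client certificate, while the smtp(8) line on remote016 says the client did not authenticate the server. A small log audit makes that asymmetry visible in monitoring. The following Python is an added example, not code from the thread or from Postfix; the function names, the regex and the policy switches are my own, and the sample log lines are constructed (two are copied from the thread, one is invented with a documentation address).

```python
import re
from typing import Dict, List, Optional

# Matches the "<level> TLS connection established" lines that Postfix
# smtp(8) and smtpd(8) log at TLS loglevel 1.  Group names are my own choice.
# The optional "service/" component covers master.cf entries with a custom
# service name such as relay-remote/smtp; the default is plain postfix/smtp.
TLS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?:(?P<service>[^/\[\s]+)/)?(?P<daemon>smtpd?)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+?)(?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Only these two levels mean the peer's certificate chained to a trusted CA
# (Trusted) or additionally matched the expected name (Verified).
AUTHENTICATED = {"Trusted", "Verified"}

# Constructed sample log: first two lines are the ones quoted in the thread,
# the third is invented (192.0.2.25 is a documentation address), the fourth
# is an unrelated line the parser must ignore.
SAMPLE_LOG = [
    "Jun  9 14:08:40 local010 postfix/relay-local/smtpd[14395]: Trusted TLS connection "
    "established from internal.remote016.DDDD.com[10.1.1.16]: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun  9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: Untrusted TLS connection "
    "established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun  9 14:09:02 remote016 postfix/relay-remote/smtp[31281]: Anonymous TLS connection "
    "established to mx.example.invalid[192.0.2.25]:25: TLSv1.2 with cipher "
    "AECDH-AES256-SHA (256/256 bits)",
    "Jun  9 14:09:03 remote016 postfix/relay-remote/smtp[31281]: "
    "unrelated line that is not a TLS session record",
]


def parse_tls_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of a TLS session log line, or None for other lines."""
    m = TLS_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: List[str],
          require_server_auth: bool = True,
          require_client_auth: bool = True) -> List[str]:
    """Return one finding per TLS session that does not meet policy.

    smtp(8) lines ("... established to ...") record the client's view of the
    server certificate; smtpd(8) lines ("... established from ...") record
    the server's view of the client certificate.  A Trusted result on one
    side says nothing about the other, which is the point made in the thread.
    """
    findings = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue
        authenticated = rec["trust"] in AUTHENTICATED
        if rec["daemon"] == "smtp" and require_server_auth and not authenticated:
            findings.append(
                f"{rec['host']}: server {rec['peer']} not authenticated by the client "
                f"({rec['trust']} TLS, {rec['proto']} {rec['cipher']})")
        elif rec["daemon"] == "smtpd" and require_client_auth and not authenticated:
            findings.append(
                f"{rec['host']}: client {rec['peer']} not authenticated by the server "
                f"({rec['trust']} TLS, {rec['proto']} {rec['cipher']})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the audit flags the two smtp(8) sessions (Untrusted and Anonymous) and passes the smtpd(8) session, matching Viktor's reading of the logs: the server accepted the client certificate, but the client never authenticated the server. On the client side, only the "verify" or "secure" settings of smtp_tls_security_level (or "dane" with DNSSEC-signed TLSA records) make Postfix authenticate the server, so a monitoring rule like this one is a cheap way to notice when a relay path that is supposed to be mutually authenticated has silently fallen back to "may" or "encrypt".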
