Re: Outbound TLS Certificate Verification

2017-06-16 Thread Wietse Venema
Osama Al-Hassani:
> > Which Postfix SMTP client implementation matches server certificates 
> > against server IP addresses?
> 
> We are using 3.2.0 vanilla. 
> 
> To clarify, this is when using the "match" attribute with the "verify" security
> level. I could rephrase the question as: why is anything but DNS names
> ignored in the SANs field?
> 

Perhaps because there is no support for IP address matching?

Wietse


RE: Outbound TLS Certificate Verification

2017-06-16 Thread Osama Al-Hassani
> Which Postfix SMTP client implementation matches server certificates against 
> server IP addresses?

We are using 3.2.0 vanilla. 

To clarify, this is when using the "match" attribute with the "verify" security
level. I could rephrase the question as: why is anything but DNS names
ignored in the SANs field?

Thanks,
Osama 


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Wietse Venema
Sent: 15 June 2017 21:47
To: Postfix users 
Subject: Re: Outbound TLS Certificate Verification

Osama Al-Hassani:
> Yes. And we are using DNS SANs, but in some scenarios we need to verify
> against the IP address.
>
> We can do this if the IP address is present in the CN but not SANs. Is
> there a reason for the difference in behaviour?
> 
> Thanks,
> Osama
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: postfix-users@postfix.org
> Subject: Re: Outbound TLS Certificate Verification
> 
> On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:
> 
> > When verifying server certificates on outbound connections, it seems
> > we are unable to verify the IP address part of the SANs field. We are
> > able to verify IPs in CNs.
> 
> Email is sent to addresses of the form , where the
> "domain-part" is a DNS domain, not an IP address.  The SMTP server is either an
> MX host, or the domain itself, in the absence of MX records.  Bare IP
> addresses are not valid in MX records.  Most mail systems will not accept
> email to addresses of the form  (ip-address domain-literals).
> 
> > What is the reasoning behind this behaviour?
> 
> No useful security results from verifying IP addresses in certificates for 
> TLS connections to DNS hosts.  Certificates with IP addresses are for IPsec, 
> not for TLS with SMTP.
> 
> Postfix supports DNS subject alternative names:
> 
> https://www.postfix.org/TLS_README.html#client_tls_secure
> https://www.postfix.org/TLS_README.html#client_tls_dane

Which Postfix SMTP client implementation matches server certificates against 
server IP addresses?

Wietse

--
Message Processed by the Clearswift V4 Engineering Dogfood Secure Email Gateway

This e-mail and any files transmitted with it are strictly confidential, may be 
privileged and are intended only for use by the addressee unless otherwise 
indicated.  If you are not the intended recipient any use, dissemination, 
printing or copying is strictly prohibited and may be unlawful.  If you have 
received this e-mail in error, please delete it immediately and contact the 
sender as soon as possible.  Clearswift cannot be held liable for delays in 
receipt of an email or any errors in its content. Clearswift accepts no 
responsibility once an e-mail and any attachments leave us. Unless expressly 
stated, opinions in this message are those of the individual sender and not of 
Clearswift.

This email message has been inspected by Clearswift for inappropriate content 
and security threats. 

To find out more about Clearswift’s solutions please visit www.clearswift.com



Re: Outbound TLS Certificate Verification

2017-06-15 Thread Wietse Venema
Osama Al-Hassani:
> Yes. And we are using DNS SANs, but in some scenarios we need to verify
> against the IP address.
>
> We can do this if the IP address is present in the CN but not SANs. Is
> there a reason for the difference in behaviour?
> 
> Thanks,
> Osama 
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: postfix-users@postfix.org
> Subject: Re: Outbound TLS Certificate Verification
> 
> On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:
> 
> > When verifying server certificates on outbound connections, it seems
> > we are unable to verify the IP address part of the SANs field. We are
> > able to verify IPs in CNs.
> 
> Email is sent to addresses of the form , where the
> "domain-part" is a DNS domain, not an IP address.  The SMTP server is either an
> MX host, or the domain itself, in the absence of MX records.  Bare IP
> addresses are not valid in MX records.  Most mail systems will not accept
> email to addresses of the form  (ip-address domain-literals).
> 
> > What is the reasoning behind this behaviour?
> 
> No useful security results from verifying IP addresses in certificates for 
> TLS connections to DNS hosts.  Certificates with IP addresses are for IPsec, 
> not for TLS with SMTP.
> 
> Postfix supports DNS subject alternative names:
> 
> https://www.postfix.org/TLS_README.html#client_tls_secure
> https://www.postfix.org/TLS_README.html#client_tls_dane

Which Postfix SMTP client implementation matches server certificates
against server IP addresses?

Wietse


RE: Outbound TLS Certificate Verification

2017-06-15 Thread Osama Al-Hassani
Yes. And we are using DNS SANs, but in some scenarios we need to verify against
the IP address.

We can do this if the IP address is present in the CN but not SANs. Is there
a reason for the difference in behaviour?

Thanks,
Osama 

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Viktor Dukhovni
Sent: 15 June 2017 01:33
To: postfix-users@postfix.org
Subject: Re: Outbound TLS Certificate Verification

On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:

> When verifying server certificates on outbound connections, it seems
> we are unable to verify the IP address part of the SANs field. We are
> able to verify IPs in CNs.

Email is sent to addresses of the form , where the
"domain-part" is a DNS domain, not an IP address.  The SMTP server is either an
MX host, or the domain itself, in the absence of MX records.  Bare IP
addresses are not valid in MX records.  Most mail systems will not accept
email to addresses of the form  (ip-address domain-literals).

> What is the reasoning behind this behaviour?

No useful security results from verifying IP addresses in certificates for TLS 
connections to DNS hosts.  Certificates with IP addresses are for IPsec, not 
for TLS with SMTP.

Postfix supports DNS subject alternative names:

https://www.postfix.org/TLS_README.html#client_tls_secure
https://www.postfix.org/TLS_README.html#client_tls_dane

-- 
Viktor.




Re: Outbound TLS Certificate Verification

2017-06-14 Thread Viktor Dukhovni
On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:

> When verifying server certificates on outbound connections, it seems we
> are unable to verify the IP address part of the SANs field. We are able to
> verify IPs in CNs.

Email is sent to addresses of the form ,
where the "domain-part" is a DNS domain, not an IP address.  The SMTP
server is either an MX host, or the domain itself, in the absence
of MX records.  Bare IP addresses are not valid in MX records.
Most mail systems will not accept email to addresses of the form
 (ip-address domain-literals).

> What is the reasoning behind this behaviour?

No useful security results from verifying IP addresses in certificates
for TLS connections to DNS hosts.  Certificates with IP addresses
are for IPsec, not for TLS with SMTP.

Postfix supports DNS subject alternative names:

https://www.postfix.org/TLS_README.html#client_tls_secure
https://www.postfix.org/TLS_README.html#client_tls_dane

-- 
Viktor.
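To make the behaviour discussed in this thread concrete, here is an added illustration (written for this page, not Postfix source code) of a simplified model of server name matching at the "verify" security level: DNS SANs are the only subjectAltName entries consulted, iPAddress SANs are never candidates, and the CommonName is a fallback compared as a plain string only when the certificate carries no DNS SANs, which is why an IP literal written into the CN appears to "work" while the same value in an iPAddress SAN does not. The one-label wildcard rule is an assumption of this model, and the certificates and the address 192.0.2.25 are constructed.

```python
"""Simplified model (added illustration, not Postfix source) of server name
matching at the Postfix "verify" TLS security level."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """The certificate fields that name matching ever looks at."""
    common_name: str = ""
    dns_sans: List[str] = field(default_factory=list)   # subjectAltName dNSName
    ip_sans: List[str] = field(default_factory=list)    # subjectAltName iPAddress


def usable_names(cert: ServerCert) -> List[str]:
    """Names the matcher can use: DNS SANs if any exist, else the CommonName.
    iPAddress SANs are never candidates, whatever they contain."""
    if cert.dns_sans:
        return list(cert.dns_sans)
    return [cert.common_name] if cert.common_name else []


def _dns_name_matches(cert_name: str, expected: str) -> bool:
    """Case-insensitive comparison; a '*' is honoured only as the whole
    left-most label (assumed wildcard rule: it covers exactly one label)."""
    cert_name = cert_name.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # "*.example.net" -> ".example.net"
        head = expected[:-len(suffix)] if expected.endswith(suffix) else ""
        return bool(head) and "." not in head
    return cert_name == expected


def cert_matches(cert: ServerCert, expected: str) -> bool:
    """True when some usable name equals `expected`. Because the CommonName
    is compared as a plain string, an IP literal placed in the CN "matches"
    the same literal, while an iPAddress SAN can never match anything."""
    return any(_dns_name_matches(n, expected) for n in usable_names(cert))


# Constructed example certificates (192.0.2.25 is documentation address space).
IP_ONLY_IN_SAN = ServerCert(common_name="mail.example.net", ip_sans=["192.0.2.25"])
IP_IN_CN = ServerCert(common_name="192.0.2.25")
DNS_SAN_CERT = ServerCert(common_name="192.0.2.25", dns_sans=["*.example.net"])

if __name__ == "__main__":
    for cert, name in [(IP_ONLY_IN_SAN, "192.0.2.25"), (IP_IN_CN, "192.0.2.25"),
                       (DNS_SAN_CERT, "192.0.2.25"), (DNS_SAN_CERT, "mx1.example.net")]:
        verdict = "Verified" if cert_matches(cert, name) else "Untrusted"
        print(f"{verdict:9} expected={name:16} usable={usable_names(cert)}")
```

The third case shows the CN fallback being ignored as soon as a DNS SAN exists, so a certificate meant for DNS hostnames must carry the MX host's name as a DNS SAN rather than rely on the CN.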


Re: Outbound TLS

2016-02-20 Thread Wietse Venema
Viktor Dukhovni:
> On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:
> 
> > > Creating a separate hash file with the following content solved my
> > > issue, but doing the same for all domains will not be an acceptable
> > > solution ...
> > 
> > If you want to encrypt mail to all domains:
> > 
> > /etc/postfix/main.cf
> >smtp_tls_security_level = encrypt
> > 
> > But I would not recommend this.
> 
> If the OP just wants to use TLS with domains that offer STARTTLS,
> then:
> 
> smtp_tls_security_level = may
> 
> may be most appropriate.  This does not prevent cleartext fallback
> in case of trouble, but there are enough domains that advertise
> non-working STARTTLS to make cleartext fallback the sensible choice
> at present.  Opportunistic TLS is a counter-measure to passive
> monitoring, not active attacks.

The fanatics can disable fallback to plaintext with the example in
http://www.postfix.org/postconf.5.html#default_delivery_status_filter
(available in Postfix 3.0 and later).

Wietse


Re: Outbound TLS

2016-02-20 Thread Viktor Dukhovni
On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:

> > Creating a separate hash file with the following content solved my
> > issue, but doing the same for all domains will not be an acceptable solution ...
> 
> If you want to encrypt mail to all domains:
> 
> /etc/postfix/main.cf
>smtp_tls_security_level = encrypt
> 
> But I would not recommend this.

If the OP just wants to use TLS with domains that offer STARTTLS,
then:

smtp_tls_security_level = may

may be most appropriate.  This does not prevent cleartext fallback
in case of trouble, but there are enough domains that advertise
non-working STARTTLS to make cleartext fallback the sensible choice
at present.  Opportunistic TLS is a counter-measure to passive
monitoring, not active attacks.

-- 
Viktor.


Re: Outbound TLS

2016-02-20 Thread Wietse Venema
Joy:
> Creating a separate hash file with the following content solved my
> issue, but doing the same for all domains will not be an acceptable solution ...

If you want to encrypt mail to all domains:

/etc/postfix/main.cf
   smtp_tls_security_level = encrypt

But I would not recommend this.

Wietse


Re: Outbound TLS

2016-02-20 Thread Joy
Creating a separate hash file with the following content solved my
issue, but doing the same for all domains will not be an acceptable solution ...

In case any other solution exists which I may be missing, just let me know.


smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

gmail.com encrypt
.gmail.com encrypt




On Sat, Feb 13, 2016 at 6:12 PM, Wietse Venema  wrote:

> Christian Kivalo:
> >
> >
> > On 13 February 2016 11:10:25 CET, Joy wrote:
> > > May I know how I can force Postfix to use TLS if the remote MTA advertises
> > > STARTTLS on port 25 to connect to the remote server?
> > >
> > > I am already using TLS and connecting from Outlook is working
> > > perfectly,
> > > but when sending mail to Google it now says TLS fail.
> > Take a look at http://www.postfix.org/DEBUG_README.html#mail and
> > provide all necessary information
> >
> > At least postconf -n / postconf -Mf and log output of the TLS fail to
> > Google
>
> Indeed. google.com MX hosts support STARTTLS on port 25. If you
> must verify certificates issued from third-party issuers, see:
>
> http://www.postfix.org/postconf.5.html#tls_append_default_CA
>
> Wietse
>
> $ posttls-finger google.com
> posttls-finger: Connected to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25
> posttls-finger: < 220 mx.google.com ESMTP 207si21470864qhw.106 - gsmtp
> posttls-finger: > EHLO tail.porcupine.org
> posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
> posttls-finger: < 250-SIZE 35882577
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-CHUNKING
> posttls-finger: < 250 SMTPUTF8
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> ..lotsa stuff..
> posttls-finger: certificate verification failed for 
> aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25:
> untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> posttls-finger: aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: subject_CN=
> aspmx.l.google.com, issuer_CN=Google Internet Authority G2,
> fingerprint=17:C3:E9:B6:EB:1C:7E:BB:95:67:BE:EA:E6:48:43:90:E0:24:95:03,
> pkey_fingerprint=AD:4B:02:AC:67:0F:96:F3:D1:85:C9:3D:E3:A2:04:B3:9A:0F:36:17
> posttls-finger: Untrusted TLS connection established to 
> aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> posttls-finger: > EHLO tail.porcupine.org
> posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
> posttls-finger: < 250-SIZE 35882577
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-CHUNKING
> posttls-finger: < 250 SMTPUTF8
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 closing connection 207si21470864qhw.106 - gsmtp
>
>


Re: Outbound TLS

2016-02-13 Thread Wietse Venema
Christian Kivalo:
> 
> 
> On 13 February 2016 11:10:25 CET, Joy wrote:
> > May I know how I can force Postfix to use TLS if the remote MTA advertises
> > STARTTLS on port 25 to connect to the remote server?
> >
> > I am already using TLS and connecting from Outlook is working
> > perfectly,
> > but when sending mail to Google it now says TLS fail.
> Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all
> necessary information
>
> At least postconf -n / postconf -Mf and log output of the TLS fail to Google

Indeed. google.com MX hosts support STARTTLS on port 25. If you
must verify certificates issued from third-party issuers, see:

http://www.postfix.org/postconf.5.html#tls_append_default_CA

Wietse

$ posttls-finger google.com
posttls-finger: Connected to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25
posttls-finger: < 220 mx.google.com ESMTP 207si21470864qhw.106 - gsmtp
posttls-finger: > EHLO tail.porcupine.org
posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
posttls-finger: < 250-SIZE 35882577
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
..lotsa stuff..
posttls-finger: certificate verification failed for 
aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: untrusted issuer 
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: 
subject_CN=aspmx.l.google.com, issuer_CN=Google Internet Authority G2, 
fingerprint=17:C3:E9:B6:EB:1C:7E:BB:95:67:BE:EA:E6:48:43:90:E0:24:95:03, 
pkey_fingerprint=AD:4B:02:AC:67:0F:96:F3:D1:85:C9:3D:E3:A2:04:B3:9A:0F:36:17
posttls-finger: Untrusted TLS connection established to 
aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: TLSv1.2 with cipher 
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
posttls-finger: > EHLO tail.porcupine.org
posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
posttls-finger: < 250-SIZE 35882577
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection 207si21470864qhw.106 - gsmtp



Re: Outbound TLS

2016-02-13 Thread Nick Howitt
As far as I know, Google uses STARTTLS on port 587 and not port 25.
Have a look at
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_smtp_authentication_to_isp
to see how to set up relaying via STARTTLS.

A word of caution though. I believe Google rewrites the From header
or Reply-To header to the user name you use to authenticate. This
means if you are sending for multiple users with different Gmail
accounts, you may need to investigate
smtp_sender_dependent_authentication and
sender_dependent_relayhost_maps.

Nick

On 13/02/2016 11:49, Christian Kivalo wrote:

> On 13 February 2016 11:10:25 CET, Joy wrote:
> > May I know how I can force Postfix to use TLS if the remote MTA advertises
> > STARTTLS on port 25 to connect to the remote server?
> >
> > I am already using TLS and connecting from Outlook is working
> > perfectly,
> > but when sending mail to Google it now says TLS fail.
> Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all necessary information
>
> At least postconf -n / postconf -Mf and log output of the TLS fail to Google
>
> - Christian



Re: Outbound TLS

2016-02-13 Thread Christian Kivalo


On 13 February 2016 11:10:25 CET, Joy wrote:
> May I know how I can force Postfix to use TLS if the remote MTA advertises
> STARTTLS on port 25 to connect to the remote server?
>
> I am already using TLS and connecting from Outlook is working
> perfectly,
> but when sending mail to Google it now says TLS fail.
Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all
necessary information

At least postconf -n / postconf -Mf and log output of the TLS fail to Google

- Christian