TLS - Certificate not Trusted

2010-01-11 Thread Dennis Putnam
I'm just getting started with version 2.5.5 and TLS is different than my 
previous version. I have everything working except some email will not go 
out because of the error "delivery temporarily suspended: Server certificate 
not trusted." What parameter do I have wrong that requires trusted 
certificates? I want to enforce TLS but I don't care what certificate the 
receiver uses. Thanks.

Dennis Putnam
Sr. IT Systems Administrator

AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000
The information contained in this e-mail and any attachments is strictly 
confidential. If you are not the intended recipient, any use, dissemination, 
distribution, or duplication of any part of this e-mail or any attachment is 
prohibited. If you are not the intended recipient, please notify the sender by 
return e-mail and delete all copies, including the attachments.





Re: TLS - Certificate not Trusted

2010-01-11 Thread Christoph Anton Mitterer
On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> I want to enforce TLS but I don't care what certificate the receiver
> uses. Thanks.
Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
setting the
smtp_tls_security_level = encrypt
should usually do what you mean, enforce TLS with the remote SMTP
server, but accept untrusted certs or even those with a wrong name.


> The information contained in this e-mail and any attachments is
> strictly confidential. If you are not the intended recipient, any use,
> dissemination, distribution, or duplication of any part of this e-mail
> or any attachment is prohibited. If you are not the intended
> recipient, please notify the sender by return e-mail and delete all
> copies, including the attachments.
There is (at least in most countries) no legal ground for so called
"disclaimers" and they're quite stupid and annoying when sending
them to public mailing lists.



Cheers,
Chris.




Re: TLS - Certificate not Trusted

2010-01-11 Thread Dennis Putnam
Hi Chris,

Thanks for the reply. Please see embedded comments.

On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:

> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
>> I want to enforce TLS but I don't care what certificate the receiver
>> uses. Thanks.
> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> setting the
> smtp_tls_security_level = encrypt
> should usually do what you mean, enforce TLS with the remote SMTP
> server, but accept untrusted certs or even those with a wrong name.

I don't get to choose, I just have to do it. How these parameters work is still 
a little confusing to me. I have smtpd and smtp security levels set to 'may.' 
What I am trying to do is set up opportunistic TLS except for specific hosts 
that I need to enforce (smtp_tls_per_site). What I noticed is that this one 
site was using Thawte as the signing authority. I tried adding their root 
certificate to my config and now the error has changed to a warning about 
untrusted TLS connection but the mail seems to be moving now. Did I stumble on 
to a fix or am I still missing something?

> 
> 
>> The information contained in this e-mail and any attachments is
>> strictly confidential. If you are not the intended recipient, any use,
>> dissemination, distribution, or duplication of any part of this e-mail
>> or any attachment is prohibited. If you are not the intended
>> recipient, please notify the sender by return e-mail and delete all
>> copies, including the attachments.
> There is (at least in most countries) no legal ground for so called
> "disclaimers" and they're quite stupid and annoying when sending
> them to public mailing lists.

I am quite familiar with the arguments but again it is not my choice. If you 
want, I can give you the number of our corporate lawyers and you can try to 
convince them. Perhaps you will have better luck than me. :-)

> 
> 
> 
> Cheers,
> Chris.








Re: TLS - Certificate not Trusted

2010-01-11 Thread Dennis Putnam
Upon further investigation, apparently mail is not moving. There seems to be 2 
domains associated with this site but I was only asked to enforce TLS on one of 
them. That is why it appeared to be working. Getting back to Chris' comments, I 
think setting the security level to 'encrypt' forces everything to be TLS and 
that will not work. I need it to work as I previously described.

On Jan 11, 2010, at 11:27 AM, Dennis Putnam wrote:

> Hi Chris,
> 
> Thanks for the reply. Please see embedded comments.
> 
> On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:
> 
>> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
>>> I want to enforce TLS but I don't care what certificate the receiver
>>> uses. Thanks.
>> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
>> setting the
>> smtp_tls_security_level = encrypt
>> should usually do what you mean, enforce TLS with the remote SMTP
>> server, but accept untrusted certs or even those with a wrong name.
> 
> I don't get to choose, I just have to do it. How these parameters work is 
> still a little confusing to me. I have smtpd and smtp security levels set to 
> 'may.' What I am trying to do is set up opportunistic TLS except for specific 
> hosts that I need to enforce (smtp_tls_per_site). What I noticed is that this 
> one site was using Thawte as the signing authority. I tried adding their root 
> certificate to my config and now the error has changed to a warning about 
> untrusted TLS connection but the mail seems to be moving now. Did I stumble 
> on to a fix or am I still missing something?
> 
>> 
>> 
>>> The information contained in this e-mail and any attachments is
>>> strictly confidential. If you are not the intended recipient, any use,
>>> dissemination, distribution, or duplication of any part of this e-mail
>>> or any attachment is prohibited. If you are not the intended
>>> recipient, please notify the sender by return e-mail and delete all
>>> copies, including the attachments.
>> There is (at least in most countries) no legal ground for so called
>> "disclaimers" and they're quite stupid and annoying when sending
>> them to public mailing lists.
> 
> I am quite familiar with the arguments but again it is not my choice. If you 
> want, I can give you the number of our corporate lawyers and you can try to 
> convince them. Perhaps you will have better luck than me. :-)
> 
>> 
>> 
>> 
>> Cheers,
>> Chris.
> 
> 
> 








Re: TLS - Certificate not Trusted

2010-01-11 Thread Noah Sheppard
> >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> >>> I want to enforce TLS but I don't care what certificate the receiver
> >>> uses. Thanks.
> >> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> >> [..]

Why is TLS w/ SMTP a bad idea?

-- 
Noah Sheppard
Assistant Computer Resource Manager
Taylor University CSE Department
nshep...@cse.taylor.edu



Re: TLS - Certificate not Trusted

2010-01-11 Thread /dev/rob0
On Mon, Jan 11, 2010 at 11:53:35AM -0500, Noah Sheppard wrote:
[attribution to Chris is missing]
> > >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> > >>> I want to enforce TLS but I don't care what certificate the 
> > >>> receiver uses. Thanks.
> > >> Apart from the fact that enforcing TLS with SMTP is usually a 
> > >> bad idea, [..]
> 
> Why is TLS w/ SMTP a bad idea?

TLS with SMTP is a fine idea.

*Enforcing* TLS with SMTP is usually a bad idea. Many sites might not
support it, and if you require TLS, you cannot get their mail nor
send to them.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: TLS - Certificate not Trusted

2010-01-11 Thread Noel Jones

On 1/11/2010 10:38 AM, Dennis Putnam wrote:

> Upon further investigation, apparently mail is not moving. There seems
> to be 2 domains associated with this site but I was only asked to
> enforce TLS on one of them. That is why it appeared to be working.
> Getting back to Chris' comments, I think setting the security level to
> 'encrypt' forces everything to be TLS and that will not work. I need it
> to work as I previously described.


Postfix client TLS settings are described in
http://www.postfix.org/TLS_README.html#client_tls

For a general-purpose MTA the main.cf setting should be "none" 
or "may".  To force encryption for a specific recipient 
domain, see

http://www.postfix.org/TLS_README.html#client_tls_policy

If your mail is deferred due to certificate errors, this 
implies you're using a security level above "encrypt".  Don't 
do that unless you have the proper root certificates installed.



If you need more help, please refer to
http://www.postfix.org/DEBUG_README.html#mail
and show us your "postconf -n" output, any related policy map 
contents, and related logging.


   -- Noel Jones


Re: TLS - Certificate not Trusted

2010-01-11 Thread Dennis Putnam
Hi Noel,

Thanks. I think you pointed me in the right direction. Am I correct that the 
per_site table is different under 2.5.5 than pre 2.3? I had trouble getting 
that to work on the old server so I didn't change it for the migration. What I 
have is:

.somedomain.com  MUST

I think it now can be a hash and should look like:

[somedomain.com] encrypt

Is that correct? I'm guessing the old 'MUST' is being interpreted as 'secure' in 
this version.

On Jan 11, 2010, at 12:02 PM, Noel Jones wrote:

> On 1/11/2010 10:38 AM, Dennis Putnam wrote:
>> Upon further investigation, apparently mail is not moving. There seems
>> to be 2 domains associated with this site but I was only asked to
>> enforce TLS on one of them. That is why it appeared to be working.
>> Getting back to Chris' comments, I think setting the security level to
>> 'encrypt' forces everything to be TLS and that will not work. I need it
>> to work as I previously described.
> 
> Postfix client TLS settings are described in
> http://www.postfix.org/TLS_README.html#client_tls
> 
> For a general-purpose MTA the main.cf setting should be "none" or "may".  To 
> force encryption for a specific recipient domain, see
> http://www.postfix.org/TLS_README.html#client_tls_policy
> 
> If your mail is deferred due to certificate errors, this implies you're using 
> a security level above "encrypt".  Don't do that unless you have the proper 
> root certificates installed.
> 
> 
> If you need more help, please refer to
> http://www.postfix.org/DEBUG_README.html#mail
> and show us your "postconf -n" output, any related policy map contents, and 
> related logging.
> 
>   -- Noel Jones
> 








Re: TLS - Certificate not Trusted

2010-01-11 Thread Noel Jones

On 1/11/2010 11:16 AM, Dennis Putnam wrote:

> Hi Noel,
> 
> Thanks. I think you pointed me in the right direction. Am I correct that
> the per_site table is different under 2.5.5 than pre 2.3? I had trouble
> getting that to work on the old server so I didn't change it for the
> migration. What I have is:
> 
> .somedomain.com MUST
> 
> I think it now can be a hash and should look like:
> 
> [somedomain.com] encrypt
> 
> Is that correct? I'm guessing the old 'MUST' is being interpreted as
> 'secure' in this version.



According to the example in
http://www.postfix.org/TLS_README.html#client_tls_policy
the policy table should contain

somedomain.tld encrypt

To include subdomains of somedomain.tld also include
.somedomain.tld encrypt

  -- Noel Jones


Re: TLS - Certificate not Trusted

2010-01-11 Thread Victor Duchovni
On Mon, Jan 11, 2010 at 11:36:42AM -0600, Noel Jones wrote:

> According to the example in
> http://www.postfix.org/TLS_README.html#client_tls_policy
> the policy table should contain
>
>   somedomain.tld encrypt
>
> To include subdomains of somedomain.tld also include
>
>   .somedomain.tld encrypt

And only when one's transport table or relayhost specifies a
nexthop of the form:

[gateway.example.com]

does the TLS policy table need an entry of the same form:

[gateway.example.com]   encrypt|secure|fingerprint ...

For "[gateway]" nexthops there is no real difference between "secure"
and "verify", both test for the same nexthop address, unless "match"
values are specified explicitly.

In retrospect, it was an interface design error to provide both levels,
just one would have been enough, with backwards compatibility for
tls_per_site provided via different "match" values for "verify", not a
different security level.  Both verify certificates using a slightly
different default set of match values. :-( The "damage" is fairly minor...

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
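Added illustration, not Postfix's own code: a small Python model of the policy-table lookup Noel describes (exact domain first, then a leading-dot entry for subdomains) and the point Viktor adds (a bracketed "[gateway]" next-hop only matches a key written in the same bracketed form), plus a mapping of the old smtp_tls_per_site keywords to smtp_tls_policy_maps levels. The lookup order, the no-parent-search rule for bracketed keys and the MUST-to-verify mapping are my reading of TLS_README rather than text from this thread, and the policy table is constructed.

```python
# Constructed contents of a hash:/etc/postfix/tls_policy table (not from the thread).
TLS_POLICY = {
    "somedomain.tld": "encrypt",       # the recipient domain itself
    ".somedomain.tld": "encrypt",      # its subdomains (Noel's second entry)
    "[gateway.example.com]": "secure", # a bracketed transport/relayhost nexthop
}

DEFAULT_LEVEL = "may"  # global smtp_tls_security_level for every other destination

# Assumed correspondence between old smtp_tls_per_site keywords and policy levels
# (TLS_README keeps "verify" around for per_site MUST compatibility; Dennis guessed "secure").
PER_SITE_TO_POLICY = {
    "NONE": "none",
    "MAY": "may",
    "MUST_NOPEERMATCH": "encrypt",
    "MUST": "verify",
}


def lookup_policy(policy, nexthop, default=DEFAULT_LEVEL):
    """Return (security_level, matched_key) for a next-hop destination.

    Assumed lookup order: the full nexthop verbatim; then, for a plain domain,
    each parent domain with a leading dot. A "[host]" or "[host]:port" nexthop
    is matched only against a key written with the same brackets.
    """
    if nexthop in policy:
        return policy[nexthop], nexthop
    if nexthop.startswith("["):
        return default, None
    domain = nexthop.split(":", 1)[0]  # drop an optional :port
    labels = domain.split(".")
    # ".somedomain.tld" covers hosts under it, not "somedomain.tld" itself,
    # which is why Noel lists both forms.
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in policy:
            return policy[key], key
    return default, None


def convert_per_site_level(keyword):
    """Translate an old per_site keyword (e.g. MUST) to a policy-table level."""
    return PER_SITE_TO_POLICY[keyword.upper()]
```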


Re: TLS - Certificate not Trusted

2010-01-11 Thread LuKreme
On 11-Jan-2010, at 09:27, Dennis Putnam wrote:
> I am quite familiar with the arguments but again it is not my choice. If you 
> want, I can give you the number of our corporate lawyers and you can try to 
> convince them. Perhaps you will have better luck than me. :-)


I will be happy to email them daily links to publicly accessible web pages 
containing emails sent from that domain to a mailing list with that 
'disclaimer' attached.

I will use, disseminate, distribute, and republish any post with a disclaimer 
on it as a matter of course.

-- 
INDIAN BURNS ARE NOT OUR CULTURAL HERITAGE
Bart chalkboard Ep. 3F05