Re: TLS Encryption and server verification (message 295318)

  • Viktor Dukhovni
    Sep 8, 2013
      On Sun, Sep 08, 2013 at 11:56:32AM +0200, Luigi Rosa wrote:

      > Per http://www.postfix.org/postconf.5.html#smtpd_tls_policy_maps if I use
      > fingerprint in smtp_tls_policy_maps "there are no trusted certificate
      > authorities. The certificate trust chain, expiration date, ...
      > are not checked"

      Yes, but you do have to configure Postfix correctly.

      > So I generated the keys on both servers and configured them in both Postfix
      > with smtpd_tls_key_file and smtpd_tls_cert_file.
      > On the originating server I have:
      > smtp_tls_security_level = may
      > smtp_tls_note_starttls_offer = yes
      > smtp_tls_fingerprint_digest = sha1
      > smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
      > smtp_tls_loglevel = 1
      > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      > smtp_tls_session_cache_timeout = 3600s

      You have failed to mention any related transport(5) settings. The
      SMTP TLS policy table lookup key is the transport nexthop.

      > tls policy is:
      > domain.com fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
      > mail.domain.com fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d

      Always good to check that the table actually returns these values
      when queried with the right lookup keys. Are these in fact the
      sha1 fingerprints of the *peer* certificate? How were they computed?

      > When I try to send an email on the originating server I have this log entries:
      > postfix/smtp[5360]: setting up TLS connection to xxxx[x.x.x.x]:25

      > Untrusted TLS connection established to mail.domain.com[x.x.x.x]:25: TLSv1
      > with cipher DHE-RSA-AES256-SHA (256/256 bits)
      > postfix/smtp[5360]: A4A6320004D: Server certificate not verified

      These log messages have been too heavily redacted. If you crank the log
      level to 2, Postfix will log the certificate and public key fingerprint
      of the remote server. You need to also post the relevant transport
      messages, and more complete log entries. Finally, the version of Postfix.

      On Sun, Sep 08, 2013 at 12:17:55PM +0200, Patrick Ben Koetter wrote:
      > You don't tell Postfix where to find the CA file that holds all CAs you trust.
      > Without a CA cert Postfix cannot verify a server cert.

      Irrelevant at the fingerprint security level.

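The three checks the reply above asks for (how the fingerprint was computed, whether the policy table answers for the real transport nexthop, and whether the fingerprint Postfix logs at loglevel 2 matches the table) can be rehearsed offline. The script below is an added example, not Postfix code and not from any poster in the thread. It assumes, as labelled in the comments, that case and ':' separators can be normalized before comparing digests, that the parent-domain fallback uses leading-dot keys in the `.example.net` form shown in TLS_README, and that the loglevel-2 line carries `fingerprint=` and `pkey_fingerprint=` fields; the policy text reuses the poster's table, and the log line and the DER bytes are constructed samples, not real captures or a real certificate. `postmap -q <nexthop> hash:/etc/postfix/tls_policy` and `openssl x509 -noout -fingerprint -sha1` remain the authoritative checks on a live system.

```python
"""Offline checks for a Postfix "fingerprint" TLS policy (added example)."""
import base64
import hashlib
import re
import ssl

PEM_HEADER, PEM_FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def fingerprint_from_der(der: bytes, digest: str = "sha1") -> str:
    """Colon-separated uppercase hex digest over the whole DER certificate,
    which is what `openssl x509 -fingerprint` prints and Postfix matches."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_from_pem(pem: str, digest: str = "sha1") -> str:
    """Same digest for a PEM file such as the one in smtpd_tls_cert_file."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem), digest)


def normalize(fp: str) -> str:
    """Assumption: drop separators and case so 'ab:CD' and 'ABCD' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_tls_policy(text: str) -> dict:
    """Parse a smtp_tls_policy_maps source file: 'nexthop level attr=value ...'.
    Values are (security_level, [attributes]); match= may repeat."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed policy line: {raw!r}")
        table[fields[0].lower()] = (fields[1], fields[2:])
    return table


def lookup_policy(table: dict, nexthop: str):
    """Exact key first; for a plain domain name fall back to parent domains
    with a leading dot (mail.example.net -> .example.net -> .net), the
    subdomain form TLS_README shows (assumption). Keys with [] or :port
    get an exact match only. Confirm with `postmap -q` on the real table."""
    key = nexthop.lower()
    if key in table:
        return table[key]
    if not re.fullmatch(r"[a-z0-9.-]+", key):
        return None
    pos = key.find(".", 1)
    while pos != -1:
        if key[pos:] in table:
            return table[key[pos:]]
        pos = key.find(".", pos + 1)
    return None


# Assumed loglevel-2 format: "fingerprint=" (certificate) then
# "pkey_fingerprint=" (public key); the \b keeps the regex off the second one.
LOG_FP = re.compile(r"\bfingerprint=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)")


def fingerprint_from_log(line: str):
    m = LOG_FP.search(line)
    return m.group(1) if m else None


def check_policy(table: dict, nexthop: str, observed_fp: str):
    """Return (ok, reason) for the certificate fingerprint seen for nexthop."""
    entry = lookup_policy(table, nexthop)
    if entry is None:
        return False, f"no policy entry for {nexthop!r}; smtp_tls_security_level applies"
    level, attrs = entry
    if level != "fingerprint":
        return False, f"policy level is {level!r}, not fingerprint"
    wanted = {normalize(a[len("match="):]) for a in attrs if a.startswith("match=")}
    if not wanted:
        return False, "no match= attribute (smtp_tls_fingerprint_cert_match would apply)"
    if normalize(observed_fp) in wanted:
        return True, "peer certificate fingerprint matches the policy"
    return False, f"fingerprint {observed_fp} not in policy"


# Constructed samples: the poster's table, a loglevel-2 line carrying the same
# digest, and stand-in DER bytes (not a real certificate) wrapped as PEM.
POLICY_TEXT = """\
domain.com       fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
mail.domain.com  fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
"""
SAMPLE_LOG = ("Sep  8 12:00:00 mx postfix/smtp[5360]: mail.domain.com[192.0.2.25]:25: "
              "subject_CN=mail.domain.com, issuer_CN=mail.domain.com, "
              "fingerprint=09:E6:21:1B:92:86:67:F1:56:6B:A5:06:7F:00:7E:AB:C7:43:68:6D, "
              "pkey_fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33")
SAMPLE_DER = b"constructed stand-in for a DER certificate"
SAMPLE_PEM = f"{PEM_HEADER}\n{base64.b64encode(SAMPLE_DER).decode()}\n{PEM_FOOTER}\n"

if __name__ == "__main__":
    table = parse_tls_policy(POLICY_TEXT)
    seen = fingerprint_from_log(SAMPLE_LOG)
    for nexthop in ("mail.domain.com", "domain.com", "[mail.domain.com]", "smtp.domain.com"):
        print(nexthop, check_policy(table, nexthop, seen))
    print("stand-in PEM fingerprint:", fingerprint_from_pem(SAMPLE_PEM))
```

The `[mail.domain.com]` and `smtp.domain.com` cases are the point of the reply: a transport entry that sets the nexthop to a bracketed host, or a host the table lists only by its parent without the leading dot, yields no policy hit, and Postfix then falls back to `smtp_tls_security_level = may`, which is exactly the "Untrusted TLS connection" the poster sees.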