Loading ...
Sorry, an error occurred while loading the content.

295782Re: submission by cert verification only

Expand Messages
  • Dan Langille
    Oct 7, 2013
      On 2013-10-06 23:13, Viktor Dukhovni wrote:
      > On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:
      >
      > [ What Noel said, plus see below. ]
      >
      > 10.0.0.1:submission inet n - n - - smtpd
      > -o smtpd_tls_req_ccert=yes
      >
      > Fine.
      >
      > -o smtpd_tls_auth_only=no
      >
      > This seems silly. Since authentication gets them nowhere, why
      > allow plaintext password leaks? Just disable SASL period.

      I am not using SASL at all.

      > -o smtpd_tls_ask_ccert=yes
      >
      > This is implied by req_ccert.

      Removed.

      > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      >
      > This is an SMTP client parameter that serves no purpose here.

      Removed.

      > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      >
      > This is a bad idea. Instead set this to an empty file. The list
      > of all the CA DNs from this file is sent to the client, but your
      > clients probably don't need CA hints. Otherwise make this is a
      > small list of one or two suitable CAs that issue the certificates
      > which are admitted via the relay certs file. You should your digest
      > algorithm explicitly (sha1 or better if available as with OpenSSL
      > 1.0.0 or later or the most recent Postfix patches that make sha256
      > available with older OpenSSL releases).

      FYI: this is the bundle from the CA which issued the certificate in
      question. Prior attempts with a smaller list failed.

      > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
      > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
      >
      > This looks like md5, and while still largely resistant to 2nd
      > preimage attacks, you should still avoid it.

      It is indeed MD5. I've changed to sha1 and obtained the new fingerprint
      via:

      openssl x509 -noout -in cliff.example.org.crt -fingerprint

      Thank you. Much appreciated.

      --
      Dan Langille - http://langille.org/
    • Show all 9 messages in this topic