
SMTP+TLS and Mail.app

  • Steve Finkelstein
    Message 1 of 5, Mar 1, 2008
      Hi all,

      This probably applies more to some OS/X forum, and if so, I sincerely
      apologize. I just figured someone active in the Postfix community has
      dealt with the same issue as I'm dealing with now. I'm running a
      postfix based MTA, and enforce TLS over SMTP for authentication with
      SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
      having a ton of trouble with Mail.app. For one odd reason or another,
      it doesn't wish to deal with self-signed certificates. I'm going to be
      purchasing a GoDaddy certificate shortly, but regardless, this is kind
      of silly of Mail.app.

      Here's how the SSL logs:

      Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:SSLv3 flush data
      Mar 1 21:52:41 catalyst postfix/smtpd[26513]: read from 080D6CF8
      [080E0408] (5 bytes => -1 (0xFFFFFFFF))
      Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:error in
      SSLv3 read client certificate A
      Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept error from
      ool-44c19145.dyn.optonline.net[68.193.145.69]: -1

      Here are my TLS settings:

      root@catalyst:/etc/postfix# postconf -n | grep -i tls
      smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
      smtpd_tls_CAfile = /etc/postfix/ca-bundle.crt
      smtpd_tls_ask_ccert = no
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_tls_loglevel = 9
      smtpd_tls_received_header = yes
      smtpd_tls_req_ccert = no
      smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
      smtpd_use_tls = yes
      tls_random_source = dev:/dev/urandom

      Thanks for taking a look!

      /sf
    • Steve Finkelstein
      Message 2 of 5, Mar 1, 2008
        By the way, hate to follow up on my own post. But I did make one finding.

        When I set the following:

        smtpd_tls_auth_only = no

        Mail.app is able to relay using my server. Unfortunately this also
        means passwords being sent over in cleartext, so I'd like to figure
        out a way to get the client working with TLS enabled auth.

        Thanks again all.

        /sf

      • Robin Helgelin
        Message 3 of 5, Mar 2, 2008
          On Sun, Mar 2, 2008 at 4:02 AM, Steve Finkelstein <sf@...> wrote:
          > Hi all,
          >
          > This probably applies more to some OS/X forum, and if so, I sincerely
          > apologize. I just figured someone active in the Postfix community has
          > dealt with the same issue as I'm dealing with now. I'm running a
          > postfix based MTA, and enforce TLS over SMTP for authentication with
          > SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
          > having a ton of trouble with Mail.app. For one odd reason or another,
          > it doesn't wish to deal with self-signed certificates. I'm going to be
          > purchasing a GoDaddy certificate shortly, but regardless, this is kind
          > of silly of Mail.app.

          I don't have any problems using self-signed certificates with
          Mail.app. Currently I'm using a certificate from cacert.org without
          problems.

          --
          regards,
          Robin
        • Lou Picciano
          Message 4 of 5, Mar 2, 2008
            Steve! How nice to see another Mac user on the list...

            Although we're slogging through some other issues with Postfix, we had virtually no trouble setting up successful TLS sessions originating from Mail.app (Version 3.2 (919/919.2)) running on Leopard (10.5.2). We are also using a self-signed cert - at least for testing, having no troubles.

            You will get the 'certificate signed by an unknown authority' message, but this is to be expected.
            Be sure that your 'common name' field matches exactly the name of your server; you've probably already run into this.

            One key gotcha might be the smtpd_tls_security option; note that 'yes' is now deprecated. Use 'encrypt' instead for Postfix 2.3 and later.
            A snippet of our main.cf follows:

            # TLS Support -----------------------------------------------------------
            # --------- TESTING:
            # postconf had reported this NO:
            smtpd_use_tls = yes
            # ------------------
            # smtpd_tls_auth_only = yes
            smtpd_tls_key_file = /path/to/key/mail.key.pem
            smtpd_tls_cert_file = /path/to/certs/mail.cert.pem
            smtpd_tls_CAfile = /path/to/CAcert/SelfSignedCAcert.pem
            # is the CA directory needed?
            smtpd_tls_CApath = /path/to/CAcert
            # smtpd_use_tls = may (COMMAND DEPRECATED by smtpd_tls_security_level in v>2.3)
            # Postfix 2.3 and later: ('yes' is obsolete; 'encrypt' ENFORCES use of TLS for clients):
            smtpd_tls_security_level = encrypt

            smtpd_tls_loglevel = 2
            smtpd_tls_received_header = yes
            smtpd_tls_session_cache_timeout = 3600s
            tls_random_source = dev:/dev/urandom

            # --------- TESTING:
            # this command was apparently unnecessary
            #smtpd_tls_note_starttls = yes
            # ------------------
            # This would only maintain compatibility with non-TLS clients:
            # smtpd_tls_auth_only = yes

            LOG OUTPUT:
            Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] SSL_accept:SSLv3 write finished A
            Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] SSL_accept:SSLv3 flush data
            Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] Anonymous TLS connection established from unknown[internal IP Address]: TLSv1 with cipher AES128-SHA (128/128 bits)

            Hope this helps - please keep me posted! Lou


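A defender-side check for the point Steve and Lou are circling (passwords must only be offered over TLS, and the certificate name must match the server). This is an added example, not code from the thread or from Postfix: it parses the EHLO replies before and after STARTTLS and reports whether AUTH is advertised in cleartext, which is what `smtpd_tls_auth_only = yes` / `smtpd_tls_security_level = encrypt` are meant to prevent. The host name and EHLO replies below are constructed samples; `probe()` runs the same logic against a live server and, with verification on, fails on a self-signed or mis-named certificate just as a strict MUA would.

```python
import re
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from the thread's server): what a
# Postfix smtpd advertises before and after STARTTLS with smtpd_tls_auth_only = yes.
EHLO_PLAINTEXT = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_AFTER_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"


def ehlo_keywords(reply):
    """Return the upper-cased EHLO keywords from a multi-line reply.

    Accepts both the raw wire form ("250-AUTH PLAIN") and smtplib's stripped
    form ("AUTH PLAIN"), so probe() can feed it what smtplib hands back."""
    words = set()
    for line in reply.splitlines():
        m = re.match(r"(?:250[ -])?(\S+)", line.strip())
        if m:
            words.add(m.group(1).upper())
    return words


def auth_policy(before_tls, after_tls):
    """Classify the server's AUTH exposure.

    'tls-only'  - AUTH only after STARTTLS (intended effect of smtpd_tls_auth_only = yes)
    'cleartext' - AUTH offered before STARTTLS, so SASL credentials can go unencrypted
    'no-tls'    - STARTTLS not advertised at all
    'no-auth'   - STARTTLS present but AUTH never offered (e.g. SASL not enabled)"""
    pre, post = ehlo_keywords(before_tls), ehlo_keywords(after_tls)
    if "STARTTLS" not in pre:
        return "no-tls"
    if "AUTH" in pre:
        return "cleartext"
    if "AUTH" in post:
        return "tls-only"
    return "no-auth"


def probe(host, port=25, verify=True):
    """Live check against a real server (hypothetical host, not one from the thread).

    With verify=True a self-signed certificate or a CN/SAN that does not match
    `host` raises ssl.SSLCertVerificationError during starttls(), the same
    condition a strict mail client trips on; verify=False only disables that
    check for diagnosing the EHLO policy, never for production use."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, before = s.ehlo()
        s.starttls(context=ctx)
        _, after = s.ehlo()
    return auth_policy(before.decode(), after.decode())
```

Run `probe("mail.example.test", 587)` against your own submission port; anything other than `tls-only` means clients like Mail.app falling back to plaintext AUTH would expose passwords.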
          • Kevin Stevens
            Message 5 of 5, Mar 2, 2008
              On Sun, 2 Mar 2008, Robin Helgelin wrote:

              > On Sun, Mar 2, 2008 at 4:02 AM, Steve Finkelstein <sf@...> wrote:
              >> Hi all,
              >>
              >> This probably applies more to some OS/X forum, and if so, I sincerely
              >> apologize. I just figured someone active in the Postfix community has
              >> dealt with the same issue as I'm dealing with now. I'm running a
              >> postfix based MTA, and enforce TLS over SMTP for authentication with
              >> SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
              >> having a ton of trouble with Mail.app. For one odd reason or another,
              >> it doesn't wish to deal with self-signed certificates. I'm going to be
              >> purchasing a GoDaddy certificate shortly, but regardless, this is kind
              >> of silly of Mail.app.
              >
              > I don't have any problems using self-signed certificates with
              > Mail.app. Currently I'm using a certificate from cacert.org without
              > problems.

              Same here. In fact, there's an Apple kbase article on how to accept a
              certificate, and it uses a self-signed cert as an example. I do agree you
              probably need to take your issue to an OS X forum, though. Have you tried
              the Apple Support user forums? A less interactive alternative would be
              macosxhints.com.

              KeS