Re: SMTP+TLS and Mail.app

  • Steve Finkelstein
    Message 1 of 5, Mar 1, 2008
      By the way, hate to follow up on my own post. But I did make one finding.

      When I set the following:

      smtpd_tls_auth_only = no

      Mail.app is able to relay using my server. Unfortunately this also
      means passwords being sent over in cleartext, so I'd like to figure
      out a way to get the client working with TLS enabled auth.

      Thanks again all.

      /sf

      On 3/1/08, Steve Finkelstein <sf@...> wrote:
      > Hi all,
      >
      > This probably applies more to some OS/X forum, and if so, I sincerely
      > apologize. I just figured someone active in the Postfix community has
      > dealt with the same issue as I'm dealing with now. I'm running a
      > postfix based MTA, and enforce TLS over SMTP for authentication with
      > SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
      > having a ton of trouble with Mail.app. For one odd reason or another,
      > it doesn't wish to deal with self-signed certificates. I'm going to be
      > purchasing a GoDaddy certificate shortly, but regardless, this is kind
      > of silly of Mail.app.
      >
      > Here's what the SSL logs show:
      >
      > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:SSLv3 flush data
      > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: read from 080D6CF8
      > [080E0408] (5 bytes => -1 (0xFFFFFFFF))
      > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:error in
      > SSLv3 read client certificate A
      > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept error from
      > ool-44c19145.dyn.optonline.net[68.193.145.69]: -1
      >
      > Here are my TLS settings:
      >
      > root@catalyst:/etc/postfix# postconf -n | grep -i tls
      > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
      > smtpd_tls_CAfile = /etc/postfix/ca-bundle.crt
      > smtpd_tls_ask_ccert = no
      > smtpd_tls_auth_only = yes
      > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      > smtpd_tls_loglevel = 9
      > smtpd_tls_received_header = yes
      > smtpd_tls_req_ccert = no
      > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
      > smtpd_use_tls = yes
      > tls_random_source = dev:/dev/urandom
      >
      > Thanks for taking a look!
      >
      >
      > /sf
      >
    • Robin Helgelin
      Message 2 of 5, Mar 2, 2008
        On Sun, Mar 2, 2008 at 4:02 AM, Steve Finkelstein <sf@...> wrote:
        > Hi all,
        >
        > This probably applies more to some OS/X forum, and if so, I sincerely
        > apologize. I just figured someone active in the Postfix community has
        > dealt with the same issue as I'm dealing with now. I'm running a
        > postfix based MTA, and enforce TLS over SMTP for authentication with
        > SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
        > having a ton of trouble with Mail.app. For one odd reason or another,
        > it doesn't wish to deal with self-signed certificates. I'm going to be
        > purchasing a GoDaddy certificate shortly, but regardless, this is kind
        > of silly of Mail.app.

        I don't have any problems using self-signed certificates with
        Mail.app. Currently I'm using a certificate from cacert.org without
        problems.

        --
        regards,
        Robin
      • Lou Picciano
        Message 3 of 5, Mar 2, 2008
          Steve! How nice to see another Mac user on the list...

          Although we're slogging through some other issues with Postfix, we had virtually no trouble setting up successful TLS sessions originating from Mail.app (Version 3.2 (919/919.2)) running on Leopard (10.5.2). We are also using a self-signed cert - at least for testing, having no troubles.

          You will get the 'certificate signed by an unknown authority' message, but this is to be expected.
          Be sure that your 'common name' field matches exactly the name of your server; you've probably already run into this.

          One key gotcha might be the smtpd_tls_security option; note that 'yes' is now deprecated. Use 'encrypt' instead for Postfix 2.3 and later.
          A snippet of our main.cf follows:

          # TLS Support -----------------------------------------------------------
          # --------- TESTING:
          # postconf had reported this NO:
          smtpd_use_tls = yes
          # ------------------
          # smtpd_tls_auth_only = yes
          smtpd_tls_key_file = /path/to/key/mail.key.pem
          smtpd_tls_cert_file = /path/to/certs/mail.cert.pem
          smtpd_tls_CAfile = /path/to/CAcert/SelfSignedCAcert.pem
          # is the CA directory needed?
          smtpd_tls_CApath = /path/to/CAcert
          # smtpd_use_tls = may (COMMAND DEPRECATED by smtpd_tls_security_level in v>2.3)
          # Postfix 2.3 and later: ('yes' is obsolete; 'encrypt' ENFORCES use of TLS for clients):
          smtpd_tls_security_level = encrypt

          smtpd_tls_loglevel = 2
          smtpd_tls_received_header = yes
          smtpd_tls_session_cache_timeout = 3600s
          tls_random_source = dev:/dev/urandom

          # --------- TESTING:
          # this command was apparently unnecessary
          #smtpd_tls_note_starttls = yes
          # ------------------
          # This would only maintain compatibility with non-TLS clients:
          # smtpd_tls_auth_only = yes

          LOG OUTPUT:
          Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] SSL_accept:SSLv3 write finished A
          Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] SSL_accept:SSLv3 flush data
          Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] Anonymous TLS connection established from unknown[internal IP Address]: TLSv1 with cipher AES128-SHA (128/128 bits)

          Hope this helps - please keep me posted! Lou


          -------------- Original message ----------------------
          From: "Steve Finkelstein" <sf@...>
          > By the way, hate to follow up on my own post. But I did make one finding.
          >
          > When I set the following:
          >
          > smtpd_tls_auth_only = no
          >
          > Mail.app is able to relay using my server. Unfortunately this also
          > means passwords being sent over in cleartext, so I'd like to figure
          > out a way to get the client working with TLS enabled auth.
          >
          > Thanks again all.
          >
          > /sf
          >
          > On 3/1/08, Steve Finkelstein <sf@...> wrote:
          > > Hi all,
          > >
          > > This probably applies more to some OS/X forum, and if so, I sincerely
          > > apologize. I just figured someone active in the Postfix community has
          > > dealt with the same issue as I'm dealing with now. I'm running a
          > > postfix based MTA, and enforce TLS over SMTP for authentication with
          > > SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
          > > having a ton of trouble with Mail.app. For one odd reason or another,
          > > it doesn't wish to deal with self-signed certificates. I'm going to be
          > > purchasing a GoDaddy certificate shortly, but regardless, this is kind
          > > of silly of Mail.app.
          > >
          > > Here's what the SSL logs show:
          > >
          > > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:SSLv3 flush data
          > > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: read from 080D6CF8
          > > [080E0408] (5 bytes => -1 (0xFFFFFFFF))
          > > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:error in
          > > SSLv3 read client certificate A
          > > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept error from
          > > ool-44c19145.dyn.optonline.net[68.193.145.69]: -1
          > >
          > > Here are my TLS settings:
          > >
          > > root@catalyst:/etc/postfix# postconf -n | grep -i tls
          > > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
          > > smtpd_tls_CAfile = /etc/postfix/ca-bundle.crt
          > > smtpd_tls_ask_ccert = no
          > > smtpd_tls_auth_only = yes
          > > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
          > > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
          > > smtpd_tls_loglevel = 9
          > > smtpd_tls_received_header = yes
          > > smtpd_tls_req_ccert = no
          > > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
          > > smtpd_use_tls = yes
          > > tls_random_source = dev:/dev/urandom
          > >
          > > Thanks for taking a look!
          > >
          > >
          > > /sf
          > >
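The setting Steve changed to get Mail.app relaying (smtpd_tls_auth_only = no) and the main.cf fragment Lou posted both turn on the same question: does the listener advertise SASL AUTH before STARTTLS, so that a client which skips STARTTLS sends the password in the clear? The script below is an added example and is not code from either poster. It audits a `postconf -n` dump for that exposure (the sample is copied, abridged, from the first post with the later auth_only change applied) and, given a host, checks a live server by comparing the EHLO capability list before and after STARTTLS. The hardened fragment, the certificate paths, hostnames and ports are assumptions. One caveat the audit cannot settle: the `SSL_accept error ... -1` logged while the server was in `read client certificate A` is the client dropping the connection right after it received the server certificate, which is consistent with the MUA rejecting the snakeoil cert; the audit tells you whether passwords are exposed, not why Mail.app balks.

```python
"""Audit Postfix smtpd for cleartext SMTP AUTH exposure.

Two checks: (1) static, over `postconf -n` output; (2) live, comparing the
EHLO capability list before and after STARTTLS. Added example, not code from
the mailing-list thread; hosts, ports and HARDENED_MAIN_CF values are assumed.
"""
import smtplib
import ssl

# Abridged `postconf -n | grep -i tls` output from the first post, with the
# change the poster made afterwards (smtpd_tls_auth_only = no) applied.
WORKAROUND_POSTCONF = """\
smtpd_tls_CAfile = /etc/postfix/ca-bundle.crt
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_req_ccert = no
smtpd_use_tls = yes
"""

# Assumed hardened main.cf fragment (paths are placeholders). Port 25 offers
# TLS opportunistically but only advertises AUTH inside TLS; noplaintext is
# belt-and-braces so PLAIN/LOGIN are refused on a cleartext session even if a
# later edit flips auth_only. A submission service (port 587) in master.cf
# should additionally carry:
#   -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
HARDENED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/mail.cert.pem
smtpd_tls_key_file = /etc/postfix/mail.key.pem
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous
"""


def parse_postconf(text):
    """Turn `postconf -n` style 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_config(params):
    """Return a list of findings; an empty list means no cleartext-AUTH exposure found."""
    findings = []
    level = params.get("smtpd_tls_security_level", "").lower()
    use_tls = params.get("smtpd_use_tls", "no").lower() == "yes"
    enforce = params.get("smtpd_enforce_tls", "no").lower() == "yes"
    if level:  # Postfix 2.3+: security_level overrides the two legacy booleans
        tls_on, tls_required = level != "none", level == "encrypt"
    else:
        tls_on, tls_required = use_tls or enforce, enforce
        if tls_on:
            findings.append("smtpd_use_tls/smtpd_enforce_tls are obsolete (Postfix 2.3+); "
                            "set smtpd_tls_security_level instead")
    if not tls_on:
        findings.append("TLS disabled: STARTTLS is never offered, so SASL AUTH is always cleartext")
        return findings
    auth_only = params.get("smtpd_tls_auth_only", "no").lower() == "yes"
    # With level=encrypt nothing but STARTTLS/NOOP/QUIT is accepted before TLS,
    # so AUTH cannot be reached in the clear regardless of auth_only.
    if not auth_only and not tls_required:
        findings.append("smtpd_tls_auth_only = no on an opportunistic-TLS listener: AUTH is "
                        "advertised before STARTTLS, so a client that skips STARTTLS "
                        "sends the password in cleartext")
    return findings


def audit_ehlo(pre_tls, post_tls):
    """pre_tls/post_tls: EHLO keyword -> parameter string, lowercase keys as smtplib returns them.
    post_tls may be None when STARTTLS was not available."""
    findings = []
    if "starttls" not in pre_tls:
        findings.append("server does not advertise STARTTLS")
    if "auth" in pre_tls:
        findings.append("AUTH (%s) advertised on the cleartext session" % pre_tls["auth"].strip())
    if post_tls is not None and "auth" not in post_tls:
        findings.append("AUTH not advertised after STARTTLS; authenticated relay is impossible")
    return findings


def probe_live(host, port=25, timeout=10):
    """Return (pre_tls, post_tls) EHLO feature dicts from a real server; post_tls is None
    if the server never offered STARTTLS. Needs network access; not used by the tests."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        pre = dict(conn.esmtp_features)
        if "starttls" not in pre:
            return pre, None
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # auditing AUTH exposure, not the chain:
        ctx.verify_mode = ssl.CERT_NONE  # the thread's servers use self-signed certs
        conn.starttls(context=ctx)
        conn.ehlo()                      # smtplib clears esmtp_features on STARTTLS
        return pre, dict(conn.esmtp_features)


if __name__ == "__main__":
    import sys
    for label, text in (("thread workaround", WORKAROUND_POSTCONF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_config(parse_postconf(text)) or ["ok"])
    if len(sys.argv) > 1:  # usage: audit.py mail.example.net [25|587]
        pre, post = probe_live(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
        print("live", audit_ehlo(pre, post) or ["ok"])
```

Run it without arguments to see the static verdicts on the two embedded fragments; pass a hostname (and optionally a port) to probe a running server, which is the quick way to confirm that a listener with smtpd_tls_auth_only = yes really hides AUTH until after STARTTLS and that the submission port still offers it afterwards.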
        • Kevin Stevens
          Message 4 of 5, Mar 2, 2008
            On Sun, 2 Mar 2008, Robin Helgelin wrote:

            > On Sun, Mar 2, 2008 at 4:02 AM, Steve Finkelstein <sf@...> wrote:
            >> Hi all,
            >>
            >> This probably applies more to some OS/X forum, and if so, I sincerely
            >> apologize. I just figured someone active in the Postfix community has
            >> dealt with the same issue as I'm dealing with now. I'm running a
            >> postfix based MTA, and enforce TLS over SMTP for authentication with
            >> SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
            >> having a ton of trouble with Mail.app. For one odd reason or another,
            >> it doesn't wish to deal with self-signed certificates. I'm going to be
            >> purchasing a GoDaddy certificate shortly, but regardless, this is kind
            >> of silly of Mail.app.
            >
            > I don't have any problems using self-signed certificates with
            > Mail.app. Currently I'm using a certificate from cacert.org without
            > problems.

            Same here. In fact, there's an Apple kbase article on how to accept a
            certificate, and it uses a self-signed cert as an example. I do agree you
            probably need to take your issue to an OS X forum, though. Have you tried
            the Apple Support user forums? A less interactive alternative would be
            macosxhints.com

            KeS