
submission by cert verification only

  • Dan Langille
    Message 1 of 9, Oct 6, 2013
      I managed to get this running tonight and I'm looking for sanity checking, in case I'm completely missing something. Thanks.

      I wish to allow incoming mail from any client with a valid certificate. My master.cf is:

      10.0.0.1:submission inet n - n - - smtpd
      -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
      -o smtpd_tls_req_ccert=yes
      -o smtpd_tls_auth_only=no
      -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
      -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
      -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
      -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
      -o smtpd_tls_ask_ccert=yes
      -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access


      I have some DNS issues (some of these hosts are remote and do not have public DNS entries)

      # cat /usr/local/etc/postfix-config/sender_access
      cliff.example.org OK

      The fingerprint for each incoming client is listed here:

      # cat /usr/local/etc/postfix-config/main/relay_clientcerts
      3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org

      I have this working. It seems to do what I want.

      For what it's worth: This is just for my use, no other users.

      --
      Dan Langille - http://langille.org
    • Noel Jones
      Message 2 of 9, Oct 6, 2013
        On 10/6/2013 7:52 PM, Dan Langille wrote:
        > I managed to get this running tonight and I'm looking for sanity checking, in case I'm completely missing something. Thanks.
        >
        > I wish to allow incoming mail from any client with a valid certificate. My master.cf is:
        >
        > 10.0.0.1:submission inet n - n - - smtpd
        > -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination

        You probably want to use "reject" rather than
        "reject_unauth_destination" to prevent outsiders from sending local
        mail via submission.


        > -o smtpd_tls_req_ccert=yes
        > -o smtpd_tls_auth_only=no
        > -o smtpd_tls_security_level=encrypt
        > -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
        > -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
        > -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
        > -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination

        This is OK since it fulfills the intended function of preventing
        unauthorized relaying, but for consistency and simplicity you might
        want to change it to match your -o smtpd_recipient_restrictions.

        > -o smtpd_tls_ask_ccert=yes
        > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
        > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
        > -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access

        Your sender_access file has no effect right now. To restrict
        submission to a single sender domain, use something like:
        # main.cf
        submission_sender_restrictions =
        check_sender_access hash:/usr/local/etc/postfix-config/sender_access
        reject

        # master.cf
        10.0.0.1:submission ...
        ...
        -o smtpd_sender_restrictions=$submission_sender_restrictions


        Also, remember that any other smtpd_*_restrictions settings you have
        in main.cf will be inherited by your master.cf submission service.
        Some people find it useful to explicitly set unused restrictions
        empty to prevent surprises.
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_data_restrictions=



        -- Noel Jones

        >
        >
        > I have some DNS issues (some of these hosts are remote and do not have public DNS entries)
        >
        > # cat /usr/local/etc/postfix-config/sender_access
        > cliff.example.org OK
        >
        > The fingerprint for each incoming client is listed here:
        >
        > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
        > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
        >
        > I have this working. It seems to do what I want.
        >
        > For what it's worth: This is just for my use, no other users.
        >
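The points Noel raises above (end cert-only restriction lists in "reject", give the sender table a trailing "reject", and override the restrictions you are not using so main.cf values do not leak in) can be checked mechanically. The script below is an added example written for this thread, not Postfix code and not anything posted by the participants: it parses a master.cf service entry (the 8-field service line plus indented "-o name=value" continuation lines) and reports those points, together with Viktor's later remarks that smtp_tls_* parameters are client-side and that smtpd_tls_ask_ccert is implied by smtpd_tls_req_ccert. The sample entry is constructed from the configuration quoted in this thread; the service address and paths are the ones Dan posted.

```python
"""Lint the "-o" overrides of a Postfix master.cf cert-only submission service.

Added example for this thread, not Postfix code. Parses a master.cf entry
(8-field service line, indented "-o name=value" continuation lines) and
applies the review points raised in the thread.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample: the submission entry as first posted, before the fixes.
SAMPLE_MASTER_CF = """\
10.0.0.1:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=encrypt
  -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_tls_ask_ccert=yes
  -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
  -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access
"""


def parse_master_cf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"name/type": {param: value}} holding each service's -o overrides."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line: extra arguments to the command
            if current is None:
                raise ValueError("continuation line before any service line")
            fields = shlex.split(raw)
            for i, field in enumerate(fields[:-1]):
                if field == "-o":
                    name, _, value = fields[i + 1].partition("=")
                    services[current][name] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = f"{fields[0]}/{fields[1]}"
        services[current] = {}
    return services


def _items(value: str) -> List[str]:
    """Split a restriction list on commas and/or whitespace, as Postfix does."""
    return [x for x in re.split(r"[\s,]+", value) if x]


def lint_cert_only_submission(o: Dict[str, str]) -> List[str]:
    """Findings for a service meant to accept mail only from listed client certs."""
    findings: List[str] = []
    # A cert-only service should deny everyone who did not present a listed cert,
    # including mail for local domains; reject_unauth_destination still lets that in.
    for param in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"):
        items = _items(o.get(param, ""))
        if items and items[-1] == "reject_unauth_destination":
            findings.append(f"{param}: ends in reject_unauth_destination, so clients without "
                            "a listed cert can still send to local domains; end in 'reject'")
    # An access table that only lists OK entries restricts nothing without a final reject.
    sender = _items(o.get("smtpd_sender_restrictions", ""))
    if any(re.match(r"^[a-z0-9_]+:", s) for s in sender) and sender[-1] != "reject":
        findings.append("smtpd_sender_restrictions: access table without a trailing 'reject', "
                        "so senders not in the table are accepted anyway")
    # smtp_* parameters configure the SMTP client; they are inert in an smtpd service.
    for param in o:
        if param.startswith("smtp_"):
            findings.append(f"{param}: SMTP client parameter, no effect in an smtpd service")
    if o.get("smtpd_tls_req_ccert") == "yes" and "smtpd_tls_ask_ccert" in o:
        findings.append("smtpd_tls_ask_ccert: redundant, implied by smtpd_tls_req_ccert=yes")
    # Restrictions not overridden here are inherited from main.cf.
    inherited = [p for p in ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                             "smtpd_data_restrictions") if p not in o]
    if inherited:
        findings.append("not overridden, so main.cf values apply: " + ", ".join(inherited))
    return findings


if __name__ == "__main__":
    for service, overrides in parse_master_cf(SAMPLE_MASTER_CF).items():
        print(service)
        for finding in lint_cert_only_submission(overrides):
            print("  -", finding)
```

Running it against the sample prints six findings; feeding it the corrected entry Dan posts later in the thread (lists ending in "reject", the sender list routed through a check_sender_access table with a trailing reject, and the three unused restrictions set empty) yields none.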
      • Viktor Dukhovni
        Message 3 of 9, Oct 6, 2013
          On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:

          [ What Noel said, plus see below. ]

          > 10.0.0.1:submission inet n - n - - smtpd
          > -o smtpd_tls_req_ccert=yes

          Fine.

          > -o smtpd_tls_auth_only=no

          This seems silly. Since authentication gets them nowhere, why
          allow plaintext password leaks? Just disable SASL period.

          > -o smtpd_tls_ask_ccert=yes

          This is implied by req_ccert.

          > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

          This is an SMTP client parameter that serves no purpose here.

          > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

          This is a bad idea. Instead set this to an empty file. The list
          of all the CA DNs from this file is sent to the client, but your
          clients probably don't need CA hints. Otherwise make this a
          small list of one or two suitable CAs that issue the certificates
          which are admitted via the relay certs file. You should set your digest
          algorithm explicitly (sha1 or better if available, as with OpenSSL
          1.0.0 or later or the most recent Postfix patches that make sha256
          available with older OpenSSL releases).

          > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
          > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org

          This looks like md5, and while still largely resistant to 2nd
          preimage attacks, you should still avoid it.

          --
          Viktor.
        • Dan Langille
          Message 4 of 9, Oct 7, 2013
            On 2013-10-06 22:40, Noel Jones wrote:
            > On 10/6/2013 7:52 PM, Dan Langille wrote:
            > I managed to get this running tonight and I'm looking for sanity
            > checking, in case I'm completely missing something. Thanks.
            >
            > I wish to allow incoming mail from any client with a valid certificate.
            > My master.cf is:
            >
            > 10.0.0.1:submission inet n - n - - smtpd
            > -o
            > smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
            >
            > You probably want to use "reject" rather than
            > "reject_unauth_destination" to prevent outsiders from sending local
            > mail via submission.
            >
            >
            > -o smtpd_tls_req_ccert=yes
            > -o smtpd_tls_auth_only=no
            > -o smtpd_tls_security_level=encrypt
            > -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
            > -o
            > smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
            > -o
            > relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
            > -o
            > smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
            >
            > This is OK since it fulfills the intended function of preventing
            > unauthorized relaying, but for consistency and simplicity you might
            > want to change it to match your -o smtpd_recipient_restrictions.

            All done. Thank you.

            > -o smtpd_tls_ask_ccert=yes
            > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
            > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
            > -o
            > smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access
            >
            > Your sender_access file has no effect right now. To restrict
            > submission to a single sender domain, use something like:
            > # main.cf
            > submission_sender_restrictions =
            > check_sender_access hash:/usr/local/etc/postfix-config/sender_access
            > reject
            >
            > # master.cf
            > 10.0.0.1:submission ...
            > ...
            > -o smtpd_sender_restrictions=$submission_sender_restrictions

            At first, I thought this will be a global setting affecting all services
            specified in master.cf.
            I don't want that.

            Then I realized submission_sender_restrictions is a macro, ready for
            inclusion elsewhere.

            > Also, remember that any other smtpd_*_restrictions settings you have
            > in main.cf will be inherited by your master.cf submission service.
            > Some people find it useful to explicitly set unused restrictions
            > empty to prevent surprises.
            > -o smtpd_client_restrictions=
            > -o smtpd_helo_restrictions=
            > -o smtpd_data_restrictions=

            Done.

            What I have now is:

            10.0.0.1:submission inet n - n - - smtpd
            -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
            -o smtpd_tls_req_ccert=yes
            -o smtpd_tls_auth_only=no
            -o smtpd_tls_security_level=encrypt
            -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
            -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
            -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
            -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
            -o smtpd_tls_ask_ccert=yes
            -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
            -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
            -o smtpd_sender_restrictions=$submission_sender_restrictions
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_data_restrictions=


            Thank you Noel.

            >
            >
            >
            > -- Noel Jones
            >
            >
            >
            > I have some DNS issues (some of these hosts are remote and do not have
            > public DNS entries)
            >
            > # cat /usr/local/etc/postfix-config/sender_access
            > cliff.example.org OK
            >
            > The fingerprint for each incoming client is listed here:
            >
            > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
            > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
            >
            > I have this working. It seems to do what I want.
            >
            > For what it's worth: This is just for my use, no other users.
            >


            --
            Dan Langille - http://langille.org/
          • Dan Langille
            Message 5 of 9, Oct 7, 2013
              On 2013-10-06 23:13, Viktor Dukhovni wrote:
              > On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:
              >
              > [ What Noel said, plus see below. ]
              >
              > 10.0.0.1:submission inet n - n - - smtpd
              > -o smtpd_tls_req_ccert=yes
              >
              > Fine.
              >
              > -o smtpd_tls_auth_only=no
              >
              > This seems silly. Since authentication gets them nowhere, why
              > allow plaintext password leaks? Just disable SASL period.

              I am not using SASL at all.

              > -o smtpd_tls_ask_ccert=yes
              >
              > This is implied by req_ccert.

              Removed.

              > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
              >
              > This is an SMTP client parameter that serves no purpose here.

              Removed.

              > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
              >
              > This is a bad idea. Instead set this to an empty file. The list
              > of all the CA DNs from this file is sent to the client, but your
              > clients probably don't need CA hints. Otherwise make this a
              > small list of one or two suitable CAs that issue the certificates
              > which are admitted via the relay certs file. You should set your digest
              > algorithm explicitly (sha1 or better if available, as with OpenSSL
              > 1.0.0 or later or the most recent Postfix patches that make sha256
              > available with older OpenSSL releases).

              FYI: this is the bundle from the CA which issued the certificate in
              question. Prior attempts with a smaller list failed.

              > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
              > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
              >
              > This looks like md5, and while still largely resistant to 2nd
              > preimage attacks, you should still avoid it.

              It is indeed MD5. I've changed to sha1 and obtained the new fingerprint
              via:

              openssl x509 -noout -in cliff.example.org.crt -fingerprint

              Thank you. Much appreciated.

              --
              Dan Langille - http://langille.org/
            • Viktor Dukhovni
              Message 6 of 9, Oct 7, 2013
                On Mon, Oct 07, 2013 at 09:06:09AM -0400, Dan Langille wrote:

                > ># cat /usr/local/etc/postfix-config/main/relay_clientcerts
                > >3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
                > >
                > >This looks like md5, and while still largely resistant to 2nd
                > >preimage attacks, you should still avoid it.
                >
                > It is indeed MD5. I've changed to sha1 and obtained the new
                > fingerprint via:
                >
                > openssl x509 -noout -in cliff.example.org.crt -fingerprint
                >

                Don't forget:

                main.cf:
                smtpd_tls_fingerprint_digest = sha1

                --
                Viktor.
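Why Viktor's reminder matters: Postfix hashes the DER form of the client certificate with smtpd_tls_fingerprint_digest and looks the colon-separated hex result up as the key in relay_clientcerts, so a table regenerated with "openssl x509 -fingerprint -sha1" never matches while the server still digests with md5 (or the other way round). The script below is an added example for this thread, not Postfix code and not something the participants posted: it infers each table entry's digest from its octet count (md5 = 16, sha1 = 20, sha256 = 32), reports entries that cannot match the configured digest, and computes a fingerprint from a PEM certificate the same way "openssl x509 -fingerprint" does (a digest over the DER bytes). The table uses the md5 entry quoted in this thread plus a made-up sha1 one; the PEM is a constructed stand-in, since fingerprinting only base64-decodes and hashes the body and needs no real X.509 structure to show the arithmetic.

```python
"""Check relay_clientcerts fingerprints against smtpd_tls_fingerprint_digest.

Added example for this thread, not Postfix code. Sample table and sample
PEM are constructed (see comments).
"""
import base64
import hashlib
import re
from typing import List, Optional

# Digest name -> number of octets in the fingerprint Postfix compares.
DIGEST_OCTETS = {"md5": 16, "sha1": 20, "sha256": 32}

# "XX:XX:...:XX value", as written in a relay_clientcerts source file.
FP_LINE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s+(\S+)")

# Constructed sample table: the md5 entry quoted in the thread plus a made-up sha1 entry.
SAMPLE_TABLE = """\
# relay_clientcerts
3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 other.example.org
"""

# Constructed stand-in for a certificate: PEM framing around arbitrary bytes.
# A real certificate file is handled identically; only the decoded bytes are hashed.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"not a real certificate, constructed sample").decode()
              + "-----END CERTIFICATE-----\n")


def digest_of_fingerprint(fp: str) -> Optional[str]:
    """Infer the digest from the octet count of a colon-separated fingerprint."""
    octets = len(fp.split(":"))
    for name, size in DIGEST_OCTETS.items():
        if size == octets:
            return name
    return None


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the DER bytes."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


def fingerprint_from_pem(pem: str, digest: str) -> str:
    """Digest of the DER certificate, formatted like a relay_clientcerts key."""
    hexdigest = hashlib.new(digest, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit_table(table: str, configured_digest: str) -> List[str]:
    """One finding per entry that can never match under configured_digest."""
    findings: List[str] = []
    for lineno, line in enumerate(table.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # skipped by postmap too
            continue
        m = FP_LINE.match(line)
        if not m:
            findings.append(f"line {lineno}: not a fingerprint entry: {line!r}")
            continue
        fp, value = m.groups()
        actual = digest_of_fingerprint(fp)
        if actual != configured_digest:
            findings.append(f"line {lineno}: {value} fingerprint has {len(fp.split(':'))} octets "
                            f"({actual or 'unknown digest'}), but smtpd_tls_fingerprint_digest = "
                            f"{configured_digest}; this entry can never match")
    return findings


if __name__ == "__main__":
    for finding in audit_table(SAMPLE_TABLE, "sha1"):
        print(finding)
    print("sha1 fingerprint of the sample PEM:", fingerprint_from_pem(SAMPLE_PEM, "sha1"))
```

With smtpd_tls_fingerprint_digest = sha1, as Viktor recommends, the audit flags the 16-octet md5 entry for cliff.example.org as dead; after regenerating that line with the sha1 fingerprint and running postmap the table and the server agree again. The same check is worth repeating whenever the digest setting is changed, which is one reason to keep it in main.cf rather than scattered across master.cf services.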
              • Dan Langille
                Message 7 of 9, Oct 9, 2013
                  On Oct 7, 2013, at 11:01 AM, Viktor Dukhovni wrote:

                  > On Mon, Oct 07, 2013 at 09:06:09AM -0400, Dan Langille wrote:
                  >
                  >>> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
                  >>> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
                  >>>
                  >>> This looks like md5, and while still largely resistant to 2nd
                  >>> preimage attacks, you should still avoid it.
                  >>
                  >> It is indeed MD5. I've changed to sha1 and obtained the new
                  >> fingerprint via:
                  >>
                  >> openssl x509 -noout -in cliff.example.org.crt -fingerprint
                  >>
                  >
                  > Don't forget:
                  >
                  > main.cf:
                  > smtpd_tls_fingerprint_digest = sha1


                  Does that have to be in main.cf? I added it to master.cf.

                  --
                  Dan Langille - http://langille.org
                • Viktor Dukhovni
                  Message 8 of 9, Oct 9, 2013
                    On Wed, Oct 09, 2013 at 09:21:36PM -0400, Dan Langille wrote:

                    > > Don't forget:
                    > >
                    > > main.cf:
                    > > smtpd_tls_fingerprint_digest = sha1
                    >
                    >
                    > Does that have to be in main.cf? I added it to master.cf.

                    Generally, keeping settings in main.cf is better. Use master.cf
                    only when settings need to vary between instances of the same
                    service type. In this case, it is hard to imagine why you'd
                    want md5 for some smtpd services and sha1 for others, but you
                    know your own needs better than I.

                    --
                    Viktor.
                  • Dan Langille
                    Message 9 of 9, Oct 9, 2013
                      On Oct 9, 2013, at 9:26 PM, Viktor Dukhovni wrote:

                      > On Wed, Oct 09, 2013 at 09:21:36PM -0400, Dan Langille wrote:
                      >
                      >>> Don't forget:
                      >>>
                      >>> main.cf:
                      >>> smtpd_tls_fingerprint_digest = sha1
                      >>
                      >>
                      >> Does that have to be in main.cf? I added it to master.cf.
                      >
                      > Generally, keeping settings in main.cf is better. Use master.cf
                      > only when settings need to vary between instances of the same
                      > service type. In this case, it is hard to imagine why you'd
                      > want md5 for some smtpd services and sha1 for others, but you
                      > know your own needs better than I.


                      Thank you. I understand now.

                      --
                      Dan Langille - http://langille.org