
Re: submission by cert verification only

  • Noel Jones
    Message 1 of 9, Oct 6, 2013
      On 10/6/2013 7:52 PM, Dan Langille wrote:
      > I managed to get this running tonight and I'm looking for sanity checking, in case I'm completely missing something. Thanks.
      >
      > I wish to allow incoming mail from any client with a valid certificate. My master.cf is:
      >
      > 10.0.0.1:submission inet n - n - - smtpd
      > -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination

      You probably want to use "reject" rather than
      "reject_unauth_destination" to prevent outsiders from sending local
      mail via submission.


      > -o smtpd_tls_req_ccert=yes
      > -o smtpd_tls_auth_only=no
      > -o smtpd_tls_security_level=encrypt
      > -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
      > -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
      > -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
      > -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination

      This is OK since it fulfills the intended function of preventing
      unauthorized relaying, but for consistency and simplicity you might
      want to change it to match your -o smtpd_recipient_restrictions.

      > -o smtpd_tls_ask_ccert=yes
      > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      > -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access

      Your sender_access file has no effect right now. To restrict
      submission to a single sender domain, use something like:
      # main.cf
      submission_sender_restrictions =
      check_sender_access hash:/usr/local/etc/postfix-config/sender_access
      reject

      # master.cf
      10.0.0.1:submission ...
      ...
      -o smtpd_sender_restrictions=$submission_sender_restrictions


      Also, remember that any other smtpd_*_restrictions settings you have
      in main.cf will be inherited by your master.cf submission service.
      Some people find it useful to explicitly set unused restrictions
      empty to prevent surprises.
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_data_restrictions=



      -- Noel Jones

      >
      >
      > I have some DNS issues (some of these hosts are remote and do not have public DNS entries)
      >
      > # cat /usr/local/etc/postfix-config/sender_access
      > cliff.example.org OK
      >
      > The fingerprint for each incoming client is listed here:
      >
      > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
      > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
      >
      > I have this working. It seems to do what I want.
      >
      > For what it's worth: This is just for my use, no other users.
      >
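Noel's point that a master.cf service inherits every smtpd_*_restrictions value it does not override with -o is easy to check mechanically. The script below is an added example, not code from the thread or from Postfix: it parses a constructed main.cf and master.cf (both samples are made up for the demo, including the sample restriction values), applies the -o overrides of one service on top of main.cf, expands $macro references such as $submission_sender_restrictions, and reports which restriction lists the service is silently inheriting. The service name, file contents and helper names are all assumptions for illustration.

```python
"""Added example (not from the thread or from Postfix): show which
smtpd_*_restrictions a master.cf service inherits from main.cf.

A master.cf service overrides only the parameters given with -o; every
other smtpd_*_restrictions setting in main.cf still applies to it.
"""
import re

RESTRICTION_PARAMS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions", "smtpd_data_restrictions",
)

# Constructed sample main.cf for the demo.
MAIN_CF = """\
# constructed sample main.cf
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
submission_sender_restrictions =
    check_sender_access hash:/usr/local/etc/postfix-config/sender_access
    reject
"""

# Constructed sample master.cf; -o continuation lines must be indented.
MASTER_CF = """\
# constructed sample master.cf
smtp      inet  n       -       n       -       -       smtpd
10.0.0.1:submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o smtpd_helo_restrictions=
"""


def parse_main_cf(text):
    """Parse 'name = value' lines, joining indented continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return {k: v.strip() for k, v in params.items()}


def parse_master_overrides(text, service):
    """Return the -o name=value overrides of one master.cf service."""
    overrides, in_service = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":            # a new service entry starts
            in_service = line.split()[0] == service
            continue
        if in_service:
            m = re.match(r"\s*-o\s+([^=]+)=(.*)$", line)
            if m:
                overrides[m.group(1).strip()] = m.group(2).strip()
    return overrides


def expand(value, params):
    """Expand $name references against main.cf parameters."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), value)


def effective_restrictions(main_cf, master_cf, service):
    """Map each restriction parameter to (effective value, where it comes from)."""
    params = parse_main_cf(main_cf)
    overrides = parse_master_overrides(master_cf, service)
    result = {}
    for p in RESTRICTION_PARAMS:
        if p in overrides:
            result[p] = (expand(overrides[p], params), "master.cf")
        else:
            result[p] = (params.get(p, ""), "main.cf (inherited)")
    return result


def inherited_surprises(result):
    """Non-empty restriction lists the service did not set itself."""
    return sorted(p for p, (val, src) in result.items()
                  if src.startswith("main.cf") and val)


if __name__ == "__main__":
    eff = effective_restrictions(MAIN_CF, MASTER_CF, "10.0.0.1:submission")
    for name, (value, source) in eff.items():
        print(f"{name:32} [{source}] {value!r}")
    print("inherited, non-empty:", inherited_surprises(eff))
```

Running it on the sample shows smtpd_client_restrictions arriving from main.cf unnoticed, which is exactly the "surprise" that an explicit empty `-o smtpd_client_restrictions=` override removes.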
    • Viktor Dukhovni
      Message 2 of 9, Oct 6, 2013
        On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:

        [ What Noel said, plus see below. ]

        > 10.0.0.1:submission inet n - n - - smtpd
        > -o smtpd_tls_req_ccert=yes

        Fine.

        > -o smtpd_tls_auth_only=no

        This seems silly. Since authentication gets them nowhere, why
        allow plaintext password leaks? Just disable SASL period.

        > -o smtpd_tls_ask_ccert=yes

        This is implied by req_ccert.

        > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

        This is an SMTP client parameter that serves no purpose here.

        > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

        This is a bad idea. Instead set this to an empty file. The list
        of all the CA DNs from this file is sent to the client, but your
        clients probably don't need CA hints. Otherwise make this a
        small list of one or two suitable CAs that issue the certificates
        which are admitted via the relay certs file. You should set your digest
        algorithm explicitly (sha1 or better if available, as with OpenSSL
        1.0.0 or later, or the most recent Postfix patches that make sha256
        available with older OpenSSL releases).

        > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
        > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org

        This looks like md5, and while still largely resistant to 2nd
        preimage attacks, you should still avoid it.

        --
        Viktor.
      • Dan Langille
        Message 3 of 9, Oct 7, 2013
          On 2013-10-06 22:40, Noel Jones wrote:
          > On 10/6/2013 7:52 PM, Dan Langille wrote:
          > I managed to get this running tonight and I'm looking for sanity
          > checking, in case I'm completely missing something. Thanks.
          >
          > I wish to allow incoming mail from any client with a valid certificate.
          > My master.cf is:
          >
          > 10.0.0.1:submission inet n - n - - smtpd
          > -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination
          >
          > You probably want to use "reject" rather than
          > "reject_unauth_destination" to prevent outsiders from sending local
          > mail via submission.
          >
          >
          > -o smtpd_tls_req_ccert=yes
          > -o smtpd_tls_auth_only=no
          > -o smtpd_tls_security_level=encrypt
          > -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
          > -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
          > -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
          > -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination
          >
          > This is OK since it fulfills the intended function of preventing
          > unauthorized relaying, but for consistency and simplicity you might
          > want to change it to match your -o smtpd_recipient_restrictions.

          All done. Thank you.

          > -o smtpd_tls_ask_ccert=yes
          > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
          > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
          > -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access
          >
          > Your sender_access file has no effect right now. To restrict
          > submission to a single sender domain, use something like:
          > # main.cf
          > submission_sender_restrictions =
          > check_sender_access hash:/usr/local/etc/postfix-config/sender_access
          > reject
          >
          > # master.cf
          > 10.0.0.1:submission ...
          > ...
          > -o smtpd_sender_restrictions=$submission_sender_restrictions

          At first, I thought this will be a global setting affecting all services
          specified in master.cf.
          I don't want that.

          Then I realized submission_sender_restrictions is a macro, ready for
          inclusion elsewhere.

          > Also, remember that any other smtpd_*_restrictions settings you have
          > in main.cf will be inherited by your master.cf submission service.
          > Some people find it useful to explicitly set unused restrictions
          > empty to prevent surprises.
          > -o smtpd_client_restrictions=
          > -o smtpd_helo_restrictions=
          > -o smtpd_data_restrictions=

          Done.

          What I have now is:

          10.0.0.1:submission inet n - n - - smtpd
          -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
          -o smtpd_tls_req_ccert=yes
          -o smtpd_tls_auth_only=no
          -o smtpd_tls_security_level=encrypt
          -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
          -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
          -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
          -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
          -o smtpd_tls_ask_ccert=yes
          -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
          -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
          -o smtpd_sender_restrictions=$submission_sender_restrictions
          -o smtpd_client_restrictions=
          -o smtpd_helo_restrictions=
          -o smtpd_data_restrictions=


          Thank you Noel.

          >
          >
          >
          > -- Noel Jones
          >
          >
          >
          > I have some DNS issues (some of these hosts are remote and do not have
          > public DNS entries)
          >
          > # cat /usr/local/etc/postfix-config/sender_access
          > cliff.example.org OK
          >
          > The fingerprint for each incoming client is listed here:
          >
          > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
          > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
          >
          > I have this working. It seems to do what I want.
          >
          > For what it's worth: This is just for my use, no other users.
          >


          --
          Dan Langille - http://langille.org/
        • Dan Langille
          Message 4 of 9, Oct 7, 2013
            On 2013-10-06 23:13, Viktor Dukhovni wrote:
            > On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:
            >
            > [ What Noel said, plus see below. ]
            >
            > 10.0.0.1:submission inet n - n - - smtpd
            > -o smtpd_tls_req_ccert=yes
            >
            > Fine.
            >
            > -o smtpd_tls_auth_only=no
            >
            > This seems silly. Since authentication gets them nowhere, why
            > allow plaintext password leaks? Just disable SASL period.

            I am not using SASL at all.

            > -o smtpd_tls_ask_ccert=yes
            >
            > This is implied by req_ccert.

            Removed.

            > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
            >
            > This is an SMTP client parameter that serves no purpose here.

            Removed.

            > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
            >
            > This is a bad idea. Instead set this to an empty file. The list
            > of all the CA DNs from this file is sent to the client, but your
            > clients probably don't need CA hints. Otherwise make this a
            > small list of one or two suitable CAs that issue the certificates
            > which are admitted via the relay certs file. You should set your digest
            > algorithm explicitly (sha1 or better if available, as with OpenSSL
            > 1.0.0 or later, or the most recent Postfix patches that make sha256
            > available with older OpenSSL releases).

            FYI: this is the bundle from the CA which issued the certificate in
            question. Prior attempts with a smaller list failed.

            > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
            > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
            >
            > This looks like md5, and while still largely resistant to 2nd
            > preimage attacks, you should still avoid it.

            It is indeed MD5. I've changed to sha1 and obtained the new fingerprint
            via:

            openssl x509 -noout -in cliff.example.org.crt -fingerprint

            Thank you. Much appreciated.

            --
            Dan Langille - http://langille.org/
          • Viktor Dukhovni
            Message 5 of 9, Oct 7, 2013
              On Mon, Oct 07, 2013 at 09:06:09AM -0400, Dan Langille wrote:

              > ># cat /usr/local/etc/postfix-config/main/relay_clientcerts
              > >3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
              > >
              > >This looks like md5, and while still largely resistant to 2nd
              > >preimage attacks, you should still avoid it.
              >
              > It is indeed MD5. I've changed to sha1 and obtained the new
              > fingerprint via:
              >
              > openssl x509 -noout -in cliff.example.org.crt -fingerprint
              >

              Don't forget:

              main.cf:
              smtpd_tls_fingerprint_digest = sha1

              --
              Viktor.
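The digest point raised in messages 2, 4 and 5 has a practical failure mode: the fingerprint keys in relay_clientcerts only match if they were computed with the same digest as smtpd_tls_fingerprint_digest, so an md5-format table left behind after switching the setting to sha1 silently stops admitting every client. The script below is an added example, not code from the thread or from Postfix. It reproduces the fingerprint format Postfix looks up (the configured digest over the certificate's DER encoding, rendered as colon-separated upper-case hex pairs, the same text `openssl x509 -noout -fingerprint -sha1` prints after `Fingerprint=`), parses a relay_clientcerts source file, and flags entries whose length cannot fit the configured digest. The byte string used as "DER" is a constructed stand-in for a real certificate, and the helper names are assumptions for illustration; the logic is unchanged for real DER bytes read from a certificate file.

```python
"""Added example (not from the thread or from Postfix): compute the
fingerprint Postfix looks up in relay_clientcerts and check a table
against the configured smtpd_tls_fingerprint_digest.
"""
import hashlib

# Constructed stand-in for a certificate's DER encoding; a real cert
# would be read with e.g. open("cliff.example.org.der", "rb").read().
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def postfix_fingerprint(der, digest="sha1"):
    """Hash the DER bytes and format as AA:BB:CC... (upper-case hex pairs)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_relay_clientcerts(text):
    """Parse the 'fingerprint value' lines of a hash: table source file,
    skipping blank lines and comments; keys are normalised to upper case."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table


def lookup_client(table, der, digest):
    """Value for the client whose certificate is `der`, or None if it is
    not listed under the configured digest."""
    return table.get(postfix_fingerprint(der, digest))


def stale_entries(table, digest):
    """Keys whose length does not fit `digest`; these can never match,
    e.g. md5 keys (47 chars) left behind after switching to sha1 (59)."""
    expected_len = hashlib.new(digest).digest_size * 3 - 1
    return sorted(k for k in table if len(k) != expected_len)


if __name__ == "__main__":
    # An old table written with md5, as in the thread, then the digest
    # setting is changed to sha1 without regenerating the table.
    md5_table = parse_relay_clientcerts(
        f"{postfix_fingerprint(SAMPLE_DER, 'md5')} cliff.example.org\n")
    print("md5 lookup :", lookup_client(md5_table, SAMPLE_DER, "md5"))
    print("sha1 lookup:", lookup_client(md5_table, SAMPLE_DER, "sha1"))
    print("stale under sha1:", stale_entries(md5_table, "sha1"))
    print("sha256 key  :", postfix_fingerprint(SAMPLE_DER, "sha256"))
```

After changing smtpd_tls_fingerprint_digest, regenerate every key in the table with the new digest and rebuild the hash: map with postmap; the stale-entry check is a cheap way to confirm nothing was missed.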
            • Dan Langille
              Message 6 of 9, Oct 9, 2013
                On Oct 7, 2013, at 11:01 AM, Viktor Dukhovni wrote:

                > On Mon, Oct 07, 2013 at 09:06:09AM -0400, Dan Langille wrote:
                >
                >>> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
                >>> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
                >>>
                >>> This looks like md5, and while still largely resistant to 2nd
                >>> preimage attacks, you should still avoid it.
                >>
                >> It is indeed MD5. I've changed to sha1 and obtained the new
                >> fingerprint via:
                >>
                >> openssl x509 -noout -in cliff.example.org.crt -fingerprint
                >>
                >
                > Don't forget:
                >
                > main.cf:
                > smtpd_tls_fingerprint_digest = sha1


                Does that have to be in main.cf? I added it to master.cf.

                --
                Dan Langille - http://langille.org
              • Viktor Dukhovni
                Message 7 of 9, Oct 9, 2013
                  On Wed, Oct 09, 2013 at 09:21:36PM -0400, Dan Langille wrote:

                  > > Don't forget:
                  > >
                  > > main.cf:
                  > > smtpd_tls_fingerprint_digest = sha1
                  >
                  >
                  > Does that have to be in main.cf? I added it to master.cf.

                  Generally, keeping settings in main.cf is better. Use master.cf
                  only when settings need to vary between instances of the same
                  service type. In this case, it is hard to imagine why you'd
                  want md5 for some smtpd services and sha1 for others, but you
                  know your own needs better than I.

                  --
                  Viktor.
                • Dan Langille
                  Message 8 of 9, Oct 9, 2013
                    On Oct 9, 2013, at 9:26 PM, Viktor Dukhovni wrote:

                    > On Wed, Oct 09, 2013 at 09:21:36PM -0400, Dan Langille wrote:
                    >
                    >>> Don't forget:
                    >>>
                    >>> main.cf:
                    >>> smtpd_tls_fingerprint_digest = sha1
                    >>
                    >>
                    >> Does that have to be in main.cf? I added it to master.cf.
                    >
                    > Generally, keeping settings in main.cf is better. Use master.cf
                    > only when settings need to vary between instances of the same
                    > service type. In this case, it is hard to imagine why you'd
                    > want md5 for some smtpd services and sha1 for others, but you
                    > know your own needs better than I.


                    Thank you. I understand now.

                    --
                    Dan Langille - http://langille.org