Mark Watts wrote:
I'm in the process of setting up TLS on a number of servers.
I have two servers, both running Postfix, one an smtp client and the other an 
smtpd server, using a self-signed SSL certificate.

Sending messages, I get the following in the log on the sender:

Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to mail.linux-corner.info
Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)


When receiving mail, a client certificate is not requested. As a result, the connection is considered "Anonymous". You can control this with smtpd_tls_ask_ccert, but some mail clients have trouble when this is set to "yes", so the sensible default is "no".
http://www.postfix.org/postconf.5.html#smtpd_tls_ask_ccert

However, the same server sending to another TLS-enabled server (I believe it's qmail), I get this:

Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed for burn.qinetiq.com: num=18:self signed certificate
Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified: subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)


When sending mail, the server certificate is always received and verified. There are various smtp_tls_* options that allow you to control what happens next; the sensible default behavior is to ignore verification errors and continue.
http://www.postfix.org/TLS_README.html


Why do I not get any verification messages from the remote postfix server, yet I do with the remote (qmail) one, when both are using self-signed certificates?

Mark.


Virtually all MTA to MTA smtp tls is opportunistic encryption - it's nice but not required. In this context, it doesn't matter if the certificate is verified since you are willing to accept unencrypted connections from the same client.

If you're establishing a secure channel between sites with encryption and verification required, there are options discussed in the TLS_README to allow this.

--
Noel Jones
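To make the distinction in this thread visible in your own logs, here is an added example (not from the thread, and not Postfix's own code) that classifies each "TLS connection established" line by whether the cipher suite was anonymous (ADH/AECDH, so the peer never sent a certificate at all) or whether a "certificate verification failed" line was logged for that host. The sample log is constructed from the excerpts above; the regexes and the cipher-prefix rule are assumptions about the old-style Postfix log format shown.

```python
import re

# Constructed sample log, modelled on the two excerpts quoted in the thread
# (hosts, pids and timestamps come from the post, not from a live system).
SAMPLE_LOG = """\
Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to mail.linux-corner.info
Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed for burn.qinetiq.com: num=18:self signed certificate
Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified: subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# Assumed patterns for the old-style Postfix smtp(8) TLS log lines shown above.
ESTABLISHED = re.compile(r"TLS connection established to (\S+): (\S+) with cipher (\S+)")
VERIFY_FAILED = re.compile(r"certificate verification failed for (\S+): (.+)$")

# OpenSSL cipher-name prefixes for anonymous key exchange: no certificate is
# exchanged, so there is nothing to verify and nothing for Postfix to log.
ANON_PREFIXES = ("ADH-", "AECDH-")


def classify_tls_sessions(log_text):
    """Return {host: {"proto", "cipher", "auth", "reason"}} for each remote host.

    auth is one of:
      "anonymous"  - anonymous cipher suite; the peer presented no certificate
      "unverified" - certificate presented, verification failure was logged
      "no-error"   - certificate presented, no verification failure logged
    """
    failures = {}   # host -> reason text from the "verification failed" line
    sessions = {}
    for line in log_text.splitlines():
        m = VERIFY_FAILED.search(line)
        if m:
            failures[m.group(1)] = m.group(2).strip()
            continue
        m = ESTABLISHED.search(line)
        if m:
            host, proto, cipher = m.groups()
            if cipher.startswith(ANON_PREFIXES):
                auth, reason = "anonymous", "no peer certificate (anonymous key exchange)"
            elif host in failures:
                auth, reason = "unverified", failures[host]
            else:
                auth, reason = "no-error", ""
            sessions[host] = {"proto": proto, "cipher": cipher, "auth": auth, "reason": reason}
    return sessions


if __name__ == "__main__":
    for host, info in classify_tls_sessions(SAMPLE_LOG).items():
        print(f"{host}: {info['proto']} {info['cipher']} -> {info['auth']} {info['reason']}")
```

Run against the sample, the Postfix peer shows up as "anonymous" (the ADH cipher means no certificate was ever offered, so no verification message could appear), while the qmail peer shows up as "unverified" with the self-signed reason attached.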
