On Mon, Sep 11, 2023 at 09:59:55AM +0200, François Patte via Postfix-users wrote:
> > If you continue to treat the hostname of your ISP's (FAI's) SMTP relay
> > as restricted sensitive information, the help you'll receive will also
> > be restricted to vague generalities.
>
> My new main.cf:
>
> relayhost = [smtp.gmx.com]:465

That's much better, thanks. Given comments below, secure connections to
this server under the name "mail.gmx.com" (that's the only DNS SAN in the
certificate) pass certificate verification at the "secure" level, as
demonstrated below:

    $ posttls-finger -w -lsecure -F /etc/ssl/cert.pem "[mail.gmx.com]:465"
    posttls-finger: mail.gmx.com[212.227.17.184]:465: matched peername: mail.gmx.com
    posttls-finger: mail.gmx.com[212.227.17.184]:465: subject_CN=mail.gmx.com, issuer=GeoTrust TLS RSA CA G1, cert fingerprint=76:81:79:C2:6A:B1:1D:F8:EE:81:69:36:EA:9D:0C:4C:B0:F3:8F:22:8F:48:D7:7C:63:BF:22:0F:60:F4:60:9D, pkey fingerprint=4C:23:2B:C8:10:CC:0C:F4:9B:77:78:FE:4E:00:32:2F:1D:B8:CB:33:09:72:9A:2A:55:92:E1:57:F7:DA:8F:F8
    posttls-finger: Verified TLS connection established to mail.gmx.com[212.227.17.184]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

You'll need to change the "relayhost" setting to:

    relayhost = [mail.gmx.com]:465

which, if performed correctly, will resolve the "name mismatch errors" you
reported.

> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = plain, login
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_sasl_tls_security_options = noanonymous
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_CApath = /etc/pki/tls/certs
> smtp_tls_loglevel = 1
> smtp_tls_secure_cert_match = smtp.gmx.com

But, of course, you'll also need to change the above. Most robust choice
is to just use the special "strategy":

    smtp_tls_secure_cert_match = nexthop

as documented in postconf(5) under "smtp_tls_verify_cert_match" and
"smtp_tls_secure_cert_match".

> smtp_tls_security_level = encrypt

And then change this to "secure" (in fact, "verify" is equivalent, when
the relay is enclosed in "[]", which avoids MX lookups, or the match
criteria do not include "hostname").

> smtp_tls_verify_cert_match = pingala.fqdn

This is nonsense. The SMTP client is matching *remote* hostnames in
their presented certificates; this should be the *same* as the
"smtp_tls_secure_cert_match" parameter above:

    smtp_tls_verify_cert_match = nexthop

> smtpd_tls_CApath = /etc/pki/tls/certs

You don't need this. Your server does not request client certificates,
so the CA file and path are pointless for "smtpd". Delete this setting
from main.cf.

> smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
> smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
> smtpd_tls_req_ccert =

Also delete this, which defaults to "no".

> unknown_local_recipient_reject_code = 550
>
> > And updated the security level to "secure".
>
> If I turn this to "secure", I get in maillog file:
>
> server certificate verification failed for
> smtp.gmx.com[212.227.17.174]:465: num=62:hostname mismatch

See above.

> > > smtpd_tls_security_level = encrypt
> >
> > Nor this, except on the submission services in master.cf.
>
> Suppressed (I don't understand: "except on the submission services in
> master.cf" I did not change anything in master.cf)

You would change master.cf, if you wanted to support SMTP submission over
TLS with SASL. Otherwise, you don't need these at all.

> > And turn off SASL AUTH on your inbound port 25.
>
> I don't understand this...

In main.cf, don't leave "smtpd_sasl_auth_enable" at its default "no"
setting (by not mentioning it in main.cf).

> > returns the expected result. (The "cat -etv" should highlight
> > any unexpected invisible characters).
>
> I made an error in password_maps: the relayhost wanted my full email
> address as my user name. Corrected.

You're almost done. All that remains is fixing the server name settings,
and setting the security level to "secure" (or "verify").

> > Is your server supposed to receive any mail from outside? Or
> > is it a "send-only" server?
>
> A "send-only" server.

Not much point in SASL for a server that only accepts mail on the loopback
interface.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
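A small checker, added here and not part of the thread or of Postfix itself, that applies the relayhost TLS points made in the reply above to a main.cf fragment: bracketed relayhost, a verifying security level, "nexthop" as the match strategy, and no smtpd client-certificate settings. The sample fragment is constructed from the settings quoted in the thread, and the parser is deliberately simplified (no $variable expansion).

```python
import re

# Constructed sample: the settings quoted in the thread that produce the
# "hostname mismatch" error, plus the pointless smtpd client-cert settings.
SAMPLE_MAIN_CF = """\
relayhost = [smtp.gmx.com]:465
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_tls_secure_cert_match = smtp.gmx.com
smtp_tls_verify_cert_match = pingala.fqdn
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_req_ccert =
"""

def parse_main_cf(text):
    """Parse 'name = value' lines into a dict; indented continuation lines
    are appended to the previous value, comments and blank lines skipped."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    return params

def check_relay_tls(params):
    """Return a list of findings about relayhost TLS verification settings."""
    findings = []
    relay = params.get("relayhost", "")
    # "[host]:port" skips MX lookups, so the name checked is the one configured.
    if not re.fullmatch(r"\[[^\]]+\](:[\w-]+)?", relay):
        findings.append("relayhost: write it as [host]:port to skip MX lookups")
    level = params.get("smtp_tls_security_level", "may")
    if level not in ("secure", "verify"):
        findings.append(f"smtp_tls_security_level={level}: certificate is not verified")
    for p in ("smtp_tls_secure_cert_match", "smtp_tls_verify_cert_match"):
        if p in params and params[p] != "nexthop":
            findings.append(f'{p}={params[p]}: use "nexthop" so the match follows relayhost')
    for p in ("smtpd_tls_CAfile", "smtpd_tls_CApath", "smtpd_tls_req_ccert"):
        if p in params:
            findings.append(f"{p}: pointless without client-certificate requests; delete")
    return findings
```

Running check_relay_tls(parse_main_cf(SAMPLE_MAIN_CF)) reports the five settings the reply asks to change or delete; the corrected fragment with [mail.gmx.com]:465, "secure" and "nexthop" yields no findings.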