On 11/20/23 19:57, Viktor Dukhovni via Postfix-users wrote:

On Mon, Nov 20, 2023 at 04:01:05PM +0100, Marc Dierksen via Postfix-users wrote:

For the domain 'shieldersme.com' outbound TLS is configured via this entry
in the TLS policy map:

shieldersme.com verify match=hostname:nexthop:dot-nexthop ciphers=high protocols=>=TLSv1.2

When trying to send mail I am getting the following error:

Nov 17 12:23:50 postfix-outbound/smtp[11269]: server certificate verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname mismatch

This is easily reproducible:

     $ posttls-finger -c -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop
     posttls-finger: server certificate verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname mismatch
     posttls-finger: Untrusted TLS connection established to shieldersme.com[5.79.80.155]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

And expected (i.e. works as intended and specified in all relevant RFCs):

     $ posttls-finger -cC -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop 2>&1 |
         openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
         openssl pkcs7 -print_certs -text |
         grep -E 'Subject:|DNS:'
             Subject: CN=liger.hibridmena.com
                     DNS:liger.hibridmena.com
             Subject: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
             Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

The actual certificate presented to Postfix is for:

     liger.hibridmena.com

Your tests with "openssl s_client" sent a default SNI extension, but
Postfix does not by default.  With SMTP, it is unclear, in general, what
the SNI should be, and sending the "wrong" SNI can sometimes cause
connection aborts.  Therefore, if you want to solicit a particular
certificate, you have to configure the SNI explicitly.

     $ posttls-finger -cC -s shieldersme.com -Lsummary -lsecure "shieldersme.com" hostname nexthop dot-nexthop 2>&1 |
         openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
         openssl pkcs7 -print_certs -text |
         grep -E 'Subject:|DNS:'
             Subject: CN=*.shieldersme.com
                     DNS:*.shieldersme.com, DNS:shieldersme.com
             Subject: C=US, O=Let's Encrypt, CN=R3
             Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

Relevant documentation:

     posttls-finger(1):
        -s servername
               The server name to send with the TLS Server Name Indication
               (SNI) extension.  When the server has DANE TLSA records, this
               parameter is ignored and the TLSA base domain is used instead.
               Otherwise, SNI is not used by default, but can be enabled by
               specifying the desired value with this option.

     postconf(5):
        may    Opportunistic TLS. Since sending in the clear is acceptable,
               demanding stronger than default TLS security merely reduces
               interoperability. The optional "ciphers", "exclude", and
               "protocols" attributes (available for opportunistic TLS with
               Postfix >= 2.6) and "connection_reuse" attribute (Postfix >=
               3.4) override the "smtp_tls_ciphers",
               "smtp_tls_exclude_ciphers", "smtp_tls_protocols", and
               "smtp_tls_connection_reuse" configuration parameters. In the
               policy table, multiple ciphers, protocols or excluded ciphers
               must be separated by colons, as attribute values may not contain
      ---->    whitespace or commas.  At this level and higher, the optional
      ---->    "servername" attribute (available with Postfix >= 3.4) overrides
      ---->    the global "smtp_tls_servername" parameter, enabling
      ---->    per-destination configuration of the SNI extension sent to the
      ---->    remote SMTP server.  The optional "enable_rpk" attribute
               (Postfix >= 3.9) overrides the main.cf smtp_tls_enable_rpk
               parameter.  When opportunistic TLS handshakes fail, Postfix
               retries the connection with TLS disabled.  This allows mail
               delivery to sites with non-interoperable TLS implementations.

You need to add "servername=shieldersme.com" to the policy table entry.

Also, in this case, using "hostname" is a bad idea; it means you'd trust
insecurely obtained forged MX records to tell the client what name to
match, so any active attacker can compromise the connection by sending
a suitably crafted MX response.  The match pattern you want here is

     nexthop:dot-nexthop

*without* "hostname".  Or (less fungible) even just "nexthop", if by
mutual agreement with the receiving system, you're sure that the cert
will "always" include the domain.


Viktor, thank you for your explanation. Now it makes sense.

I did not know about the posttls-finger command. I will use that in the future instead of openssl when tracking down TLS problems in Postfix.

I will contact the manufacturer of that mail gateway appliance and suggest they adjust the TLS policy map configuration to include the 'servername' option and leave out 'hostname' for the 'match' clause.

A big thanks to both Wietse and you for your great work!
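
The following is an added example, not part of the thread and not Postfix code: a simplified Python model of how the "match" strategies discussed above turn into acceptable certificate names, run against the policy entry from the thread and a corrected entry with "servername" added and "hostname" removed. The name-matching rules are an approximation, the SNI effect is represented only by the two certificate name lists taken from the posttls-finger output, and the forged MX name "mx.attacker.example" is constructed.

```python
# Simplified model of Postfix SMTP-client certificate name matching.
# Added example, not Postfix source; the matching rules are an approximation.

ORIGINAL = ("shieldersme.com verify match=hostname:nexthop:dot-nexthop "
            "ciphers=high protocols=>=TLSv1.2")       # entry from the thread
CORRECTED = ("shieldersme.com verify match=nexthop:dot-nexthop "
             "servername=shieldersme.com ciphers=high protocols=>=TLSv1.2")

def parse_policy(entry):
    """Split a policy table line into (nexthop, level, attributes)."""
    nexthop, level, *attrs = entry.split()
    return nexthop, level, dict(a.split("=", 1) for a in attrs)

def reference_names(match, nexthop, mx_host):
    """Expand the colon-separated match strategies into acceptable names."""
    table = {"hostname": mx_host,         # from the (possibly unsigned) MX lookup
             "nexthop": nexthop,          # from local configuration
             "dot-nexthop": "." + nexthop}
    return [table.get(s, s) for s in match.split(":")]

def name_matches(cert_name, ref):
    """Compare one certificate DNS name with one reference name."""
    cert_name, ref = cert_name.lower(), ref.lower()
    if ref.startswith("."):               # sub-domain pattern
        return len(cert_name) > len(ref) and cert_name.endswith(ref)
    if cert_name.startswith("*."):        # wildcard covers one left-most label
        return "." in ref and ref.split(".", 1)[1] == cert_name[2:]
    return cert_name == ref

def accepts(entry, mx_host, cert_sans):
    """True if any DNS SAN satisfies any match strategy of the policy entry."""
    nexthop, _level, attrs = parse_policy(entry)
    refs = reference_names(attrs["match"], nexthop, mx_host)
    return any(name_matches(san, ref) for san in cert_sans for ref in refs)

# Certificate names as listed in the thread's posttls-finger output.
NO_SNI_CERT = ["liger.hibridmena.com"]
SNI_CERT = ["*.shieldersme.com", "shieldersme.com"]
# Constructed: a forged MX answer plus a valid certificate for that name.
FORGED_MX, FORGED_CERT = "mx.attacker.example", ["mx.attacker.example"]

if __name__ == "__main__":
    print("no SNI, original entry:   ", accepts(ORIGINAL, "shieldersme.com", NO_SNI_CERT))
    print("with SNI, corrected entry:", accepts(CORRECTED, "shieldersme.com", SNI_CERT))
    print("forged MX, original entry:", accepts(ORIGINAL, FORGED_MX, FORGED_CERT))
    print("forged MX, corrected entry:", accepts(CORRECTED, FORGED_MX, FORGED_CERT))
```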