Hello all,
$ posttls-finger -F/etc/pki/tls/cert.pem -c -lsecure "[theater.piekert.de]"
...
posttls-finger: Verified TLS connection established to
theater.piekert.de[81.169.233.252]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature
RSA-PSS (2048 bits) server-digest SHA256
$ posttls-finger -F/etc/pki/tls/cert.pem -c -lsecure "[sonne.floppy.org]"
...
posttls-finger: Verified TLS connection established to
sonne.floppy.org[85.215.122.93]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
Do you have the requisite issuers in $smtp_tls_CAfile and/or $smtp_tls_CApath?
Yes. On all 3 servers, posttls-finger returns verified for all 3 servers, as per
your example above.
What TLS policy is returned to Postfix by your MTA-STS plugin?
Now you got me. Right now, there is no plugin.
So it comes down to
num=62:hostname mismatch
Likely the policy you're using isn't actually setting up the correct
name(s) to match.
Probably, since I don't have any plugin.
Further, I assume the directive "secure" in the tls policy overrides
the "testing" policy, right?
Postfix has no built-in MTA-STS support, so there's nothing to
"override". If you're using a dynamic TLS policy table, with some
service returning results via a socketmap, then the policy is whatever
that service returns.
The only policy table I have is the btree'd one
smtp_tls_policy_maps = btree:$meta_directory/tls_nach_ziel
which contains:
root@butterfly:/etc/postfix# cat tls_nach_ziel.proto
#...redacted
renraku-software.de secure
#eof---
*IF* I downgrade the TLS directive from "secure" to "encrypt":
Feb 21 08:50:56 theater postfix/qmgr[553270]: 257561229F34:
from=<r...@theater.piekert.de>, size=426, nrcpt=2 (queue active)
Feb 21 08:50:56 theater postfix/smtp[560140]: Trusted TLS connection
established to sonne.floppy.org[85.215.122.93]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature
RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits)
client-digest SHA256
Feb 21 08:50:56 theater postfix/smtp[560140]: TLSRPT: status=success,
domain=renraku-software.de, receiving_mx=sonne.floppy.org[85.215.122.93]
The "secure" policy is NOT MTA-STS.
Understood.
<Loud thinking>
Understanding correctly, what I defined in the smtp_tls_policy_maps has what
function then?
https://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
I tell pf to send mail for this domain via "secure"d TLS to - probably - the
MXs responsible for the domain, right?
No, since MX DNS requests will not be performed.
And since I do not have an MTA-STS plugin yet, whatever policy exists is irrelevant at
this moment, since it is not "visible" to pf anyway (due to lack of plugin).
I understand that MTA-STS is not relevant for what is happening for the domains
written there, then.
But as a follow-up: WHY is secure failing, since the certs can be verified OK?
What is then the expectation of pf for the cert? Apparently not the MX
hostname? Something WITH the domain name renraku-software.de instead?
The manual states..
secure
Secure certificate verification. Mail is delivered only if the TLS
handshake succeeds, the remote SMTP server certificate chain can be validated,
and a DNS name in the certificate matches the specified match criteria.
What is the "match" criteria there then?
...
At this security level, DNS MX lookups, though potentially used to determine
the candidate next-hop gateway IP addresses, are not presumed to be secure
enough for TLS peername verification.
So my understanding now is that I possibly underspecified the secure directive
by omitting the match=sonne.floppy.org? And since I didn't do that, pf expected
some cert where renraku-software.de is present. Correct? At least this now
works with the additional match spec.
</Loud thinking>
Thanks for listening ;-)
Follow-up question.
IF I set up an MTA-STS plugin, will the
smtp_tls_policy_maps = btree:$meta_directory/tls_nach_ziel, socketmap...plugin
work? Is it first match wins, or is ONLY 1 "response returner" allowed?
Thanks Viktor, once again,
Florian
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
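The peer-name check that produced the "hostname mismatch" above, modelled as an added example (not Postfix code and not from the thread's participants): a "secure" entry without match= expects a certificate name equal to, or a sub-domain of, the next-hop domain (the documented defaults nexthop, dot-nexthop), so the MX's own certificate for sonne.floppy.org cannot satisfy a policy keyed on renraku-software.de; a match= list (colon-separated) replaces those defaults, and "encrypt" performs no name check at all. The certificate name list, the MX hostname and the policy strings are constructed from the thread; wildcard certificates and CN fallback are deliberately not modelled.

```python
"""Model of the peer-name check behind Postfix's smtp_tls_policy_maps levels.

Added illustration, not Postfix's own code. It assumes the documented defaults
(smtp_tls_secure_cert_match = nexthop, dot-nexthop; smtp_tls_verify_cert_match
= hostname), models only exact names and ".domain" sub-domain patterns against
the certificate's DNS names, and does not validate chains or speak TLS.
"""


def bare_nexthop(nexthop: str) -> str:
    """Reduce a next-hop like "[host]:25" or "domain" to the bare name."""
    if nexthop.startswith("["):
        host = nexthop[1:].split("]", 1)[0]
    else:
        host = nexthop.split(":", 1)[0]
    return host.rstrip(".").lower()


def parse_policy(entry: str):
    """Split a policy-table value such as "secure match=a:b" into level + attributes."""
    fields = entry.split()
    level = fields[0].lower()
    attrs = {}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        attrs[key.lower()] = value
    return level, attrs


def name_matches(pattern: str, cert_name: str) -> bool:
    """Exact match, or sub-domain match when the pattern starts with a dot."""
    pattern = pattern.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if pattern.startswith("."):
        # ".floppy.org" matches "sonne.floppy.org" but not "floppy.org" itself
        return cert_name.endswith(pattern)
    return pattern == cert_name


def expected_patterns(level: str, attrs: dict, nexthop: str, mx_host: str):
    """Names the remote certificate must carry at this level.

    A match= attribute (colon-separated) replaces the defaults; without it,
    "secure" expects the next-hop domain or a sub-domain of it, and "verify"
    expects the MX hostname. Lower levels perform no name check at all.
    """
    if level in ("secure", "verify") and "match" in attrs:
        return attrs["match"].split(":")
    if level == "secure":
        domain = bare_nexthop(nexthop)
        return [domain, "." + domain]
    if level == "verify":
        return [mx_host.rstrip(".").lower()]
    return []


def evaluate(entry: str, nexthop: str, mx_host: str, cert_dns_names):
    """Decide whether the certificate satisfies the policy's name criteria."""
    level, attrs = parse_policy(entry)
    patterns = expected_patterns(level, attrs, nexthop, mx_host)
    if not patterns:
        return {"level": level, "result": "no name check",
                "expected": [], "matched": None}
    for pattern in patterns:
        for name in cert_dns_names:
            if name_matches(pattern, name):
                return {"level": level, "result": "verified",
                        "expected": patterns, "matched": name}
    return {"level": level, "result": "hostname mismatch",
            "expected": patterns, "matched": None}


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: mail for renraku-software.de
    # goes to the MX sonne.floppy.org, whose certificate (assumed) carries only
    # its own hostname, not the recipient domain.
    CERT_NAMES = ["sonne.floppy.org"]
    for entry in ("secure",
                  "secure match=sonne.floppy.org",
                  "secure match=.floppy.org",
                  "encrypt"):
        verdict = evaluate(entry, "renraku-software.de",
                           "sonne.floppy.org", CERT_NAMES)
        print(f"{entry:32} -> {verdict['result']:18} expected={verdict['expected']}")
```

Running it shows the bare "secure" entry expecting renraku-software.de or .renraku-software.de and failing, the two match= variants verifying against sonne.floppy.org, and "encrypt" skipping the name check entirely (which is why that level logged a "Trusted", not "Verified", connection). Note that the match= name is only as trustworthy as the source you took it from: pinning the MX hostname by hand is fine when you know it out of band, but deriving it from an unsigned MX lookup is exactly the insecure "hostname" matching the manual warns against.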