On Wed, Oct 21, 2009 at 11:45:31PM +0200, Roland Dirlewanger wrote:

> Why do you expect clients on port 25 to have client certificates?
>
> In my opinion, as soon as a non anonymous TLS connection is set up between
> a client and a server, it is legitimate for both sides to verify whom they
> are talking to.
It is my best judgement that you are misguided.

- Many (ideally most, if they are wisely configured) clients will not
  supply TLS certs even when these are requested.

- Asking for client TLS certificates with normal mail delivery reduces
  interoperability, as some clients fail when asked for certs.

- There is little useful authentication function performed by the client
  certificates. Mere validity of the trust chain is rather useless, in the
  absence of any useful processing of the certified name(s).

It is best practice to not request client certificates on port 25, and for
SMTP clients delivering to MX hosts to not offer them even if requested.

> * connections to port 587 are required to use TLS. Our server should
> verify the client certificate using the CAs of our own private key
> infrastructure. These CAs are bundled in a file named
> ca-cnrs-bundle.crt
>
> Why do you expect submission clients to present client certificates?
> Most TLS-enabled MUAs do not support client certificates with SMTP.
>
> What type of clients are you expecting?
> What will you do with their certificates once the "trust chain" is verified?
>
> The clients are mostly Mozilla Thunderbird.

I don't recall how well Thunderbird supports client certs with SMTP
submission. If it does, it is rather difficult to configure a particular
SMTP connection to use a particular client cert; the preferences UI is
rather anaemic in this respect. I've only seen fully featured support for
SMTP submission client certs in "Mulberry".

> On port 587, the variable smtpd_recipient_restrictions is set to
> "permit_tls_all_clientcerts,reject" in order to allow the relaying only
> for clients using a certificate which can be trusted.

Have you found Thunderbird to use client certs with SMTP? Are your users
able to jump through the hoops necessary to configure it to do so?
> The command "postconf -n | grep _tls_" gives the following output :
>
> smtp_tls_CApath =
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_tls_CApath =
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
>
> What am I doing wrong ? Is there a way to configure our postfix server to
> distinguish certificates issued by our PKI from other certificates ?
>
> Yes, by using a suitable CAfile + CApath combination.
>
> This is the content of master.cf.
>
> smtp       inet  n  -  n  -  -  smtpd
>   -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
>   -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
>   -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-bundle.crt
>   -o smtpd_tls_security_level=may
>   -o smtpd_tls_ask_ccert=yes
>
> submission inet  n  -  n  -  -  smtpd
>   -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
>   -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
>   -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_ask_ccert=yes
>   -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject

On the submission port, only clients whose certificates are issued by CAs
listed in your CA file (and perhaps also any root CA in the server
certificate file, if OpenSSL also trusts that by default) will be allowed.

Post verbose logging from the submission service (append "-v" after the
"smtpd" on the first line) that demonstrates any contrary behaviour.

Try again with any root CA removed from your "server-cert-chain.pem", list
just the leaf cert and all intermediate CAs, but not the root cert.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
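As an added example (not part of this thread, and not code from the Postfix project), the script below lints the per-service "-o" overrides of a master.cf fragment for the two points Viktor makes above: the MX service on port 25 should not request client certificates, and a "permit_tls_all_clientcerts" restriction only does anything if smtpd_tls_ask_ccert=yes, a CAfile or CApath is configured, and the service actually enforces TLS. The sample master.cf is constructed from the one quoted in the thread; the function names are hypothetical, and only master.cf overrides are examined (main.cf values can be passed in as defaults, e.g. from "postconf -n").

```python
"""Lint per-service smtpd TLS overrides in a Postfix master.cf fragment.

Added example, not code from the thread or from the Postfix project.
Pitfalls reported:
  * the MX service ("smtp", port 25) requesting client certificates;
  * a permit_tls_all_clientcerts restriction that cannot work because
    smtpd_tls_ask_ccert is not "yes", no CAfile/CApath is configured, or
    the service does not enforce TLS (security level other than "encrypt").
"""
import re

# Constructed sample, modelled on the master.cf quoted in the thread.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-bundle.crt
  -o smtpd_tls_security_level=may
  -o smtpd_tls_ask_ccert=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key
  -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
"""

OVERRIDE_RE = re.compile(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$")


def parse_master_cf(text):
    """Return {service: {key: value}} for every service whose command is smtpd.

    A service line starts in column 1 with eight fields (name, type, private,
    unpriv, chroot, wakeup, maxproc, command); continuation lines start with
    whitespace and carry "-o key=value" overrides. Comments/blanks are skipped.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation line: only keep overrides belonging to an smtpd service.
            match = OVERRIDE_RE.match(raw)
            if current is not None and match:
                services[current][match.group(1)] = match.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            current = fields[0]
            services[current] = {}
        else:
            current = None  # not an smtpd service: ignore its overrides
    return services


def lint_services(services, main_cf=None):
    """Return a list of (service, problem) tuples.

    main_cf: optional dict of main.cf values used as defaults for parameters
    the service does not override (e.g. taken from "postconf -n" output).
    """
    main_cf = main_cf or {}
    findings = []
    for name, overrides in services.items():
        opts = dict(main_cf)
        opts.update(overrides)
        ask_ccert = opts.get("smtpd_tls_ask_ccert", "no")
        level = opts.get("smtpd_tls_security_level", "none")
        has_ca = bool(opts.get("smtpd_tls_CAfile") or opts.get("smtpd_tls_CApath"))
        restrictions = opts.get("smtpd_recipient_restrictions", "")
        uses_ccert_rule = "permit_tls_all_clientcerts" in restrictions

        # Pitfall 1: the MX service (port 25) should not ask for client certs;
        # most clients send none and some fail when asked.
        if name == "smtp" and ask_ccert == "yes":
            findings.append((name, "requests client certificates from MX clients"))

        # Pitfall 2: permit_tls_all_clientcerts needs a verified certificate to match.
        if uses_ccert_rule:
            if ask_ccert != "yes":
                findings.append((name, "permit_tls_all_clientcerts but smtpd_tls_ask_ccert is not yes"))
            if not has_ca:
                findings.append((name, "permit_tls_all_clientcerts but no smtpd_tls_CAfile/CApath to verify against"))
            if level != "encrypt":
                findings.append((name, "permit_tls_all_clientcerts on a service that does not require TLS; "
                                       "plaintext sessions fall through to the next restriction"))
    return findings


def lint_text(text, main_cf=None):
    """Convenience wrapper: parse a master.cf fragment and lint it."""
    return lint_services(parse_master_cf(text), main_cf)


if __name__ == "__main__":
    for service, problem in lint_text(SAMPLE_MASTER_CF):
        print(f"{service}: {problem}")
```

Run against the sample, the only finding is the "smtp" service asking for client certificates; the submission service passes because it combines smtpd_tls_security_level=encrypt, smtpd_tls_ask_ccert=yes and a CAfile, which is exactly what the restriction needs. Dropping the ask_ccert override from the submission service makes the linter flag it, which is the silent failure mode the thread warns about: the restriction list then never sees a certificate and every client hits "reject".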