Regarding using the right main.cf:
I've only installed a single Postfix instance, and changes I make to
main.cfdo affect Postfix. (E.g. turning up logging, etc.) The Postfix
log says I'm
using the config in /etc/postfix.
The output from postfinger:
# ./postfinger
postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
version: 1.30
Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public. If this is the case it is your responsibility to modify
the output to hide this private information. [Remove this warning with
the --nowarn option.]
--System Parameters--
mail_version = 2.6.5
hostname = AA-DD-DDD-DDD-DDD
uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13
19:06:04 UTC 2009 i686 GNU/Linux
--Packaging information--
looks like this postfix comes from deb package: postfix-2.6.5-3
--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 0
mailbox_size_limit = 0
maximal_backoff_time = 10s
maximal_queue_lifetime = 0
mydestination = aa-dd-ddd-ddd-ddd.aaa.aaaaaaaa, localhost
myhostname = aa-dd-ddd-ddd-ddd.aaa.aaaaaaaa
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_client_certs
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
virtual_gid_maps = static:1004
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = aaaaaaaaaaaaaaaaa.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:1004
--master.cf--
smtp inet n - - - - smtpd
smtps inet n - - - - smtpd
-o smtpd_sasl_path=smtpd
-o smtp_tls_security_level=fingerprint
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
-o smtp_tls_note_starttls_offer=yes
-o smtpd_tls_req_ccert=no
-o smtpd_tls_received_header=yes
-o smtpd_sasl_local_domain=
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o broken_sasl_auth_clients=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_client_restrictions=
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
-- end of postfinger output --
Postfix logfile contents from a client connect:
May 10 17:32:14 aaaaaaaaaaaaaaaaa postfix/postfix-script[5513]: refreshing
the Postfix mail system
May 10 17:32:14 aaaaaaaaaaaaaaaaa postfix/master[1040]: reload -- version
2.6.5, configuration /etc/postfix
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: initializing the
server-side TLS engine
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: connect from
localhost[127.0.0.1]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: setting up TLS
connection from localhost[127.0.0.1]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]:
TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]:
SSL_accept:before/accept initialization
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read
client hello A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
write server hello A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
write certificate A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
write key exchange A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
write certificate request A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
flush data
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]:
certificate verification depth=1 verify=1
subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=aaaaaa/emailAddress=
[email protected]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]:
certificate verification depth=0 verify=1
subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=
aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com/[email protected]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read
client certificate A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read
client key exchange A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read
certificate verify A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read
finished A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
write change cipher spec A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
write finished A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3
flush data
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]:
subject=/C=US/ST=aaaaaaaa/O=aaaaaa/OU=aaa/CN=
aaa-ddd-dd-ddd-ddd.aaaaaaaaa.aaaaaaaaa.com/[email protected]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]:
issuer=/C=US/ST=aaaaaaaa/O=aaaaaa/OU=aaa/CN=aaaaaaaaa/emailAddress=
[email protected]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]:
Trusted: subject_CN=aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com,
issuer=aaaaaaaaaaaa,
fingerprint=nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: Trusted TLS
connection established from localhost[127.0.0.1]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
May 10 17:33:29 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: disconnect from
localhost[127.0.0.1]
The contents of relay_client_certs (containing acceptable fingerprints):
# cat relay_client_certs
06:9E:FA:8A:49:A2:24:88:89:16:48:D4:C0:C2:F4:A3:54:D9:65:14 OK
On Mon, May 10, 2010 at 11:01 AM, Noel Jones <[email protected]> wrote:
> On 5/10/2010 10:30 AM, Dave O'Larte wrote:
>
>> I'm trying to enable TLS client fingerprint checking on Postfix - that
>> is, I want Postfix, acting as a server, to check the fingerprint of
>> clients trying to connect against a table of cert fingerprints.
>>
>> From the Postfix logfile, TLS is working, client certs are being
>> requested, but I can't get Postfix to do the fingerprint check.
>>
>> In a nutshell, Postfix doesn't seem to pay any attention at all to the
>> following line in main.cf <http://main.cf>:
>>
>>
>>
>> smtpd_client_restrictions=permit_tls_clientcerts,warn_if_reject,reject
>>
>> I can put gibberish in the right side of the above main.cf
>> <http://main.cf> parameter and Postfix doesn't seem to pay any attention.
>>
>>
>> "postconf -n" shows that the parameter was correctly read from main.cf
>> <http://main.cf>.
>> master.cf <http://master.cf> does not override this value.
>>
>>
>> This is on an Ubuntu 9.10 system, running Postfix v 2.6.5
>> The frustrating thing is, I can get this to work on other Ubuntu systems
>> running the same version of Postfix, so obviously I'm doing something
>> wrong.
>>
>> Anyone know of a reason Postfix would ignore "smtpd_client_restrictions"?
>>
>> As this is the first time I've ever tried to post a Postfix question,
>> please don't hesitate to let me know if there's a better way to pPost
>> such a newb question ...
>>
>>
>> Dave
>>
>
>
> http://www.postfix.org/DEBUG_README.html#mail
>
> Show us your "postconf -n" and non-comment entries in master.cf.
>
> Are you sure you're editing the right main.cf? Maybe you have multiple
> postfix installations. Run "find / -name main.cf -ls" to make sure.
> Also, postfix/master logs the configuration directory when postfix starts
> or reloads.
>
> -- Noel Jones
>
