On 5/10/2010 11:14 PM, Dave O'Larte wrote:
On Mon, May 10, 2010 at 3:31 PM, Noel Jones<njo...@megan.vbhcs.org> wrote:
On 5/10/2010 12:52 PM, Dave O'Larte wrote:
Regarding using the right main.cf:
I've only installed a single Postfix instance, and changes I make to
main.cf do affect Postfix. (E.g. turning up logging, etc.) The Postfix
log says I'm using the config in /etc/postfix.
The output from postfinger:
# ./postfinger
postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
version: 1.30
Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public. If this is the case it is your responsibility to modify
the output to hide this private information. [Remove this warning with
the --nowarn option.]
--System Parameters--
mail_version = 2.6.5
hostname = AA-DD-DDD-DDD-DDD
uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13
19:06:04 UTC 2009 i686 GNU/Linux
--Packaging information--
looks like this postfix comes from deb package: postfix-2.6.5-3
--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 0
mailbox_size_limit = 0
maximal_backoff_time = 10s
maximal_queue_lifetime = 0
mydestination = aa-dd-ddd-ddd-ddd.aaa.aaaaaaaa, localhost
myhostname = aa-dd-ddd-ddd-ddd.aaa.aaaaaaaa
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_client_certs
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
virtual_gid_maps = static:1004
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = aaaaaaaaaaaaaaaaa.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:1004
--master.cf--
smtp inet n - - - - smtpd
smtps inet n - - - - smtpd
-o smtpd_sasl_path=smtpd
-o smtp_tls_security_level=fingerprint
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
-o smtp_tls_note_starttls_offer=yes
-o smtpd_tls_req_ccert=no
-o smtpd_tls_received_header=yes
-o smtpd_sasl_local_domain=
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o broken_sasl_auth_clients=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_client_restrictions=
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
-- end of postfinger output --
Postfix logfile contents from a client connect:
May 10 17:32:14 aaaaaaaaaaaaaaaaa postfix/postfix-script[5513]: refreshing the Postfix mail system
May 10 17:32:14 aaaaaaaaaaaaaaaaa postfix/master[1040]: reload -- version 2.6.5, configuration /etc/postfix
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: initializing the server-side TLS engine
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: connect from localhost[127.0.0.1]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: setting up TLS connection from localhost[127.0.0.1]
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:before/accept initialization
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read client hello A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write server hello A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write certificate A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write key exchange A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write certificate request A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 flush data
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: certificate verification depth=1 verify=1 subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=aaaaaa/emailaddress=a...@aaaaaa.com
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: certificate verification depth=0 verify=1 subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com/emailaddress=a...@aaaaaa.com
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read client certificate A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read client key exchange A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read certificate verify A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read finished A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write change cipher spec A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write finished A
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 flush data
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: subject=/C=US/ST=aaaaaaaa/O=aaaaaa/OU=aaa/CN=aaa-ddd-dd-ddd-ddd.aaaaaaaaa.aaaaaaaaa.com/emailaddress=...@aaaaaa.com
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: issuer=/C=US/ST=aaaaaaaa/O=aaaaaa/OU=aaa/CN=aaaaaaaaa/emailaddress=...@aaaaaa.com
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: Trusted: subject_CN=aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com, issuer=aaaaaaaaaaaa, fingerprint=nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn
May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: Trusted TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 10 17:33:29 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: disconnect from localhost[127.0.0.1]
The contents of relay_client_certs (containing acceptable fingerprints):
# cat relay_client_certs
06:9E:FA:8A:49:A2:24:88:89:16:48:D4:C0:C2:F4:A3:54:D9:65:14 OK
OK, now tell us why you think it's not working.
Because it doesn't matter what, if anything, I put into the fingerprint
file - /etc/postfix/relay_client_certs - the file can be empty, I can
do a postmap on it, then restart Postfix, and the incoming TLS client
connection is still successful.
You'll need to show us something that's not working as you expect.
Note that the config you shared still only allows clients in
mynetworks to relay mail through the server. If you want to allow
clients to relay based on certificates, you'll need to include
permit_tls_clientcerts in your smtpd_recipient_restrictions.
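Added example (not code from this thread or from Postfix): a Python audit that applies Noel's point, plus one further check, to the kind of output shown above. It parses main.cf-style parameters, the relay_clientcerts source file and a "Trusted:" smtpd log line, flags permit_tls_clientcerts missing from smtpd_recipient_restrictions and a warn_if_reject that turns the restriction after it into a log-only reject_warning, and reports whether a logged client fingerprint is listed in the map. The sample host, CA and log fingerprint are constructed placeholders, and the Postfix 2.x built-in default for smtpd_recipient_restrictions is assumed where the comment says so.

```python
import re

# Constructed sample input modelled on the thread's postfinger output, map file
# and smtpd log (placeholder host, CA and log fingerprint, not real values).
MAIN_CF = ("relay_clientcerts = hash:/etc/postfix/relay_client_certs\n"
           "smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject\n")
RELAY_CLIENTCERTS = "06:9E:FA:8A:49:A2:24:88:89:16:48:D4:C0:C2:F4:A3:54:D9:65:14 OK\n"
LOG = ("May 10 17:33:14 mx postfix/smtpd[5521]: localhost[127.0.0.1]: Trusted: "
       "subject_CN=client.example.test, issuer=Example-CA, "
       "fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\n")
TRUSTED_RE = re.compile(r"Trusted: subject_CN=(?P<cn>\S+), issuer=\S+, "
                        r"fingerprint=(?P<fp>[0-9A-Fa-f:]+)")

def parse_main_cf(text):
    """Turn 'name = value' lines (main.cf or postfinger style) into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def restrictions(params, name, default=""):
    """Split a restriction list on commas/whitespace; `default` applies when unset."""
    return [r for r in re.split(r"[\s,]+", params.get(name, default)) if r]

def audit_relay_policy(params):
    """Findings on whether certificate-based relay is actually enforced."""
    findings = []
    client = restrictions(params, "smtpd_client_restrictions")
    # Assumed Postfix 2.x built-in default when the parameter is absent from main.cf.
    recipient = restrictions(params, "smtpd_recipient_restrictions",
                             "permit_mynetworks, reject_unauth_destination")
    if "warn_if_reject" in client:
        i = client.index("warn_if_reject") + 1
        if i < len(client):  # next restriction only logs reject_warning, never rejects
            findings.append("warn_if_reject makes '%s' log-only" % client[i])
    if "permit_tls_clientcerts" not in recipient:
        findings.append("permit_tls_clientcerts missing from smtpd_recipient_restrictions")
    return findings

def parse_relay_clientcerts(text):
    """Fingerprints marked OK in the relay_clientcerts source file, upper-cased."""
    rows = [ln.split() for ln in text.splitlines()]
    return {r[0].upper() for r in rows if len(r) >= 2 and r[1].upper() == "OK"}

def check_trusted_connections(log, allowed):
    """(CN, fingerprint, listed?) per 'Trusted:' log line; case normalised here."""
    return [(m["cn"], m["fp"].upper(), m["fp"].upper() in allowed)
            for m in TRUSTED_RE.finditer(log)]
```

Run the audit over the real `postconf -n` output, the map source file and the smtpd log to see at a glance whether a "Trusted TLS connection" was actually allowed to relay by policy or only admitted by mynetworks.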