Hi,
I'm having an issue I can't quite understand at the moment.
We are part of a larger PKI run by the German NREN, which is in the end
rooted at Deutsche Telekom:
- Deutsche Telekom Root CA 2
  - DFN-Verein PCA Global - G01
    - LRZ-CA - G01 <-- this is ours
      - some client cert
    - LMU-CA <-- this is ours
      - some client cert
    - TUM-CA <-- this is ours
      - some client cert
    - more weirdos
  - other weirdos
We want to allow relaying for all certificates issued by our CAs, which
I thought would be pretty easy:
smtpd_tls_CApath = /etc/postfix-postout/certs
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_recipient_restrictions = permit_tls_all_clientcerts, reject
lxmhs33:~ # ls -la /etc/postfix-postout/certs/
drwxr-xr-x 2 postmaster root 4096 20. Dez 08:46 .
drwxr-xr-x 4 postmaster root 4096 20. Dez 08:46 ..
lrwxrwxrwx 1 postmaster root 10 20. Dez 08:46 1ebd942d.0 -> TUM-CA.pem
lrwxrwxrwx 1 postmaster root 10 20. Dez 08:46 367d1e35.0 -> LRZ-CA.pem
lrwxrwxrwx 1 postmaster root 10 20. Dez 08:46 7ece279c.0 -> LMU-CA.pem
-rw-r--r-- 1 postmaster root 1826 24. Jul 2010 LMU-CA.pem
-rw-r--r-- 1 postmaster root 1850 24. Jul 2010 LRZ-CA.pem
-rw-r--r-- 1 postmaster root 1724 24. Jul 2010 TUM-CA.pem
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: setting up TLS connection from postout.lrz.de[129.187.254.115]
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: CA certificate verification failed for postout.lrz.de[129.187.254.115]: num=2:unable to get issuer certificate
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: postout.lrz.de[129.187.254.115]: Untrusted: subject_CN=postout.lrz.de, issuer=LRZ-CA - G01, fingerprint=18:4B:79:22:82:67:DC:1E:60:35:41:F2:E4:A0:9F:1F
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: Untrusted TLS connection established from postout.lrz.de[129.187.254.115]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
It only works when I put the full chain (including Deutsche Telekom and
DFN) into the certs directory, but then permit_tls_all_clientcerts would
be stupid.
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: connect from postout.lrz.de[129.187.254.115]
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: setting up TLS connection from postout.lrz.de[129.187.254.115]
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: postout.lrz.de[129.187.254.115]: Trusted: subject_CN=postout.lrz.de, issuer=LRZ-CA - G01, fingerprint=18:4B:79:22:82:67:DC:1E:60:35:41:F2:E4:A0:9F:1F
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: Trusted TLS connection established from postout.lrz.de[129.187.254.115]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
This is SLES 11 SP1 with Postfix 2.8.7 and OpenSSL 0.9.8h.
Any idea how to allow all certificates issued by specific sub-CAs
without trusting everyone?
Bernhard
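Added example (editor's; not part of Bernhard's post, nor Postfix's or OpenSSL's own code): a throw-away root -> sub-CA -> client PKI built with the openssl CLI that reproduces the "unable to get issuer certificate" failure above and shows two ways past it. It assumes only the `openssl` binary (1.0.2 or later for `-partial_chain`); every CA and host name in it is invented (Example Root CA, Example Sub-CA, Other Sub-CA, postout.example.org, stranger.example.org), the trust stores are temp directories laid out like the hashed certs directory in the post, and the fingerprint table is a plain-text stand-in for a Postfix relay_clientcerts map.

```shell
#!/bin/sh
# Added example (editor's; not from the post, Postfix or OpenSSL): a throw-away
# root -> sub-CA -> client PKI built with the openssl CLI that reproduces the
# "unable to get issuer certificate" failure and shows two ways past it.
# All names are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so nothing depends on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder, overridden by -subj
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# new_cert NAME SUBJECT EXTS [ISSUER]: key and cert in $WORK, signed by ISSUER
# or self-signed when ISSUER is omitted.
new_cert() {
  name=$1 subj=$2 exts=$3 issuer=${4:-}
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
    -subj "$subj" -out "$WORK/$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$exts.ext" -days 3650 -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/$exts.ext" \
      -days 365 -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Same shape as the hierarchy in the post: one root, sibling sub-CAs, clients.
new_cert root     "/CN=Example Root CA"      ca
new_cert subca    "/CN=Example Sub-CA"       ca   root   # "ours"
new_cert other    "/CN=Other Sub-CA"         ca   root   # one of the "weirdos"
new_cert client   "/CN=postout.example.org"  leaf subca
new_cert stranger "/CN=stranger.example.org" leaf other
# What a client hands over with its own cert: the untrusted part of the chain.
cat "$WORK/subca.pem" "$WORK/other.pem" > "$WORK/untrusted.pem"

# add_to_capath DIR CERT: the <subject_hash>.0 symlinks that c_rehash creates
# and that smtpd_tls_CApath / openssl verify -CApath look up.
add_to_capath() {
  mkdir -p "$1"
  ln -sf "$2" "$1/$(openssl x509 -in "$2" -noout -subject_hash).0"
}
add_to_capath "$WORK/store-subca-only" "$WORK/subca.pem"
add_to_capath "$WORK/store-full"       "$WORK/subca.pem"
add_to_capath "$WORK/store-full"       "$WORK/root.pem"

# verify CERTNAME STORE [verify flags]: prints OK, or FAIL with OpenSSL's reason.
verify() {
  cert=$WORK/$1.pem store=$WORK/$2
  shift 2
  if out=$(openssl verify "$@" -CApath "$store" -untrusted "$WORK/untrusted.pem" "$cert" 2>&1); then
    echo OK
  else
    reason=$(echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
    echo "FAIL: ${reason:-$out}"
  fi
}

# fingerprint CERTNAME [DIGEST]: the colon-separated digest Postfix logs and keys
# relay_clientcerts by. Postfix 2.8 defaults smtpd_tls_fingerprint_digest to md5
# (the 16-byte value in the post); sha256 is used here.
fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -"${2:-sha256}" | sed 's/^[^=]*=//'
}

# Allowlist keyed by fingerprint, a plain-text stand-in for the relay_clientcerts
# map that permit_tls_clientcerts (or check_ccert_access) consults.
allowed_by_fingerprint() {   # CERTNAME TABLE
  fp=$(fingerprint "$1")
  if grep -qi "^$fp[[:space:]]" "$2"; then echo OK; else echo "REJECT: $fp"; fi
}

# Full-chain verification first, then a rule on the immediate issuer: the check a
# check_policy_service server could apply to the ccert_issuer attribute.
allowed_by_issuer() {   # CERTNAME STORE ISSUER-CN
  [ "$(verify "$1" "$2")" = OK ] || { echo "REJECT: not verified"; return 0; }
  issuer=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer)
  case $issuer in
    *"CN = $3"|*"/CN=$3") echo OK ;;
    *) echo "REJECT: $issuer" ;;
  esac
}

printf '%s  relay-ok\n' "$(fingerprint client)" > "$WORK/relay_clientcerts"
echo "sub-CA only, client:              $(verify client store-subca-only)"
echo "sub-CA only, -partial_chain:      $(verify client store-subca-only -partial_chain)"
echo "root + sub-CA, stranger:          $(verify stranger store-full)"
echo "fingerprint table, stranger:      $(allowed_by_fingerprint stranger "$WORK/relay_clientcerts")"
echo "issuer rule, stranger:            $(allowed_by_issuer stranger store-full "Example Sub-CA")"
```

What the runs show: with only the sub-CA in the store, OpenSSL walks up to the sub-CA, finds it is not self-signed, looks for its issuer and stops with "unable to get issuer certificate", exactly the num=2 failure in the log above; a chain is only complete at a self-signed certificate in the store unless X509_V_FLAG_PARTIAL_CHAIN (`-partial_chain`, added in OpenSSL 1.0.2) is set, which the OpenSSL 0.9.8h in the post does not have. Putting the root into smtpd_tls_CApath makes `client` verify, but it makes `stranger`, issued by the sibling sub-CA under the same root, verify too, which is why permit_tls_all_clientcerts then relays for everyone under Deutsche Telekom. The per-certificate knob Postfix itself provides is the fingerprint table: `relay_clientcerts` with `permit_tls_clientcerts` (or `check_ccert_access`), keyed by the fingerprint printed in the "Trusted:" log line, computed with the digest named by `smtpd_tls_fingerprint_digest`. A rule on the issuer instead of on individual certificates is not a built-in smtpd restriction; it has to live in a check_policy_service server, which gets the client certificate's ccert_issuer and ccert_fingerprint attributes (SMTPD_POLICY_README), and it should only be applied after full-chain verification, as `allowed_by_issuer` does, since an issuer name by itself proves nothing.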