Quoting Bernhard Schmidt <be...@birkenwald.de>:
Hi,

I'm having an issue I can't quite understand at the moment.

We are part of a larger PKI infrastructure run by the German NREN, which is in the end rooted at the Deutsche Telekom.

- Deutsche Telekom Root CA 2
  - DFN-Verein PCA Global - G01
    - LRZ-CA - G01 <-- this is ours
      - some client cert
    - LMU-CA <-- this is ours
      - some client cert
    - TUM-CA <-- this is ours
      - some client cert
    - more weirdos
  - other weirdos

We want to allow relaying for all certificates issued by our CAs. Which I thought to be pretty easy:

smtpd_tls_CApath = /etc/postfix-postout/certs
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_ask_ccert=yes
smtpd_recipient_restrictions = permit_tls_all_clientcerts, reject

lxmhs33:~ # ls -la /etc/postfix-postout/certs/
drwxr-xr-x 2 postmaster root 4096 20. Dez 08:46 .
drwxr-xr-x 4 postmaster root 4096 20. Dez 08:46 ..
lrwxrwxrwx 1 postmaster root   10 20. Dez 08:46 1ebd942d.0 -> TUM-CA.pem
lrwxrwxrwx 1 postmaster root   10 20. Dez 08:46 367d1e35.0 -> LRZ-CA.pem
lrwxrwxrwx 1 postmaster root   10 20. Dez 08:46 7ece279c.0 -> LMU-CA.pem
-rw-r--r-- 1 postmaster root 1826 24. Jul 2010 LMU-CA.pem
-rw-r--r-- 1 postmaster root 1850 24. Jul 2010 LRZ-CA.pem
-rw-r--r-- 1 postmaster root 1724 24. Jul 2010 TUM-CA.pem

Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: setting up TLS connection from postout.lrz.de[129.187.254.115]
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: CA certificate verification failed for postout.lrz.de[129.187.254.115]: num=2:unable to get issuer certificate
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: postout.lrz.de[129.187.254.115]: Untrusted: subject_CN=postout.lrz.de, issuer=LRZ-CA - G01, fingerprint=18:4B:79:22:82:67:DC:1E:60:35:41:F2:E4:A0:9F:1F
Dec 20 08:59:59 lxmhs33 postfix-postout/smtpd[9870]: Untrusted TLS connection established from postout.lrz.de[129.187.254.115]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

It only works when I put the full chain (including Deutsche Telekom and DFN) into the certs directory, but then permit_tls_all_clientcerts would be stupid.

Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: connect from postout.lrz.de[129.187.254.115]
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: setting up TLS connection from postout.lrz.de[129.187.254.115]
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: postout.lrz.de[129.187.254.115]: Trusted: subject_CN=postout.lrz.de, issuer=LRZ-CA - G01, fingerprint=18:4B:79:22:82:67:DC:1E:60:35:41:F2:E4:A0:9F:1F
Dec 20 08:47:37 lxmhs33 postfix-postout/smtpd[9870]: Trusted TLS connection established from postout.lrz.de[129.187.254.115]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

This is SLES11.1 with postfix 2.8.7, openssl 0.9.8h.

Any idea how to allow all certificates issued by specific Sub-CAs, without trusting everyone?
As far as I understand you have to list the complete chain but only your sub-CA to get it working. So create a smtpd_tls_CAfile with the Telekom root and your sub-CA and nothing else. This would allow relaying for any certificate your sub-CA or the Telekom root CA has issued, but not for certificates issued by any sub-CA of the Telekom beside yours. Be aware that you should not do this on a public facing port 25.
Regards Andreas
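To make the two outcomes in the thread reproducible without a mail server, here is an added example; it is not part of the thread and does not use the Telekom, DFN or LRZ certificates. It builds a throwaway PKI with made-up names (a toy root, a sub-CA standing in for LRZ-CA, a second sub-CA standing in for one of the "weirdos", and one client certificate under each), populates CApath-style directories with the hashed symlinks OpenSSL looks up, and asks `openssl verify` the same question smtpd asks. Two cases follow the thread: the sub-CA alone in the store fails with "unable to get issuer certificate" because OpenSSL (without partial-chain support) only stops at a self-signed root, and root plus sub-CA accepts our client. A third and fourth case go one step further than the reply: a client under the other sub-CA is rejected when it sends only its own certificate, but accepted when it also sends its sub-CA certificate in the TLS handshake, since OpenSSL uses peer-supplied intermediates to complete a chain to any trusted root. That is why a store that contains the root, combined with permit_tls_all_clientcerts, admits more than the certificates your own sub-CA issued. The function and directory names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed PKI shaped like the one
# in the post. Everything below is throwaway test material.
#
#   Toy Root CA                    (stands in for the Telekom root)
#     |- LRZ-CA - G01 (ours)       -> client cert "postout.example"
#     `- Other-CA - G01 (not ours) -> client cert "stranger.example"
WORK=${WORK:-$(mktemp -d)}

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
cat >"$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# issue NAME CN EXT_SECTION [ISSUER]: self-signed when no ISSUER is given,
# otherwise a CSR signed by $WORK/ISSUER.pem. Writes $WORK/NAME.pem.
issue() {
  name=$1 cn=$2 ext=$3 issuer=$4
  cfg="$WORK/x509.cnf"
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$cfg" \
      -extensions "$ext" -subj "/CN=$cn" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=$cn" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$cfg" \
      -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# gen_pki: build the toy hierarchy once (idempotent).
gen_pki() {
  [ -f "$WORK/stranger.pem" ] && return 0
  issue root     "Toy Root CA"      ca_ext &&
  issue lrz-ca   "LRZ-CA - G01"     ca_ext   root &&
  issue other-ca "Other-CA - G01"   ca_ext   root &&
  issue postout  "postout.example"  leaf_ext lrz-ca &&
  issue stranger "stranger.example" leaf_ext other-ca
}

# capath DIR NAME...: populate a smtpd_tls_CApath-style directory with the
# <subject-hash>.0 symlinks OpenSSL expects (the layout of the ls in the
# post). Prints DIR.
capath() {
  dir=$1; shift
  mkdir -p "$dir"
  for c in "$@"; do
    cp "$WORK/$c.pem" "$dir/$c.pem"
    ln -sf "$c.pem" "$dir/$(openssl x509 -noout -hash -in "$dir/$c.pem").0"
  done
  echo "$dir"
}

# verify_client CAPATH LEAF [EXTRA]: the decision smtpd would make for the
# client certificate LEAF with CAPATH as its trust store. EXTRA is an extra
# certificate the client sends in its TLS chain; like smtpd, 'openssl verify'
# may use it as an untrusted intermediate but never as a trust anchor.
# Prints "accepted" or "rejected" on stdout, OpenSSL's reason on stderr.
verify_client() {
  dir=$1 leaf=$2 extra=$3
  if [ -n "$extra" ]; then
    out=$(openssl verify -CApath "$dir" -untrusted "$WORK/$extra.pem" \
          "$WORK/$leaf.pem" 2>&1 || true)
  else
    out=$(openssl verify -CApath "$dir" "$WORK/$leaf.pem" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo accepted; return 0 ;;
    *)        printf '%s\n' "$out" >&2; echo rejected; return 1 ;;
  esac
}

demo() {
  gen_pki
  ours=$(capath "$WORK/capath-ours" lrz-ca)            # what the post tried first
  ours_root=$(capath "$WORK/capath-ours-root" root lrz-ca)  # what the reply suggests
  echo "store {LRZ-CA}:       our client           -> $(verify_client "$ours" postout)"
  echo "store {root, LRZ-CA}: our client           -> $(verify_client "$ours_root" postout)"
  echo "store {root, LRZ-CA}: stranger, leaf only  -> $(verify_client "$ours_root" stranger)"
  echo "store {root, LRZ-CA}: stranger + its subCA -> $(verify_client "$ours_root" stranger other-ca)"
}
demo
```

Run it with `sh` wherever the `openssl` command-line tool is installed; it creates everything under a temporary directory. The symlink names are computed with the running OpenSSL's `-hash`, so they will not match the 0.9.8-era names in the post, which used the older hash scheme. The last line is the practical caveat: with the root in the store, the relaying decision rests on which intermediates a client chooses to present, so if the requirement is "only certificates from our sub-CAs", decide per certificate (Postfix's check_ccert_access with a fingerprint table) rather than with permit_tls_all_clientcerts.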