On Mon, Mar 05, 2012 at 07:26:18PM +0100, Robert Dahlem wrote:
> I'm on Postfix 2.5.6 and implementing TLS. I'm having difficulty
> understanding the difference between "verify" and "secure".
These are documented in TLS_README.html:
http://www.postfix.org/TLS_README.html#client_tls_verify
The only difference between these levels is the default certificate
match policy: the former is "hostname" (not MITM secure) and the latter
is "dot-nexthop, nexthop" (MITM secure).
> /etc/postfix/main.cf
> disable_dns_lookups = yes
Unwise in most contexts. What's wrong with MX lookups?
> smtp_tls_loglevel = 2
Too verbose. Try "1".
> smtp_use_tls = yes
> smtp_enforce_tls = no
Obsolete, try "smtp_tls_security_level = may".
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> /etc/postfix/transport:
> test1.prv smtp:[s2.mydomain.de]
>
> /etc/postfix/tls_policy:
> [s2.mydomain.de] verify
For destinations with a manually configured destination (no MX lookups)
the "verify" and "secure" match strategies are identical.
> On the server side I've got an SSL key and a certificate for that key
> signed by Thawte. The CN is s1.mydomain.de. Note the difference between
> s1 (key and certificate) and s2 (in the client configuration). This has
> been configured deliberately to explore the difference between "secure"
> and "verify".
>
> My expectation was that "verify" would work (certificate chain checks
> out) but "secure" would not (CN does not match next hop).
>
> Instead, "verify" doesn't work either:
Correct, the "hostname" for this connection is "s2.mydomain.de". Verify
will match MX hosts (insecurely), but you're not using MX records, you
have a static nexthop.
--
Viktor.
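
Added example, not part of the original message and not Postfix code: a simplified Python model of the certificate name matching discussed above, showing why both levels reject the s1 certificate for the static [s2.mydomain.de] nexthop and where they differ once an MX lookup is involved. The function names and the example.com / mx.other.example hosts are constructed for illustration; chain validation is assumed to have succeeded and wildcard certificate names are not modelled.

```python
# Simplified model of the name-matching step only (added illustration, not
# Postfix code). Assumes the certificate chain already validated; wildcard
# certificate names are not modelled.
DEFAULT_MATCH = {
    "verify": ["hostname"],                # smtp_tls_verify_cert_match
    "secure": ["nexthop", "dot-nexthop"],  # smtp_tls_secure_cert_match
}

def nexthop_domain(nexthop):
    """Strip the [] that suppress MX lookups and any :port suffix."""
    nexthop = nexthop.lower()
    if nexthop.startswith("["):
        return nexthop[1:nexthop.index("]")]
    return nexthop.split(":", 1)[0]

def reference_names(level, nexthop, mx_host=None):
    """Names/patterns the client will accept in the peer certificate."""
    domain = nexthop_domain(nexthop)
    # Static [nexthop] (or no MX result): the connection hostname is the
    # nexthop itself. Otherwise it is whatever the MX lookup returned.
    static = nexthop.startswith("[") or mx_host is None
    hostname = domain if static else mx_host.lower()
    table = {"hostname": hostname, "nexthop": domain, "dot-nexthop": "." + domain}
    return [table[s] for s in DEFAULT_MATCH[level]]

def name_matches(cert_name, pattern):
    cert_name = cert_name.lower()
    if pattern.startswith("."):            # ".example.com": any subdomain
        return len(cert_name) > len(pattern) and cert_name.endswith(pattern)
    return cert_name == pattern

def peer_accepted(level, nexthop, cert_names, mx_host=None):
    patterns = reference_names(level, nexthop, mx_host)
    return any(name_matches(c, p) for c in cert_names for p in patterns)

if __name__ == "__main__":
    # Scenario from the message: static nexthop s2, certificate CN s1.
    for level in ("verify", "secure"):
        print(level, peer_accepted(level, "[s2.mydomain.de]", ["s1.mydomain.de"]))
    # Constructed MX scenario: nexthop example.com, the (unauthenticated) MX
    # lookup names mx.other.example, and that host presents its own valid cert.
    for level in ("verify", "secure"):
        print(level, peer_accepted(level, "example.com", ["mx.other.example"],
                                   mx_host="mx.other.example"))
```

In the constructed MX scenario "verify" accepts the peer because the name it checks came from the DNS answer, while "secure" rejects it because the certificate must match the nexthop domain from the local configuration.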