On Sun, Sep 08, 2013 at 11:56:32AM +0200, Luigi Rosa wrote:

> Per http://www.postfix.org/postconf.5.html#smtpd_tls_policy_maps if I use
> fingerprint in smtp_tls_policy_maps "there are no trusted certificate
> authorities. The certificate trust chain, expiration date, ...
> are not checked"

Yes, but you do have to configure Postfix correctly.

> So I generated the keys on both servers and configured them in both Postfix
> with smtpd_tls_key_file and smtpd_tls_cert_file.

Fine.

> On the originating server I have:
> 
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtp_tls_loglevel = 1
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_session_cache_timeout = 3600s

You have failed to mention any related transport(5) settings.  The
SMTP TLS policy table lookup key is the transport nexthop.

> tls policy is:
> 
> domain.com          fingerprint
>         match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
> mail.domain.com          fingerprint
>         match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d

Always good to check that the table actually returns these values
when queried with the right lookup keys.  Are these in fact the
sha1 fingerprints of the *peer* certificate?  How were they computed?

> When I try to send an email on the originating server I have this log entries:
> 
> postfix/smtp[5360]: setting up TLS connection to xxxx[x.x.x.x]:25
> 
> Untrusted TLS connection established to mail.domain.com[x.x.x.x]:25: TLSv1
> with cipher DHE-RSA-AES256-SHA (256/256 bits)
> postfix/smtp[5360]: A4A6320004D: Server certificate not verified

These log messages have been too heavily redacted.  If you crank the log
level to 2, Postfix will log the certificate and public key fingerprint
of the remote server.  You need to also post the relevant transport
messages, and more complete log entries.  Finally, the version of Postfix.

On Sun, Sep 08, 2013 at 12:17:55PM +0200, Patrick Ben Koetter wrote:
> 
> You don't tell Postfix where to find the CA file that holds all CAs you trust.
> Without a CA cert Postfix cannot verify a server cert.

Irrelevant at the fingerprint security level.

-- 
        Viktor.
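
The two checks Viktor asks for (does the table return the expected value for the nexthop key, and is the match= value really the SHA-1 fingerprint of the peer certificate) can be rehearsed offline. The script below is an added illustration, not part of any message in this thread and not Postfix code. It computes a certificate fingerprint the way Postfix logs it for smtp_tls_fingerprint_digest = sha1 (a digest of the DER certificate, written as colon-separated hex), parses a tls_policy source file with the whitespace-continued match= lines shown above, and compares the two for a given nexthop. The table entries for domain.com and mail.domain.com are copied from the thread; the test.example entry and the "certificate" (a PEM wrapper around base64("abc"), not a real certificate) are constructed so the script runs without any key material. The exact-key lookup is a simplification; postconf(5) documents how Postfix derives the lookup key from the nexthop.

```python
import base64
import hashlib
import re

# Added example, not Postfix code. It mimics how the Postfix SMTP client
# compares a peer certificate against a "fingerprint" policy entry:
# digest the peer's DER certificate (smtp_tls_fingerprint_digest = sha1),
# format it as colon-separated hex, and compare it with the match= values
# for the entry found under the transport nexthop.


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def cert_fingerprint(der: bytes, digest: str = "sha1") -> str:
    """Digest of the whole DER certificate, written as lowercase hex pairs
    joined by ':' (the form the tls_policy table in the thread uses)."""
    hexdigest = hashlib.new(digest, der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_tls_policy(text: str) -> dict:
    """Parse tls_policy source text into {nexthop: (level, {attr: [values]})}.

    Postfix table syntax: a logical line starts in column one; a line that
    starts with whitespace continues the previous logical line, which is how
    the indented 'match=' lines attach to their domain."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        key, level, *attrs = entry.split()
        parsed = {}
        for attr in attrs:
            name, _, value = attr.partition("=")
            # normalise case so "A9:99:..." and "a9:99:..." compare equal
            parsed.setdefault(name, []).append(value.lower())
        table[key.lower()] = (level, parsed)
    return table


def fingerprint_matches(table: dict, nexthop: str, peer_der: bytes,
                        digest: str = "sha1") -> bool:
    """True only if the policy entry for this nexthop is 'fingerprint' and
    one of its match= values equals the peer certificate's digest.

    Assumption/simplification: exact-key lookup only; postconf(5) describes
    the full lookup rules for the nexthop key."""
    entry = table.get(nexthop.lower())
    if entry is None:
        return False
    level, attrs = entry
    if level != "fingerprint":
        return False
    return cert_fingerprint(peer_der, digest) in attrs.get("match", [])


# Constructed sample data: the two entries from the thread plus a test entry
# whose match= value is the SHA-1 of the bytes b"abc". The "certificate"
# below is a PEM wrapper around base64("abc") and is NOT a real certificate.
SAMPLE_POLICY = """\
domain.com          fingerprint
        match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
mail.domain.com          fingerprint
        match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
test.example        fingerprint
        match=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
"""

FAKE_PEER_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def demo() -> dict:
    """Run the checks a reader of the thread would want to run."""
    table = parse_tls_policy(SAMPLE_POLICY)
    der = pem_to_der(FAKE_PEER_PEM)
    return {
        "peer_fingerprint": cert_fingerprint(der),
        "test.example": fingerprint_matches(table, "test.example", der),
        "mail.domain.com": fingerprint_matches(table, "mail.domain.com", der),
        "unlisted.example": fingerprint_matches(table, "unlisted.example", der),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real deployment the same fingerprint comes from `openssl x509 -noout -fingerprint -sha1 -in cert.pem` run against the certificate the remote server actually presents, and the compiled table is checked with `postmap -q mail.domain.com hash:/etc/postfix/tls_policy`, using the exact nexthop string from transport(5) as the query key.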
