On 2013-10-06 23:13, Viktor Dukhovni wrote:
> On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:
>
> [ What Noel said, plus see below. ]
>
>> 10.0.0.1:submission inet n - n - - smtpd
>> -o smtpd_tls_req_ccert=yes
>
> Fine.
>
>> -o smtpd_tls_auth_only=no
>
> This seems silly. Since authentication gets them nowhere, why
> allow plaintext password leaks? Just disable SASL period.

I am not using SASL at all.

>> -o smtpd_tls_ask_ccert=yes
>
> This is implied by req_ccert.

Removed.

>> -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>
> This is an SMTP client parameter that serves no purpose here.

Removed.

>> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>
> This is a bad idea. Instead set this to an empty file. The list
> of all the CA DNs from this file is sent to the client, but your
> clients probably don't need CA hints. Otherwise make this a
> small list of one or two suitable CAs that issue the certificates
> which are admitted via the relay certs file. You should set your digest
> algorithm explicitly (sha1 or better if available as with OpenSSL
> 1.0.0 or later or the most recent Postfix patches that make sha256
> available with older OpenSSL releases).

FYI: this is the bundle from the CA which issued the certificate in
question. Prior attempts with a smaller list failed.

>> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
>> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
>
> This looks like md5, and while still largely resistant to 2nd
> preimage attacks, you should still avoid it.

It is indeed MD5. I've changed to sha1 and obtained the new fingerprint
via:

openssl x509 -noout -in cliff.example.org.crt -fingerprint

Thank you. Much appreciated.
--
Dan Langille - http://langille.org/
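As an added illustration (not code from this thread or from Postfix itself): a small Python check over a relay_clientcerts file that recognises which digest produced each fingerprint from its length, flags MD5 entries as Viktor advises, and rewrites them from the DER certificate with sha1 (or better) in the same colon-separated form that `openssl x509 -fingerprint` prints. The function names and the DER bytes used in the test are assumptions and constructed data, not real certificates.

```python
import hashlib
import re

# Digest length in bytes -> name, for algorithms usable as Postfix's
# smtpd_tls_fingerprint_digest; the thread recommends sha1 or better.
DIGEST_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256", 64: "sha512"}
ACCEPTED_DIGESTS = {"sha1", "sha256", "sha512"}
FP_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}")


def fingerprint(der_cert, digest="sha1"):
    """Colon-separated upper-case digest of a DER certificate: the form
    `openssl x509 -fingerprint` prints and relay_clientcerts expects."""
    raw = hashlib.new(digest, der_cert).digest()
    return ":".join(f"{b:02X}" for b in raw)


def parse_relay_clientcerts(text):
    """Parse '<fingerprint> <name>' lines (blank lines and '#' comments are
    skipped); record the digest implied by the length and whether it is weak."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or not FP_RE.fullmatch(fields[0]):
            raise ValueError(f"line {lineno}: expected '<fingerprint> <name>': {line!r}")
        fp, name = fields[0].upper(), fields[1].strip()
        digest = DIGEST_BY_LENGTH.get((len(fp) + 1) // 3, "unknown")
        entries.append({"fingerprint": fp, "name": name, "digest": digest,
                        "weak": digest not in ACCEPTED_DIGESTS})
    return entries


def migrate(entries, certs, digest="sha1"):
    """Rewrite weak entries with `digest`; `certs` maps name -> DER bytes.
    An entry is rewritten only if its old fingerprint still matches the cert,
    so a stale or mistyped line is reported instead of silently replaced."""
    out = []
    for e in entries:
        if not e["weak"]:
            out.append(f"{e['fingerprint']} {e['name']}")
            continue
        der = certs.get(e["name"])
        if der is None or e["digest"] == "unknown" or fingerprint(der, e["digest"]) != e["fingerprint"]:
            raise ValueError(f"{e['name']}: no certificate matches its old {e['digest']} fingerprint")
        out.append(f"{fingerprint(der, digest)} {e['name']}")
    return out
```

In a real run the DER bytes come from the client's certificate file (for example `openssl x509 -in cliff.example.org.crt -outform DER`), and the rewritten lines replace the old ones before the table is rebuilt with postmap.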