On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
On Sun, Feb 23, 2014 at 02:28:07PM +0100, Dirk St?cker wrote:
And whatever I do I'm unable to get any of these three to show a
trusted connection to any of the others. It trusts Google and GMX
and whatever, but not my own servers. That's disturbing.
Here the configs I use essentially
Essentially, or actually?
This should mean, that this was only an excerpt.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = ...cert file include cert and all related ca's...
smtpd_tls_key_file = ...key...
smtpd_tls_CApath = /etc/ssl/certs/
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs/
Notice anything funny about the last line?
A typo, sorry. But text should have shown, that this part worked as
expected.
When both sides are Postfix, and the client is opportunistic, the
server and client typically agree to a cipher-suite without any
certificates. Why bother, if the client does not check anyway.
Because it allows to at to least detect if connection has been broken. It
is a big difference for later investigation even if not for the mail
sending at that time.
Seems Postfix still need to learn a lot about secure connections. Your
text and my current experience seems to say it follows a total trust or
no trust. But there are at least two steps inbetween. E.G.
- Keep "may", but log much better status for later investigations
- Remember certs and report changes
If this is important to you, set:
smtp_tls_exclude_ciphers=aNULL
for the transport that delivers mail between your internal systems.
Does not sound like what I want. I don't want to hardcode a specific
handling for some servers, I want that the "trusted" state is logged
properly in any possible case.
This highlights a minor defect in the Postfix SMTP client TLS status
logging, it never actually logs the "Anonymous" case, that's only
done in the SMTP server.
PATCH:
diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
--- a/src/tls/tls_client.c
+++ b/src/tls/tls_client.c
@@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const
TLS_CLIENT_START_PROPS *props)
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
- "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+ "(%d/%d bits)",
+ !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+ TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);
Would be an improvement, but essentially I search for a
smtp_tls_verify_certs=whenpossible
which improves the log, but does not affect sending. Maybe together with a
smtp_tls_remember_certs=yes
and a notice when Cert changed. I.e. with a note like
(Un)trusted (first seen at 12.01.2014, last change 23.02.2014).
That would greatly improve the usefulness of the TLS log messages.
Also a replacement for "may" which allows to enforce TLS for any
connection, where TLS worked at least once would improve security. That
way a system would get more secure the longer it is running.
A full woldwide TLS setup wont come very soon, so at least a step-by-step
migration would be fine.
Something like
smtp_tls_security_level = may_for_new_encrypt_otherwise_secure_for_validcert
I.e.
- use "may" by default
- When at least once TLS was supported use TLS from now on
- When at least once the cert was valid, verify it later as well
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
