Hi,

I hope my question is not off topic. I am trying to create a self-signed certificate, 
which is signed by my own CA. I have created a pkcs12 file, which includes the 
cert, key, and CA:

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -CAfile cacert.pem -chain -out croessner.p12

I have imported this file on Mac OS X. I have explicitly given full trust to 
the CA certificate and have moved it to „System“. My certificate is listed and 
the Keychain app tells me that it trusts this certificate.

I also created a SHA256 fingerprint and modified main.cf to accept mail from 
this certificate.

1.) Thunderbird

I imported the same p12 file in Thunderbird. I sent a test mail and a dialog asked 
me whether to use the imported certificate. I chose yes and I could successfully send 
mail. On my test account I verified the headers and saw that the user was 
verified.

2.) Apple Mail

I entered settings and selected my account. I clicked on the certificate 
selector and found my certificate. Under SMTP servers I chose „External 
(TLS-Certificate)“. When I try to deliver a test mail with this application, I 
immediately get an error that the remote mail server does not support TLS 
certificates.

So now I wonder what is wrong.

Because Thunderbird is working, I guess there is no configuration problem in 
Postfix, is there?

I do not have very much knowledge about the openssl.cnf stuff. This is what I 
used:

cat openssl_client.cnf | grep -ve ^.*#.* -ve ^$
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
[ CA_default ]
policy          = policy_match
[ policy_match ]
domainComponent         = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
domainComponent         = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
string_mask = utf8only
[ req_distinguished_name ]
0.domainComponent               = TLD domain component
0.domainComponent_default       = de
1.domainComponent               = 2nd domain component
1.domainComponent_default       = roessner-net
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Deutschland
localityName                    = Locality Name (eg, city)
localityName_default            = Alsfeld
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = roessner-network-solutions.com
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = c...@roessner-network-solutions.com
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, email
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsCertType = client, email
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
[ tsa_config1 ]

Is it possible that Apple Mail requires something special? Or do I have to do 
something else with the certificate?

It would be great, if I could use Apple Mail with Postfix and TLS certs.

postconf -c /etc/postfix-submission/ -n
alias_database =
alias_maps =
amavisd_milter = inet:[::1]:10024
anvil_rate_time_unit = 30s
anvil_status_update_time = 600s
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix-submission/
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-submission
default_database_type = lmdb
enable_long_queue_ids = yes
html_directory = no
inet_interfaces = ${mail_roessner_net_de}
inet_protocols = ipv4, ipv6
ldap = proxy:ldap:${config_directory}/ldap
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mail_roessner_net_de = 193.239.107.42
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/man
map = ${config_directory}/maps
mapidx = ${default_database_type}:${map}
message_size_limit = 31457280
meta_directory = /etc/postfix
milter_connect_macros = j, v, {daemon_name}, {client_ptr}
milter_macro_daemon_name = ORIGINATING
milter_mail_macros = i, {auth_type}, {auth_authen}, {auth_author}, {mail_addr}, {mail_host}, {mail_mailer}, {client_name}
multi_instance_enable = yes
multi_instance_name = postfix-submission
mydestination =
mydomain = roessner-net.de
myhostname = mail.${mydomain}
mynetworks =
newaliases_path = /usr/bin/newaliases
odkim_sign = inet:[::1]:8892
proxy_read_maps = proxy:unix:passwd.byname, ${ldap}/smtpd_sender_login_maps.cf
queue_directory = /var/spool/postfix-submission
queue_minfree = 47185920
readme_directory = no
relay_clientcerts = ${mapidx}/relay_clientcerts
relayhost = [mx0.roessner-net.de]:10025
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_bind_address = ${mail_roessner_net_de}
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_send_xforward_command = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/certs/mail.roessner-net.de.pem
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_key_file = /etc/ssl/private/mail.roessner-net.de.key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane-only
smtp_tls_session_cache_database = btree:${data_directory}/smtp_session_cache
smtpd_banner = ${myhostname} ESMTP Submission
smtpd_client_connection_rate_limit = 8
smtpd_client_message_rate_limit = 20
smtpd_client_new_tls_session_rate_limit = 5
smtpd_client_port_logging = yes
smtpd_client_recipient_rate_limit = 0
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_milters = ${amavisd_milter}, ${odkim_sign}
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
smtpd_relay_restrictions = check_sender_access pcre:${map}/sender_access.pcre, check_recipient_access ${mapidx}/reject_srvint_net, reject_non_fqdn_recipient, permit_tls_clientcerts, permit_sasl_authenticated, reject_unauthenticated_sender_login_mismatch, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = ${mydomain}
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_login_maps = ${ldap}/smtpd_sender_login_maps.cf
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.roessner-net.de.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = RC4, aNULL, SEED-SHA, EXPORT
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file = /etc/ssl/private/mail.roessner-net.de.key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_session_cache
sogo_roessner_net_de = 193.239.107.43
syslog_name = postfix-submission
tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Thanks in advance

-Christian Rößner

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

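The following script is an added example from the editor, not code from the poster, from Postfix or from OpenSSL. It replays the workflow described in the post (CA-signed client certificate, then a PKCS#12 bundle exported with -CAfile/-chain) against a throwaway CA, and adds the checks worth running before touching main.cf: that the leaf actually chains to the CA and is valid for the sslclient and smimesign purposes, what the SHA256 fingerprint is in the form Postfix compares under smtpd_tls_fingerprint_digest = sha256, and that the p12 really carries the CA alongside the leaf. Every subject name, file name, password and the mini.cnf config are constructed for the example; the [ v3_ca ] and [ usr_cert ] sections there only restate the extensions from the posted openssl_client.cnf. It assumes an openssl binary (1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added example (editor's code, not from the post): build a CA-signed client
# certificate, verify it, derive the Postfix relay_clientcerts entry and export
# the PKCS#12 bundle the way the post does. All names and paths are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed config: [ v3_ca ] mirrors the post's v3_ca section, [ usr_cert ]
# the usr_cert/v3_req sections (client + email certificate, not a CA).
write_config() {
    cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Throwaway CA; stands in for the post's cacert.pem.
make_ca() {
    write_config
    openssl req -x509 -config "$WORK/mini.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=de/DC=example/O=Example CA/CN=Example Root CA" \
        -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" 2>/dev/null
}

# User key + CSR, signed by the CA with the client/email extensions
# (produces the equivalents of newkey.pem and newcert.pem).
make_client() {
    openssl req -new -config "$WORK/mini.cnf" -newkey rsa:2048 -nodes \
        -subj "/DC=de/DC=example/O=Example CA/CN=Alice Example/emailAddress=alice@example.invalid" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/newreq.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" -CAcreateserial \
        -extfile "$WORK/mini.cnf" -extensions usr_cert \
        -out "$WORK/newcert.pem" 2>/dev/null
}

# Does the leaf chain to the CA and carry the purposes a TLS client cert and
# an S/MIME signing cert need? Returns non-zero if either check fails.
verify_client() {
    openssl verify -CAfile "$WORK/cacert.pem" -purpose sslclient "$WORK/newcert.pem" >/dev/null &&
    openssl verify -CAfile "$WORK/cacert.pem" -purpose smimesign "$WORK/newcert.pem" >/dev/null
}

# Certificate fingerprint as Postfix compares it with
# smtpd_tls_fingerprint_digest = sha256: colon-separated uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$WORK/newcert.pem" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr '[:lower:]' '[:upper:]'
}

# relay_clientcerts entry: "<fingerprint> <any value>". The post's table is
# lmdb, so the file would be compiled with: postmap lmdb:relay_clientcerts
write_relay_clientcerts() {
    printf '%s %s\n' "$(cert_fingerprint)" "alice@example.invalid" \
        > "$WORK/relay_clientcerts"
    cat "$WORK/relay_clientcerts"
}

# Same export as in the post. Prints how many certificates the bundle carries:
# 2 means the CA came along via -chain, 1 means the chain was not included.
make_p12() {
    openssl pkcs12 -export -in "$WORK/newcert.pem" -inkey "$WORK/newkey.pem" \
        -CAfile "$WORK/cacert.pem" -chain -passout pass:constructed \
        -out "$WORK/client.p12"
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:constructed -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    make_ca
    make_client
    verify_client
    write_relay_clientcerts
    echo "certificates in p12: $(make_p12)"
}

main "$@"
```

Run it with `sh` and every artefact lands in a fresh mktemp directory (override with WORK=/some/dir). The certificate count from make_p12 is the quick way to confirm that the exported p12 contains the CA, and verify_client fails loudly if the leaf lacks an extension the chosen purpose requires, which is the kind of mismatch that makes one client accept a certificate and another reject it.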