On Fri, Aug 22, 2014 at 04:46:56PM +0200, Christian Rößner wrote:

> Hi,
>
> I hope my question is not off topic. I try to create a self-signed
> certificate, which is signed by my own CA. I have created a pkcs12 file,
> which includes cert, key, and CA:

Is this an S/MIME email signing/encryption certificate? Or a TLS client
certificate? What is its purpose?

Do always post relevant details from the Postfix logs when reporting
Postfix problems.

> 1.) Thunderbird
>
> I imported the same p12 file in Thunderbird. Did a test mail and
> a dialog asked me to use the imported certificate. I chose yes and
> I could successfully send mail. On my test account I verified the
> headers and saw that the user was verified.

Was the certificate actually used to authenticate mail submission?
Likely Thunderbird just used a username/password as it would absent
said certificate. The message content was plausibly signed with the
certificate. Don't confuse sender certificates in S/MIME with TLS
client certificates in SMTP (STARTTLS). Sure seems like your
"verification" is an S/MIME signature check.

> 2.) Apple Mail
>
> I entered settings and selected my account. I clicked on the
> certificate selector and found my certificate. Under SMTP servers
> I chose "External (TLS-Certificate)". Trying to deliver a test mail
> with this application, I directly get an error that the remote mail
> server would not support TLS certificates.

So Apple Mail actually supports TLS client certs, while T'Bird is
just doing S/MIME.

> So now I wonder what is wrong.

Some confusion about PKI I think.

> Because Thunderbird is working, I guess there is not a configuration
> problem in Postfix, could it?

Likely, T'Bird is not "working", just not using your certificate at
all with SMTP. Otherwise, what Wietse said, perhaps you're not
connecting to the same SMTP service with the two MUAs.

> [ usr_cert ]
> basicConstraints=CA:FALSE
> nsCertType = client, email
> nsComment = "OpenSSL Generated Certificate"
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer

TLS client and S/MIME, though I would use "extendedKeyUsage" rather
than "nsCertType".

> postconf -c /etc/postfix-submission/ -n

A separate submission instance? Another reason to check the
destination IP/port of both MUAs.

> smtpd_tls_ask_ccert = yes

OK, this Postfix instance requests client certs.

> tls_ssl_options = no_ticket, no_compression

I would not disable session tickets, at least not in the Postfix SMTP
server; as of 2.10 (IIRC, and definitely in 2.11) session tickets are
managed correctly.

--
	Viktor.
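Added example, not part of Christian's post or Viktor's reply: the certificate profile Viktor recommends, i.e. a single end-entity certificate that is both a TLS client certificate (the kind Apple Mail presents during STARTTLS) and an S/MIME certificate (the kind Thunderbird signs with), declared through extendedKeyUsage rather than the legacy nsCertType. The script issues a throw-away private CA and client certificate with the openssl CLI, bundles them into the PKCS#12 file an MUA would import, and then checks the purposes the way a relying party does. It assumes the openssl command line tool is installed; the CA name, user name, e-mail address and PKCS#12 password are made-up test values.

```shell
#!/bin/sh
# Added example, not from the original thread. Issues a certificate usable both
# as a TLS client certificate and as an S/MIME certificate, declaring the
# purposes with extendedKeyUsage instead of nsCertType, then checks them.
# All names, the e-mail address and the PKCS#12 password are made-up values.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: mktemp exists)
cd "$WORK"

# OpenSSL config shared by the CA and the end-entity certificate.
# The [req] section only exists so that 'openssl req -config' is happy;
# the real subject is always supplied with -subj below.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# clientAuth -> TLS client certificate (SMTP STARTTLS); emailProtection -> S/MIME.
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# 1. Self-signed private CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout ca.key -out ca.pem -subj '/CN=Example Test CA' \
    -config ext.cnf -extensions ca_ext 2>/dev/null

# 2. End-entity key and CSR; S/MIME clients match on the emailAddress.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout user.key -out user.csr \
    -subj '/CN=Test User/emailAddress=user@example.com' \
    -config ext.cnf 2>/dev/null

# 3. Sign the CSR with the CA, applying the usr_cert extensions.
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -out user.pem -extfile ext.cnf -extensions usr_cert \
    2>/dev/null

# 4. Bundle key, certificate and CA into the PKCS#12 file an MUA imports.
openssl pkcs12 -export -inkey user.key -in user.pem -certfile ca.pem \
    -name 'Test User' -out user.p12 -passout pass:changeit

# has_eku CERT TEXT: succeed when the Extended Key Usage extension of CERT
# lists TEXT, using the names 'openssl x509 -text' prints.
has_eku() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;p;}' |
        grep -q "$2"
}

# verify_purpose CERT PURPOSE: chain-verify CERT against the CA for one of
# OpenSSL's purposes (sslclient, smimesign, sslserver, ...). This is the
# key-usage check a TLS server or S/MIME verifier applies.
verify_purpose() {
    openssl verify -CAfile ca.pem -purpose "$2" "$1" >/dev/null 2>&1
}

echo "wrote $WORK/user.p12; extended key usage:"
openssl x509 -in user.pem -noout -text | sed -n '/Extended Key Usage/{n;p;}'
```

Whether a given MUA then actually presents the certificate is a separate question, which is Viktor's point. The server side can be checked without any MUA: `openssl s_client -connect host:587 -starttls smtp -cert user.pem -key user.key -CAfile ca.pem` shows whether the submission service requests a client certificate at all, and a Postfix smtpd that does so logs the result of the handshake as an "Anonymous", "Untrusted" or "Trusted TLS connection established" line, which is the log detail to post along with the question.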