First of all thanks for the answers.

>> I hope my question is not off topic. I try to create a self signed
>> certificate, which is signed by my own CA. I have created a pkcs12 file,
>> which includes cert, key, and CA:
>
> Is this an S/MIME email signing/encryption certificate? Or a TLS
> client certificate? What is its purpose?

It is a client certificate and I want to send mail without password usage.

> Do always post relevant details from the Postfix logs when reporting
> Postfix problems.

Here is a log with Thunderbird:

Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from static-201-106.deltasurf.de[193.239.106.201]:36755
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:36755: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: 3hfps2157xzMl3J: client=static-201-106.deltasurf.de[193.239.106.201]:36755, sasl_method=PLAIN, sasl_username=de10000@srvint.net
Aug 22 19:00:54 mx0 postfix-submission/cleanup[29064]: 3hfps2157xzMl3J: message-id=<53f7773e.4040...@roessner-network-solutions.com>

Connection is trusted. Now logs from Apple Mail:

Aug 22 19:14:09 mx0 postfix-submission/smtpd[29522]: connect from static-201-106.deltasurf.de[193.239.106.201]:40001
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29524]: connect from static-201-106.deltasurf.de[193.239.106.201]:46337
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: connect from static-201-106.deltasurf.de[193.239.106.201]:47064
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:40001: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29524]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:46337: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:40001 ehlo=2 starttls=1 auth=1 quit=1
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29524]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:46337 ehlo=2 starttls=1 auth=1 quit=1
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:47064 ehlo=2 starttls=1 auth=1 quit=1
Aug 22 19:14:45 mx0 postfix-submission/smtpd[29522]: connect from static-201-106.deltasurf.de[193.239.106.201]:46282
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:46282: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: lost connection after EHLO from static-201-106.deltasurf.de[193.239.106.201]:46282
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:46282 ehlo=2 starttls=1

As you see, Apple Mail does have a different behavior.

>> 1.) Thunderbird
>>
>> I imported the same p12 file in Thunderbird. Did a test mail and
>> a dialog asked me to use the imported certificate. I chose yes and
>> I could successfully send mail. On my test account I verified the
>> headers and saw that the user was verified.
>
> Was the certificate actually used to authenticate mail submission?
> Likely Thunderbird just used a username/password as it would absent
> said certificate. The message content was plausibly signed with
> the certificate. Don't confuse sender certificates in S/MIME with
> TLS client certificates in SMTP (STARTTLS).

It uses the client certificate. This is the header that comes from the T’bird test:

Received: from mx0.roessner-net.de (mail.roessner-net.de [193.239.107.42])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (Client CN "mail.roessner-net.de", Issuer "Thawte DV SSL CA" (verified OK))
        by mx.deltaweb.de (Postfix) with ESMTPS id 3hfps3005jz1JCX
        for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)
Received: from mail.roessner-net.de (mail.roessner-net.de [193.239.107.42])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (Client CN "mail.roessner-net.de", Issuer "Thawte DV SSL CA" (verified OK))
        by mx0.roessner-net.de (Postfix) with ESMTPS id 3hfps25hBgzGpLH
        for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)
Received: from MacBook-Pro.local (static-201-106.deltasurf.de [193.239.106.201])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Christian Roessner", Issuer "RNS-CA" (verified OK))   <—————————— See, it uses the certificate
        (Authenticated sender: de10...@srvint.net)
        by mail.roessner-net.de (Postfix) with ESMTPSA id 3hfps2157xzMl3J
        for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)

> Sure seems like your "verification" is an S/MIME signature check.
>
>> 2.) Apple Mail
>>
>> I entered settings and selected my account. I clicked on the
>> certificate selector and found my certificate. Under SMTP servers
>> I chose "External (TLS-Certificate)". Trying to deliver a test mail
>> with this application, I directly get an error that the remote mail
>> server would not support TLS certificates.
>
> So Apple Mail actually supports TLS client certs, while T'Bird is
> just doing S/MIME.

T’Bird does S/MIME and client cert.

>> So now I wonder what is wrong.
>
> Some confusion about PKI I think.
>
>> Because Thunderbird is working, I guess there is not a configuration problem
>> in Postfix, could it?
>
> Likely, T'Bird is not "working", just not using your certificate
> at all with SMTP. Otherwise, what Wietse said, perhaps you're
> not connecting to the same SMTP service with the two MUAs.

Both MUAs use mail.roessner-net.de:587 TLS.

>> [ usr_cert ]
>> basicConstraints=CA:FALSE
>> nsCertType = client, email
>> nsComment = "OpenSSL Generated Certificate"
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid,issuer
>
> TLS client and S/MIME, though I would use "extendedKeyUsage" rather
> than "nsCertType".

Ok, this is something I can try.

>> postconf -c /etc/postfix-submission/ -n
>
> A separate submission instance? Another reason to check the
> destination IP/port of both MUAs.

It’s multi instance, yes. The reason is simple: I deploy mail systems that have separated border filter, mxin, mxout, submission and my server reflects the setups in multi instances. Patrick Ben Koetter helped me to split it into multi instances. And he also did a complete review of all my settings so chances are high that there might not be too much wrong here ;-)

>> smtpd_tls_ask_ccert = yes
>
> OK, this Postfix instance requests client certs.
>
>> tls_ssl_options = no_ticket, no_compression
>
> I would not disable session tickets, at least not in the Postfix
> SMTP server, as of 2.10 (IIRC, and definitely in 2.11) session
> tickets are managed correctly.

Thanks a lot for this. I will correct it.

-Christian Rößner

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
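Added example (not code from this thread, from Postfix, or from either MUA): a small Python parser for smtpd log lines of the shape quoted above. It groups lines into sessions and answers the question the thread turns on: did the client offer a certificate at all ("Anonymous" means no), did Postfix validate it ("Trusted"/"Verified" versus "Untrusted"), and was a SASL password still sent on top of a validated certificate (the Thunderbird session above logs both "Trusted TLS" and sasl_method=PLAIN). The sample log is constructed with RFC 5737 documentation addresses and placeholder names; the regexes assume the default Postfix log layout and an smtpd process name ending in "/smtpd".

```python
"""Classify Postfix smtpd submission sessions by TLS client-certificate state."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log modelled on the thread's excerpts (placeholder names and
# RFC 5737 addresses; queue id and message-id are made up).
SAMPLE_LOG = """\
Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from client.example[192.0.2.10]:36755
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection established from client.example[192.0.2.10]:36755: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: ABCDEF012345: client=client.example[192.0.2.10]:36755, sasl_method=PLAIN, sasl_username=user@example.net
Aug 22 19:00:54 mx0 postfix-submission/cleanup[29064]: ABCDEF012345: message-id=<constructed@example.net>
Aug 22 19:00:55 mx0 postfix-submission/smtpd[29056]: disconnect from client.example[192.0.2.10]:36755 ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1
Aug 22 19:14:45 mx0 postfix-submission/smtpd[29522]: connect from client.example[192.0.2.10]:46282
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from client.example[192.0.2.10]:46282: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: lost connection after EHLO from client.example[192.0.2.10]:46282
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: disconnect from client.example[192.0.2.10]:46282 ehlo=2 starttls=1
Aug 22 19:20:01 mx0 postfix-submission/smtpd[29600]: connect from other.example[198.51.100.7]:50010
Aug 22 19:20:02 mx0 postfix-submission/smtpd[29600]: Untrusted TLS connection established from other.example[198.51.100.7]:50010: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 22 19:20:03 mx0 postfix-submission/smtpd[29600]: disconnect from other.example[198.51.100.7]:50010 ehlo=2 starttls=1 quit=1
"""

# Only smtpd lines matter here; cleanup/qmgr lines are skipped by LINE_RE.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \S+/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+)$")
TLS_RE = re.compile(r"^(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
                    r"from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
CLIENT_RE = re.compile(r"^\w+: client=(?P<peer>[^,\s]+)(?P<rest>.*)$")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from (?P<peer>\S+)$")
DISC_RE = re.compile(r"^disconnect from (?P<peer>\S+)(?P<counts>.*)$")


@dataclass
class Session:
    pid: str
    peer: str                                   # host[ip]:port exactly as logged
    tls_level: Optional[str] = None             # Anonymous | Untrusted | Trusted | Verified
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    sasl_method: Optional[str] = None
    sasl_username: Optional[str] = None
    lost_after: Optional[str] = None            # SMTP stage after which the client vanished
    counts: Dict[str, int] = field(default_factory=dict)  # counters from the "disconnect" line

    @property
    def cert_presented(self) -> bool:
        # Anything other than "Anonymous" means the client sent a certificate.
        return self.tls_level in ("Untrusted", "Trusted", "Verified")

    @property
    def cert_validated(self) -> bool:
        # "Trusted"/"Verified": the chain validated against the CAs smtpd trusts.
        return self.tls_level in ("Trusted", "Verified")

    def findings(self) -> List[str]:
        out: List[str] = []
        if self.tls_level is None:
            out.append("no TLS negotiated")
        elif self.tls_level == "Anonymous":
            out.append("no client certificate offered")
        elif self.tls_level == "Untrusted":
            out.append("client certificate offered but not validated")
        if self.cert_validated and self.sasl_method:
            out.append(f"certificate validated, but a SASL {self.sasl_method} password was still used")
        if self.lost_after:
            out.append(f"client dropped the connection after {self.lost_after}")
        if "starttls" in self.counts and "auth" not in self.counts and not self.sasl_method:
            out.append("no AUTH attempted")
        return out


def parse_sessions(log_text: str) -> List[Session]:
    by_key: Dict[Tuple[str, str], Session] = {}
    order: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            s = Session(pid=pid, peer=c.group("peer"))
            by_key[(pid, s.peer)] = s       # pid alone is reused; pid+peer is unique per session
            order.append(s)
            continue
        for rx in (TLS_RE, CLIENT_RE, LOST_RE, DISC_RE):
            mm = rx.match(msg)
            if not mm:
                continue
            s = by_key.get((pid, mm.group("peer")))
            if s is None:
                break                       # session started before the excerpt; ignore
            if rx is TLS_RE:
                s.tls_level, s.protocol, s.cipher = mm.group("level"), mm.group("proto"), mm.group("cipher")
            elif rx is CLIENT_RE:
                meth = re.search(r"sasl_method=([^,\s]+)", mm.group("rest"))
                user = re.search(r"sasl_username=([^,\s]+)", mm.group("rest"))
                s.sasl_method = meth.group(1) if meth else None
                s.sasl_username = user.group(1) if user else None
            elif rx is LOST_RE:
                s.lost_after = mm.group("stage")
            else:
                s.counts = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", mm.group("counts"))}
            break
    return order


def report(log_text: str) -> List[Tuple[str, Optional[str], List[str]]]:
    return [(s.peer, s.tls_level, s.findings()) for s in parse_sessions(log_text)]


if __name__ == "__main__":
    for peer, level, notes in report(SAMPLE_LOG):
        print(f"{peer}: {level or 'plaintext'} -> {'; '.join(notes) or 'ok'}")
```

Run against the real log, the interesting verdicts are the last two: a session that logs "Anonymous TLS" never sent a certificate at all, so whatever the MUA reports about "server support", the server had nothing to validate; and "Trusted TLS" together with sasl_method=PLAIN shows that the certificate was validated but the password was still transmitted, which is exactly the distinction between a cert being present and a cert being what authenticated the submission.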