On Fri, Aug 22, 2014 at 07:16:39PM +0200, Christian Rößner wrote:

> Here is a log with Thunderbird:
>
> Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from
> static-201-106.deltasurf.de[193.239.106.201]:36755
> Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection
> established from static-201-106.deltasurf.de[193.239.106.201]:36755: TLSv1.2
> with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Postfix received a client certificate,

> Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: 3hfps2157xzMl3J:
> client=static-201-106.deltasurf.de[193.239.106.201]:36755, sasl_method=PLAIN,
> sasl_username=de10...@srvint.net

But then client MUA authenticated with SASL PLAIN anyway.

> Now logs from Apple Mail:
>
> Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection
> established from static-201-106.deltasurf.de[193.239.106.201]:40001: TLSv1
> with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

No certificate sent, so Apple Mail is not configured to employ a TLS client
certificate, and may not support that feature.

> Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS connection
> established from static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1
> with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Your server SASL layer did not offer a SASL "EXTERNAL" mechanism, and
probably should not. I don't think Postfix supports this anyway. IIRC
you mentioned configuring Apple Mail for "EXTERNAL" auth. That won't work.

> As you see, Apple Mail does have a different behavior.

Yep, it does not employ client certificates, at least not as configured.
Since the Postfix server requests a client certificate, the issue is
entirely on the client side.

> > Was the certificate actually used to authenticate mail submission?
> > Likely Thunderbird just used a username/password as it would absent
> > said certificate. The message content was plausibly signed with
> > the certificate. Don't confuse sender certificates in S/MIME with
> > TLS client certificates in SMTP (STARTTLS).
>
> It uses the client certificate:

And yet the client also uses SASL auth.

> Received: from MacBook-Pro.local (static-201-106.deltasurf.de
> [193.239.106.201])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
> (Client CN "Christian Roessner", Issuer "RNS-CA" (verified OK))
> (Authenticated sender: de10...@srvint.net)
> by mail.roessner-net.de (Postfix) with ESMTPSA id 3hfps2157xzMl3J
> for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)

Right, both client cert and SASL. Perhaps either is sufficient, if the
fingerprint is present in:

relay_clientcerts = ${mapidx}/relay_clientcerts

> > TLS client and S/MIME, though I would use "extendedKeyUsage" rather
> > than "nsCertType".
>
> Ok, this is something I can try.

https://www.openssl.org/docs/apps/x509v3_config.html#Extended_Key_Usage_

extendedKeyUsage = clientAuth, emailProtection

> It's multi instance, yes. The reason is simple: I deploy mail
> systems that have separated border filter, mxin, mxout, submission
> and my server reflects the setups in multi instances. Patrick Ben
> Koetter helped me to split it into multi instances. And he also
> did a complete review of all my settings so chances are high that
> there might not be too much wrong here ;-)

The server configuration looks fine.

-- 
Viktor.
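Added example, not from the thread or from Postfix itself: a small parser for postfix-submission/smtpd log lines of the kind quoted above that joins each "TLS connection established" line with the later queue-id line from the same smtpd process and reports whether the session authenticated with a verified client certificate, with SASL, with both (the Thunderbird case), or with neither. The sample log is constructed on the model of the quoted lines; the username and the second queue id are placeholders.

```python
import re

# Constructed sample modelled on the thread's smtpd lines; username and second queue id are placeholders.
SAMPLE_LOG = """\
Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from static-201-106.deltasurf.de[193.239.106.201]:36755
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:36755: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: 3hfps2157xzMl3J: client=static-201-106.deltasurf.de[193.239.106.201]:36755, sasl_method=PLAIN, sasl_username=user@example.net
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:40001: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: QUEUEIDPLACEHOLDER: client=static-201-106.deltasurf.de[193.239.106.201]:40001, sasl_method=PLAIN, sasl_username=user@example.net
"""

# smtpd logs "Trusted" when the client certificate chain verified against its CAs, "Untrusted"
# when a certificate was offered but not verified, and "Anonymous" when no certificate was sent.
TLS_RE = re.compile(r"smtpd\[(\d+)\]: (Trusted|Untrusted|Anonymous) TLS connection "
                    r"established from (\S+): (\S+) with cipher (\S+)")
# The queue-id line carries the SASL result; both sasl_ fields are absent without a SASL login.
CLIENT_RE = re.compile(r"smtpd\[(\d+)\]: (\w+): client=([^,\s]+)"
                       r"(?:, sasl_method=([^,\s]+), sasl_username=(\S+))?")

def parse_sessions(log_text):
    """One record per TLS handshake, joined with the later queue-id line logged
    by the same smtpd process id."""
    open_by_pid, sessions = {}, []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, trust, client, proto, cipher = m.groups()
            sess = {"pid": pid, "tls": trust, "client": client, "proto": proto,
                    "cipher": cipher, "queue_id": None, "sasl_method": None,
                    "sasl_username": None}
            open_by_pid[pid] = sess
            sessions.append(sess)
            continue
        m = CLIENT_RE.search(line)
        if m and m.group(1) in open_by_pid:
            pid, qid, _client, method, user = m.groups()
            open_by_pid[pid].update(queue_id=qid, sasl_method=method, sasl_username=user)
    return sessions

def classify(sess):
    """How the session authenticated: verified client cert, SASL, both, or neither."""
    cert = sess["tls"] == "Trusted"
    sasl = sess["sasl_username"] is not None
    return {(True, True): "cert+sasl", (True, False): "cert-only",
            (False, True): "sasl-only", (False, False): "unauthenticated"}[(cert, sasl)]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["pid"], s["tls"], s["proto"], s["queue_id"], classify(s))
```

Run against a real mail log, the "cert+sasl" sessions are the clients that, like Thunderbird here, present a certificate and still log in with a password; "Anonymous" sessions are the ones that never offered a certificate.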