Hi there! I've spent several hours trying to get it right, but seems I'm not getting much to anywhere, so I finally wanted to check whether I was doing something wrong or what.
Given the circumstances, I wanted to validate a remote TLS-enabled smtpd certificate before sending any email at all. I know this is not optimal for not-breaking-the-whole-world, but for this particular installation I'm trying to avoid MITM/impersonation/etc without the use of SASL or any kind of user/password mechanism. I've deployed both servers and clients with certificates that are verified correctly using the proper CA keyring and enforced both smtp_tls_security_level and smtpd_tls_security_level to encrypt, enabled smtpd_tls_auth_only smtpd_tls_ask_ccert, between others. Behavior remains the same for both client and remote server: the client mentions a Trusted TLS connection and the remote server keeps saying Anonymous TLS connection all the time. I went further more and manipulated clients TLS certificate so the private key mismatches the public certificate. Nothing is noticed at all, which is the thing that worries me the most. This is server installation TLS debug: Jan 20 10:03:33 server postfix/smtpd[25860]: connect from client[client_ip] Jan 20 10:03:33 server postfix/smtpd[25860]: setting up TLS connection from client[client_ip] Jan 20 10:03:33 server postfix/smtpd[25860]: client[client_ip]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL" Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:before/accept initialization Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: client[client_ip]: Issuing session ticket, key expiration: DATE Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: SSL_accept:unknown state Jan 20 10:03:33 server postfix/smtpd[25860]: Anonymous TLS connection established from client[client_ip]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) As for the client, this is it: Jan 20 10:06:50 client postfix/smtp[24904]: initializing the client-side TLS engine Jan 20 10:06:50 client postfix/smtp[24904]: setting up TLS connection to server[ip] Jan 20 10:06:50 client postfix/smtp[24904]: server[ip]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL" Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:before/connect initialization Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:SSLv2/v3 write client hello A Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: server[ip]: depth=1 verify=1 subject=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org Jan 20 10:06:50 client postfix/smtp[24904]: server[ip]: depth=0 verify=1 subject=/CN=serverfqdn Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:50 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:51 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:51 client postfix/smtp[24904]: SSL_connect:unknown state Jan 20 10:06:51 client postfix/smtp[24904]: server[ip]: subject_CN=serverfqdn, issuer_CN=CA Cert Signing Authority, fingerprint=FINGERPRINT, pkey_fingerprint=FINGERPRINT2 Jan 20 10:06:51 client postfix/smtp[24904]: Trusted TLS connection established to server[ip]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) This appears to be just one piece of the cake thou, because, as I mention, Anonymous connections are still allowed (even with forged client keys). Is there any possible scenario in which postfix can validate a remote smtpd installation making use of a TLS deploy? Thanks in advance! Cheers, Dererk -- BOFH excuse #449: greenpeace free'd the mallocs
