On Thu, Jul 06, 2017 at 08:27:35PM +0200, Paul Menzel wrote:

> $ sudo posttls-finger -t30 -T180 -c -L verbose,summary gwdg.de

There's no need to run posttls-finger as root. And "verbose" is just distracting.

> posttls-finger: setting up TLS connection to
> mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25
> posttls-finger: Untrusted TLS connection established to
> mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This is not surprising, since by default Postfix trusts no CAs; also, recent versions of posttls-finger do "dane" verification by default.

On my system the system certificate bundle is in /etc/ssl/cert.pem, and so the correct test is:

$ posttls-finger -c -l secure -F /etc/ssl/cert.pem gwdg.de .mx.srv.dfn.de
posttls-finger: mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25: Matched subjectAltName: mfilter-123-3-3.mx.srv.dfn.de
posttls-finger: mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25 CommonName mfilter-123-3-3.mx.srv.dfn.de
posttls-finger: mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25: subject_CN=mfilter-123-3-3.mx.srv.dfn.de, issuer_CN=DFN-Verein-GS-CA - G02, fingerprint=6D:C1:73:0B:7F:E4:CD:A5:54:CF:D8:79:7E:17:37:27:81:EF:9A:BE, pkey_fingerprint=E1:7E:4F:88:AD:09:50:54:5C:19:49:47:62:C6:64:33:A0:D7:48:35
posttls-finger: Verified TLS connection established to mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Notes:

1. "-l secure" selects the desired security level.

2. "-F /etc/ssl/cert.pem" selects the correct trusted certificate bundle. This corresponds to smtp_tls_CAfile. You can use "-P /some/path" to select a directory of trusted certs hashed in the usual way with c_rehash. This corresponds to smtp_tls_CApath.

3. The domain's MX hosts have certificates with the MX host DNS names, but do not contain the nexthop domain. Since the MX hosts are typically obtained via insecure DNS lookups, they cannot be trusted. See TLS_README for details. Therefore "secure" verification of this domain requires a non-default name matching strategy.

   In this case ".mx.srv.dfn.de" is a parent domain of all the MX hosts. Thus your TLS policy entry for this domain would be:

   # Perhaps some day the MX host certs will have gwdg.de names, so
   # include nexthop and dot-nexthop in addition to the current MX
   # provider domain.
   #
   gwdg.de secure match=nexthop:dot-nexthop:.mx.srv.dfn.de

Encourage the counter-party to deploy DANE; SMTP TLS security scales much better with DANE (it does not require per-destination manual configuration like the above).

-- 
Viktor.
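The following is an added example, not part of the message above and not Postfix's own code: a small Python model of how a "secure" level policy line such as the one above is parsed and how its "match=" patterns are applied to the names in a server certificate. The special patterns "nexthop", "dot-nexthop" and "hostname" are expanded as TLS_README describes them; the leading-dot rule is modelled as an assumption (a proper sub-domain suffix with a label boundary, so ".mx.srv.dfn.de" matches "mfilter-123-3-3.mx.srv.dfn.de" but not "mx.srv.dfn.de" itself or "evilmx.srv.dfn.de"), and wildcard certificate names are not modelled. The certificate names and MX host are constructed from the posttls-finger output quoted in the message; the function names are the example's own.

```python
# Added example (not Postfix code): model of "secure" level certificate
# name matching against a smtp_tls_policy_maps "match=" list.
from __future__ import annotations

from typing import Optional


def parse_policy_line(line: str) -> tuple[str, str, dict[str, str]]:
    """Parse one data line of the form '<domain> <level> [attr=value ...]'.

    Comment lines ('#') and blank lines are the caller's business; this
    handles a single policy entry only.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"malformed policy line: {line!r}")
    domain, level = fields[0].lower(), fields[1].lower()
    attrs: dict[str, str] = {}
    for item in fields[2:]:
        key, _, value = item.partition("=")
        attrs[key.lower()] = value
    return domain, level, attrs


def expand_match_patterns(match_spec: str, nexthop: str, mx_host: str) -> list[str]:
    """Expand the ':'-separated match list into concrete patterns.

    'nexthop' is the destination domain, 'dot-nexthop' is '.' + that
    domain (any sub-domain of it), 'hostname' is the MX host name (which
    comes from an unauthenticated DNS lookup, hence not trustworthy at the
    "secure" level), and anything else is taken literally.
    """
    patterns: list[str] = []
    for raw in match_spec.split(":"):
        pat = raw.strip().lower()
        if not pat:
            continue
        if pat == "nexthop":
            patterns.append(nexthop.lower())
        elif pat == "dot-nexthop":
            patterns.append("." + nexthop.lower())
        elif pat == "hostname":
            patterns.append(mx_host.lower())
        else:
            patterns.append(pat)
    return patterns


def name_matches(cert_name: str, pattern: str) -> bool:
    """Exact match, or for a leading-dot pattern, any proper sub-domain.

    Assumed rule: the comparison keeps the dot, so the label boundary is
    enforced and the parent domain itself does not match.
    """
    name = cert_name.lower().rstrip(".")
    if pattern.startswith(".") and len(pattern) > 1:
        return len(name) > len(pattern) and name.endswith(pattern)
    return name == pattern


def first_match(cert_names, match_spec, nexthop, mx_host) -> Optional[tuple[str, str]]:
    """Return the (certificate name, pattern) pair that satisfies the policy, or None."""
    patterns = expand_match_patterns(match_spec, nexthop, mx_host)
    for name in cert_names:
        for pat in patterns:
            if name_matches(name, pat):
                return (name, pat)
    return None


# Constructed sample input, taken from the names in the quoted output.
SAMPLE_CERT_NAMES = ["mfilter-123-3-3.mx.srv.dfn.de"]  # SAN and CN
SAMPLE_MX_HOST = "mfilter-123-3-3.mx.srv.dfn.de"
POLICY_LINE = "gwdg.de secure match=nexthop:dot-nexthop:.mx.srv.dfn.de"


def check_policy(policy_line: str = POLICY_LINE,
                 cert_names=SAMPLE_CERT_NAMES,
                 mx_host: str = SAMPLE_MX_HOST) -> Optional[tuple[str, str]]:
    """Apply a policy line to the sample certificate; None means verification fails."""
    domain, level, attrs = parse_policy_line(policy_line)
    # "nexthop, dot-nexthop" is the documented default for the secure level.
    match_spec = attrs.get("match", "nexthop:dot-nexthop")
    return first_match(cert_names, match_spec, domain, mx_host)


if __name__ == "__main__":
    print("policy with provider domain:", check_policy())
    print("default secure matching    :", check_policy("gwdg.de secure"))
```

Running it shows why the default "secure" matching fails for this destination (the certificate carries no gwdg.de name) and why the ".mx.srv.dfn.de" pattern succeeds, which is exactly what the "-l secure ... .mx.srv.dfn.de" posttls-finger invocation above tests against the live server.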