Hi List!

For a particular connection, I always received the error message "Server certificate not verified". Client was Postfix, server was Postfix, both as distributed by Debian stretch, version 3.1.12-0+deb9u1. I was using the following settings on the smtp-postfix:

    relayhost=[localhost]:24
    smtp_tls_security_level=fingerprint
    smtp_tls_fingerprint_digest=sha1
    smtp_tls_fingerprint_cert_match=<value exactly matching the "pkey" remote fingerprint shown with smtp_tls_loglevel=2>
I couldn't quite figure out what might be the cause from reading the documentation nor from searching "the web". Investigating the source code, I now think I have found the cause: file src/smtp/smtp_proto.c near line 1130 is using TLS_MUST_MATCH (defined in tls/tls.h near line 54), which is just a "level > TLS_LEV_ENCRYPT". This causes the "fingerprint" security level to verify the peername in addition to the cert or pkey fingerprint. In my setup, the certificate used by the smtpd-postfix did not include "localhost" as subjAltName (nor as commonName), and therefore the smtp-postfix did report the error "Server certificate not verified".

In particular, the formulation in the documentation, similar to the one in file man/man5/postconf.5 near line 8136, "the server certificate is verified by directly matching its certificate fingerprint", was interpreted by me to mean that the peername was _not_ checked. This made sense from a security perspective, because after all, as soon as the fingerprint is verified against a trusted store, all other checks do not add security.

Having told the whole story above, I would now ask this list if:

a) someone can adjust the source code so that security_level=fingerprint does only check the fingerprint and not the peername? -- I think that's the better solution. (However, I do not think I am proficient enough to do this.)

b) or, I should send in a PATCH for the documentation, editing file proto/postconf.5 accordingly, in order to help others scratching their heads over the same questions?

With kind regards,
Max
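Added example, not part of the original post nor Postfix's own code: how the two values smtp_tls_fingerprint_cert_match can be derived from a server certificate, the certificate fingerprint being a digest over the whole DER certificate and the "pkey" fingerprint a digest over only its SubjectPublicKeyInfo, which is why the latter stays stable when the certificate is re-issued with the same key. The certificate bytes below are a constructed, unsigned toy structure (not a real certificate), and the colon-separated hex output follows the form openssl prints for fingerprints.

```python
import hashlib

def der_read(buf, off=0):
    """Parse the DER TLV at `off`; return (tag, content, raw_tlv, next_offset)."""
    start, tag, length, off = off, buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], buf[start:off + length], off + length

def der_children(content):
    """Split a constructed element's content into child (tag, content, raw) tuples."""
    out, off = [], 0
    while off < len(content):
        tag, val, raw, off = der_read(content, off)
        out.append((tag, val, raw))
    return out

def subject_public_key_info(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, cert, _, _ = der_read(cert_der)     # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _, _ = der_read(cert)          # TBSCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:               # drop the optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]

def fingerprint(data, digest="sha1"):
    """Colon-separated upper-case hex digest, as openssl prints fingerprints."""
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, data).digest())

def cert_fingerprint(cert_der, digest="sha1"):      # digest over the whole certificate
    return fingerprint(cert_der, digest)

def pkey_fingerprint(cert_der, digest="sha1"):      # digest over the public key only
    return fingerprint(subject_public_key_info(cert_der), digest)

# Constructed sample: a structurally valid, unsigned toy certificate (not a real one).
def tlv(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
SAMPLE_SPKI = tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + bytes(range(1, 33))))
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SIG_ALG
             + tlv(0x30, b"") + tlv(0x30, tlv(0x17, b"200101000000Z") * 2)
             + tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + SIG_ALG + tlv(0x03, b"\x00" + bytes(16)))
```

Feeding a real DER certificate (e.g. the bytes behind a PEM file) to cert_fingerprint and pkey_fingerprint yields the two candidate values; the sha1 default mirrors the smtp_tls_fingerprint_digest setting quoted above.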