On Wed, Sep 29, 2021 at 11:18:31AM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Thu, Sep 30, 2021 at 12:45:31AM +1000, raf wrote:
> 
> > > postconf: warning: /etc/postfix/master.cf: undefined parameter:
> > >     submission_sender_restrictions
> > > smtp       inet  n       -       n       -       -       smtpd
> > > submission inet  n       -       n       -       -       smtpd
> > >   -o syslog_name=postfix/submission
> > >   -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
> > >   -o smtpd_tls_req_ccert=yes
> > >   -o smtpd_tls_auth_only=no
> > >   -o smtpd_tls_security_level=encrypt
> > >   -o smtpd_tls_cert_file=/etc/postfix/ssl/submission.cert
> > >   -o smtpd_tls_key_file=/etc/postfix/ssl/submission.key
> > 
> > The above two parameters are overriding the corresponding parameters
> > in main.cf for incoming mail on port 587. That's probably not what you
> > are intending. Normally, you would just set these in main.cf so that
> > the same certificate is used on ports 25 and 587. But perhaps you want
> > two different certificates for the same purpose. That's not
> > necessarily a problem (but see below).
> 
> Given the of names, the choice to use separate certificates for
> submission vs. port 25 is rather apparent.
> 
> > > I'm able to create and sign certs with those CA certificates? What
> > > is it exactly that's breaking down here? Any pointers would be
> > > greatly appreciated here.
> > 
> > The main problem is that you are using two different certificates
> > for the same purpose (server), but you seem to have created one for
> > server use and the other one for client use.
> 
> Please don't just make stuff up, this helps no one. The reported
> error logging was:
> 
> Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: \
>     issuer=/C=US/ST=Pennsylvania/L=Philadelphia/O=LHProjects Information \
>     Network/OU=LHProjects Certificate Authority/CN=LHP MX CA \
>     V1/emailAddress=admin...@lhpmail.us
> Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: \
>     unknown[192.168.103.201]: subject_CN=smtp.lhpmail.us, issuer=LHP MX CA V1, \
>     fingerprint=87:0F:12:04:F3:A1:BD:3A:E1:38:33:3E:62:65:8E:B1:A6:4D:A5:60, \
>     pkey_fingerprint=00:AC:ED:99:56:33:22:A0:CA:75:9D:69:4B:C4:E5:2B:45:7C:1E:6D
> Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: certificate \
>     verification failed for unknown[192.168.103.201]: not designated for use as a CA \
>     certificate
> 
> The last of these indicates that "LHP MX CA V1" lacks the proper
> extensions to be an X.509v3 CA for issuing TLS client certificates. The
> underlying error from OpenSSL is "X509_V_ERR_INVALID_PURPOSE".
> 
> The CA's extended key usage almost certainly specifies only "serverAuth"
> and not also "clientAuth", so it is rejected as a client cert issuer.
> 
> > Passing the "openssl verify -purpose sslclient ..."
> > test is only appropriate for the smtp_tls_cert_file
> > parameter (i.e. used by the local postfix smtp client for
> > outgoing mail), which you aren't using anywhere. The
> > certificate in smtpd_tls_cert_file is being used by the
> > local postfix smtp server for incoming mail.
> 
> The client certificates in question are those of various
> MUAs, not the Postfix server in question.
> 
> > Was your intention to use submission.cert as a client
> > certificate when making outgoing connections to the
> > relay_transport (smtp:smtp.lhpmail.us:587)?
> 
> No, it was clearly to support client cert authenticated submission.
> Best to not muddy the waters.
> 
> -- 
> Viktor.

Sorry for my confusion, and thanks for clearing it up.

I hadn't even noticed that there was a third certificate
(smtpd_tls_CAfile=ca_new2.pem) being used as a CA certificate. Maybe the
fingerprint checking blinded me to that.

You said that the following extensions are needed:

  basicConstraints = CA:true
  keyUsage = digitalSignature, keyCertSign, cRLSign
  extendedKeyUsage = serverAuth, clientAuth

Is it the case that serverAuth is only required for CA certificates used
with smtp_tls_CAfile (or lmtp_tls_CAfile), and that clientAuth is only
required for CA certificates used with smtpd_tls_CAfile?

cheers,
raf
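The failure Viktor diagnoses above can be reproduced offline with nothing but the openssl command line. The script below is an added example, not code from this thread or from Postfix: it mints three throwaway CAs that differ only in their extendedKeyUsage line, issues one end-entity certificate from each, and runs `openssl verify -purpose ...` against them. It also goes one step beyond the thread by showing the mirror case, a CA with only clientAuth checked with `-purpose sslserver`, since OpenSSL applies the purpose check to every certificate in the chain, the trust anchor included. It assumes an installed openssl (1.1.1 or 3.x); every name in it (the "Example" CAs, *.example.test) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the
# X509_V_ERR_INVALID_PURPOSE rejection with the openssl command line.
# OpenSSL applies the -purpose check to every certificate in the chain,
# the trust anchor included, so a CA whose extendedKeyUsage names only
# serverAuth cannot issue TLS client certificates (what a Postfix smtpd
# verifying MUA client certs needs), and a clientAuth-only CA is rejected
# the same way when the purpose is sslserver. Every name below ("Example"
# CAs, *.example.test) is constructed for the demonstration.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Generate an RSA key and CSR for $1 with subject $2, then sign the CSR using
# extension file $3; the remaining arguments tell openssl x509 which key signs.
mint_cert() {
    prefix=$1; subject=$2; extfile=$3; shift 3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$prefix.key" 2>/dev/null
    openssl req -new -key "$prefix.key" -subj "$subject" -out "$prefix.csr" 2>/dev/null
    openssl x509 -req -in "$prefix.csr" -days 7 -sha256 -extfile "$extfile" \
        "$@" -out "$prefix.pem" 2>/dev/null
}

# Build a self-signed CA and one end-entity certificate it issues.
#   $1 = case name (used in file names)   $2 = CA EKU   $3 = leaf EKU
make_ca_and_leaf() {
    ca="$WORKDIR/$1-ca"; leaf="$WORKDIR/$1-leaf"
    # The three CA extensions named in the thread, plus an SKI; only the EKU varies.
    cat > "$ca.ext" <<EOF
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
extendedKeyUsage = $2
subjectKeyIdentifier = hash
EOF
    mint_cert "$ca" "/CN=Example $1" "$ca.ext" -signkey "$ca.key" -set_serial 1
    # The leaf: an MUA's client certificate, or a server certificate for the mirror case.
    cat > "$leaf.ext" <<EOF
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $3
subjectKeyIdentifier = hash
EOF
    mint_cert "$leaf" "/CN=$1.example.test" "$leaf.ext" \
        -CA "$ca.pem" -CAkey "$ca.key" -set_serial 2
}

# The check libssl performs when a server verifies a client certificate
# (sslclient) or a client verifies a server certificate (sslserver).
# Returns openssl's exit status: 0 means the chain is accepted.
verify_leaf() {  # $1 = case name, $2 = sslclient | sslserver
    openssl verify -purpose "$2" -CAfile "$WORKDIR/$1-ca.pem" "$WORKDIR/$1-leaf.pem"
}

# Prints "OK" or the X509 verify error string for the first failing depth
# ("unsupported certificate purpose" is X509_V_ERR_INVALID_PURPOSE).
verify_reason() {  # $1 = case name, $2 = purpose
    out=$(verify_leaf "$1" "$2" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

make_ca_and_leaf server-only-ca serverAuth              clientAuth
make_ca_and_leaf dual-ca        "serverAuth,clientAuth" clientAuth
make_ca_and_leaf client-only-ca clientAuth              serverAuth

# The thread's failure (CA lacks clientAuth), the fix (CA carries both), and
# the mirror image for the outbound side (CA lacks serverAuth).
for pair in "server-only-ca sslclient" "dual-ca sslclient" "client-only-ca sslserver"; do
    set -- $pair
    echo "$1 with -purpose $2: $(verify_reason "$1" "$2")"
done
```

The leaf certificates pass on their own in every case; it is the CA at depth 1 that is reported, which is the same shape as the "not designated for use as a CA certificate" line in the log above. Adding clientAuth to the CA's extendedKeyUsage (or omitting the EKU extension from the CA entirely) is what turns the first case into the second.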