hey,

I am trying to set up a Postfix 3.5.13 server as a destination for multiple null clients, but am failing to verify the client's self-signed client certificate.

are self-signed certificates prohibited from this kind of verification?

TLS_README doesn't help me with this issue.

greetings...


# postconf -n
compatibility_level = 3.5
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = lmtp:unix:private/dovecot-lmtp
mydestination = domain.tld
mydomain = domain.tld
mynetworks = 127.0.0.1/32 10.0.1.0/24
relay_clientcerts = hash:/etc/postfix/relay_clientcerts_md5
smtpd_client_restrictions = permit_inet_interfaces, permit_tls_clientcerts, reject
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.3
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt

# cat /etc/postfix/relay_clientcerts_md5
01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF postfix-client.domain.tld
FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10 postfix-client.domain.tld

/var/log/mail.log:
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: initializing the server-side TLS engine
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: connect from postfix-client.domain.tld[10.0.1.157]
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: setting up TLS connection from postfix-client.domain.tld[10.0.1.157]
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: postfix-client.domain.tld[10.0.1.157]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:before SSL initialization
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:before SSL initialization
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS read client hello
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS write server hello
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS write change cipher spec
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:TLSv1.3 write encrypted extensions
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS write certificate request
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS write certificate
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:TLSv1.3 write server certificate verify
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS write finished
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:TLSv1.3 early data
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:TLSv1.3 early data
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: postfix-client.domain.tld[10.0.1.157]: depth=0 verify=0 subject=/CN=postfix-client.domain.tld
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: postfix-client.domain.tld[10.0.1.157]: depth=0 verify=1 subject=/CN=postfix-client.domain.tld
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS read client certificate
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS read certificate verify
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS read finished
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: postfix-client.domain.tld[10.0.1.157]: Issuing session ticket, key expiration: 1664898410
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: SSL_accept:SSLv3/TLS write session ticket
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: subject=/CN=postfix-client.domain.tld
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: issuer=/CN=postfix-client.domain.tld
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: postfix-client.domain.tld[10.0.1.157]: subject_CN=postfix-client.domain.tld, issuer=postfix-client.domain.tld, fingerprint=FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10, pkey_fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: certificate verification failed for postfix-client.domain.tld[10.0.1.157]: self-signed certificate
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: Untrusted TLS connection established from postfix-client.domain.tld[10.0.1.157]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: NOQUEUE: abort: TLS from postfix-client.domain.tld[10.0.1.157]: Client certificate not trusted
Oct 4 17:16:51 postfix-server postfix/smtpd[109679]: disconnect from postfix-client.domain.tld[10.0.1.157] ehlo=1 starttls=1 commands=2


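The following is an added example (editor's code, not the poster's configuration and not Postfix source) that models the two separate checks the log above records. It replays the post's own relay_clientcerts entries and the two relevant mail.log lines; the "trusted" flag, the table layout and the output strings are assumptions made for the model. The point it shows: `smtpd_tls_req_ccert = yes` is a gate that runs right after the handshake and, per postconf(5), requires a *trusted* client certificate (one that chains to smtpd_tls_CAfile/smtpd_tls_CApath), whereas the fingerprint lookup behind `permit_tls_clientcerts` only needs a certificate to have been presented. A self-signed certificate is "present" but not "trusted", so the abort fires before the fingerprint table is ever consulted.

```python
"""Added example (not Postfix source): model the two checks Postfix smtpd
applies to a client certificate, run over the log lines from the post.

1. smtpd_tls_req_ccert = yes   -> the session is aborted unless the certificate
   is "trusted", i.e. it chains to a CA in smtpd_tls_CAfile/smtpd_tls_CApath.
2. permit_tls_clientcerts      -> looks up the certificate fingerprint, then the
   public-key fingerprint, in relay_clientcerts. This lookup needs only a
   presented certificate, not a trusted one.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# The post's relay_clientcerts source file, one "FINGERPRINT name" per line
# (layout constructed for this example; comments and blank lines are allowed).
RELAY_CLIENTCERTS = """\
# fingerprint  free-form name
01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF postfix-client.domain.tld
FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10 postfix-client.domain.tld
"""

# Message part of two lines from the post's mail.log (smtpd_tls_loglevel >= 1).
LOG_LINES = [
    "postfix-client.domain.tld[10.0.1.157]: subject_CN=postfix-client.domain.tld, "
    "issuer=postfix-client.domain.tld, "
    "fingerprint=FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10, "
    "pkey_fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF",
    "Untrusted TLS connection established from postfix-client.domain.tld[10.0.1.157]: "
    "TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
]


def postfix_fingerprint(der: bytes, digest: str = "md5") -> str:
    """Digest DER bytes into Postfix's AA:BB:... form. Postfix hashes the whole
    certificate DER for fingerprint= and the SubjectPublicKeyInfo DER for
    pkey_fingerprint=; the digest is smtpd_tls_fingerprint_digest (md5 by
    default up to Postfix 3.5, which is why the post's file is named *_md5)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_relay_clientcerts(text: str) -> dict[str, str]:
    """Parse the relay_clientcerts source file. Keys are upper-cased so the
    lookup below is case-insensitive regardless of how the file was typed."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        table[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return table


@dataclass
class ClientCert:
    fingerprint: str
    pkey_fingerprint: str
    trusted: bool  # True only when the chain verified against smtpd_tls_CA*


_FPRINT_RE = re.compile(
    r"fingerprint=(?P<fp>[0-9A-Fa-f:]+), pkey_fingerprint=(?P<pkfp>[0-9A-Fa-f:]+)")
_ESTABLISHED_RE = re.compile(
    r"\b(Anonymous|Untrusted|Trusted|Verified) TLS connection established\b")


def client_cert_from_log(lines: list[str]) -> ClientCert | None:
    """Reconstruct what smtpd knew about the client certificate from its log:
    the fingerprint line plus the "... TLS connection established" verdict.
    Returns None when no certificate was presented (Anonymous, no fingerprints)."""
    fp = pkfp = None
    trusted = False
    for line in lines:
        m = _FPRINT_RE.search(line)
        if m:
            fp, pkfp = m.group("fp").upper(), m.group("pkfp").upper()
        m = _ESTABLISHED_RE.search(line)
        if m:
            trusted = m.group(1) in ("Trusted", "Verified")
    if fp is None or pkfp is None:
        return None
    return ClientCert(fp, pkfp, trusted)


def smtpd_decision(cert: ClientCert | None, table: dict[str, str],
                   req_ccert: bool) -> str:
    """Apply the two checks in the order smtpd applies them."""
    # Check 1 runs right after the handshake, before any access restriction.
    if req_ccert and (cert is None or not cert.trusted):
        return "NOQUEUE: abort: Client certificate not trusted"
    # Check 2 is permit_tls_clientcerts: certificate fingerprint first, then
    # public-key fingerprint; neither requires the certificate to be trusted.
    if cert is not None:
        for key in (cert.fingerprint, cert.pkey_fingerprint):
            if key in table:
                return f"permit_tls_clientcerts: {key} -> {table[key]}"
    return "no match in relay_clientcerts; later restrictions decide (here: reject)"


if __name__ == "__main__":
    table = parse_relay_clientcerts(RELAY_CLIENTCERTS)
    cert = client_cert_from_log(LOG_LINES)
    print("smtpd_tls_req_ccert = yes:", smtpd_decision(cert, table, req_ccert=True))
    print("smtpd_tls_req_ccert = no: ", smtpd_decision(cert, table, req_ccert=False))
```

Run with the post's data, the first line prints the same abort the mail.log shows, and the second shows the fingerprint match that `permit_tls_clientcerts` would have produced. In Postfix terms the two ways to get past check 1 are to drop `smtpd_tls_req_ccert = yes` in favour of `smtpd_tls_ask_ccert = yes` (the fingerprint lookup then carries the access decision), or to make the self-signed certificate trusted by putting it in `smtpd_tls_CAfile`. To produce table entries, `openssl x509 -noout -fingerprint -md5 -in client.pem` prints the certificate fingerprint in the same colon form; confirm with `postconf smtpd_tls_fingerprint_digest` that the server hashes with the digest the table was built for.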