Victor, thank you for your two helpful replies.
I do intend to read through the approaches you suggested, and most
likely implement them. My high-priority was to get the mail flowing
again, which your first helpful reply let me do. Indeed, I postponed
replying because I wanted to read the items yo
On Sun, Feb 16, 2020 at 01:41:16PM -0500, Viktor Dukhovni wrote:
> ; Suggested more robust TLSA record management approaches can be found
> via:
>
>
> https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
> https://mail.sys4.de/pipermail/dan
> On Feb 16, 2020, at 3:18 PM, Bernardo Reino wrote:
>
> May I ask you where to find/download your hsdig tool?
>
> (a quick search indicates that it's some Haskell tool written by yourself,
> but I can't seem to find it :)
I've not made it available to the public. You can get essentially
simi
On Sun, 16 Feb 2020, Viktor Dukhovni wrote:
As luck would have it, you've come to the right place. Your domain is
DNSSEC-signed, and your MX host has DANE TLSA records:
$ hsdig -t a maple.killian.com
maple.killian.com. IN A 199.165.155.8 ; NoError AD=1
[...]
May I ask you where to fin
n.com. IN TLSA 3 0 1
7a668f4b7f418a618a9e1043b644c282d55e5ead0ff20acaa4db5357a9764a2f ; NoError AD=1
> Comcast claims a TLS certificate verify failure. I have checked the TLS
> connection process with
Comcast (and not only they) support and enforce DANE.
> Diagnostic-Code: smtp; TLS negotiation: certificate ver
debugging advice to figure out what the problem might be.
Comcast claims a TLS certificate verify failure. I have checked the TLS
connection process with
openssl s_client -connect maple.killian.com:25 -starttls smtp
and it looks good. I also checked with https://www.checktls.com and got
all 100
Hi,
I am using a letsencrypt tls cert and whenever I receive email, I get
the following error. Is this a problem with my certificate? Or with
the configuration or something??
postfix/smtpd[526]: warning: TLS library problem:
error:060A209F:digital envelope routines:EVP_MD_size:message digest is
n
Thank you Viktor!
Totally clear to me now.
Greetings
2017-07-26 16:43 GMT+02:00 Viktor Dukhovni :
>
> > On Jul 26, 2017, at 6:01 AM, Z3us Linux wrote:
> >
> > I'm running Postfix with MailScanner as a spamfilter for multiple
> domains/customers.
> > Is it possible to create a TLS configuration
> On Jul 26, 2017, at 6:01 AM, Z3us Linux wrote:
>
> I'm running Postfix with MailScanner as a spamfilter for multiple
> domains/customers.
> Is it possible to create a TLS configuration to force encryption for a set of
> domains with one SSL certificate for the FQDN of the mailserver?
Depl
I'm running Postfix with MailScanner as a spamfilter for multiple
domains/customers.
Is it possible to create a TLS configuration to force encryption for a set
of domains with one SSL certificate for the FQDN of the mailserver?
The MX-records of the hosted domains are pointing to my mailserver an
Osama Al-Hassani:
> > Which Postfix SMTP client implementation matches server certificates
> > against server IP addresses?
>
> We are using 3.2.0 vanilla.
>
> To clarify, this is when using the "match" attribute with "verify" security
> level. I could rephrase the question as to why anything
DNS names are
ignored in the SANs field?
Thanks,
Osama
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Wietse Venema
Sent: 15 June 2017 21:47
To: Postfix users
Subject: Re: Outbound TLS Certificate Verification
Os
; Osama
>
> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: postfix-users@postfix.org
> Subject: Re: Outbound TLS Certificate Verification
>
> On W
...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Viktor Dukhovni
Sent: 15 June 2017 01:33
To: postfix-users@postfix.org
Subject: Re: Outbound TLS Certificate Verification
On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:
> When verifying server certificates on outbo
: Re: Inbound TLS Certificate SAN Verification
On Wed, Jun 14, 2017 at 08:47:31PM +, Osama Al-Hassani wrote:
> When verifying client certificates we are only able to receive CN
> data, and cannot get a hold of the SANs. The request data sent to the
> policy server does not contai
On Wed, Jun 14, 2017 at 08:47:31PM +, Osama Al-Hassani wrote:
> When verifying client certificates we are only able to receive CN data,
> and cannot get a hold of the SANs. The request data sent to the policy
> server does not contain any SAN attributes.
That's correct. The subject alternat
On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:
> When verifying server certificates on outbound connections, it seems we
> are unable to verify the IP addresses part of the SANs field. We are able to
> verify IPs in CNs.
Email is sent to addresses of the form ,
where the "domain-p
Hi all,
When verifying server certificates on outbound connections, it seems we are
unable to verify the IP addresses part of the SANs field. We are able to verify
IPs in CNs.
What is the reasoning behind this behaviour?
Thank you,
Osama
Osama Al-Hassani
Software Engineer
[Telephone] +44 118
Hi all,
I have an enquiry regarding SAN verification when enforcing TLS on inbound
connections.
When verifying client certificates we are only able to receive CN data, and
cannot get a hold of the SANs. The request data sent to the policy sever does
not contain any SAN attributes.
Is there a
> On May 31, 2016, at 10:16 AM, Viktor Dukhovni
> wrote:
>
>main.cf:
> smtpd_client_restrictions =
> cidr = cidr:${config_directory}/
> check_client_access ${cidr}clnt-access
Oops, bad syntax, that should be:
main.cf:
cidr = cidr:${config_directory}/
> On May 31, 2016, at 10:01 AM, Rob Maidment wrote:
>
> I have clients where I'd like to replace Sendmail with Postfix however
> they have incoming mail requirements that prevent this, as far as I
> can tell. These are not so much to do with certificate validation but
> more fundamentally wheth
Thank you Wietse and Viktor for your in-depth responses.
It seems to me that the Postfix SMTP client has all the TLS options of
Sendmail and then some, however the Postfix SMTP server does not offer
the same level of granularity as Sendmail when it comes to applying
TLS to incoming connections.
I
On Thu, May 26, 2016 at 05:44:28PM +0100, Rob Maidment wrote:
> VERIFY verification must have succeeded
Note, this does not check the peer name, it only checks the validity
of the chain.
> VERIFY:bits verification must have succeeded and ${cipher_bits} must
> be greater than or equal bits.
> ENC
Rob Maidment:
> Looking at the Postfix configuration pages I can see how the
> smtp_tls_policy_maps option can be used to enable verification of
> remote server certificates When Postfix is the client but there
> doesn't seem to be the same level of control over what verification
> takes place exac
Hello
Sendmail has a number of TLS certificate validation options described
here: http://www.sendmail.co.uk/sm/open_source/docs/m4/starttls.html#allow_con
VERIFY verification must have succeeded
VERIFY:bits verification must have succeeded and ${cipher_bits} must
be greater than or equal bits
On Thu, Oct 24, 2013 at 07:59:46AM +0200, Tobias Reckhard wrote:
> > Support for public key fingerprints was added in Postfix 2.9, ...
>
> This is stated at the beginning of the section dealing with
> fingerprints. Further down, where the actual openssl commands are noted,
> there is no such not
Viktor Dukhovni wrote the following on 23.10.2013 16:23:
> If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key
> fingerprints, or upgrade to 2.9.6 or later.
That wasn't the problem, the documentation is quite clear in this
regard. I mistakenly used the public key instructions for a pre-2
On Wed, Oct 23, 2013 at 09:39:36AM +0200, Tobias Reckhard wrote:
> > with instructions on how to extract public key digests from X.509
> > certs also at:
> >
> > http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest
>
> Those instructions had me confused a bit, I think I now see
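The DANE thread higher up on this page and the fingerprint thread here come down to the same computation: the TLSA record shown for maple.killian.com is "3 0 1" followed by a SHA-256 digest of the certificate, and the smtp_tls_fingerprint_digest instructions Viktor points to produce the same kind of digest over either the whole certificate or just its public key. The shell functions below are an added example, not code from the thread or from Postfix. They need the openssl command-line tool; the file names and the host in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: the SHA-256 digests
# that Postfix "fingerprint" policies and DANE TLSA records are built from.
# Needs the openssl CLI. File names and hosts below are hypothetical.

# SHA-256 over the DER certificate: TLSA selector 0, and what a
# certificate fingerprint under "smtp_tls_fingerprint_digest = sha256" is.
cert_sha256_hex() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# SHA-256 over the DER SubjectPublicKeyInfo: TLSA selector 1, and the
# public-key fingerprint form the thread says needs Postfix 2.9.6 or later.
spki_sha256_hex() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{ print $NF }'
}

# Postfix policy tables spell a digest as colon-separated hex pairs, the
# way "openssl x509 -fingerprint" prints it (AB:CD:...).
to_postfix_fp() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# TLSA RDATA for usage 3 (DANE-EE), matching type 1 (SHA-256).
# Selector 0 hashes the whole certificate, selector 1 only the key, so a
# "3 1 1" record keeps matching across renewals that reuse the key.
tlsa_rdata() {
    case "$2" in
        0) printf '3 0 1 %s\n' "$(cert_sha256_hex "$1")" ;;
        1) printf '3 1 1 %s\n' "$(spki_sha256_hex "$1")" ;;
        *) echo "selector must be 0 or 1" >&2; return 1 ;;
    esac
}

# Fetch the certificate an MX presents over STARTTLS, the same way the
# thread's "openssl s_client -starttls smtp" check does, as PEM.
# Usage: fetch_mx_cert mx.example.test 25 > mx.pem
fetch_mx_cert() {
    openssl s_client -starttls smtp -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509
}

# Compare a saved certificate against the digest field of a published
# record. Usage: tlsa_matches mx.pem 1 <64-hex-digest>   (exit 0 on match)
tlsa_matches() {
    case "$2" in
        0) [ "$(cert_sha256_hex "$1")" = "$3" ] ;;
        1) [ "$(spki_sha256_hex "$1")" = "$3" ] ;;
        *) return 1 ;;
    esac
}
```

The reason selector 1 is the one usually recommended for DANE is visible in the last two functions: a certificate renewal that keeps the key pair changes the selector 0 digest but not the selector 1 digest, so a "3 1 1" record only has to be updated when the key itself is rolled. The same distinction is why a leaf-certificate fingerprint in a Postfix policy table, as Viktor notes above, stops matching the moment the remote site deploys a new certificate.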
On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote:
> > Fingerprinting the leaf certificate will work until the next time
> > they deploy a new leaf certificate without notifying you in advance.
> > This is because fingerprint security does not rely on a valid chain
> > of signatures fr
Viktor Dukhovni:
> On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
>
> > Maybe fingerprinting would work, though. I'll give it a shot on a test
> > system. Thanks for the suggestion.
>
> Fingerprinting the leaf certificate will work until the next time
> they deploy a new leaf ce
On Tue, Oct 22, 2013 at 11:01:22AM +0200, Tobias Reckhard wrote:
> > The most recent patch levels
> > of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for
> > SSL/TLS.
>
> postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've
> suggested upgrading to that, since it
On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
> Maybe fingerprinting would work, though. I'll give it a shot on a test
> system. Thanks for the suggestion.
Fingerprinting the leaf certificate will work until the next time
they deploy a new leaf certificate without notifying you
Viktor Dukhovni wrote the following on 21.10.2013 17:21:
> On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
>> Looks as if they use a private root CA. Probably the easiest fix is
>> to use "fingerprint" verification. See:
>> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
>
Viktor Dukhovni wrote the following on 21.10.2013 17:30:
> This organization uses SHA256 signatures for their certificates, even
> though these are not widely supported.
Ah, OK, thanks for the explanation.
> The most recent patch levels
> of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256
On Mon, Oct 21, 2013 at 03:30:46PM +, Viktor Dukhovni wrote:
> On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
>
> > Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
> > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> > num=7:certificate signature failure
>
On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
> > Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
> > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> > num=7:certificate signature failure
>
> Looks as if they use a private root CA. Probably the easiest fix is
> to
On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
> Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
> verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> num=7:certificate signature failure
This organization uses SHA256 signatures for their certificates, even
though t
On 10/21/2013 7:55 AM, Tobias Reckhard wrote:
> Hello
>
> In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
> to a couple of domains, I'm running into the following oddity when
> sending e-mail to the UniCredit servers:
>
> Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
Hello
In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
to a couple of domains, I'm running into the following oddity when
sending e-mail to the UniCredit servers:
Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
verification failed for mx10.unicredit.eu[62.122.80.93]:25:
On Tue, Dec 20, 2011 at 10:24:04AM +0100, lst_ho...@kwsoft.de wrote:
> As far as I understand you have to list the complete chain but only
> your sub-CA to get it working.
This is not the case:
http://www.postfix.org/TLS_README.html#server_access
Allow the remote SMTP client request
On 20.12.2011 14:30, lst_ho...@kwsoft.de wrote:
Hi,
Any idea how to allow all certificates issued by specific Sub-CAs,
without trusting everyone?
>>>
>>> As far as i understand you have to list the complete chain but only your
>>> sub-CA to get it working. So create a smtpd_tls_CAfile
Bernhard Schmidt wrote:
On 20.12.2011 10:24, lst_ho...@kwsoft.de wrote:
Hello,
Any idea how to allow all certificates issued by specific Sub-CAs,
without trusting everyone?
As far as i understand you have to list the complete chain but only your
sub-CA to get it working. So create a
On 20.12.2011 10:24, lst_ho...@kwsoft.de wrote:
Hello,
>> Any idea how to allow all certificates issued by specific Sub-CAs,
>> without trusting everyone?
>
> As far as i understand you have to list the complete chain but only your
> sub-CA to get it working. So create a smtpd_tls_CAfile with
Bernhard Schmidt wrote:
Hi,
I'm having an issue I can't quite understand at the moment.
We are part of a larger PKI infrastructure run by the german NREN,
which is in the end rooted at the Deutsche Telekom.
- Deutsche Telekom Root CA 2
- DFN-Verein PCA Global - G01
- LRZ-CA - G0
Hi,
I'm having an issue I can't quite understand at the moment.
We are part of a larger PKI infrastructure run by the german NREN, which
is in the end rooted at the Deutsche Telekom.
- Deutsche Telekom Root CA 2
- DFN-Verein PCA Global - G01
- LRZ-CA - G01 <-- this is ours
- som
On 11-Jan-2010, at 09:27, Dennis Putnam wrote:
> I am quite familiar with the arguments but again it is not my choice. If you
> want, I can give you the number of our corporate lawyers and you can try to
> convince them. Perhaps you will have better luck than me. :-)
I will be happy to email th
On Mon, Jan 11, 2010 at 11:36:42AM -0600, Noel Jones wrote:
> According to the example in
> http://www.postfix.org/TLS_README.html#client_tls_policy
> the policy table should contain
>
> somedomain.tld encrypt
>
> To include subdomains of somedomain.tld also include
>
> .somedomain.tld
On 1/11/2010 11:16 AM, Dennis Putnam wrote:
Hi Noel,
Thanks. I think you pointed me in the right direction. Am I correct that
the per_site table is different under 2.5.5 than pre 2.3? I had trouble
getting that to work on the old server so I didn't change it for the
migration. What I have is:
.
Hi Noel,
Thanks. I think you pointed me in the right direction. Am I correct that the
per_site table is different under 2.5.5 than pre 2.3? I had trouble getting
that to work on the old server so I didn't change it for the migration. What I
have is:
.somedomain.com MUST
I think it now can be
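As an added illustration of the lookup Noel and Viktor describe above (not code from the thread or from Postfix): an entry for somedomain.tld matches only that exact domain, and subdomains need a separate entry with a leading dot. The table contents, the continued walk up through further parent domains and the "may" default are my assumptions for this example; the keyword mapping at the bottom is the one TLS_README gives for converting pre-2.3 smtp_tls_per_site entries (MUST becomes verify, MUST_NOPEERMATCH becomes encrypt).

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: emulate the exact-match
# then leading-dot parent-domain lookup of smtp_tls_policy_maps on a small
# constructed table, and map old per_site keywords to policy levels.

# Constructed policy table, "key<whitespace>level [attributes]" per line.
# Note that only ".somedomain.tld" covers hosts under somedomain.tld.
POLICY_TABLE='somedomain.tld      encrypt
.somedomain.tld     encrypt
onlyexact.tld       verify
partner.example     secure match=mx.partner.example'

# Exact key lookup: prints the policy (level plus attributes) or nothing.
policy_lookup() {
    printf '%s\n' "$POLICY_TABLE" \
        | awk -v k="$1" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# $1 = next-hop domain, $2 = fallback level (smtp_tls_security_level),
# defaulting to "may" here (assumption for this example).
tls_policy() {
    d=$1
    p=$(policy_lookup "$d")
    if [ -n "$p" ]; then printf '%s\n' "$p"; return 0; fi
    # No exact entry: try ".parent" for each parent domain in turn.
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        p=$(policy_lookup ".$d")
        if [ -n "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    printf '%s\n' "${2:-may}"
}

# Pre-2.3 smtp_tls_per_site keyword -> smtp_tls_policy_maps level.
# "MUST" demanded a verified server certificate, which is why a carried-over
# ".somedomain.com MUST" line ends in "Server certificate not trusted".
per_site_to_level() {
    case "$1" in
        NONE)             echo none ;;
        MAY)              echo may ;;
        MUST_NOPEERMATCH) echo encrypt ;;
        MUST)             echo verify ;;
        *) echo "unknown per_site keyword: $1" >&2; return 1 ;;
    esac
}
```

Run `tls_policy mail.somedomain.tld` and `tls_policy mx.onlyexact.tld` against the table to see the difference: the first falls through to the ".somedomain.tld" entry, the second matches nothing and gets the fallback level, even though onlyexact.tld itself is listed. The keyword mapping is the part that matters for the migration question in this thread: to force TLS without caring which certificate the receiver presents, the modern equivalent of MUST_NOPEERMATCH is "encrypt", not "verify".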
On 1/11/2010 10:38 AM, Dennis Putnam wrote:
Upon further investigation, apparently mail is not moving. There seems
to be 2 domains associated with this site but I was only asked to
enforce TLS on one of them. That is why it appeared to be working.
Getting back to Chris' comments, I think setting
On Mon, Jan 11, 2010 at 11:53:35AM -0500, Noah Sheppard wrote:
[attribution to Chris is missing]
> > >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> > >>> I want to enforce TLS but I don't care what certificate the
> > >>> receiver uses. Thanks.
> > >> Apart from the fact that enforci
> >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> >>> I want to enforce TLS but I don't care what certificate the receiver
> >>> uses. Thanks.
> >> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> >> [..]
Why is TLS w/ SMTP a bad idea?
--
Noah Sheppard
Assis
Upon further investigation, apparently mail is not moving. There seems to be 2
domains associated with this site but I was only asked to enforce TLS on one of
them. That is why it appeared to be working. Getting back to Chris' comments, I
think setting the security level to 'encrypt' forces ever
Hi Chris,
Thanks for the reply. Please see embedded comments.
On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:
> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
>> I want to enforce TLS but I don't care what certificate the receiver
>> uses. Thanks.
> Apart from the fact tha
On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> I want to enforce TLS but I don't care what certificate the receiver
> uses. Thanks.
Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
setting the
smtp_tls_security_level = encrypt
should usually do what you mean, enfor
I'm just getting started with version 2.5.5 and TLS is different than my
previous version. I have everything working except some email will not go
out because of the error "delivery temporarily suspended: Server certificate
not trusted." What parameter do I have wrong that requires trusted
On Fri, 6 Feb 2009 12:15:26 -0500, Victor Duchovni
wrote:
> On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:
>
>> > Who can't use the certificate?
>>
>> I, when I try with Thunderbird from another location.
>
> Well, it is Thunderbird that needs to extend its list of trusted
> CAs not Po
Victor Duchovni wrote:
On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:
Who can't use the certificate?
I, when I try with Thunderbird from another location.
Well, it is Thunderbird that needs to extend its list of trusted
CAs not Postfix. No amount of tweaking the Pos
='-DHAS_PCRE -DUSE_TLS -I/opt/openssl/include
-I/usr/local/include' OPT='-O' DEBUG='' 'AUXLIBS=-L/usr/local/lib -lpcre
-L/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib'
Setup:
1. Smarthost with TLS Certificate User auth (for relaying) ("wurzel")
On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:
> > Who can't use the certificate?
>
> I, when I try with Thunderbird from another location.
Well, it is Thunderbird that needs to extend its list of trusted
CAs not Postfix. No amount of tweaking the Postfix server will
make Thunderbird tru
Forgot to CC it.
Original Message
Subject: Re: TLS certificate
Date: Fri, 06 Feb 2009 19:11:43 +0200
From: Tolga
To: Patrick Ben Koetter
On Fri, 6 Feb 2009 15:58:29 +0100, Patrick Ben Koetter
wrote:
> * Tolga :
>>> Here's your error: "unab
On Fri, Feb 06, 2009 at 11:28:17AM +0100, Patrick Ben Koetter wrote:
> Here's your error: "unable to verify the first certificate". Did you add your
> CA certificate to your CA certificate store ca-bundles.crt (in your case)?
In what sense is that an "error"? He's got a private-label CA cert, why
* Tolga :
>> Here's your error: "unable to verify the first certificate". Did you add your
>> CA certificate to your CA certificate store ca-bundles.crt (in your case)?
>>
>> p...@rick
>>
> I just did that, restarted postfix, and when I did an openssl s_client
> -starttls smtp -CAfile /etc/ssl
Patrick Ben Koetter wrote:
* Tolga :
Please show evidence of such a session.
to...@ozses:~$ openssl s_client -starttls smtp -CApath /etc/ssl/private
-connect localhost:25
CONNECTED(0003)
depth=0
/C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddre
* Tolga :
> > Please show evidence of such a session.
>
> to...@ozses:~$ openssl s_client -starttls smtp -CApath /etc/ssl/private
> -connect localhost:25
> CONNECTED(0003)
> depth=0
> /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
> verify
On Thu, Feb 05, 2009 at 07:43:38PM +0100, Patrick Ben Koetter wrote:
> * Tolga :
> > On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > > * Tolga :
> > > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > > openssl
> > > > req -new -nodes -keyout priv
On Thu, Feb 05, 2009 at 07:43:38PM +0100, Patrick Ben Koetter wrote:
> * Tolga :
> > On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > > * Tolga :
> > > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > > openssl
> > > > req -new -nodes -keyout priv
* Tolga :
> On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > * Tolga :
> > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > openssl
> > > req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
> > > openssl ca -policy policy_any
On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> * Tolga :
> > I am reading The Book of Postfix, I applied the steps CA.pl -newca, openssl
> > req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
> > openssl ca -policy policy_anything -out publiccert.pem -
* Tolga :
> I am reading The Book of Postfix, I applied the steps CA.pl -newca, openssl
> req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
> openssl ca -policy policy_anything -out publiccert.pem -infiles
> privatekey.pem , copied the key and cert under /etc/ssl/private and
Hello,
I am reading The Book of Postfix, I applied the steps CA.pl -newca, openssl req
-new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
openssl ca -policy policy_anything -out publiccert.pem -infiles privatekey.pem
, copied the key and cert under /etc/ssl/private and /etc/s