Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Atze Zitman
Hello everyone, I hope I have the correct mailing list for my question. Initially I asked this question at: http://stackoverflow.com/questions/24999580/can-postfix-verify-client-certificate-fingerprint-when-supporting-starttls According to the Postfix TLS Readme there are 3 ways to configure th

Re: Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Wietse Venema
Atze Zitman: > Hello everyone, > > I hope I have the correct mailing list for my question. Initially I asked > this question at: > http://stackoverflow.com/questions/24999580/can-postfix-verify-client-certificate-fingerprint-when-supporting-starttls > > According to the Postfix TLS Readme there

Re: About the postfix binding problem with SAP, urgent

2014-07-29 Thread Wietse Venema
lizhenquan: > Hello, my company uses the SAP server to send e-mail to each user, but SAP itself > has no email function. SAP has an SMTP service, which can be bound to Postfix > to realize the SAP email function. Can you explain this using the terminology of RFC 5321, the definition of the SMTP

RE: Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Atze Zitman
Thank you Wietse for your reply. The only real problem is clear communication to the client. I will always validate the sender address. When the client is authenticated, it is validated differently than when the client is not authenticated (using policyd). For example: * Unauthenticated user mu

Re: Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Wietse Venema
Why don't you use client (certificate or public-key) fingerprints? Wietse

Re: About the postfix binding problem with SAP, urgent

2014-07-29 Thread Wietse Venema
Wietse Venema: > lizhenquan: > > Hello, my company uses the SAP server to send e-mail to each user, but SAP itself > > has no email function. SAP has an SMTP service, which can be bound to Postfix > > to realize the SAP email function. > > Can you explain this using the terminology of RFC 5321,

Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Patrick Ben Koetter
IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs, because there are enough MTAs out there unable to handle client certificate requests from a server they connect to. If that is true, would it be possible to make smtpd_tls_ask_ccert client dependent, e.g. request a ccert wh

Re: Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 11:42:01AM +0200, Atze Zitman wrote: > According to the Postfix TLS Readme there are 3 ways to configure the > server-side to support access control: > > * permit_tls_clientcerts > * permit_tls_all_clientcerts > * check_ccert_access type:table > > But these three options

SOLVED: Re: warning: dane configured, but no requisite library support

2014-07-29 Thread Patrick Ben Koetter
* Patrick Ben Koetter : > * Viktor Dukhovni : > > On Mon, Jul 28, 2014 at 10:44:04AM +0200, Patrick Ben Koetter wrote: > > > Greetings, > > > > > > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system: > > > > > > warning: sys4.de: dane configured, but no requisite library s

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 02:54:29PM +0200, Patrick Ben Koetter wrote: > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs, > because there are enough MTAs out there unable to handle client certificate > requests from a server they connect to. > > If that is true, would it

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Patrick Ben Koetter
* Viktor Dukhovni : > On Tue, Jul 29, 2014 at 02:54:29PM +0200, Patrick Ben Koetter wrote: > > > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs, > > because there are enough MTAs out there unable to handle client certificate > > requests from a server they connect to. >

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Wietse Venema
Patrick Ben Koetter: > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs, > because there are enough MTAs out there unable to handle client certificate > requests from a server they connect to. Is this still true? Assuming that you are referring to MTA-MTA communication, n

Limiting From: header.

2014-07-29 Thread Lasse Poulsen
Hi there. I'm trying to figure out if Postfix has a feature that allows me to limit the From: header, or if I should use an external filter. In our setup we have an alias map that I would like to use as a filter for which addresses are allowed in the From: header, but I seem to only be able to find informa

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Wietse Venema
Patrick Ben Koetter: > > > mail.example.com ask_ccert > > > .example.net ask_ccert > > > > Alternatively, allow a richer input to smtpd_tls_ask_ccert besides > > yes and no. For example, a (match)list. > > Yes. Finer control e.g. access(5) actions would be my ultimate wish. ac

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Patrick Ben Koetter
* Wietse Venema : > Patrick Ben Koetter: > > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs, > > because there are enough MTAs out there unable to handle client certificate > > requests from a server they connect to. > > Is this still true? Assuming that you are referri

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 09:13:19AM -0400, Wietse Venema wrote: > > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs, > > because there are enough MTAs out there unable to handle client certificate > > requests from a server they connect to. > > Is this still true? Assumi

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 01:42:18PM +, Viktor Dukhovni wrote: > There were IIRC (also?) some issues with qmail, which is not updated > terribly frequently. TLS_README says: > > Note, that unless client certificates are used to allow greater access to > TLS authenticated clients, it is

EFF STARTTLS Everywhere project

2014-07-29 Thread Per Thorsheim
I don't know if this list is aware of this project? https://github.com/EFForg/starttls-everywhere An intermediate effort before DNSSEC and DANE (hopefully) gets seriously deployed around the world and various TLDs. EFF will talk about this at PasswordsCon next week in Las Vegas, and I'll make refe

Re: Limiting From: header.

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 03:21:17PM +0200, Lasse Poulsen wrote: > I'm trying to figure out if Postfix have a feature that allows me to > limit the From: header, or if I should use an external filter. There is no support for access checks on header addresses. Also a bit of a chicken-egg problem, s

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Wietse Venema
Viktor Dukhovni: > > > If that is true, would it be possible to make smtpd_tls_ask_ccert client > > > dependent e.g. request a ccert when the client sends e.g. a specific HELO > > > hostname? > > > > > > mail.example.com ask_ccert > > > .example.net ask_ccert > > > > Alternative

RE: Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Atze Zitman
Hi Viktor, Thank you for your reply. It is true that I have "smtpd_delay_reject = no". I have done this, so the sender restrictions would not be evaluated for each recipient address, but for the sender address only (tested long time ago, hope I'm not wrong). When the policyd rejects a sender a

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote: > I don't know if this list is aware of this project? > > https://github.com/EFForg/starttls-everywhere The EFF folks behind this effort have reached out to me and we've discussed some of the issues. I am somewhat ambivalent about th

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Per Thorsheim
Den 29.07.2014 16:14, skrev Viktor Dukhovni: > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote: > >> I don't know if this list is aware of this project? >> >> https://github.com/EFForg/starttls-everywhere > > The EFF folks behind this effort have reached out to me and we've > discus

Re: Can Postfix verify client certificate fingerprint when supporting StartTLS?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 04:05:51PM +0200, Atze Zitman wrote: My final response in this thread: > It is true that I have "smtpd_delay_reject = no". I have done this, so > the sender restrictions would not be evaluated for each recipient address, > but for the sender address only (tested long time

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 10:03:04AM -0400, Wietse Venema wrote: > > That was also my thinking, but I was expecting a new parameter, > > > > smtpd_tls_ask_ccert_helo_names = > > > > Turning "smtpd_tls_ask_ccert" from a boolean to a matchlist, requires > > a bit of special gymnastics to deal

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Patrick Ben Koetter
* Viktor Dukhovni : > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote: > > > I don't know if this list is aware of this project? > > > > https://github.com/EFForg/starttls-everywhere > > The EFF folks behind this effort have reached out to me and we've > discussed some of the issues

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Wietse Venema
Viktor Dukhovni: > On Tue, Jul 29, 2014 at 10:03:04AM -0400, Wietse Venema wrote: > > > > That was also my thinking, but I was expecting a new parameter, > > > > > > smtpd_tls_ask_ccert_helo_names = > > > > > > Turning "smtpd_tls_ask_ccert" from a boolean to a matchlist, requires > > > a b

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Patrick Ben Koetter
* Patrick Ben Koetter : > * Viktor Dukhovni : > > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote: > > > > > I don't know if this list is aware of this project? > > > > > > https://github.com/EFForg/starttls-everywhere > > > > The EFF folks behind this effort have reached out to me

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 10:52:42AM -0400, Wietse Venema wrote: > > My thinking is that only the HELO name is a plausibly correct client > > identity for certificate checks. This is that the client calls itself. > > It does not matter. We have a client with N properties and we need > a matching m

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Robert Schetterer
Am 29.07.2014 um 16:14 schrieb Viktor Dukhovni: > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote: > >> I don't know if this list is aware of this project? >> >> https://github.com/EFForg/starttls-everywhere > > The EFF folks behind this effort have reached out to me and we've > dis

Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Xie, Wei
Greetings, Our OSU State University uses Microsoft exchange servers as our main email system. Many users' email accounts are forwarding accounts, which forward emails of nam...@osu.edu (i.e. smith.8...@osu.edu) to other email systems such as

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 05:10:25PM +0200, Robert Schetterer wrote: > Hi Viktor, perhaps silly question, I sometimes asked myself why not use > something like advanced SPF with i.e > > IN SPF "v=spf1 mx ip4:1.2.3.4/24 > TLSPOLICY:require-valid-certificate -all" Well SPF records are for

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Wietse Venema
Viktor Dukhovni: > * smtpd_tls_ask_ccert_helo_names = >(overrides smtpd_tls_ask_ccert = no) And one more main.cf parameter for client TLSA records. That would make three. > * smtpd_tls_ask_ccert = > no | yes | > match_client_{address,name,helo_name} type:name, >

Re: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 03:10:59PM +, Xie, Wei wrote: > Here we have a question about postfix. When the message passes by Postfix, > can Postfix automatically add line "Resent-From: " in > the header? That would be wrong. "Resent-From:" is appropriate when a user takes a message delivered to

Re: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Wietse Venema
Xie, Wei: > Greetings, > > Our OSU State University uses Microsoft exchange servers as our > main email system. Many users' email accounts are forwarding > accounts, which forward emails of nam...@osu.edu > (i.e. smith.8...@osu.edu) to other > em

Re: EFF STARTTLS Everywhere project

2014-07-29 Thread Robert Schetterer
Am 29.07.2014 um 17:23 schrieb Viktor Dukhovni: > On Tue, Jul 29, 2014 at 05:10:25PM +0200, Robert Schetterer wrote: > >> Hi Viktor, perhaps silly question, I sometimes asked myself why not use >> something like advanced SPF with i.e >> >> IN SPF "v=spf1 mx ip4:1.2.3.4/24 >> TLSPOLICY:r

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 11:24:52AM -0400, Wietse Venema wrote: > Viktor Dukhovni: > > * smtpd_tls_ask_ccert_helo_names = > > (overrides smtpd_tls_ask_ccert = no) > > And one more main.cf parameter for client TLSA records. That would > make three. Yes, in this model, another boolean to en

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread A. Schulze
Patrick Ben Koetter: IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs ... If that is true ... Hello, I ask for client certs on every one of my public MX servers without any compatibility issues for more than two years. Andreas

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 03:54:37PM +, Viktor Dukhovni wrote: > Perhaps a better option is to change the "match" feature to a lookup > feature which returns a value of "no | ask | require | dane", thus we'd have: > > smtpd_tls_ccert_policy = > lookup_client_address static:no, >

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread BlueStar88
Am 29.07.2014 um 19:06 schrieb Viktor Dukhovni: > The syntactic overhead can be reduced, by making "lookup_client_helo_name" > implicit: > > smtpd_tls_ccert_policy = static:dane > > and we could also make "static:" implicit when the string is one > of: "no | ask | require | dane". Thus enabl

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote: > First we should extend DNS using another MX-like entry, to be able to > define authoritative MTA client nodes for a specific domain, so we have > something to stick on. This was abandoned in favour of SPF, DKIM and DMARC. http://t

RE: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Xie, Wei
Wietse, >>How would Postfix know that mail is forwarded from OSU Microsoft exchange >>servers? Postfix only receives all outbound emails from 8 exchange hub servers. The email received by Postfix is probably 1) osu.edu account to non-osu.edu account; 2) osu.edu account to osu.edu forwardin

RE: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Xie, Wei
Viktor, >> Here we have a question about postfix. When the message passes by >> Postfix, can Postfix automatically add line "Resent-From: > address>" in the header? > >That would be wrong. "Resent-From:" is appropriate when a user takes a >message delivered to his mailbox (possibly long after i

Re: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 06:28:29PM +, Xie, Wei wrote: > >> There are also various extensions to Postfix to handle SPF and SRS. > > Would you please talk a little more about above topic? Postfix neither has nor should have any built-in feature to add "Resent-From:", it is not only the wrong h

Re: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Wietse Venema
Xie, Wei: > Can't Postfix header_checks perform too complicated rules? Amavisd-new > maybe another big change to us, but this is option. Sorry, delivery decisions MUST NOT be made based on email headers. Email headers do not say where mail comes from, and they do not say where mail goes to. If t

Re: Can Postfix automatically add line "Resent-From: " in the header?

2014-07-29 Thread Wietse Venema
Xie, Wei: > Here we have a question about postfix. When the message passes by > Postfix, can Postfix automatically add line "Resent-From: email address>" in the header? Postfix will add a "Delivered-To: " header when it delivers mail to a non-virtual alias, or to a user. If the user forwards

How to detect AUTH before STARTTLS?

2014-07-29 Thread Anders Wegge Keller
Recently, I've noticed a lot of repeated connections, like this:
Jul 29 20:26:06 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconn

Re: How to detect AUTH before STARTTLS?

2014-07-29 Thread Wietse Venema
Anders Wegge Keller: > My analysis is that the remote system is making a dictionary attack, to try > and see if it's possible to relay mail through my server that way. > Unfortunately (for the spammer), postfix is configured with > smtpd_tls_auth_only = yes, so the connection is rejected. However,

Re: How to detect AUTH before STARTTLS?

2014-07-29 Thread wegge
On 2014-07-29 22:17, wie...@porcupine.org wrote: Anders Wegge Keller: My analysis is that the remote system is making a dictionary attack, to try and see if it's possible to relay mail through my server that way. Unfortunately (for the spammer), postfix is configured with smtpd_tls_auth_only =

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Patrick Ben Koetter
* Viktor Dukhovni : > On Tue, Jul 29, 2014 at 03:54:37PM +, Viktor Dukhovni wrote: > > > Perhaps a better option is to change the "match" feature to a lookup > > feature which returns a value of "no | ask | require | dane", thus we'd > > have: > > > > smtpd_tls_ccert_policy = > >

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 11:59:41PM +0200, Patrick Ben Koetter wrote: > > network path can change any of the three inputs (client IP, client > > name or client HELO name), so unless the client is using an MiTM > > resistant sending policy, we can't prevent MiTM attacks, rather > > we can only detec

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread BlueStar88
Am 29.07.2014 um 19:40 schrieb Viktor Dukhovni: > On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote: > >> First we should extend DNS using another MX-like entry, to be able to >> define authoritative MTA client nodes for a specific domain, so we have >> something to stick on. > This was a

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Scott Kitterman
On July 29, 2014 7:15:04 PM EDT, BlueStar88 wrote: > >Am 29.07.2014 um 19:40 schrieb Viktor Dukhovni: >> On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote: >> >>> First we should extend DNS using another MX-like entry, to be able >to >>> define authoritative MTA client nodes for a specifi

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Wed, Jul 30, 2014 at 01:15:04AM +0200, BlueStar88 wrote: > Am 29.07.2014 um 19:40 schrieb Viktor Dukhovni: > > On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote: > > > >> First we should extend DNS using another MX-like entry, to be able to > >> define authoritative MTA client nodes fo

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Wietse Venema
I think it would help if someone can explain what an SMTP client certificate actually proves, without all the wishful thinking that every nugget of "security" is a worthwhile improvement. What does the certificate really prove about the SMTP client? What does the certificate prove about the conne

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread Viktor Dukhovni
On Tue, Jul 29, 2014 at 07:53:41PM -0400, Wietse Venema wrote: > I think it would help if someone can explain what an SMTP client > certificate actually proves, without all the wishful thinking that > every nugget of "security" is a worthwhile improvement. > > What does the certificate really pro

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread BlueStar88
Am 30.07.2014 um 01:50 schrieb Viktor Dukhovni: > I'm afraid magical thinking does not make progress in this space. > What's reasonable to do is constrained by what is possible to do, > (additional practical constraints also apply). When you keep > suggesting the impossible, I can only continue t