From: Hadmut Danisch on 15 May 2010 18:52

Hi,

just a configuration/security question:

I am running a postfix server which allows relaying and using particular sender domains for some people, but not for the public. The authorised users have to authenticate either with SASL or TLS client certificates. Since the server works also as a recipient, TLS is not enforced for incoming emails.

So relaying and using local domains as sender domains is restricted with permit_mynetworks, permit_tls_clientcerts, permit_sasl_authenticated. Works as expected.

Interestingly, this works even when the client certificate has expired. Although postfix recognizes that it is expired, logs "certificate has expired" and calls it "Untrusted TLS connection established from ", it still grants the rights as if the client had authenticated through TLS. It just verifies the fingerprint.

Is that intentional to log expired certificates and declare them as untrusted, but still accept them?

regards
Hadmut

From: Hadmut Danisch on 15 May 2010 18:54

...btw., using postfix 2.6.5-3 (debian)

From: zhong ming wu on 16 May 2010 07:56

On Sun, May 16, 2010 at 6:03 AM, Hadmut Danisch <hadmut(a)danisch.de> wrote:
> On 16.05.2010 01:24, zhong ming wu wrote:
>> On Sat, May 15, 2010 at 6:52 PM, Hadmut Danisch <hadmut(a)danisch.de> wrote:
>>> I am running a postfix server which allows relaying and using particular
>>> sender domains for some people, but not for the public. The authorised
>>> users have to authenticate either with SASL or TLS client certificates.
>>> Since the server works also as a recipient, TLS is not enforced for
>>> incoming emails.
>>>
>> what is
>>
>> postconf -n
>
> Which parts of the output would you need? (The configuration is
> distributed over several lookup tables and contains details not to be
> released to the public)
>
> The general question is: Why does an expired certificate fulfill the
> permit_tls_clientcerts clause?

Unless smtpd_tls_req_ccert = yes server will not enforce the validity for the cert

My guess is that if you use the same server instance for both as public mx host and as relay server authenticated using tls certificate, then what you want isn't possible since smtpd_tls_req_ccert should not be required for public mx part of your server.

permit_tls_clientcert is used in conjunction with relay_clientcerts and you should be removing fp of expired certs from that map anyway.

Part of postfix implementation of TLS client side isn't conventional; for example the way you revoke a client certificate is deleting the fp from a lookup map but not with a CRL.

From: Victor Duchovni on 16 May 2010 13:13

On Sun, May 16, 2010 at 12:52:56AM +0200, Hadmut Danisch wrote:

> So relaying and using local domains as sender domains is restricted
> with permit_mynetworks, permit_tls_clientcerts, permit_sasl_authenticated.
> Works as expected.

There is a difference between "permit_tls_clientcerts" and "permit_tls_all_clientcerts". The former uses an explicit list of trusted certificate fingerprints (as proxies for the underlying public key), and therefore does not heed the validity of the CA trust chain, expiration dates, .... The latter trusts all client certs issued by a particular (dedicated, private) set of CAs and only permits properly signed, unexpired, ... certificates.

> Interestingly, this works even when the client certificate has expired.

This is intentional. To "expire" a certificate, remove its fingerprint from your access table.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
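
Since fingerprint matching ignores expiry, the table itself has to be reviewed. The following is an added example, not part of the thread and not Postfix code: it cross-checks a relay_clientcerts-style table against `openssl x509` output and lists entries that still grant relay although the certificate is expired or unknown. All fingerprints, labels and dates are constructed, and it assumes the table and the openssl output use the same digest.

```python
from datetime import datetime, timezone

# Constructed sample relay_clientcerts source: fingerprint, then a free-form label.
RELAY_CLIENTCERTS = """\
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E  alice-laptop
0C:C1:75:B9:C0:F1:B6:A8:31:C3:99:E2:69:77:26:61  bob-phone
92:EB:5F:FE:E6:AE:2F:EC:3A:D7:1C:77:75:31:57:8F  carol-desktop
"""
# Constructed sample: `openssl x509 -noout -fingerprint -md5 -enddate` output, one pair per cert.
OPENSSL_OUTPUT = """\
MD5 Fingerprint=D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
notAfter=May 15 18:52:00 2011 GMT
MD5 Fingerprint=0C:C1:75:B9:C0:F1:B6:A8:31:C3:99:E2:69:77:26:61
notAfter=Jan  3 09:00:00 2010 GMT
"""

def parse_table(text):
    """Map fingerprint -> label; skips blanks, comments and continuation lines."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line[0].isspace() and not line.startswith("#"):
            fp, *rest = line.split(None, 1)
            table[fp.upper()] = rest[0].strip() if rest else ""
    return table

def parse_openssl(text):
    """Map fingerprint -> notAfter (UTC), pairing the two lines in either order."""
    certs, fp, end = {}, None, None
    for line in text.splitlines():
        name, _, value = line.partition("=")
        if name.lower().endswith("fingerprint"):
            fp = value.strip().upper()
        elif name == "notAfter":
            end = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        if fp and end:
            certs[fp] = end
            fp = end = None
    return certs

def audit(table_text, openssl_text, now):
    """Return (label, reason) for table entries whose cert is expired or not on file."""
    certs = parse_openssl(openssl_text)
    findings = []
    for fp, label in parse_table(table_text).items():
        if fp not in certs:
            findings.append((label, "no certificate on file"))
        elif certs[fp] <= now:
            findings.append((label, "expired " + certs[fp].date().isoformat()))
    return findings
```

Call `audit(RELAY_CLIENTCERTS, OPENSSL_OUTPUT, datetime.now(timezone.utc))` with your own table and certificate inventory; each finding is a fingerprint to remove from the table or a certificate to renew.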