Postfix TLS connection not verified


So, the first thing I notice in your log file is that the connection from exdb04 was incoming and the connection to gmail was outgoing. Have you configured the exchange machine to use a client certificate on its outbound connections?

If, as you said, only outgoing mail is passing through these postfix machines, then your only incoming connections should be from your exchange machines. I'd also suggest some stricter config settings:

smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt

But, to solve your problem, I'd pump up the logging for smtpd_tls_loglevel to 2.

Keep in mind that with your s_client testing, you're testing in only one direction. Which certificate, for example, is the exchange server presenting to your postfix server? Are you positive that it's the same one it's configured to use on its own server port?

When you do the s_client testing and connect to your postfix server, what does the log file say - trusted or untrusted? How about when you specify a certificate with -cert?

I believe that the exchange server is not presenting a client certificate.

Good Luck


Author by TobiK

Updated on September 18, 2022

Comments

    TobiK over 1 year

    Hi!

    I am in the process of setting up postfix.

    What I want to achieve is trusted TLS connection between all internal parties. We deployed a PKI infrastructure with a Windows Server 2012 R2 CA for all internal certificates.

    We are using those postfix machines as internet relay and all exchange machines are sending their outbound emails through those postfix machines.

    Our Exchange Server 2013 has a certificate from the internal CA assigned. The CA root certificate is rolled out to the postfix machine. The postfix machine itself has a certificate issued by comodo.

    I can verify both Exchange and Postfix with openssl:

    openssl s_client -starttls smtp -connect XXXXXX:25 -CAfile /etc/ssl/certs/ca-certificates.crt
    

    The result for Exchange is:

    -----END CERTIFICATE-----
    subject=/C=DE/ST=NRW/L=XXX/O=XXX/OU=IT/CN=exdb04.XXX
    issuer=/DC=XXX/DC=XXX/CN=XXX-AD05-CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1955 bytes and written 553 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: E5180000ABE0F0824C152D04DF7CA7FB63835B573B06E9EBCA58D714852664E5
        Session-ID-ctx:
        Master-Key: B0E445A6DEF7E225CCC602EDC8FE21A023EC683EEC1BEF3DC57EE2914D47A19B2E0ADAD5D4794900AE21B4D401FD66B9
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1393236731
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 XSHADOWREQUEST
    

    And for postfix:

    ---
    SSL handshake has read 24140 bytes and written 534 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 2D9409D1C4B2E391B0C64007F93B54C4938120B167782025D4809FC1C8143D6E
        Session-ID-ctx:
        Master-Key: 61A5DF94DAF7047B9B4FD9A9DB9E5F9F23518FA7DF78A7989720B138F663292054CAA63648A31A93BCBBA5DDBDB2008A
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - fb 0f bc 6b 17 f4 bc fb-61 20 dc 3d e1 b1 93 15   ...k....a .=....
        0010 - 83 61 93 3e 4f c7 1c b7-3b 0c 4e 4b da 23 08 8e   .a.>O...;.NK.#..
        0020 - 4b 3c 19 2c c0 0d 6a 1d-69 2c d3 7c d9 20 8b 2b   K<.,..j.i,.|. .+
        0030 - 17 65 d2 d1 25 7d 26 7e-7b bd 76 f2 2a ae 3c 21   .e..%}&~{.v.*.<!
        0040 - 33 4f c3 55 7e 6a fe 55-78 b9 fd 4e c1 f7 9b e2   3O.U~j.Ux..N....
        0050 - e3 2f 78 2c 06 21 bb 0b-20 e2 93 6b dd 06 2f e6   ./x,.!.. ..k../.
        0060 - 10 30 84 d2 02 c2 5a 36-4b f3 50 18 7f 28 62 ab   .0....Z6K.P..(b.
        0070 - cc 15 4c cc bc 64 a5 a5-2c 26 d1 95 3f 77 2c ee   ..L..d..,&..?w,.
        0080 - 36 4b a6 91 b0 05 68 28-8a 34 3c 27 04 7d 66 48   6K....h(.4<'.}fH
        0090 - d5 19 2e c8 bb e2 c3 96-06 de 3d b1 6d 0b 79 58   ..........=.m.yX
        00a0 - 37 89 4e 2d 95 44 24 39-39 00 8e f4 6c 1c 54 6a   7.N-.D$99...l.Tj
    
        Compression: 1 (zlib compression)
        Start Time: 1393236872
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 DSN
    

    Seems to be alright till here, but: while sending an email from Exchange to outside I can see these messages in the log:

    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: connect from exdb04.XXXX[10.20.3.10]
    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: 4DD8613D8049: client=exdb04.XXXXXX[10.20.3.10]
    Feb 24 11:05:54 mailout03 postfix/cleanup[5010]: 4DD8613D8049: message-id=<[email protected]>
    Feb 24 11:05:54 mailout03 postfix/qmgr[4985]: 4DD8613D8049: from=<[email protected]>, size=2154, nrcpt=1 (queue active)
    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: disconnect from exdb04.XXXXXX[10.20.3.10]
    Feb 24 11:05:54 mailout03 postfix/smtp[5011]: connect to gmail-smtp-in.l.google.com[2a00:1450:4001:c02::1b]:25: Network is unreachable
    Feb 24 11:05:54 mailout03 postfix/smtp[5011]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Feb 24 11:05:55 mailout03 postfix/smtp[5011]: 4DD8613D8049: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=1.4, delays=0.03/0/0.29/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1393236355 gm5si14761594wjc.6 - gsmtp)
    Feb 24 11:05:55 mailout03 postfix/qmgr[4985]: 4DD8613D8049: removed
    

    Pay attention to this part: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

    Why is that connection untrusted while the connection to google is trusted and verified?

    Did I miss something?

    Thanks Tobias

    This is the postfix config:
    
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    myhostname = mailout03.XXXXXX.de
    myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP ready
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 2h
    
    # basic configuration
    readme_directory = no
    mydestination = mailout03.XXXX.de
    mynetworks = 127.0.0.0/8 127.0.0.2/32 [::1]/128 10.20.3.0/24
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    
    
    # message routing configuration
    sender_bcc_maps = hash:${config_directory}/sender_bcc
    sender_dependent_relayhost_maps = hash:${config_directory}/sender_relay
    alias_maps = hash:/etc/aliases
    relayhost =
    
    # message limit configuration
    message_size_limit = 157286400
    
    # queue configuration
    queue_run_delay = 30s
    
    
    # TLS server configuration
    smtpd_tls_cert_file = ${config_directory}/certs/mailout03_XXXXX_de.pem
    smtpd_tls_key_file = ${config_directory}/certs/mailout03_XXXXX_de.key
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    #smtpd_tls_CApath = /etc/ssl/certs
    
    smtpd_tls_security_level = may
    smtpd_starttls_timeout = 60s
    smtpd_tls_protocols = !SSLv2
    smtpd_tls_ask_ccert = yes
    smtpd_tls_ccert_verifydepth = 9
    
    # TLS logging configuration
    smtpd_tls_received_header = yes
    smtpd_tls_loglevel = 1
    
    # TLS session cache
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    
    # Perfect Forward Secrecy configuration
    smtpd_tls_eecdh_grade = ultra
    tls_preempt_cipherlist = yes
    smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh2048.pem
    smtpd_tls_dh512_param_file = ${config_directory}/certs/dh512.pem
    
    # TLS client configuration
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may
    smtp_tls_scert_verifydepth = 9
    smtp_tls_note_starttls_offer = yes
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    #smtp_tls_CApath = /etc/ssl/certs
    
  • TobiK about 10 years
    THANKS! Setting loglevel to 2 did the trick (I only set it to 3):
    > Feb 24 12:26:17 mailout03 postfix/smtpd[6095]: certificate verification failed for exdb04.XXX[10.20.3.10]: not designated for use as a client certificate
    I issue the correct certificate now and will let you know if it works. Tobias
  • TobiK about 10 years
    It works now, I had to add "Client Authentication" to the Web Server template in Certificate Templates SnapIn. The Certificate Authorities default webserver template does not add "Client Authentication" to the certificate.
  • etherfish about 10 years
    Glad to hear it! I suppose I was half-right, then. The server was supplying a certificate, but it wasn't acceptable by postfix. So, this answers your problem?
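The failure the thread ends on (a certificate issued from a Web Server template, which carries only the serverAuth extended key usage, rejected by smtpd as a client certificate) can be reproduced with OpenSSL alone, which is useful for checking a certificate before it is installed on the Exchange side. This is an added example and not code from the thread: it builds a throw-away CA in a temporary directory, issues one certificate with serverAuth only and one that also has clientAuth, and runs `openssl verify -purpose sslclient`, which applies the same X.509 purpose test (clientAuth in the extended key usage when that extension is present) that OpenSSL applies when a server verifies a client certificate. The CA, the hostname exchange.example.test, the file names and the 1-day validity are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original thread.  Requires the openssl binary.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca: self-signed CA standing in for the internal Windows CA (constructed).
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_cert NAME EKU_LIST: CSR plus CA-signed certificate carrying the given
# extendedKeyUsage, e.g. "serverAuth" (Web Server template) or "serverAuth, clientAuth".
issue_cert() {
    name="$1"; eku="$2"
    printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature, keyEncipherment\nsubjectAltName = DNS:exchange.example.test\n' \
        "$eku" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=exchange.example.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# check_client_purpose NAME: exit 0 only if the certificate chains to the CA *and*
# passes OpenSSL's "SSL client" purpose check (the check that produced
# "not designated for use as a client certificate" in the thread).
check_client_purpose() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# eku_of NAME: human-readable extended key usage line, to show what was issued.
eku_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        awk '/Extended Key Usage/ { getline; sub(/^ */, ""); print }'
}

# report NAME: one line per certificate with the verdict and its EKU.
report() {
    if check_client_purpose "$1"; then verdict="accepted"; else verdict="REJECTED"; fi
    printf '%-18s %s as client certificate  [EKU: %s]\n' "$1" "$verdict" "$(eku_of "$1")"
}

make_ca
issue_cert server_only "serverAuth"
issue_cert server_and_client "serverAuth, clientAuth"
report server_only
report server_and_client
```

The same `openssl verify -purpose sslclient -CAfile <internal CA>` invocation, pointed at the certificate exported from the Exchange server, tells in advance whether smtpd with `smtpd_tls_ask_ccert = yes` will log the session as Trusted or Untrusted.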