Postfix TLS connection not verified
So, the first thing I notice in your log file is that the connection from exdb04 was incoming and the connection to gmail was outgoing. Have you configured the exchange machine to use a client certificate on it's outbound connections?
If, as you said, only outgoing mail is passing through these postfix machines, then your only incoming connections should be from your exchange machines then I'd also suggest some stricter config settings:
smtpd_tls_req_ccert = yes smtpd_tls_security_level = encrypt
But, to solve your problem, I'd pump up the logging for smtpd_tls_loglevel to 2.
Keep in mind that with your s_client testing, you're testing in only one direction. Which certificate, for example, is the exchange server presenting to your postfix server? Are you positive that it's the same one it's configured to use on it's own server port.
When you do the s_client testing and connect to your postfix server, what does the log file say - trusted or untrusted? How about when you specify a certificate with -cert?
I believe that the exchange server is not presenting a client certificate.
Good Luck
Related videos on Youtube
TobiK
Updated on September 18, 2022Comments
-
TobiK over 1 year
Hi!
I am in the process of setting up postfix.
What I want to achieve is trusted TLS connection between all internal parties. We deployed a PKI infrastructure with a Windows Server 2012 R2 CA for all internal certificates.
We are using those postfix machines as internet relay and all exchange machines are sending their outbound emails through those postfix machines.
Our Exchange Server 2013 has a certificate from the internal CA assigned. The CA root certificate is rolled out to the postfix machine. The postfix machine itself has a certificate issued by comodo.
I can verify both Exchange and Postfix with openssl:
openssl s_client -starttls smtp -connect XXXXXX:25 -CAfile /etc/ssl/certs/ca-certificates.crt
The result for Exchange is:
-----END CERTIFICATE----- subject=/C=DE/ST=NRW/L=XXX/O=XXX/OU=IT/CN=exdb04.XXX issuer=/DC=XXX/DC=XXX/CN=XXX-AD05-CA --- No client certificate CA names sent --- SSL handshake has read 1955 bytes and written 553 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: E5180000ABE0F0824C152D04DF7CA7FB63835B573B06E9EBCA58D714852664E5 Session-ID-ctx: Master-Key: B0E445A6DEF7E225CCC602EDC8FE21A023EC683EEC1BEF3DC57EE2914D47A19B2E0ADAD5D4794900AE21B4D401FD66B9 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1393236731 Timeout : 300 (sec) Verify return code: 0 (ok) --- 250 XSHADOWREQUEST
And for postfix:
--- SSL handshake has read 24140 bytes and written 534 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 2D9409D1C4B2E391B0C64007F93B54C4938120B167782025D4809FC1C8143D6E Session-ID-ctx: Master-Key: 61A5DF94DAF7047B9B4FD9A9DB9E5F9F23518FA7DF78A7989720B138F663292054CAA63648A31A93BCBBA5DDBDB2008A Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 3600 (seconds) TLS session ticket: 0000 - fb 0f bc 6b 17 f4 bc fb-61 20 dc 3d e1 b1 93 15 ...k....a .=.... 0010 - 83 61 93 3e 4f c7 1c b7-3b 0c 4e 4b da 23 08 8e .a.>O...;.NK.#.. 0020 - 4b 3c 19 2c c0 0d 6a 1d-69 2c d3 7c d9 20 8b 2b K<.,..j.i,.|. .+ 0030 - 17 65 d2 d1 25 7d 26 7e-7b bd 76 f2 2a ae 3c 21 .e..%}&~{.v.*.<! 0040 - 33 4f c3 55 7e 6a fe 55-78 b9 fd 4e c1 f7 9b e2 3O.U~j.Ux..N.... 0050 - e3 2f 78 2c 06 21 bb 0b-20 e2 93 6b dd 06 2f e6 ./x,.!.. ..k../. 0060 - 10 30 84 d2 02 c2 5a 36-4b f3 50 18 7f 28 62 ab .0....Z6K.P..(b. 0070 - cc 15 4c cc bc 64 a5 a5-2c 26 d1 95 3f 77 2c ee ..L..d..,&..?w,. 0080 - 36 4b a6 91 b0 05 68 28-8a 34 3c 27 04 7d 66 48 6K....h(.4<'.}fH 0090 - d5 19 2e c8 bb e2 c3 96-06 de 3d b1 6d 0b 79 58 ..........=.m.yX 00a0 - 37 89 4e 2d 95 44 24 39-39 00 8e f4 6c 1c 54 6a 7.N-.D$99...l.Tj Compression: 1 (zlib compression) Start Time: 1393236872 Timeout : 300 (sec) Verify return code: 0 (ok) --- 250 DSN
Seems to be alright till here, but: while sending an email from Exchange to outside I can see these messages in the log:
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: connect from exdb04.XXXX[10.20.3.10] Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: 4DD8613D8049: client=exdb04.XXXXXX[10.20.3.10] Feb 24 11:05:54 mailout03 postfix/cleanup[5010]: 4DD8613D8049: message-id=<[email protected]> Feb 24 11:05:54 mailout03 postfix/qmgr[4985]: 4DD8613D8049: from=<[email protected]>, size=2154, nrcpt=1 (queue active) Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: disconnect from exdb04.XXXXXX[10.20.3.10] Feb 24 11:05:54 mailout03 postfix/smtp[5011]: connect to gmail-smtp-in.l.google.com[2a00:1450:4001:c02::1b]:25: Network is unreachable Feb 24 11:05:54 mailout03 postfix/smtp[5011]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) Feb 24 11:05:55 mailout03 postfix/smtp[5011]: 4DD8613D8049: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=1.4, delays=0.03/0/0.29/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1393236355 gm5si14761594wjc.6 - gsmtp) Feb 24 11:05:55 mailout03 postfix/qmgr[4985]: 4DD8613D8049: removed
Pay attention to this part: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Why is that connection untrusted while the connection to google is trusted and verified.
Did I miss something?
Thanks Tobias
This is the postfix config: # See /usr/share/postfix/main.cf.dist for a commented, more complete version myhostname = mailout03.XXXXXX.de myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP ready biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings delay_warning_time = 2h # basic configuration readme_directory = no mydestination = mailout03.XXXX.de mynetworks = 127.0.0.0/8 127.0.0.2/32 [::1]/128 10.20.3.0/24 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all # message routing configuration sender_bcc_maps = hash:${config_directory}/sender_bcc sender_dependent_relayhost_maps = hash:${config_directory}/sender_relay alias_maps = hash:/etc/aliases relayhost = # message limit configuration message_size_limit = 157286400 # queue configuration queue_run_delay = 30s # TLS server configuration smtpd_tls_cert_file = ${config_directory}/certs/mailout03_XXXXX_de.pem smtpd_tls_key_file = ${config_directory}/certs/mailout03_XXXXX_de.key smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt #smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_security_level = may smtpd_starttls_timeout = 60s smtpd_tls_protocols = !SSLv2 smtpd_tls_ask_ccert = yes smtpd_tls_ccert_verifydepth = 9 # TLS logging configuration smtpd_tls_received_header = yes smtpd_tls_loglevel = 1 # TLS session cache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s # Perfect Forward Secrecy configuration smtpd_tls_eecdh_grade = ultra tls_preempt_cipherlist = yes smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh2048.pem smtpd_tls_dh512_param_file = ${config_directory}/certs/dh512.pem # TLS client configuration smtp_tls_loglevel = 1 smtp_tls_security_level = may smtp_tls_scert_verifydepth = 9 smtp_tls_note_starttls_offer = yes smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt #smtp_tls_CApath = /etc/ssl/certs
-
TobiK about 10 yearsTHANKS! Setting loglevel to 2 did the trick (I only set it to 3): > Feb 24 12:26:17 mailout03 postfix/smtpd[6095]: certificate > verification failed for exdb04.XXX[10.20.3.10]: not > designated for use as a client certificate I issue the correct certificate now and will let you know if it works. Tobias
-
TobiK about 10 yearsIt works now, I had to add "Client Authentication" to the Web Server template in Certificate Templates SnapIn. The Certificate Authorities default webserver template does not add "Client Authentication" to the certificate.
-
etherfish about 10 yearsGlad to hear it! I suppose I was half-right, then. The server was supplying a certificate, but it wasn't acceptable by postfix. So, this answers your problem?