From: "Jan C." on 8 Jun 2010 03:31

Hello,

I have my postfix set up as a TLS client to other smtp servers. I point smtp_tls_CApath to a directory where I store my own imported trusted CAs. My question is whether or not Postfix will also load the Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to set smtp_tls_CApath to /etc/ssl/certs and store my own root CAs there?

Thanks for your help,
Jan.
From: Victor Duchovni on 8 Jun 2010 11:56

On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:

> I have my postfix set up as a TLS client to other smtp servers. I
> point smtp_tls_CApath to a directory where I store my own imported
> trusted CAs. My question is whether or not Postfix will also load the
> Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to
> set smtp_tls_CApath to /etc/ssl/certs and store my own root CAs there?

http://www.postfix.org/TLS_README.html#client_cert_key

    To verify a remote SMTP server certificate, the Postfix SMTP
    client needs to trust the certificates of the issuing certification
    authorities. These certificates in "pem" format can be stored in
    a single $smtp_tls_CAfile or in multiple files, one CA per file
    in the $smtp_tls_CApath directory. If you use a directory, don't
    forget to create the necessary "hash" links with:

        # $OPENSSL_HOME/bin/c_rehash /path/to/directory

    The $smtp_tls_CAfile contains the CA certificates of one or more
    trusted CAs. The file is opened (with root privileges) before Postfix
    enters the optional chroot jail and so need not be accessible from
    inside the chroot jail.

    Additional trusted CAs can be specified via the $smtp_tls_CApath
    directory, in which case the certificates are read (with $mail_owner
    privileges) from the files in the directory when the information is
    needed. Thus, the $smtp_tls_CApath directory needs to be accessible
    inside the optional chroot jail.

    The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
    space/time tradeoff. If there are many trusted CAs, the cost of
    preloading them all into memory may not pay off in reduced access
    time when the certificate is needed.

    Example:

    /etc/postfix/main.cf:
        smtp_tls_CAfile = /etc/postfix/CAcert.pem
        smtp_tls_CApath = /etc/postfix/certs

See also the recent posts about migrating from 0.9.8 CApath to 1.0.0 CApath where the hash links made by c_rehash are not 0.9.8 compatible (and vice versa).

-- 
	Viktor.
From: "Jan C." on 9 Jun 2010 04:22

Hi Viktor,

thanks for your answer but that does not answer my question. Is the /etc/ssl/certs directory loaded also by default? I did the test:

    smtp_tls_CApath = /foo/bar

I added/hashed some certs in /foo/bar

When postfix connects to a smtp server (tls verify), certificates issued by CAs from /etc/ssl/certs AND from /foo/bar are trusted. Do you confirm this?

Thanks,
Jan

On Tue, Jun 8, 2010 at 5:56 PM, Victor Duchovni <Victor.Duchovni(a)morganstanley.com> wrote:
> On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:
>
>> I have my postfix set up as a TLS client to other smtp servers. I
>> point smtp_tls_CApath to a directory where I store my own imported
>> trusted CAs. My question is whether or not Postfix will also load the
>> Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to
>> set smtp_tls_CApath to /etc/ssl/certs and store my own root CAs there?
>
> http://www.postfix.org/TLS_README.html#client_cert_key
>
>     To verify a remote SMTP server certificate, the Postfix SMTP
>     client needs to trust the certificates of the issuing certification
>     authorities. These certificates in "pem" format can be stored in
>     a single $smtp_tls_CAfile or in multiple files, one CA per file
>     in the $smtp_tls_CApath directory. If you use a directory, don't
>     forget to create the necessary "hash" links with:
>
>         # $OPENSSL_HOME/bin/c_rehash /path/to/directory
>
>     The $smtp_tls_CAfile contains the CA certificates of one or more
>     trusted CAs. The file is opened (with root privileges) before Postfix
>     enters the optional chroot jail and so need not be accessible from
>     inside the chroot jail.
>
>     Additional trusted CAs can be specified via the $smtp_tls_CApath
>     directory, in which case the certificates are read (with $mail_owner
>     privileges) from the files in the directory when the information is
>     needed. Thus, the $smtp_tls_CApath directory needs to be accessible
>     inside the optional chroot jail.
>
>     The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
>     space/time tradeoff. If there are many trusted CAs, the cost of
>     preloading them all into memory may not pay off in reduced access
>     time when the certificate is needed.
>
>     Example:
>
>     /etc/postfix/main.cf:
>         smtp_tls_CAfile = /etc/postfix/CAcert.pem
>         smtp_tls_CApath = /etc/postfix/certs
>
> See also the recent posts about migrating from 0.9.8 CApath to 1.0.0
> CApath where the hash links made by c_rehash are not 0.9.8 compatible
> (and vice versa).
>
> --
> 	Viktor.
>
From: /dev/rob0 on 9 Jun 2010 06:27

Please do not top-post your replies. Thank you.

On Wed, Jun 09, 2010 at 10:22:16AM +0200, Jan C. wrote:
> thanks for your answer but that does not answer my question. Is the
> /etc/ssl/certs directory loaded also by default? I did the test:

Postfix postconf(5) defaults can be shown with the postconf(1) tool:

    $ /usr/sbin/postconf -d smtp_tls_CApath
    smtp_tls_CApath =

Defaults are also documented as much as possible in the postconf(5) man page; every defined setting has its own hyperlink in the HTML version, as such: postconf.5.html#smtp_tls_CApath

> smtp_tls_CApath = /foo/bar
> I added/hashed some certs in /foo/bar
>
> When postfix connects to a smtp server (tls verify), certificates
> issued by CAs from /etc/ssl/certs AND from /foo/bar are trusted. Do
> you confirm this?

Um, no. By default Postfix is not going to use TLS at all. When activated, by default, no certificate verification is done at all. Consult your distributor's package documentation if they have set different defaults.

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
From: "Jan C." on 9 Jun 2010 09:01

Hi,

> Um, no. By default Postfix is not going to use TLS at all. When
> activated, by default, no certificate verification is done at all.
> Consult your distributor's package documentation if they have set
> different defaults.

If I set smtp_tls_CApath to /etc/ssl/certs and then again to something else, it looks like the CAs from /etc/ssl/certs are being loaded all the time. Here is what I did:

1- clean installation of Postfix (2.5.5) on Debian Lenny
2- TLS policy mapping for destination tls.com "verify match=test-tls.com"
3- copy the CA of the test-tls.com to /etc/ssl/certs and run c_rehash
4- leave smtp_tls_CApath empty

If I send an email now, it gets deferred (Server certificate not trusted). Until now it makes perfect sense.

Now I set:

    ~ $ postconf -e smtp_tls_CApath=/etc/ssl/certs/

and reload postfix. If I send an email, it is correctly sent via TLS. Again, it makes sense.

Thing is that now, I set smtp_tls_CApath to something else (empty directory) and the CA is still trusted:

    ~ $ mkdir -p /foo/bar
    ~ $ postconf -e smtp_tls_CApath=/foo/bar/
    ~ $ postfix reload

Postfix log:

> tls.com[10.2.87.10]:25: Matched subject_CN=test-tls.com, issuer_CN=Admin Test TLS

... so how can the certificate be trusted if I point the smtp_tls_CApath to an empty dir?

Still with smtp_tls_CApath pointing to /foo/bar, I delete my CA from /etc/ssl/certs/ and rehash, and the email gets deferred again:

> relay=tls.com[10.2.87.10]:25, delay=0.11, delays=0.01/0.03/0.07/0, dsn=4.7.5, status=deferred (Server certificate not trusted)

... so there must be somewhere a reference to /etc/ssl/certs. Did I miss something?

Thanks for your help,
Jan
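Two checks tie the thread together: Viktor's reminder that a smtp_tls_CApath directory is only usable once c_rehash has created the hash links (and that 0.9.8-era links do not satisfy a 1.0.0 OpenSSL), and Jan's difficulty in telling whether a CA is trusted because of his CApath or because of something else on the system. The shell script below is an added example, not code from this thread, from Postfix or from OpenSSL. It assumes openssl(1) 1.1.0 or later on PATH (for the -no-CAfile/-no-CApath options), one PEM certificate per *.pem or *.crt file, and the hash scheme of OpenSSL 1.0.0 and later; the file names it mentions are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Postfix or OpenSSL).
# Three helpers for a smtp_tls_CApath-style directory:
#   rehash_capath DIR              create <subject_hash>.N links, as c_rehash does
#   check_capath DIR               report CA files that no hash link points at
#   verify_with_capath_only DIR C  verify cert C using DIR as the ONLY trust
#                                  store, so CAs in OpenSSL's default directory
#                                  cannot make the test pass by accident
# Assumption: openssl >= 1.1.0 on PATH; one PEM certificate per file.

# Build <subject_hash>.N links for every certificate in DIR (OpenSSL >= 1.0.0
# scheme; -subject_hash_old would give the incompatible 0.9.8 names).
# A certificate that already has a link pointing at it is skipped.
rehash_capath() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # same certificate already linked under this hash: nothing to do
            [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n" 2>/dev/null)" = "$fp" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n" || return 1
    done
    return 0
}

# Return 0 when every CA file in DIR is reachable through a hash link whose
# target is that very certificate (compared by SHA-256 fingerprint), 1 otherwise.
check_capath() {
    dir=$1
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert") || { missing=1; continue; }
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
        found=0
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] || continue
            if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$link" 2>/dev/null)" = "$fp" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for $cert (expected $dir/$hash.N)" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Verify CERT against DIR alone. -no-CAfile/-no-CApath stop openssl from also
# loading its compiled-in defaults (the directory /etc/ssl/certs usually is on
# Debian), which is exactly the ambiguity that makes "is my CApath working?"
# hard to answer from a mail log. Exit status is openssl's: 0 means trusted.
verify_with_capath_only() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage, after sourcing this file:
#   check_capath /etc/postfix/certs
#   verify_with_capath_only /etc/postfix/certs /tmp/remote-server-chain.pem
```

The structural check (check_capath) catches the c_rehash omission and the 0.9.8/1.0.0 link mismatch Viktor mentions, since both leave a CA file with no usable link. The functional check (verify_with_capath_only) answers Jan's question for a given certificate without Postfix in the loop: if it fails with the CApath directory but the delivery still verifies, the trust is coming from somewhere other than that directory.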