
Server Authentication: Certificate based


Sachin Gupta

May 13, 2013, 5:07:28 AM
Hi,

I have configured my setup for a server certificate based authentication.
Both Server and Client are sendmail systems and both have the same set of certificates.

However, when the client communicates with the server, I get the following error:
403 4.7.0 authentication failed

Access file contents:
TLS_Srv:mx3.domaintest.com VERIFY
TLS_Rcpt: VERIFY:CI:/O=Sendmail/OU=Sendmail+20Server/CN=debian/Email=admin@debian

db file created using following command:
makemap hash access.db < access

Client sendmail Logs:
May 13 03:38:26 sendmail[5052]: STARTTLS: CRLFile missing
May 13 03:38:26 sendmail[5052]: STARTTLS=client, init=1
May 13 03:38:26 sendmail[5052]: STARTTLS=client, start=ok
May 13 03:38:26 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS: TLS cert verify: depth=0 /O=Sendmail/OU=Sendmail Server/CN=debian/emailAddress=admin@debian, state=0, reason=self signed certificate
May 13 03:38:27 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS=client, get_verify: 18 get_peer: 0x81e7a60
May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 13 03:38:27 sendmail[5052]: STARTTLS=client, cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed certificate
May 13 03:38:27 sendmail[5052]: ruleset=tls_server, arg1=FAIL, relay=mx3.domaintest.com, reject=403 4.7.0 authentication failed

Server Logs:
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: from=<sen...@local1.com>, size=706, class=0, nrcpts=1, msgid=<1368405535.7...@client1.com>, proto=ESMTP, daemon=MTA-v4, relay=domain.com [client_ip]
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: --- 250 2.0.0 r4D73R1p003966 Message accepted for delivery
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: <-- QUIT
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: --- 221 2.0.0 domaintest.com closing connection
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=server, SSL_shutdown not done
May 13 02:03:41 domaintest sm-mta[3966]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: to=<rc...@domaintest.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30999, dsn=2.0.0, stat=Sent
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: done; delay=00:00:00, ntries=1
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory

Where am I going wrong here?

In the client sendmail.cf file, I can see that the following rule is getting hit:
STLS_connection
# authentication required: give appropriate error
# other side did authenticate (via STARTTLS)
R<$*><VERIFY> <> OK		$@ OK
R<$*><VERIFY> <$+> OK		$: <$1> <REQ:0> <$2>
R<$*><VERIFY:$-> <$*> OK	$: <$1> <REQ:$2> <$3>
R<$*><ENCR:$-> <$*> $*		$: <$1> <REQ:$2> <$3>
R<$-:$+><VERIFY $*> <$*>	$#error $@ $2 $: $1 " authentication required"
R<$-:$+><VERIFY $*> <$*> FAIL	$#error $@ $2 $: $1 " authentication failed"
R<$-:$+><VERIFY $*> <$*> NO	$#error $@ $2 $: $1 " not authenticated"
R<$-:$+><VERIFY $*> <$*> NOT	$#error $@ $2 $: $1 " no authentication requested"
R<$-:$+><VERIFY $*> <$*> NONE	$#error $@ $2 $: $1 " other side does not support STARTTLS"
R<$-:$+><VERIFY $*> <$*> $+	$#error $@ $2 $: $1 " authentication failure " $4
R<$*><REQ:$-> <$*>		$: <$1> <REQ:$2> <$3> $>max $&{cipher_bits} : $&{auth_ssf}
R<$*><REQ:$-> <$*> $-		$: <$1> <$2:$4> <$3> $(arith l $@ $4 $@ $2 $)
R<$-:$+><$-:$-> <$*> TRUE	$#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
R<$-:$+><$-:$-> <$*> $*		$: <$1:$2 ++ $5>
R<$-:$+ ++ >			$@ OK
R<$-:$+ ++ $+ >			$: <$1:$2> <$3>
R<$-:$+> < $+ ++ $+ >		<$1:$2> <$3> <$4>
R<$-:$+> $+			$@ $>"TLS_req" $3 $| <$1:$2>

Please guide!

Regards

Claus Aßmann

May 13, 2013, 9:35:28 PM
Sachin Gupta wrote:

> Both Server and Client are sendmail systems and both have the same set of certificates.

Not really good, CN should be the hostname.

> 403 4.7.0 authentication failed

> TLS_Srv:mx3.domaintest.com VERIFY
> TLS_Rcpt: VERIFY:CI:/O=Sendmail/OU=Sendmail+20Server/CN=debian/Email=admin@debian

> makemap hash access.db < access

> May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL,
^^^^^^^^^^^

> May 13 03:38:27 sendmail[5052]: STARTTLS=client,
> cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian,
> cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed
> certificate

You didn't tell the client MTA the "root" certificate of the server.

Please read doc/op/op.*:
...
6.6.1. Certificates for STARTTLS

When acting as a server, sendmail requires X.509 certificates to support STARTTLS: one as certificate for the server (ServerCertFile and corresponding private ServerKeyFile) at least one root CA (CACertFile), i.e., a certificate that is used to sign other certificates, and a path to a directory which contains other CAs (CACertPath). The file specified via CACertFile can contain several certificates of CAs. The DNs of these certificates are sent to the client during the TLS handshake (as part of the CertificateRequest) as the list of acceptable CAs. However, do not list too many root CAs in that file, otherwise the TLS handshake may fail; e.g.,

error:14094417:SSL routines:SSL3_READ_BYTES:
sslv3 alert illegal parameter:s3_pkt.c:964:SSL alert number 47

You should probably put only the CA cert into that file that signed your own cert(s), or at least only those you trust. The CACertPath directory must contain the hashes of each CA certificate as filenames (or as links to them). Symbolic links can be generated with the following two (Bourne) shell commands:

C=FileName_of_CA_Certificate
ln -s $C `openssl x509 -noout -hash < $C`.0

etc....

and maybe:
http://www.sendmail.org/~ca/email/starttls.html


--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
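As an added example (not code from the thread or from sendmail), a small Python script that reads the STARTTLS=client and ruleset=tls_server lines Sachin posted, undoes the +HH quoting sendmail applies to the logged DNs (the reason the access-map key reads Sendmail+20Server), and reports why verify=FAIL turned into the 403. The sample log is constructed from the lines above; function names are my own.

```python
import re

# Constructed sample: the client-side lines quoted in the thread (sendmail pid 5052).
SAMPLE_LOG = """\
May 13 03:38:26 sendmail[5052]: STARTTLS=client, init=1
May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 13 03:38:27 sendmail[5052]: STARTTLS=client, cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed certificate
May 13 03:38:27 sendmail[5052]: ruleset=tls_server, arg1=FAIL, relay=mx3.domaintest.com, reject=403 4.7.0 authentication failed
"""

def parse_fields(rest):
    """Split a sendmail 'k=v, k=v' message into a dict; fields without '=' are ignored."""
    out = {}
    for field in rest.split(", "):
        if "=" in field:
            k, v = field.split("=", 1)
            out[k] = v
    return out

def decode_plus_hex(s):
    """Undo sendmail's +HH quoting in logged DNs and access-map keys ('+20' -> ' ')."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def diagnose(log_text):
    """Group STARTTLS=client / tls_server lines per pid and explain each verify=FAIL."""
    sessions = {}
    for line in log_text.splitlines():
        m = re.search(r"\[(\d+)\]: (.*)$", line)  # pid and message after 'prog[pid]: '
        if not m:
            continue
        pid, rest = m.groups()
        fields = parse_fields(rest)
        if fields.get("STARTTLS") == "client" or fields.get("ruleset") == "tls_server":
            sessions.setdefault(pid, {}).update(fields)
    findings = []
    for pid, s in sessions.items():
        if s.get("verify") != "FAIL":
            continue
        subject = decode_plus_hex(s.get("cert-subject", ""))
        issuer = decode_plus_hex(s.get("cert-issuer", ""))
        if subject and subject == issuer:
            # subject == issuer: a self-signed peer cert, verifiable only if that cert itself is trusted
            cause = "self-signed peer cert not trusted via CACertFile/CACertPath"
        else:
            cause = "peer cert chain not anchored in CACertFile/CACertPath"
        findings.append({"pid": pid, "relay": s.get("relay", "").rstrip("."),
                         "subject": subject, "verifymsg": s.get("verifymsg"),
                         "reject": s.get("reject"), "cause": cause})
    return findings
```

Run diagnose() over a real maillog excerpt to list every outbound relay whose TLS_Srv VERIFY requirement failed and whether the peer's cert was self-signed or merely chained to an unknown CA.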

Andrzej Adam Filip

May 14, 2013, 12:30:00 PM
Claus Aßmann <ca+sendmail(-no-copies-please)@mine.informatik.uni-kiel.de> wrote:
> [...]
> You didn't tell the client MTA the "root" certificate of the server.

Does Sendmail.org plan to support certificate verification based on the key's
md5 fingerprint? [ $&{cert_md5} ]
It would help to support self-signed certificates without CA trust.
It would also help to support "matches one of a few"
(e.g. to smooth certificate change).

Simple version seems to be published at
http://www.novosial.org/sendmail/tls-relay/index.html#s6
[...] In the following example, the md5 fingerprints of the client
certificates will be used to allow relaying. [...]

--
Andrzej A. Filip

amitsin...@gmail.com

Aug 19, 2013, 7:08:10 AM