
simplified test of Postfix->Postfix TLS auth. smtp_client_restrictions only executes 'generic_checks' not specific DB


hndl...@tutanota.de

Jan 30, 2015, 6:18:56 PM
I am now simple-testing Postfix->Postfix TLS AUTH.  It is all on internal test network on the LAN.

I create on the receiving server this service in master.cf

    1234  inet  n  -  n  -  -  smtpd -v
    -o smtp_helo_name=auth.srachnet.loc
    -o smtpd_tls_security_level=may
    -o smtpd_tls_fingerprint_digest=sha1
    -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
    -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
    -o smtpd_data_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=

And the file

    /etc/postfix/ok_ccerts
    11:...:11 relay.srachnet.loc

I launch Postfix and send a test mail.  In the Postfix log I see only the 'generic_checks' but no check in the lmdb:/etc/postfix/ok_ccerts database.

    Jan 30 14:53:41 mx postfix/smtpd[32574]: >>> START Client host RESTRICTIONS <<<
    Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=check_ccert_access
    Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=check_ccert_access status=0
    Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=reject
    Jan 30 14:53:41 mx postfix/smtpd[32574]: NOQUEUE: reject: RCPT from relay.srachnet.loc[10.14.0.2]: 554 5.7.1 <relay.srachnet.loc[10.14.0.2]>: Client host rejected: Access denied; from=<ro...@laptop.srachnet.loc> to=<srch...@srachnet2.loc> proto=ESMTP helo=<relay.srachnet.loc>
    Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=reject status=2
    Jan 30 14:53:41 mx postfix/smtpd[32574]: >>> END Client host RESTRICTIONS <<<

If I change the master.cf

-    -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
+    -o smtpd_client_restrictions=check_ccert_access lmdb:/etc/postfix/ok_ccerts,reject
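Review bot: the `+` line does not fix the lookup, it breaks the service definition: master.cf ends an unquoted `-o` value at the first whitespace, so `lmdb:/etc/postfix/ok_ccerts,reject` is handed to smtpd as a separate argument, which is exactly the `fatal: unexpected command-line argument` reported below. Keep the comma-separated form of the `-` line (restriction lists accept commas; whitespace inside a master.cf override is only safe with the `{ name = value }` quoting of Postfix 3.0 and later). The missing database lookup is not a syntax problem.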

When I send the test mail the logs show me

    Jan 30 14:55:54 mx postfix/smtpd[42774]: fatal: unexpected command-line argument: lmdb:/etc/postfix/ok_ccerts

Why is it not checking the database?

*S*

Wietse Venema

Jan 30, 2015, 8:33:33 PM
hndl...@tutanota.de:
> I am now simple-testing Postfix->Postfix TLS AUTH.  It is all on internal
> test network on the LAN.
>
> I create on the receiving server this service in master.cf
>
>     1234  inet  n  -  n  -  -  smtpd -v
>     -o smtp_helo_name=auth.srachnet.loc
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_fingerprint_digest=sha1
>     -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject

How do you know that the client actually SENDS a certificate?

Wietse
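Wietse's question is answered by the smtpd log itself: every TLS handshake produces one summary line whose first word says whether the client presented a certificate. The script below is an editor-added example, not code from the thread or from Postfix. It reads that summary line together with the `generic_checks` trace from the first post and decodes the status numbers (0 is DUNNO, 1 is OK, 2 is REJECT in smtpd_check.c). The handshake line, the second sample and the cipher string are constructed; `analyze_smtpd_log` and `explain` are the example's own names.

```python
import re

# Postfix smtpd logs one summary line per TLS handshake. Its first word tells
# whether the client presented a certificate and how it was verified:
#   Anonymous - no client certificate, so check_ccert_access has no key to look up
#   Untrusted - certificate presented but not verified against the configured CAs
#   Trusted   - certificate presented and verified ("Verified" on newer releases)
TLS_SUMMARY = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"(?:established|reused) from (?P<peer>\S+?): (?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)

# "smtpd -v" traces each restriction as: generic_checks: name=<restriction> status=<n>
GENERIC_CHECK = re.compile(r"generic_checks: name=(?P<name>\S+) status=(?P<status>\d+)")

# Result codes from smtpd_check.c; DUNNO means "no decision, try the next restriction"
STATUS = {0: "DUNNO", 1: "OK", 2: "REJECT"}


def analyze_smtpd_log(lines):
    """Summarize what smtpd log lines show about the client certificate and the
    restriction decisions. The checks list keeps log order."""
    report = {"client_cert_presented": None, "tls_trust": None, "peer": None, "checks": []}
    for line in lines:
        m = TLS_SUMMARY.search(line)
        if m:
            trust = m.group("trust")
            report["tls_trust"] = trust
            report["peer"] = m.group("peer")
            report["client_cert_presented"] = trust != "Anonymous"
            continue
        m = GENERIC_CHECK.search(line)
        if m:
            code = int(m.group("status"))
            report["checks"].append((m.group("name"), STATUS.get(code, str(code))))
    return report


def explain(report):
    """The one sentence a defender needs when the table lookup 'never happens'."""
    if report["client_cert_presented"] is None:
        return "no TLS summary line found: the session did not negotiate TLS, or the handshake lines are missing"
    if not report["client_cert_presented"]:
        return "client sent no certificate (Anonymous TLS): check_ccert_access returns DUNNO because there is no fingerprint to look up"
    if report["tls_trust"] == "Untrusted":
        return "certificate presented but not verified against smtpd_tls_CAfile/CApath"
    return "certificate presented and verified; a DUNNO from check_ccert_access now means the fingerprint is not in the table"


# Constructed sample: the trace from the first post, preceded by a handshake
# summary line in the form smtpd writes it (timestamp and cipher are made up).
SAMPLE_NO_CERT = [
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: Anonymous TLS connection established from relay.srachnet.loc[10.14.0.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: >>> START Client host RESTRICTIONS <<<",
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=check_ccert_access",
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=check_ccert_access status=0",
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=reject",
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: generic_checks: name=reject status=2",
    "Jan 30 14:53:41 mx postfix/smtpd[32574]: >>> END Client host RESTRICTIONS <<<",
]

# Constructed sample of the same trace once the client presents a certificate
# whose fingerprint is in the access table (status=1 is OK).
SAMPLE_VERIFIED = [
    "Jan 30 15:10:02 mx postfix/smtpd[32601]: Trusted TLS connection established from relay.srachnet.loc[10.14.0.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan 30 15:10:02 mx postfix/smtpd[32601]: generic_checks: name=check_ccert_access status=1",
]

if __name__ == "__main__":
    for label, sample in (("no cert", SAMPLE_NO_CERT), ("verified", SAMPLE_VERIFIED)):
        report = analyze_smtpd_log(sample)
        print(label + ":", report["checks"], "->", explain(report))
```

Run it against the real `/var/log/mail.log` lines of one session (filter on the smtpd pid) and the `Anonymous` word, or its absence, settles the question before any table is debugged.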

hndl...@tutanota.de

Jan 30, 2015, 9:09:19 PM
Hello Wietse


> How do you know that the client actually SENDS a certificate?

I do not know because I do not yet see the proof of it in the right log.  But I try to configure for it.  I am trying to make a simple example all under my control so that I can see the certs exchanged and then verified.  And then access granted.

Excuse me if things are changing from last message. I am working on it.

In the client /etc/postfix/main.cf

    local_transport = error:5.1.1 local mail delivery is disabled
    alias_maps =
    alias_database =
    relay_domains = lmdb:/etc/postfix/relay_domains
    relay_transport = relay:[10.14.0.10]:1234
    smtp_use_tls = yes
    smtpd_tls_security_level = may
    smtp_tls_CApath = /etc/ssl/certs/
    smtp_tls_cert_file =
    smtp_tls_key_file =
    smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_cache
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy

In /etc/postfix/tls_policy
    [10.14.0.10]:1234  encrypt
      fingerprint match=9C:...:A7

In /etc/postfix/relay_domains
    srachnet2.loc  OK

In the client /etc/postfix/master.cf

    relay unix -  -  n  -  -  smtp
      -o smtp_bind_address=10.14.0.2
      -o smtp_tls_cert_file="/etc/ssl/email_keys/relay.srachnet.loc.crt"
      -o smtp_tls_key_file="/etc/ssl/email_keys/relay.srachnet.loc.key"
      -o smtp_tls_CAfile="/etc/ssl/email_keys/srachnet_CA.crt"
      -o smtpd_tls_CAfile="/etc/ssl/email_keys/srachnet_CA.crt"

*S*

Viktor Dukhovni

Jan 30, 2015, 9:45:57 PM
On Fri, Jan 30, 2015 at 11:18:29PM +0000, hndl...@tutanota.de wrote:

> I create on the receiving server this service in master.cf
>
> 1234 inet n - n - - smtpd -v
> -o smtp_helo_name=auth.srachnet.loc
> -o smtpd_tls_security_level=may
> -o smtpd_tls_fingerprint_digest=sha1
> -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
> -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
> -o smtpd_data_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=

And where is "smtpd_tls_req_ccert=yes" or "smtpd_tls_ask_ccert=yes"?
And why not "smtpd_tls_security_level=encrypt"?

--
Viktor.

hndl...@tutanota.de

Jan 30, 2015, 10:06:30 PM
> And where is "smtpd_tls_req_ccert=yes" or "smtpd_tls_ask_ccert=yes"?
> And why not "smtpd_tls_security_level=encrypt"?

>> Excuse me if things are changing from last message. I am working on it.

These have already been added to the server since then.  At the moment the server configuration is

    1234  inet  n  -  n  -  -  smtpd
    -o smtp_helo_name=auth.srachnet.loc
    -o smtpd_client_restrictions=
    -o smtpd_relay_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
    -o smtpd_tls_req_ccert=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_fingerprint_digest=sha1
    -o smtpd_tls_CAfile="/etc/ssl/email_keys/srachnet_CA.crt"
    -o smtpd_tls_cert_file="/etc/ssl/email_keys/mx.srachnet.loc.crt"
    -o smtpd_tls_key_file="/etc/ssl/email_keys/mx.srachnet.loc.key"
    -o smtpd_data_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
    -o smtpd_tls_mandatory_ciphers=high

also trying with

    -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix
    -o smtpd_relay_restrictions=

The result is still for now the same for all.

Viktor Dukhovni

Jan 30, 2015, 11:15:11 PM
On Sat, Jan 31, 2015 at 03:06:06AM +0000, hndl...@tutanota.de wrote:

> > And where is "smtpd_tls_req_ccert=yes" or "smtpd_tls_ask_ccert=yes"?
> > And why not "smtpd_tls_security_level=encrypt"?
>
> >> Excuse me if things are changing from last message. I am working on it.
>
> These have been added to the server already since.  In the moment the server
> configuration is
>
> 1234 inet n - n - - smtpd
> -o smtp_helo_name=auth.srachnet.loc
> -o smtpd_client_restrictions=
> -o smtpd_relay_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
> -o smtpd_tls_req_ccert=yes
> -o smtpd_tls_security_level=encrypt
> -o smtpd_tls_fingerprint_digest=sha1
> -o smtpd_tls_CAfile="/etc/ssl/email_keys/srachnet_CA.crt"
> -o smtpd_tls_cert_file="/etc/ssl/email_keys/mx.srachnet.loc.crt"
> -o smtpd_tls_key_file="/etc/ssl/email_keys/mx.srachnet.loc.key"
> -o smtpd_data_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=
> -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> -o smtpd_tls_mandatory_ciphers=high

This looks fine, for Postfix 2.10 or later. What version is this?

> also trying with
>
> -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix
> -o smtpd_relay_restrictions=

Postfix will not allow both smtpd_relay_restrictions and
smtpd_recipient_restrictions to be empty (to not contain a default
reject action).

> The result is still for now the same for all.

What result is that? What's in the server's logs? How are you
testing this configuration?

--
Viktor.
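Viktor's two replies amount to a short checklist for the receiving service: ask for or require a client certificate (`smtpd_tls_ask_ccert` / `smtpd_tls_req_ccert`), prefer `smtpd_tls_security_level=encrypt`, and never leave both `smtpd_relay_restrictions` and `smtpd_recipient_restrictions` empty. The script below is an added example, not code from the thread or from Postfix: it parses a master.cf service entry and flags those points, plus a `check_ccert_access` without its table argument and the whitespace-split `-o` value from the first post. The entries it checks are abridged copies of the ones posted in this thread; `parse_service`, `lint_ccert_service` and the finding texts are the example's own.

```python
import re

RESTRICTION_PARAMS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions", "smtpd_data_restrictions",
)


def parse_service(text):
    """Split one master.cf entry into (service fields, -o overrides, stray arguments)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty service entry")
    fields = lines[0].split()
    overrides, stray = {}, []
    for raw in lines[1:]:
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "-o":
            continue
        # an unquoted -o value ends at the first whitespace; anything after it
        # becomes an extra smtpd argument, which smtpd rejects with a fatal error
        name, _, value = parts[1].partition("=")
        overrides[name] = value
        stray.extend(parts[2:])
    return fields, overrides, stray


def split_restrictions(value):
    """Postfix restriction lists are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def lint_ccert_service(text):
    """Return the findings for a client-certificate relay service (empty list = passes)."""
    fields, o, stray = parse_service(text)
    if len(fields) < 8 or fields[7] != "smtpd":
        return ["entry does not run smtpd, so smtpd_* overrides have no effect"]
    findings = ["stray argument %r after an -o value: smtpd exits with "
                "'unexpected command-line argument'" % arg for arg in stray]
    if o.get("smtpd_tls_ask_ccert") != "yes" and o.get("smtpd_tls_req_ccert") != "yes":
        findings.append("neither smtpd_tls_ask_ccert=yes nor smtpd_tls_req_ccert=yes: the server "
                        "never asks for a client certificate, so check_ccert_access has no key")
    level = o.get("smtpd_tls_security_level")
    if level != "encrypt":
        findings.append("smtpd_tls_security_level=%s: a certificate-authenticated relay port "
                        "should use encrypt so plaintext sessions are refused"
                        % (level or "<main.cf default>"))
    if o.get("smtpd_relay_restrictions") == "" and o.get("smtpd_recipient_restrictions") == "":
        findings.append("smtpd_relay_restrictions and smtpd_recipient_restrictions are both empty: "
                        "Postfix requires a reject-type action in one of them (smtpd reports a fatal error)")
    for param in RESTRICTION_PARAMS:
        toks = split_restrictions(o.get(param, ""))
        for i, tok in enumerate(toks):
            if tok == "check_ccert_access":
                table = toks[i + 1] if i + 1 < len(toks) else ""
                if ":" not in table:
                    findings.append("%s: check_ccert_access must be followed by a type:table "
                                    "argument, got %r" % (param, table))
    return findings


# Abridged copy of the receiving server's first entry from the opening post.
FIRST_TRY = """
1234  inet  n  -  n  -  -  smtpd -v
    -o smtpd_tls_security_level=may
    -o smtpd_tls_fingerprint_digest=sha1
    -o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
    -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
    -o smtpd_recipient_restrictions=
"""

# Abridged copy of the revised entry that the reply above calls fine for Postfix 2.10+.
REVISED = """
1234  inet  n  -  n  -  -  smtpd
    -o smtpd_client_restrictions=
    -o smtpd_relay_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject
    -o smtpd_tls_req_ccert=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_fingerprint_digest=sha1
    -o smtpd_recipient_restrictions=
"""

# The "also trying with" variant: relay and recipient restrictions both emptied.
BOTH_EMPTY = REVISED.replace(
    "-o smtpd_client_restrictions=", "-o smtpd_client_restrictions=check_ccert_access,lmdb:/etc/postfix"
).replace("-o smtpd_relay_restrictions=check_ccert_access,lmdb:/etc/postfix/ok_ccerts,reject",
          "-o smtpd_relay_restrictions=")

# The whitespace variant from the first post that made smtpd exit with a fatal error.
SPACE_SPLIT = FIRST_TRY.replace("check_ccert_access,lmdb:", "check_ccert_access lmdb:")

if __name__ == "__main__":
    for label, entry in (("first try", FIRST_TRY), ("revised", REVISED),
                         ("both empty", BOTH_EMPTY), ("space split", SPACE_SPLIT)):
        print(label + ":", lint_ccert_service(entry) or ["ok"])
```

The checks deliberately look only at the `-o` overrides of the one entry: a parameter that is not overridden takes its main.cf value, which this script cannot see, so only an explicit empty override is reported as empty.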
