trusted vs. verified TLS connection


A. Schulze

Dec 10, 2014, 7:13:59 AM

Hello,

While checking TLS to a destination domain I noticed a difference:
posttls-finger says "Verified" but the log says (only) "Trusted".

# posttls-finger -c -F /etc/ssl/mail/trusted_cas.pem avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: a.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: b.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: Matched subjectAltName: mx1.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx2.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25 CommonName mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subject_CN=mx1.c01.avira.com, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=7B:29:B8:4E:DE:65:D0:41:5B:2F:00:8C:83:E0:63:8F:0C:2A:99:D8, pkey_fingerprint=D5:90:CE:7B:83:66:F3:D1:14:C4:B8:8A:F7:98:9E:36:75:A4:94:48
posttls-finger: Verified TLS connection established to mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

# grep "to mx1.c01.avira.com" /var/log/mail
Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

# postconf -h mail_version
2.11.3

# postconf -h smtp_tls_CAfile
/etc/ssl/mail/trusted_cas.pem

I would say posttls-finger is wrong. Or am I?

Andreas

Viktor Dukhovni

Dec 10, 2014, 11:56:20 AM
On Wed, Dec 10, 2014 at 01:13:22PM +0100, A. Schulze wrote:

> While checking TLS to a destination domain I noticed a difference:
> posttls-finger says "Verified" but the log says (only) "Trusted".

The posttls-finger(1) utility defaults to the "dane" security level
when TLSA records are present and "secure" when absent. Since it
just reports test results, routine failure at the more secure settings
is not a problem.

> posttls-finger: Verified TLS connection established to
> mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> # grep "to mx1.c01.avira.com" /var/log/mail
> Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established
> to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The smtp(8) delivery agent is likely correctly defaulting to "may"
or "dane" when not otherwise configured for a particular destination.

Neither results in "Verified" for this domain.

> # postconf -h smtp_tls_CAfile
> /etc/ssl/mail/trusted_cas.pem
>
> I would say posttls-finger is wrong. Or am I?

Nobody's wrong, just a difference in policy settings. It looks like
you're explicitly disabling "aNULL" ciphers somewhere. The
default for such a destination would have resulted in an
"Anonymous" connection. To get "Trusted" with posttls-finger
I had to use:

$ posttls-finger -o tls_medium_cipherlist=DEFAULT -l may -c -F avira.pem avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: a.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: b.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx1.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx2.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25 CommonName mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subject_CN=mx.ames.avira.net, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=7B:29:B8:4E:DE:65:D0:41:5B:2F:00:8C:83:E0:63:8F:0C:2A:99:D8, pkey_fingerprint=D5:90:CE:7B:83:66:F3:D1:14:C4:B8:8A:F7:98:9E:36:75:A4:94:48
posttls-finger: Trusted TLS connection established to mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

--
Viktor.
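Viktor's point above, that the same certificate chain is logged as "Trusted" at the "may" level and "Verified" at the "secure" level, can be checked mechanically across a mail log. The following is an added example, not code from the thread or from Postfix: it parses the "TLS connection established" lines that smtp(8) and posttls-finger(1) print and flags hosts whose logged trust label is weaker than the security level configured for their domain. The sample lines, the MIN_LABEL mapping and the {domain: level} policy table are my own constructions modelled on the thread.

```python
import re
# Constructed samples modelled on the thread's log and posttls-finger output.
SAMPLE_LINES = [
    "Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established "
    "to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "posttls-finger: Verified TLS connection established to "
    "mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Dec 10 13:02:01 mail postfix/smtp[2231]: Anonymous TLS connection established "
    "to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
]

RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}  # peer-trust labels, weakest first
# Weakest label each smtp_tls_security_level tolerates (assumed mapping; "verify"/"secure" need a name match).
MIN_LABEL = {"may": "Anonymous", "encrypt": "Anonymous", "verify": "Verified", "secure": "Verified"}

LINE_RE = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

def parse_tls_line(line):
    """Return the fields of a '<label> TLS connection established' line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["bits"] = int(rec["port"]), int(rec["bits"])
    return rec

def required_level(host, policy, default):
    """Pick the level for host from a {domain: level} map (a per-destination policy table)."""
    for domain, level in policy.items():
        if host == domain or host.endswith("." + domain):
            return level
    return default

def audit(lines, policy, default="may"):
    """List (host, label, level, ok); ok is False when the label is weaker than level requires."""
    out = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue
        level = required_level(rec["host"], policy, default)
        ok = RANK[rec["level"]] >= RANK[MIN_LABEL[level]]
        out.append((rec["host"], rec["level"], level, ok))
    return out
```

With `{"avira.com": "secure"}` the smtp(8) line from the thread is flagged (Trusted is weaker than secure requires) while the posttls-finger line passes, which is exactly the difference Viktor explains.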
