
Re: TLS client certificate


Wietse Venema

Aug 22, 2014, 11:28:52 AM
> 1.) Thunderbird (works)
> 2.) Apple Mail (fails)

Without going into details, you need to check that the two above
use the same Postfix SMTP server address and port (25 or 587),
otherwise the comparison will not be valid.

Wietse

Viktor Dukhovni

Aug 22, 2014, 12:06:02 PM
On Fri, Aug 22, 2014 at 04:46:56PM +0200, Christian Rößner wrote:
> Hi,
>
> I hope my question is not off topic. I try to create a self signed certificate, which is signed by my own CA. I have created a pkcs12 file, which includes cert, key, and CA:

Is this an S/MIME email signing/encryption certificate? Or a TLS
client certificate? What is its purpose?

Do always post relevant details from the Postfix logs when reporting
Postfix problems.

> 1.) Thunderbird
>
> I imported the same p12 file in Thunderbird. Did a test mail and
> a dialog asked me to use the imported certificate. I chose yes and
> I could successfully send mail. On my test account I verified the
> headers and saw that the user was verified.

Was the certificate actually used to authenticate mail submission?
Likely Thunderbird just used a username/password as it would absent
said certificate. The message content was plausibly signed with
the certificate. Don't confuse sender certificates in S/MIME with
TLS client certificates in SMTP (STARTTLS).

Sure seems like your "verification" is an S/MIME signature check.

> 2.) Apple Mail
>
> I entered settings and selected my account. I clicked on the
> certificate selector and found my certificate. Under SMTP servers
> I chose "External (TLS-Certificate)". Trying to deliver a test mail
> with this application, I directly get an error that the remote mail
> server would not support TLS certificates.

So Apple Mail actually supports TLS client certs, while T'Bird is
just doing S/MIME.

> So now I wonder what is wrong.

Some confusion about PKI I think.

> Because Thunderbird is working, I guess there is not a configuration problem in Postfix, could it?

Likely, T'Bird is not "working", just not using your certificate
at all with SMTP. Otherwise, what Wietse said, perhaps you're
not connecting to the same SMTP service with the two MUAs.

> [ usr_cert ]
> basicConstraints=CA:FALSE
> nsCertType = client, email
> nsComment = "OpenSSL Generated Certificate"
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer

TLS client and S/MIME, though I would use "extendedKeyUsage" rather
than "nsCertType".

> postconf -c /etc/postfix-submission/ -n

A separate submission instance? Another reason to check the
destination IP/port of both MUAs.

> smtpd_tls_ask_ccert = yes

OK, this Postfix instance requests client certs.

> tls_ssl_options = no_ticket, no_compression

I would not disable session tickets, at least not in the Postfix
SMTP server, as of 2.10 (IIRC, and definitely in 2.11) session
tickets are managed correctly.

--
Viktor.

Christian Rößner

Aug 22, 2014, 1:16:39 PM
First of all thanks for the answers.

>> I hope my question is not off topic. I try to create a self signed certificate, which is signed by my own CA. I have created a pkcs12 file, which includes cert, key, and CA:
>
> Is this an S/MIME email signing/encryption certificate? Or a TLS
> client certificate? What is its purpose?

It is a client certificate and I want to send mail without password usage.

> Do always post relevant details from the Postfix logs when reporting
> Postfix problems.

Here is a log with Thunderbird:

Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from static-201-106.deltasurf.de[193.239.106.201]:36755
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:36755: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: 3hfps2157xzMl3J: client=static-201-106.deltasurf.de[193.239.106.201]:36755, sasl_method=PLAIN, sasl_username=de10000@srvint.net
Aug 22 19:00:54 mx0 postfix-submission/cleanup[29064]: 3hfps2157xzMl3J: message-id=<53F7773E...@roessner-network-solutions.com>

Connection is trusted.

Now logs from Apple Mail:

Aug 22 19:14:09 mx0 postfix-submission/smtpd[29522]: connect from static-201-106.deltasurf.de[193.239.106.201]:40001
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29524]: connect from static-201-106.deltasurf.de[193.239.106.201]:46337
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: connect from static-201-106.deltasurf.de[193.239.106.201]:47064
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:40001: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29524]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:46337: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:40001 ehlo=2 starttls=1 auth=1 quit=1
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29524]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:46337 ehlo=2 starttls=1 auth=1 quit=1
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:47064 ehlo=2 starttls=1 auth=1 quit=1
Aug 22 19:14:45 mx0 postfix-submission/smtpd[29522]: connect from static-201-106.deltasurf.de[193.239.106.201]:46282
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:46282: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: lost connection after EHLO from static-201-106.deltasurf.de[193.239.106.201]:46282
Aug 22 19:14:46 mx0 postfix-submission/smtpd[29522]: disconnect from static-201-106.deltasurf.de[193.239.106.201]:46282 ehlo=2 starttls=1

As you see, Apple Mail does have a different behavior.

>> 1.) Thunderbird
>>
>> I imported the same p12 file in Thunderbird. Did a test mail and
>> a dialog asked me to use the imported certificate. I chose yes and
>> I could successfully send mail. On my test account I verified the
>> headers and saw that the user was verified.
>
> Was the certificate actually used to authenticate mail submission?
> Likely Thunderbird just used a username/password as it would absent
> said certificate. The message content was plausibly signed with
> the certificate. Don't confuse sender certificates in S/MIME with
> TLS client certificates in SMTP (STARTTLS).

It uses the client certificate:

This is the header that comes from the T’bird test:

Received: from mx0.roessner-net.de (mail.roessner-net.de [193.239.107.42])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.roessner-net.de", Issuer "Thawte DV SSL CA" (verified OK))
by mx.deltaweb.de (Postfix) with ESMTPS id 3hfps3005jz1JCX
for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)
Received: from mail.roessner-net.de (mail.roessner-net.de [193.239.107.42])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.roessner-net.de", Issuer "Thawte DV SSL CA" (verified OK))
by mx0.roessner-net.de (Postfix) with ESMTPS id 3hfps25hBgzGpLH
for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)
Received: from MacBook-Pro.local (static-201-106.deltasurf.de [193.239.106.201])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Christian Roessner", Issuer "RNS-CA" (verified OK)) <—————————— See, it uses the certificate
(Authenticated sender: de1...@srvint.net)
by mail.roessner-net.de (Postfix) with ESMTPSA id 3hfps2157xzMl3J
for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)

> Sure seems like your "verification" is an S/MIME signature check.
>
>> 2.) Apple Mail
>>
>> I entered settings and selected my account. I clicked on the
>> certificate selector and found my certificate. Under SMTP servers
>> I chose "External (TLS-Certificate)". Trying to deliver a test mail
>> with this application, I directly get an error that the remote mail
>> server would not support TLS certificates.
>
> So Apple Mail actually supports TLS client certs, while T'Bird is
> just doing S/MIME.

T’Bird does S/MIME and client cert

>> So now I wonder what is wrong.
>
> Some confusion about PKI I think.
>
>> Because Thunderbird is working, I guess there is not a configuration problem in Postfix, could it?
>
> Likely, T'Bird is not "working", just not using your certificate
> at all with SMTP. Otherwise, what Wietse said, perhaps you're
> not connecting to the same SMTP service with the two MUAs.

Both MUAs use mail.roessner-net.de:587 TLS

>> [ usr_cert ]
>> basicConstraints=CA:FALSE
>> nsCertType = client, email
>> nsComment = "OpenSSL Generated Certificate"
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid,issuer
>
> TLS client and S/MIME, though I would use "extendedKeyUsage" rather
> than "nsCertType".

Ok, this is something, I can try.

>> postconf -c /etc/postfix-submission/ -n
>
> A separate submission instance? Another reason to check the
> destination IP/port of both MUAs.

It’s multi instance, yes. The reason is simple: I deploy mail systems that have separated border filter, mxin, mxout, submission and my server reflects the setups in multi instances. Patrick Ben Koetter helped me to split it into multi instances. And he also did a complete review of all my settings so chances are high that there might not be too much wrong here ;-)

>> smtpd_tls_ask_ccert = yes
>
> OK, this Postfix instance requests client certs.
>
>> tls_ssl_options = no_ticket, no_compression
>
> I would not disable session tickets, at least not in the Postfix
> SMTP server, as of 2.10 (IIRC, and definitely in 2.11) session
> tickets are managed correctly.

Thanks a lot for this. I will correct it.

-Christian Rößner

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

Viktor Dukhovni

Aug 22, 2014, 1:34:15 PM
On Fri, Aug 22, 2014 at 07:16:39PM +0200, Christian Rößner wrote:

> Here is a log with Thunderbird:
>
> Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from static-201-106.deltasurf.de[193.239.106.201]:36755
> Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:36755: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Postfix received a client certificate,

> Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: 3hfps2157xzMl3J: client=static-201-106.deltasurf.de[193.239.106.201]:36755, sasl_method=PLAIN, sasl_username=de1...@srvint.net

But then client MUA authenticated with SASL PLAIN anyway.

> Now logs from Apple Mail:
>
> Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:40001: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

No certificate sent, so Apple Mail is not configured to employ a
TLS client certificate, and may not support that feature.

> Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Your server SASL layer did not offer a SASL "EXTERNAL" mechanism,
and probably should not. I don't think Postfix supports this
anyway. IIRC you mentioned configuring Apple Mail for "EXTERNAL"
auth. That won't work.

> As you see, Apple Mail does have a different behavior.

Yep, it does not employ client certificates, at least not as
configured. Since the Postfix server requests a client certificate,
the issue is entirely on the client side.

> > Was the certificate actually used to authenticate mail submission?
> > Likely Thunderbird just used a username/password as it would absent
> > said certificate. The message content was plausibly signed with
> > the certificate. Don't confuse sender certificates in S/MIME with
> > TLS client certificates in SMTP (STARTTLS).
>
> It uses the client certificate:

And yet the client also uses SASL auth.

> Received: from MacBook-Pro.local (static-201-106.deltasurf.de [193.239.106.201])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
> (Client CN "Christian Roessner", Issuer "RNS-CA" (verified OK))
> (Authenticated sender: de1...@srvint.net)
> by mail.roessner-net.de (Postfix) with ESMTPSA id 3hfps2157xzMl3J
> for <c...@deltaweb.de>; Fri, 22 Aug 2014 19:00:54 +0200 (CEST)

Right, both client cert and SASL. Perhaps either is sufficient, if the
fingerprint is present in:

relay_clientcerts = ${mapidx}/relay_clientcerts

> > TLS client and S/MIME, though I would use "extendedKeyUsage" rather
> > than "nsCertType".
>
> Ok, this is something, I can try.

https://www.openssl.org/docs/apps/x509v3_config.html#Extended_Key_Usage_

extendedKeyUsage = clientAuth, emailProtection

> It's multi instance, yes. The reason is simple: I deploy mail
> systems that have separated border filter, mxin, mxout, submission
> and my server reflects the setups in multi instances. Patrick Ben
> Koetter helped me to split it into multi instances. And he also
> did a complete review of all my settings so chances are high that
> there might not be too much wrong here ;-)

The server configuration looks fine.

--
Viktor.
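
The distinction Viktor draws above (a "Trusted" TLS line means smtpd verified a client certificate, "Anonymous" means none was sent, and the "client=..., sasl_method=..." line shows whether SASL was used on top) is easy to miss when reading logs by hand. The following is an added example, not code from the thread or from Postfix: it correlates smtpd log lines per connection and reports which of the two credentials smtpd actually saw. `parse_smtpd_log`, `Session` and the sample lines (constructed after the ones quoted in the thread, with hosts and the SASL user replaced) are this example's own; "Untrusted" is Postfix's own wording for a certificate that was presented but could not be verified.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the smtpd lines quoted in the thread (hosts and SASL user replaced).
SAMPLE_LOG = """\
Aug 22 19:00:47 mx0 postfix-submission/smtpd[29056]: connect from host.example[192.0.2.10]:36755
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: Trusted TLS connection established from host.example[192.0.2.10]:36755: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:00:54 mx0 postfix-submission/smtpd[29056]: 3hfps2157xzMl3J: client=host.example[192.0.2.10]:36755, sasl_method=PLAIN, sasl_username=user@example.net
Aug 22 19:14:09 mx0 postfix-submission/smtpd[29522]: connect from host.example[192.0.2.10]:40001
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29522]: Anonymous TLS connection established from host.example[192.0.2.10]:40001: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \S+/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_RE = re.compile(r"^(?P<level>Trusted|Untrusted|Anonymous) TLS connection established "
                    r"from (?P<peer>\S+?): (?P<proto>\S+) with cipher")
CLIENT_RE = re.compile(r"^\w+: client=(?P<rest>.*)$")   # logged at MAIL FROM, carries sasl_* fields

@dataclass
class Session:
    peer: str
    tls: str = "none"      # none | Anonymous (no cert) | Untrusted (cert, not verified) | Trusted (verified)
    sasl_method: str = ""  # empty when the client never authenticated with SASL

    def verdict(self) -> str:
        """What smtpd actually had available to authorise this submission."""
        if self.tls == "Trusted" and self.sasl_method:
            return "verified client cert AND SASL"
        if self.tls == "Trusted":
            return "verified client cert only: relay depends on relay_clientcerts"
        if self.sasl_method:
            return "SASL only: no verified client cert"
        return "no verified cert, no SASL: nothing authorises relay"

def parse_smtpd_log(text: str) -> list[Session]:
    """Correlate smtpd lines by (pid, peer:port) into one record per connection."""
    sessions: dict[tuple[str, str], Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            peer = msg[len("connect from "):]
            sessions[(pid, peer)] = Session(peer)
        elif (t := TLS_RE.match(msg)) and (pid, t["peer"]) in sessions:
            sessions[(pid, t["peer"])].tls = t["level"]
        elif c := CLIENT_RE.match(msg):
            peer, *kvs = c["rest"].split(", ")
            if (pid, peer) in sessions:
                fields = dict(f.split("=", 1) for f in kvs)
                sessions[(pid, peer)].sasl_method = fields.get("sasl_method", "")
    return list(sessions.values())   # insertion order == connect order
```

Run against the sample, the Thunderbird-style session comes out as "verified client cert AND SASL" and the Apple Mail-style one as "no verified cert, no SASL", which is exactly the asymmetry discussed in this thread.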

Bill Cole

Aug 22, 2014, 6:28:43 PM
On 22 Aug 2014, at 14:16, Christian Rößner wrote:

>>> Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS
>>> connection established from
>>> static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1 with
>>> cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>>
>> Your server SASL layer did not offer a SASL "EXTERNAL" mechanism,
>> and probably should not. I don't think Postfix supports this
>> anyway. IIRC you mentioned configuring Apple Mail for "EXTERNAL"
>> auth. That won't work.
>
> I guess it is not SASL/EXTERNAL. The dialog says: Extern (TLS
> Clientzertifikat)
>
> I don’t know why they call it „extern“
>
>>> As you see, Apple Mail does have a different behavior.
>>
>> Yep, it does not employ client certificates, at least not as
>> configured. Since the Postfix server requests a client certificate,
>> the issue is entirely on the client side.
>
> Yes, I agree. I have done several certificates now and none work. And
> as I have no idea where to find further information, how the
> certificate must have been created to work with Apple Mail, I give up
> right now.

I hope you have not entirely given up, because I believe there is a fix,
although I'm only able to describe how to find it in the US English
version of Mail. I hope this provides adequate clues.

Apple Mail hides the right place to set a certificate that it should use
for *connection* to a server (TLS over TCP) and prominently offers a
place to set a certificate that is used for *authentication* inside
application-layer protocols (SMTP, IMAP, POP3) which would use the SASL
EXTERNAL mechanism. Postfix seems to offer no support for SASL EXTERNAL,
but the Postfix TLS_README does explain what seems to be a way to permit
submission and relay based on TLS use of a set of trusted certificates,
WITHOUT using SASL authentication at all. I've not done that myself so I
can only point you to that doc and hope you can work it out.

The log line cited above shows that Apple Mail is using no client
certificate to set up TLS. To make it do so, you need to use the
Preferences->Accounts screen inside Mail (NOT the global "Internet
Accounts" panel in System Preferences). There you have an "Account
Information" tab, with a pull-down menu for the "Outgoing Mail
Server(SMTP)". The last entry in that menu is "Edit SMTP Server List",
which is where SMTP connection and authentication details are hidden.
That will open a panel with a list of your configured SMTP servers in
the top section. Selecting the one you're trying to fix will show you
tabs for "Account Information" and "Advanced" in the bottom section. In
"Account Information" you can use the "TLS Certificate" pull-down to
select your personal certificate. You also will need to switch to the
"Advanced" tab to switch "Authentication" from "External (TLS Client
Certificate)" to "None" (if you have Postfix configured to permit use
based on the TLS certificate) or "Password" (if you want to ALSO use the
SASL authentication that you appear to have working with TBird). One
good feature of Mail is that you can use "Window->Connection Doctor" to
perform a test of all connection settings and log the details for
analysis if need be.


find...@gmail.com

May 3, 2016, 10:47:35 PM
Bill, thank you. This was the solution I was looking for. Specify TLS Client Certificate and set authentication to none in Mail app. Postfix logs confirm that TLS client auth succeeds and relaying is permitted based on certificate auth.

Cheers!