
TLS - Certificate not Trusted


Dennis Putnam

Jan 11, 2010, 11:04:05 AM
I'm just getting started with version 2.5.5 and TLS is different than in my previous version. I have everything working except some email will not go out because of the error "delivery temporarily suspended: Server certificate not trusted." What parameter do I have wrong that requires trusted certificates? I want to enforce TLS but I don't care what certificate the receiver uses. Thanks.

Dennis Putnam
Sr. IT Systems Administrator

AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Main Phone: 678-297-0700
The information contained in this e-mail and any attachments is strictly confidential. If you are not the intended recipient, any use, dissemination, distribution, or duplication of any part of this e-mail or any attachment is prohibited. If you are not the intended recipient, please notify the sender by return e-mail and delete all copies, including the attachments.



Dennis Putnam

Jan 11, 2010, 11:27:51 AM
Hi Chris,

Thanks for the reply. Please see embedded comments.

On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:

On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
I want to enforce TLS but I don't care what certificate the receiver
uses. Thanks.
Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
setting the
smtp_tls_security_level = encrypt
should usually do what you mean, enforce TLS with the remote SMTP
server, but accept untrusted certs or even those with a wrong name.

I don't get to choose, I just have to do it. How these parameters work is still a little confusing to me. I have smtpd and smtp security levels set to 'may.' What I am trying to do is set up opportunistic TLS except for specific hosts that I need to enforce (smtp_tls_per_site). What I noticed is that this one site was using Thawte as the signing authority. I tried adding their root certificate to my config and now the error has changed to a warning about an untrusted TLS connection, but the mail seems to be moving now. Did I stumble onto a fix or am I still missing something?



The information contained in this e-mail and any attachments is
strictly confidential. If you are not the intended recipient, any use,
dissemination, distribution, or duplication of any part of this e-mail
or any attachment is prohibited. If you are not the intended
recipient, please notify the sender by return e-mail and delete all
copies, including the attachments.
There is (at least in most countries) no legal ground for so called
"disclaimers".... and they're quite stupid and annoying when sending
them to public mailing lists.

I am quite familiar with the arguments but again it is not my choice. If you want, I can give you the number of our corporate lawyers and you can try to convince them. Perhaps you will have better luck than me. :-)




Cheers,
Chris.

Dennis Putnam

Jan 11, 2010, 11:38:00 AM
Upon further investigation, apparently mail is not moving. There seems to be 2 domains associated with this site but I was only asked to enforce TLS on one of them. That is why it appeared to be working. Getting back to Chris' comments, I think setting the security level to 'encrypt' forces everything to be TLS and that will not work. I need it to work as I previously described.

Noah Sheppard

Jan 11, 2010, 11:53:35 AM
> >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> >>> I want to enforce TLS but I don't care what certificate the receiver
> >>> uses. Thanks.
> >> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> >> [..]

Why is TLS w/ SMTP a bad idea?

--
Noah Sheppard
Assistant Computer Resource Manager
Taylor University CSE Department
nshe...@cse.taylor.edu

/dev/rob0

Jan 11, 2010, 12:02:38 PM
On Mon, Jan 11, 2010 at 11:53:35AM -0500, Noah Sheppard wrote:
[attribution to Chris is missing]

> > >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> > >>> I want to enforce TLS but I don't care what certificate the
> > >>> receiver uses. Thanks.
> > >> Apart from the fact that enforcing TLS with SMTP is usually a
> > >> bad idea, [..]
>
> Why is TLS w/ SMTP a bad idea?

TLS with SMTP is a fine idea.

*Enforcing* TLS with SMTP is usually a bad idea. Many sites might not
support it, and if you require TLS, you cannot get their mail nor
send to them.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

Noel Jones

Jan 11, 2010, 12:02:24 PM
On 1/11/2010 10:38 AM, Dennis Putnam wrote:
> Upon further investigation, apparently mail is not moving. There seems
> to be 2 domains associated with this site but I was only asked to
> enforce TLS on one of them. That is why it appeared to be working.
> Getting back to Chris' comments, I think setting the security level to
> 'encrypt' forces everything to be TLS and that will not work. I need it
> to work as I previously described.

Postfix client TLS settings are described in
http://www.postfix.org/TLS_README.html#client_tls

For a general-purpose MTA the main.cf setting should be "none"
or "may". To force encryption for a specific recipient
domain, see
http://www.postfix.org/TLS_README.html#client_tls_policy

If your mail is deferred due to certificate errors, this
implies you're using a security level above "encrypt". Don't
do that unless you have the proper root certificates installed.


If you need more help, please refer to
http://www.postfix.org/DEBUG_README.html#mail
and show us your "postconf -n" output, any related policy map
contents, and related logging.

-- Noel Jones

Dennis Putnam

Jan 11, 2010, 12:16:59 PM
Hi Noel,

Thanks. I think you pointed me in the right direction. Am I correct that the per_site table is different under 2.5.5 than pre 2.3? I had trouble getting that to work on the old server so I didn't change it for the migration. What I have is:

.somedomain.com MUST

I think it now can be a hash and should look like:

[somedomain.com] encrypt

Is that correct? I'm guessing the old 'MUST' is being interpreted as 'secure' in this version.

Noel Jones

Jan 11, 2010, 12:36:42 PM
On 1/11/2010 11:16 AM, Dennis Putnam wrote:
> Hi Noel,
>
> Thanks. I thing you pointed me in the right direction. Am I correct that
> the per_site table is different under 2.5.5 than pre 2.3? I had trouble
> getting that to work on the old server so I didn't change it for the
> migration. What I have is:
>
> .somedomain.com MUST
>
> I think it now can be a hash and should look like:
>
> [somedomain.com] encrypt

>
> Is that correct? I guessing the old 'MUST' is being interpreted as
> 'secure' in this version.


According to the example in
http://www.postfix.org/TLS_README.html#client_tls_policy
the policy table should contain

somedomain.tld encrypt

To include subdomains of somedomain.tld also include
.somedomain.tld encrypt

-- Noel Jones

Victor Duchovni

Jan 11, 2010, 2:08:17 PM
On Mon, Jan 11, 2010 at 11:36:42AM -0600, Noel Jones wrote:

> According to the example in
> http://www.postfix.org/TLS_README.html#client_tls_policy
> the policy table should contain
>
> somedomain.tld encrypt
>
> To include subdomains of somedomain.tld also include
>
> .somedomain.tld encrypt

And only when one's transport table or relayhost specifies a
nexthop of the form:

[gateway.example.com]

does the TLS policy table need an entry of the same form:

[gateway.example.com] encrypt|secure|fingerprint ...

For "[gateway]" nexthops there is no real difference between "secure"
and "verify", both test for the same nexthop address, unless "match"
values are specified explicitly.

In retrospect, it was an interface design error to provide both levels;
just one would have been enough, with backwards compatibility for
tls_per_site provided via different "match" values for "verify", not a
different security level. Both verify certificates using a slightly
different default set of match values. :-( The "damage" is fairly minor...

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majo...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
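The two posts above (Noel's table example with "somedomain.tld" and ".somedomain.tld" keys, and Viktor's note that a "[gateway.example.com]" key is only consulted when the nexthop itself is written in bracketed form) describe how a smtp_tls_policy_maps lookup picks a level for a destination. The following is an added example, not Postfix code and not from anyone on the thread: a small Python resolver that parses a constructed policy table in the plain-text format "postmap hash:..." compiles, and applies the lookup order the thread describes (exact domain, then parent domains with a leading dot; bracketed nexthops only under their bracketed key), falling back to the main.cf default of "may". The table contents, the "partner.example" entry and the exact lookup order are assumptions made for illustration; ports ("[host]:port") are not modelled.

```python
"""Resolve the smtp_tls_security_level a Postfix-style TLS policy table
would apply to a given next-hop destination.

Added example modelled on the lookup rules described in the thread; it is
not Postfix's own code.  Assumed main.cf context:

    smtp_tls_security_level = may
    smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
"""
from __future__ import annotations

# Constructed policy table (source text of the hash: map).  Keys are the
# nexthop destination; a leading dot matches subdomains; a bracketed key
# matches only a nexthop written as "[host]" in transport/relayhost.
TLS_POLICY_SOURCE = """
# key                    level     [attr=value ...]
somedomain.tld           encrypt
.somedomain.tld          encrypt
[gateway.example.com]    secure    match=gateway.example.com
partner.example          verify
"""

DEFAULT_LEVEL = "may"   # opportunistic TLS from main.cf (assumed)


def parse_policy(text: str) -> dict[str, tuple[str, dict[str, str]]]:
    """Parse 'key level [attr=value ...]' lines; '#' starts a comment."""
    table: dict[str, tuple[str, dict[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, level, attrs = fields[0].lower(), fields[1], fields[2:]
        options: dict[str, str] = {}
        for attr in attrs:
            name, _, value = attr.partition("=")
            options[name] = value
        table[key] = (level, options)
    return table


def lookup_keys(nexthop: str) -> list[str]:
    """Keys to try, in order, for one next-hop destination.

    Assumption (per the thread): "[host]" nexthops are looked up only under
    the bracketed key; a plain domain tries the exact name, then each parent
    domain prefixed with a dot (".somedomain.tld", ".tld").
    """
    nexthop = nexthop.lower()
    if nexthop.startswith("["):
        return [nexthop]
    labels = nexthop.split(".")
    keys = [nexthop]
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    return keys


def resolve(nexthop: str,
            table: dict[str, tuple[str, dict[str, str]]],
            default: str = DEFAULT_LEVEL) -> tuple[str, dict[str, str], str | None]:
    """Return (level, options, matched_key); matched_key is None on fallback."""
    for key in lookup_keys(nexthop):
        if key in table:
            level, options = table[key]
            return level, options, key
    return default, {}, None


POLICY = parse_policy(TLS_POLICY_SOURCE)

if __name__ == "__main__":
    for dest in ("somedomain.tld", "mx.somedomain.tld",
                 "gateway.example.com", "[gateway.example.com]", "other.example"):
        level, opts, key = resolve(dest, POLICY)
        print(f"{dest:26} -> {level:8} via {key or '(default)'} {opts or ''}")
```

Running it shows the pitfall from Dennis's original guess: "gateway.example.com" written as a bare domain falls through to "may", because the only entry for it is the bracketed form, which is consulted only when the transport or relayhost nexthop is "[gateway.example.com]". Note also that "encrypt" entries carry no certificate requirement, while the "secure" entry is what would produce "Server certificate not trusted" if the CA is not in the client's trust store.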

LuKreme

Jan 11, 2010, 2:13:09 PM
On 11-Jan-2010, at 09:27, Dennis Putnam wrote:
> I am quite familiar with the arguments but again it is not my choice. If you want, I can give you the number of our corporate lawyers and you can try to convince them. Perhaps you will have better luck than me. :-)


I will be happy to email them daily links to publicly accessible web pages containing emails sent from that domain to a mailing list with that 'disclaimer' attached.

I will use, disseminate, distribute, and republish any post with a disclaimer on it as a matter of course.

--
INDIAN BURNS ARE NOT OUR CULTURAL HERITAGE
Bart chalkboard Ep. 3F05
