Client cert based relaying setup not working


Client cert based relaying setup not working

Adam Cecile
Hello,


Here is my submission definition on *server* master.cf:

submission inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
#    -o smtpd_tls_fingerprint_digest=sha1
#    -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
#    -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
     -o content_filter=dkimproxy:[127.0.0.1]:10028

That I turned into:

submission inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_tls_fingerprint_digest=sha1
     -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
     -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
     -o content_filter=dkimproxy:[127.0.0.1]:10028


File /etc/postfix/relay_clientcerts contains the client certificate
retrieved by running: openssl x509 -fingerprint -sha1 -in
/etc/ssl/certs/ssl-cert-snakeoil.pem, then a space, then the client hostname.


On the *client*, main.cf contains the following:

smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtp_use_tls = yes
relayhost = [server.hostname.com]:587


But when I send an email, server says:

postfix/submission/smtpd[569]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 <unknown[1.2.3.4]>: Client host rejected: Access denied....


Can someone give me a hint to get this working?


Thanks in advance,

Regards, Adam.


Re: Client cert based relaying setup not working

Viktor Dukhovni
On Tue, Mar 10, 2020 at 03:33:44PM +0100, Adam Cecile wrote:

> submission inet  n       -       y       -       -       smtpd
>      -o syslog_name=postfix/submission
>      -o smtpd_tls_security_level=encrypt
>      -o smtpd_sasl_auth_enable=yes
>      -o smtpd_tls_fingerprint_digest=sha1
>      -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
>      -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
>      -o milter_macro_daemon_name=ORIGINATING
>      -o content_filter=dkimproxy:[127.0.0.1]:10028

I don't see "-o smtpd_tls_ask_ccert=yes" in there...

--
    Viktor.
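As an added example, not code from the thread, from Postfix, or from either poster: a small Python lint that reproduces the check Viktor made by eye. It parses a master.cf service stanza (plain `-o name=value` lines only; inheritance from main.cf is approximated by an optional dict, and the `{ }` value syntax of Postfix 3 is not handled) and reports any of the certificate-based restrictions (permit_tls_clientcerts, permit_tls_all_clientcerts, check_ccert_access) being used while smtpd_tls_ask_ccert is not `yes`, in which case the server never requests a certificate and the restriction can never match. It also checks a relay_clientcerts table against the configured smtpd_tls_fingerprint_digest. The stanza is the one from the original post; the table is constructed for this example and the fingerprint in it is made up.

```python
"""Added example for this thread (not Postfix code): lint a master.cf
submission service for the pitfall in the original post, a ccert-based
restriction with smtpd_tls_ask_ccert left at its default of 'no'."""
import re

# Fingerprint digest -> number of bytes in the colon-separated hex key.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32, "sha512": 64}
# smtpd restrictions that are inert unless the client was asked for a cert.
CCERT_RESTRICTIONS = {"permit_tls_clientcerts", "permit_tls_all_clientcerts",
                      "check_ccert_access"}
# relay_clientcerts keys are hex bytes separated by colons.
FPR_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")

# The stanza from the original post (wrapped lines re-joined).
OP_STANZA = """\
submission inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_tls_fingerprint_digest=sha1
     -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
     -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
     -o content_filter=dkimproxy:[127.0.0.1]:10028
"""
# The same stanza plus the line Viktor pointed out.
FIXED_STANZA = OP_STANZA + "     -o smtpd_tls_ask_ccert=yes\n"
# Constructed table: made-up fingerprint; line 3 is the openssl output line
# pasted unedited, which Postfix would never match.
SAMPLE_TABLE = """\
# constructed example, not a real certificate fingerprint
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67 client.example.com
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67 pasted
"""


def parse_master_stanza(text):
    """Return {name: value} from the '-o name=value' lines; later overrides win."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-o "):
            name, _, value = line[3:].partition("=")
            opts[name.strip()] = value.strip()
    return opts


def lint_submission(overrides, main_cf=None):
    """Return findings (empty = clean); main_cf stands in for inherited settings."""
    main_cf = main_cf or {}

    def get(name, default=""):
        return overrides.get(name, main_cf.get(name, default))

    used = set()
    for stage in ("client", "helo", "sender", "recipient", "relay"):
        for item in get(f"smtpd_{stage}_restrictions").split(","):
            name = item.strip().split(":")[0]  # drop a table spec after ':'
            if name in CCERT_RESTRICTIONS:
                used.add(name)
    findings = []
    if used and get("smtpd_tls_ask_ccert", "no").lower() != "yes":
        findings.append(f"{', '.join(sorted(used))} used but smtpd_tls_ask_ccert is "
                        "not 'yes': the client is never asked for a certificate")
    if "permit_tls_clientcerts" in used and not get("relay_clientcerts"):
        findings.append("permit_tls_clientcerts used but relay_clientcerts is empty")
    return findings


def check_relay_clientcerts(table_text, digest):
    """Validate relay_clientcerts keys against smtpd_tls_fingerprint_digest."""
    expected = DIGEST_BYTES.get(digest.lower())
    if expected is None:
        return [f"unknown fingerprint digest {digest!r}"]
    findings = []
    for lineno, raw in enumerate(table_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(None, 1)[0]
        if not FPR_RE.match(key):
            hint = (" (unedited openssl output? keep only the hex)"
                    if "fingerprint=" in line.lower() else "")
            findings.append(f"line {lineno}: key {key!r} is not colon-separated hex{hint}")
        elif key.count(":") + 1 != expected:
            findings.append(f"line {lineno}: {key.count(':') + 1}-byte key does not match "
                            f"smtpd_tls_fingerprint_digest={digest} ({expected} bytes)")
    return findings


if __name__ == "__main__":
    for label, stanza in (("as posted", OP_STANZA), ("with ask_ccert", FIXED_STANZA)):
        print(f"{label}: {lint_submission(parse_master_stanza(stanza)) or 'OK'}")
    digest = parse_master_stanza(OP_STANZA)["smtpd_tls_fingerprint_digest"]
    for finding in check_relay_clientcerts(SAMPLE_TABLE, digest):
        print(finding)
```

Running the file lints the posted stanza, then the same stanza with smtpd_tls_ask_ccert=yes, then the sample table against the sha1 digest the post configured. Two practical points the table check encodes: the key must be the bare colon-separated hex, while `openssl x509 -noout -fingerprint -sha1` prints it behind a `SHA1 Fingerprint=` prefix that has to be stripped; and the digest used to build the table must agree with smtpd_tls_fingerprint_digest (the post pins sha1; Postfix 3.6 and later default to sha256 at compatibility level 3.6 and up, so a table built under one default silently stops matching if the other changes). Note also that permit_tls_clientcerts matches on the fingerprint alone and does not require the client certificate to chain to a CA in smtpd_tls_CAfile, whereas permit_tls_all_clientcerts does.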

Re: Client cert based relaying setup not working

Adam Cecile

On 3/10/20 10:33 PM, Viktor Dukhovni wrote:

> On Tue, Mar 10, 2020 at 03:33:44PM +0100, Adam Cecile wrote:
>
>> submission inet  n       -       y       -       -       smtpd
>>       -o syslog_name=postfix/submission
>>       -o smtpd_tls_security_level=encrypt
>>       -o smtpd_sasl_auth_enable=yes
>>       -o smtpd_tls_fingerprint_digest=sha1
>>       -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
>>       -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
>>       -o milter_macro_daemon_name=ORIGINATING
>>       -o content_filter=dkimproxy:[127.0.0.1]:10028
> I don't see "-o smtpd_tls_ask_ccert=yes" in there...
>
Thanks a lot, that was it!

I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
have been helpful.


Regards, Adam.


Re: Client cert based relaying setup not working

Viktor Dukhovni
On Wed, Mar 11, 2020 at 10:49:32AM +0100, Adam Cecile wrote:

> On 3/10/20 10:33 PM, Viktor Dukhovni wrote:
> > On Tue, Mar 10, 2020 at 03:33:44PM +0100, Adam Cecile wrote:
> >
> >> submission inet  n       -       y       -       -       smtpd
> >>       -o syslog_name=postfix/submission
> >>       -o smtpd_tls_security_level=encrypt
> >>       -o smtpd_sasl_auth_enable=yes
> >>       -o smtpd_tls_fingerprint_digest=sha1
> >>       -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
> >>       -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
> >>       -o milter_macro_daemon_name=ORIGINATING
> >>       -o content_filter=dkimproxy:[127.0.0.1]:10028
> > I don't see "-o smtpd_tls_ask_ccert=yes" in there...
> >
> Thanks a lot, that was it !

No worries, glad it solved your problem.  [ No need to separately reply
also to my address, I did not set "Reply-To" to the list address by
accident, but please don't follow up on this side remark. ]

> I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
> here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
> have been helpful.

Feel free to post a patch.  The relevant source file is
"proto/postconf.proto", from which both the HTML and the manpage are
machine-generated.  You can find the source at either:

    http://www.postfix.org/download.html

or clone it via git from:

    https://github.com/vdukhovni/postfix

In that repository all the upstream files are in an additional top-level
"postfix" sub-directory, so the file in question is in
postfix/proto/postconf.proto.

That repository is not the dev upstream version of Postfix, rather it is
mostly a convenient place for me to keep track of all the upstream
snapshots.  So it is not monitored for issues or pull requests.  Small
changes to Postfix can be proposed on this list, and larger features
that may require more extensive discussion on postfix-devel.

--
    Viktor.

Re: Client cert based relaying setup not working

Wietse Venema
Viktor Dukhovni:

> > I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
> > here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
> > have been helpful.
>
> Feel free to post a patch.  The relevant source file is
> "proto/postconf.proto", from which both the HTML and the manpage are
> machine-generated.  You can find the source at either:
>
>     http://www.postfix.org/download.html
>
> or clone it via git from:
>
>     https://github.com/vdukhovni/postfix
>
> In that repository all the upstream files are in an additional top-level
> "postfix" sub-directory, so the file in question is in
> postfix/proto/postconf.proto.

I added a warning to the check_ccert_access implementation, when
there is no client certificate, and tlsproxy_tls_ask_ccert is
disabled.

Also added a hint to the check_ccert_access documentation.

        Wietse

Re: Client cert based relaying setup not working

Viktor Dukhovni
On Wed, Mar 11, 2020 at 10:46:03AM -0400, Wietse Venema wrote:

> > > I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
> > > here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
> > > have been helpful.
> >
> > Feel free to post a patch.  The relevant source file is
> > "proto/postconf.proto", from which both the HTML and the manpage are
> > machine-generated.  You can find the source at either:
> >
> >     http://www.postfix.org/download.html
> >
> > or clone it via git from:
> >
> >     https://github.com/vdukhovni/postfix
> >
> > In that repository all the upstream files are in an additional top-level
> > "postfix" sub-directory, so the file in question is in
> > postfix/proto/postconf.proto.
>
> I added a warning to the check_ccert_access implementation, when
> there is no client certificate, and tlsproxy_tls_ask_ccert is
> disabled.
>
> Also added a hint to the check_ccert_access documentation.

I assume that also covers permit_tls_clientcerts, used by the OP,
and even "permit_tls_all_clientcerts".

--
    Viktor.

Re: Client cert based relaying setup not working

Adam Cecile
On 3/11/20 3:59 PM, Viktor Dukhovni wrote:

> On Wed, Mar 11, 2020 at 10:46:03AM -0400, Wietse Venema wrote:
>
>>>> I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
>>>> here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
>>>> have been helpful.
>>> Feel free to post a patch.  The relevant source file is
>>> "proto/postconf.proto", from which both the HTML and the manpage are
>>> machine-generated.  You can find the source at either:
>>>
>>>      http://www.postfix.org/download.html
>>>
>>> or clone it via git from:
>>>
>>>      https://github.com/vdukhovni/postfix
>>>
>>> In that repository all the upstream files are in an additional top-level
>>> "postfix" sub-directory, so the file in question is in
>>> postfix/proto/postconf.proto.
>> I added a warning to the check_ccert_access implementation, when
>> there is no client certificate, and tlsproxy_tls_ask_ccert is
>> disabled.
>>
>> Also added a hint to the check_ccert_access documentation.
> I assume that also covers permit_tls_clientcerts, used by the OP,
> and even "permit_tls_all_clientcerts".
>
Thanks a lot, hopefully nobody else is going to ask the same question
anymore.