Questions concerning TLS


Questions concerning TLS

Darrell A. Sullivan, II
I am trying to implement TLS on our server for a client requirement. I
believe I have the TLS settings correct, but I am not certain about what I
am seeing in the logs and I am uncertain as to how to know if a message was
delivered using TLS.

Is there anything in the message headers that would indicate that it was
delivered using TLS?

I have the below log entries on some outgoing messages. I am certain that
the first one is a failure since the group's server is set up with the entry
"somecomp.com  MUST_NOPEERMATCH" in tls_per_site and consequently the
message is not delivered when TLS fails. Is this because they have a
self-signed certificate and we do not have the CA certificate for their
root?

In the second set of log entries, I am not certain if the message is
delivered over the TLS connection or not. Is there some entry I can search
my logs for to find out if any messages are being successfully transmitted
over TLS?



----------------------
Known Failure
----------------------
Aug 22 13:11:43 mail postfix/smtp[7593]: starting TLS engine
Aug 22 13:11:44 mail postfix/smtp[7593]: setting up TLS connection to mail.somecomp.com
Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:before/connect initialization
Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:SSLv2/v3 write client hello A
Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:error in SSLv2/v3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate A
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer cert verify depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=thistle.somecomp.com/emailAddress=[hidden email]
Aug 22 13:11:45 mail postfix/smtp[7593]: verify error:num=18:self signed certificate
Aug 22 13:11:45 mail postfix/smtp[7593]: verify return:0
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer cert verify depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=thistle.somecomp.com/emailAddress=[hidden email]
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer verification: CommonName in certificate does not match: thistle.somecomp.com != mail.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: verify return:1
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server certificate A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate request A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate request A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server done A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write client key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write change cipher spec A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write finished A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 flush data
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read finished A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read finished A
Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be verified
Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<[hidden email]>, relay=mail.somecomp.com[xxx.yyy.zzz.aaa], delay=2, status=deferred (TLS-failure: Could not verify certificate)

----------------------
Did this work or not?
----------------------
Aug 21 22:16:22 mail postfix/smtp[28731]: starting TLS engine
Aug 21 22:16:28 mail postfix/smtp[28731]: setting up TLS connection to mail.somecomp2.com
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:before/connect initialization
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv2/v3 write client hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv2/v3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate A
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=1 /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: verify error:num=19:self signed certificate in certificate chain
Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:0
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=1 /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:1
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=0 /C=US/ST=South Carolina/L=Charleston/O=somecomp2 Communications, Inc./CN=mail.somecomp2.com/emailAddress=[hidden email]
Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:1
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server certificate A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate request A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate request A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server certificate request A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server done A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write client certificate A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write client key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write certificate verify A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write change cipher spec A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write finished A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 flush data
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read finished A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read finished A
Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be verified
Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<[hidden email]>, relay=mail.somecomp2.com[xxx.yyy.zzz.aaa], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)


Re: Questions concerning TLS

Noel Jones-2
Darrell A. Sullivan, II wrote:
> I am trying to implement TLS on our server for a client requirement. I
> believe I have the TLS settings correct, but I am not certain about what I
> am seeing in the logs and I am uncertain as to how to know if a message was
> delivered using TLS.
>
> Is there anything in the message headers that would indicate that it was
> delivered using TLS?

The receiving system may indicate in a header if the message
was received via TLS, but there is no requirement to do so.
Some mailers follow RFC3848 or add a comment to indicate use
of TLS in the Received header.

When *sending* mail, postfix does not add anything to the
message indicating use of TLS, and it's unclear how postfix
might be able to indicate this in a header.

When *receiving* mail, you can request postfix add TLS
information to the Received header by setting
"smtpd_tls_received_header = yes"
Version 2.5 and newer postfix also add RFC3848 support,
indicating "with ESMTPS" in the Received header if TLS is used.

>
> I have the below log entries on some outgoing messages. I am certain that
> the first one is a failure since the group's server is setup with the entry
> "somecomp.com  MUST_NOPEERMATCH" is specified in tls_per_site and
> consequently the message is not delivered when TLS fails. Is this because
> they have a self signed certificate and we do not have the CA certificate
> for their root?

Are you still using postfix 2.2?  I hope not; TLS support was
significantly improved in postfix 2.3, and again in 2.4, with
further refinements in 2.5.

If you're using postfix 2.3 or later, use the newer and more
flexible smtp_tls_policy_maps parameter instead.

>
> In the second set of log entries, I am not certain if the message is
> delivered over the TLS connection or not. Is there some entry I can search
> my logs for to find out if any messages are being successfully transmitted
> over TLS?
>
>

TLS logging is hard to read at a high log level.  I would
suggest starting with
smtp_tls_loglevel = 1
And only increase if you need further debugging information.

>
> ----------------------
> Known Failure
> ----------------------
> Aug 22 13:11:45 mail postfix/smtp[7593]: Peer verification: CommonName in certificate does not match: thistle.somecomp.com != mail.somecomp.com

OK, looks like the hostname doesn't match what is in the
certificate.  Postfix contacted "mail.somecomp.com" but the
name in the certificate is "thistle.somecomp.com".

> Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com

I think the mismatched name is the reason this certificate
could not be verified.

> Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

TLS is established.

> Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be verified
> Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<[hidden email]>, relay=mail.somecomp.com[xxx.yyy.zzz.aaa], delay=2, status=deferred (TLS-failure: Could not verify certificate)

You told postfix to fail if it couldn't verify the
certificate, so it failed.  This looks as if you've specified
MUST in your tls_per_site table.

Using the newer smtp_tls_policy_maps, you probably want to
specify a level of "encrypt", or you may want to use "secure
match=thistle.somecomp.com"


> ----------------------
> Did this work or not?
> ----------------------
> /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
> Aug 21 22:16:28 mail postfix/smtp[28731]: verify error:num=19:self signed certificate in certificate chain

They use a self-signed certificate.  Generally self-signed
certificates are fine for mail unless you need to verify the
client identity.

> Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
> Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be verified

TLS is established.  Postfix can't verify /who/ it's talking
to, but it's encrypted.

> Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<[hidden email]>, relay=mail.somecomp2.com[xxx.yyy.zzz.aaa], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)

Mail is sent over the established TLS channel.


--
Noel Jones
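The "is there some entry I can search my logs for" question has a mechanical answer: the smtp(8) client logs "TLS connection established to HOST: PROTO with cipher ..." from the same process (same [pid]) shortly before the "QUEUEID: to=<...>, relay=HOST[...], status=..." line for that delivery, so the two can be correlated on pid plus relay host. The following is an added example, not code from the thread or from Postfix, that does that correlation over constructed log lines modelled on the two exchanges above (the addresses and IPs are placeholders). It also accepts the later Postfix format, which prefixes a trust level (Anonymous/Untrusted/Trusted/Verified) and logs HOST[ADDR]:PORT; that generalisation is the editor's, not something shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (one record per line), modelled on the thread's two
# exchanges plus one cleartext delivery for contrast.  Not real traffic.
SAMPLE_LOG = """\
Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be verified
Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<user@somecomp2.com>, relay=mail.somecomp2.com[192.0.2.20], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)
Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be verified
Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<user@somecomp.com>, relay=mail.somecomp.com[192.0.2.10], delay=2, status=deferred (TLS-failure: Could not verify certificate)
Aug 22 13:12:01 mail postfix/smtp[30012]: 1A2B3C4D5E6: to=<user@example.net>, relay=mx.example.net[192.0.2.30], delay=1, status=sent (250 OK)
"""

_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtp\[(?P<pid>\d+)\]: "

# Postfix 2.2 logs "TLS connection established to HOST: PROTO with cipher C";
# later releases prefix a trust level and log HOST[ADDR]:PORT.  Accept both.
TLS_RE = re.compile(
    _PREFIX
    + r"(?:(?P<trust>Anonymous|Untrusted|Trusted|Verified) )?TLS connection established to "
    + r"(?P<host>[^\s\[:]+)(?:\[[^\]]*\])?(?::\d+)?: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# The 2.2-era message really is spelled "certficate" in the thread's logs; match either spelling.
UNVERIFIED_RE = re.compile(_PREFIX + r"Peer cert(?:ificate|ficate) could not be verified")
DELIVERY_RE = re.compile(
    _PREFIX
    + r"(?P<qid>[0-9A-Fa-f]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,\[]+)"
    + r"(?:\[[^\]]*\])?(?::\d+)?, .*\bstatus=(?P<status>\w+) \((?P<detail>.*)\)$"
)


@dataclass
class Delivery:
    qid: str
    rcpt: str
    relay: str
    status: str
    detail: str
    tls: bool                              # delivery went over an established TLS session
    proto: Optional[str] = None
    cipher: Optional[str] = None
    trust: Optional[str] = None            # trust-level prefix from newer Postfix, if logged
    peer_verified: Optional[bool] = None   # False if Postfix said it could not verify; None if not logged


def scan(log_text: str) -> List[Delivery]:
    """Correlate TLS-session lines with delivery-status lines on (pid, relay host)."""
    sessions: Dict[str, dict] = {}   # pid -> most recent TLS session of that smtp(8) process
    out: List[Delivery] = []
    for line in log_text.splitlines():
        m = TLS_RE.match(line)
        if m:
            sessions[m["pid"]] = {"host": m["host"], "proto": m["proto"],
                                  "cipher": m["cipher"], "trust": m["trust"], "verified": None}
            continue
        m = UNVERIFIED_RE.match(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["verified"] = False
            continue
        m = DELIVERY_RE.match(line)
        if not m:
            continue
        d = Delivery(m["qid"], m["rcpt"], m["relay"], m["status"], m["detail"], tls=False)
        sess = sessions.get(m["pid"])
        # Only credit the session if it was set up to the host this delivery
        # used; otherwise the process reconnected somewhere else without TLS.
        if sess and sess["host"] == m["relay"]:
            d.tls, d.proto, d.cipher = True, sess["proto"], sess["cipher"]
            d.trust, d.peer_verified = sess["trust"], sess["verified"]
        out.append(d)
    return out


def describe(d: Delivery) -> str:
    """One-line human summary of a delivery, suitable for a daily report."""
    if not d.tls:
        return f"{d.qid}: {d.status} to {d.relay} in CLEARTEXT"
    verify = {None: "verification not logged", False: "peer NOT verified",
              True: "peer verified"}[d.peer_verified]
    trust = f", {d.trust.lower()}" if d.trust else ""
    return f"{d.qid}: {d.status} to {d.relay} over {d.proto}/{d.cipher} ({verify}{trust})"


if __name__ == "__main__":
    for d in scan(SAMPLE_LOG):
        print(describe(d))
```

Run against the two exchanges from the thread this reports 8D05D501C3C as sent over TLSv1/DHE-RSA-AES256-SHA with the peer not verified, and 85F4F504254 as deferred over the same kind of session. The matching on relay host is the important check: a "TLS connection established" line earlier in the same process says nothing about a later delivery to a different host.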

RE: Questions concerning TLS

Darrell A. Sullivan, II
Thanks Noel,

I double checked and even reran postmap on the tls_per_site file and did a
"postfix stop" "postfix start" just to make sure that "MUST_NOPEERMATCH" was
specified and everything was getting reset, but it is still giving me a
result of (TLS-failure: Could not verify certificate) when I attempt to send
to the destination e-mail address.




Re: Questions concerning TLS

Noel Jones-2
Darrell A. Sullivan, II wrote:
> Thanks Noel,
>
> I double checked and even reran postmap on the tls_per_site file and did a
> "postfix stop" "postfix start" just to make sure that "MUST_NOPEERMATCH" was
> specified and everything was getting reset, but it is still giving me a
> result of (TLS-failure: Could not verify certificate) when I attempt to send
> to the destination e-mail address.
>
>

Please don't top-post.

I suggest using the newer smtp_tls_policy_maps parameter
instead.  If you are using postfix 2.2 or earlier, I strongly
suggest upgrading.
http://www.postfix.org/TLS_README.html#client_tls_policy


--
Noel Jones
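Noel's two suggestions for smtp_tls_policy_maps, "encrypt" versus "secure match=thistle.somecomp.com", have different outcomes for the two peers in the thread, and the difference is easy to miss from the logs alone. The following is an added example by the editor, not from the thread and not Postfix code: a small model of the documented policy levels (none/may/encrypt/verify/secure, with an optional colon-separated match= list and the hostname/nexthop/dot-nexthop keywords) evaluated against the two handshakes. The Handshake values are reconstructed from the log excerpts above; chain_trusted is False for both because the first certificate is self-signed and the second chains to a private "Certificate Manager" CA not in the sender's trust store. SOMECOMP_PINNED is hypothetical (the same peer after its self-signed certificate has been added to smtp_tls_CAfile), the policy table text is constructed, a default security level of "may" is assumed, and a leading dot in a pattern is treated as "any subdomain of".

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Handshake:
    """What the smtp(8) client learned from one connection."""
    nexthop: str                 # recipient domain Postfix was delivering to
    hostname: str                # MX host it actually connected to
    tls_established: bool
    chain_trusted: bool          # would the chain validate against smtp_tls_CAfile/CApath?
    peer_names: Tuple[str, ...]  # CN (and any DNS SANs) in the server certificate


# Reconstructed from the thread's logs: neither peer chains to a trusted CA.
SOMECOMP = Handshake("somecomp.com", "mail.somecomp.com", True, False, ("thistle.somecomp.com",))
SOMECOMP2 = Handshake("somecomp2.com", "mail.somecomp2.com", True, False, ("mail.somecomp2.com",))
# Hypothetical: same peer after its self-signed cert was installed as a trust anchor.
SOMECOMP_PINNED = Handshake("somecomp.com", "mail.somecomp.com", True, True, ("thistle.somecomp.com",))

# Constructed policy table in smtp_tls_policy_maps text form: next-hop domain, then policy.
POLICY_TABLE = """\
# next-hop            level [match=pattern:pattern...]
somecomp.com          secure match=thistle.somecomp.com
somecomp2.com         encrypt
"""

_DEFAULT_MATCH = {"verify": ("hostname",), "secure": ("nexthop", "dot-nexthop")}


def parse_policy(entry: str) -> Tuple[str, Tuple[str, ...]]:
    """'secure match=a.example:.example' -> ('secure', ('a.example', '.example'))."""
    level, *attrs = entry.split()
    kv = dict(a.split("=", 1) for a in attrs)
    matches = tuple(kv["match"].split(":")) if "match" in kv else ()
    return level, matches


def load_policy_table(text: str) -> Dict[str, str]:
    """Parse the text form of a policy table; '#' starts a comment."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, policy = line.split(None, 1)
            table[key.lower()] = policy
    return table


def _name_matches(pattern: str, name: str, hs: Handshake) -> bool:
    """Keywords hostname/nexthop/dot-nexthop; leading dot = subdomain of; else exact."""
    name = name.lower()
    if pattern == "hostname":
        return name == hs.hostname.lower()
    if pattern == "nexthop":
        return name == hs.nexthop.lower()
    if pattern == "dot-nexthop":
        return name.endswith("." + hs.nexthop.lower())
    pattern = pattern.lower()
    return name.endswith(pattern) if pattern.startswith(".") else name == pattern


def decide(entry: str, hs: Handshake) -> Tuple[str, str]:
    """Return (outcome, reason) where outcome is 'sent' or 'deferred'."""
    level, matches = parse_policy(entry)
    if level == "none":
        return "sent", "cleartext by policy"
    if level == "may":
        return "sent", "TLS used" if hs.tls_established else "TLS unavailable, fell back to cleartext"
    if not hs.tls_established:
        return "deferred", "policy requires TLS but the server did not offer it"
    if level == "encrypt":
        return "sent", "encrypted, server identity not checked"
    if level in _DEFAULT_MATCH:
        if not hs.chain_trusted:
            return "deferred", "server certificate does not chain to a trusted CA"
        patterns = matches or _DEFAULT_MATCH[level]
        if not any(_name_matches(p, n, hs) for p in patterns for n in hs.peer_names):
            return "deferred", f"certificate names {hs.peer_names} match none of {patterns}"
        return "sent", "encrypted and server identity verified"
    raise ValueError(f"unknown policy level {level!r}")


def route(table: Dict[str, str], hs: Handshake) -> Tuple[str, str]:
    """Look the next-hop up in the table; assume smtp_tls_security_level = may otherwise."""
    return decide(table.get(hs.nexthop.lower(), "may"), hs)


if __name__ == "__main__":
    table = load_policy_table(POLICY_TABLE)
    for hs in (SOMECOMP, SOMECOMP2, SOMECOMP_PINNED):
        print(hs.nexthop, "->", *route(table, hs))
```

The point the model makes explicit: "encrypt" delivers to both peers, but "secure match=thistle.somecomp.com" still defers the first message as long as the self-signed certificate is not a trust anchor on the sending side, because the match= list is only consulted after the chain has been validated against smtp_tls_CAfile/CApath. Install the peer's certificate as a trust anchor (the hypothetical SOMECOMP_PINNED case) and "secure" succeeds, with the default nexthop/dot-nexthop list as well as the explicit match.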