TLS outbound logged as "Anonymous"


TLS outbound logged as "Anonymous"

Rosenbaum, Larry M.
We are running Postfix 3.2.2 on RHEL6, with opportunistic TLS enabled. When our central servers connect to most of our other local non-Postfix systems, the connection is logged as Trusted:

Aug  7 08:00:01 emgwy1 postfix/smtp[2445]: Trusted TLS connection established to exchcs31.ornl.gov[128.219.12.145]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

However, when they connect to another Postfix box, it's logged as Anonymous:

Aug  7 04:42:37 emgwy1 postfix/smtp[9798]: Anonymous TLS connection established to email.ornl.gov[160.91.4.92]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

Is this a problem? If so, how do I fix it?

The remote TLS certs are signed by Thawte. Here are the local TLS settings:

# Incoming TLS
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/xyzz.key
smtpd_tls_cert_file = /etc/pki/tls/certs/xyzz-plus-inter.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# Outgoing TLS
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1

Thanks,
Larry M. Rosenbaum
Oak Ridge National Laboratory

Linux emgwy1 2.6.32-696.6.3.el6.x86_64 #1 SMP Fri Jun 30 13:24:18 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 10m
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
em2snpp_destination_recipient_limit = 1
enable_long_queue_ids = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 26214400
meta_directory = /usr/share/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, gotmail.ornl.gov
mydomain = ornl.gov
myhostname = emgwy1.ornl.gov
mynetworks = !cidr:${config_directory}/mynetworks_exclude, cidr:${config_directory}/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.2.2/README_FILES
recipient_delimiter = +
relay_domains = $mydestination, !hash:/etc/postfix/virtual_domains, hash:/etc/postfix/relay_domains
relay_generic_maps = hash:/etc/postfix/generic_rewrite
remote_header_rewrite_domain = ornl.gov
sample_directory = /usr/share/doc/postfix-3.2.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_client_event_limit_exceptions = hash:/etc/postfix/nolimit
smtpd_client_message_rate_limit = 1000
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access_client
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access_recipient, permit_mynetworks, reject_unauth_destination
smtpd_tls_cert_file = /etc/pki/tls/certs/xyzz-plus-inter.crt
smtpd_tls_key_file = /etc/pki/tls/private/xyzz.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = no
transport_maps = hash:/etc/postfix/transport_bounce, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_static, hash:/home/x2l_xfer/virtual_offsite, hash:/etc/postfix/virtual_badhost, pcre:/etc/postfix/regex_rewrite, ldap:/etc/postfix/ldap-virtual.cf, ldap:/etc/postfix/ldap-virtual-atornl.cf

Re: TLS outbound logged as "Anonymous"

Bastian Blank-3
On Mon, Aug 07, 2017 at 06:59:52PM +0000, Rosenbaum, Larry M. wrote:
> However, when they connect to another Postfix box, it's logged as Anonymous:
> Aug  7 04:42:37 emgwy1 postfix/smtp[9798]: Anonymous TLS connection established to email.ornl.gov[160.91.4.92]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
> Is this a problem? If so, how do I fix it?

No, this is no problem.  Remember, you did not ask Postfix to verify the
peer, so Postfix decided to not try at all.

> # Outgoing TLS
> smtp_tls_security_level = may

Here.  Use "verify", and it will obey.

Bastian

--
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.

Re: TLS outbound logged as "Anonymous"

Viktor Dukhovni
On Mon, Aug 07, 2017 at 09:31:09PM +0200, Bastian Blank wrote:

> On Mon, Aug 07, 2017 at 06:59:52PM +0000, Rosenbaum, Larry M. wrote:
> > However, when they connect to another Postfix box, it's logged as Anonymous:
> > Aug  7 04:42:37 emgwy1 postfix/smtp[9798]: Anonymous TLS connection established to email.ornl.gov[160.91.4.92]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
> > Is this a problem? If so, how do I fix it?
>
> No, this is no problem.  Remember, you did not ask Postfix to verify the
> peer, so Postfix decided to not try at all.

Correct.  See:

    http://www.postfix.org/FORWARD_SECRECY_README.html#status

> > # Outgoing TLS
> > smtp_tls_security_level = may
>
> Here.  Use "verify", and it will obey.

No, the "verify" level is vulnerable to DNS MiTM, because it defaults
to verifying the insecurely obtained MX hostname.  It was a mistake
on my part to provide both "verify" and "secure" that differ only
in the default "match" criteria.  

The "verify" level should be deprecated in some future version of
Postfix.  Perhaps at the next "compatibility level" we can set the
default match criteria for "verify" to be the same as "secure",
making the two levels synonymous.

An option would be for both "verify" and "secure" to trust the MX
hostname when it is DNSSEC validated (which requires the Postfix
administrator to also set "smtp_dns_support_level = dnssec"), but
we'd be trusting that the /etc/resolv.conf has been set correctly
to only list loopback addresses for nameservers.

Another option is to use the "res_ninit/res_nsearch" API when
available, which makes it possible to specify the nameserver list
explicitly and bypass the nameserver list in /etc/resolv.conf.

--
        Viktor.
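As an added illustration that is not part of the thread and not Postfix code, the following Python models the behaviour Viktor describes: which name each security level's default match criteria compare the peer certificate against, and why a certificate that is valid for a tampered MX hostname satisfies "verify" but not "secure". The hostnames in the scenario are constructed, and the matching rules are simplified relative to Postfix's own tls_verify.c.

```python
# Added example (not Postfix code): a model of how Postfix's smtp TLS security
# levels decide the logged trust status and which name a peer certificate is
# matched against. Wildcards and subjectAltName details are not modeled.

MATCH_DEFAULTS = {
    "verify": ("hostname",),               # smtp_tls_verify_cert_match default
    "secure": ("nexthop", "dot-nexthop"),  # smtp_tls_secure_cert_match default
}

def name_matches(cert_name, pattern):
    # A pattern with a leading dot accepts any sub-domain of the nexthop.
    if pattern.startswith("."):
        return cert_name.endswith(pattern)
    return cert_name == pattern

def evaluate(level, nexthop, mx_hostname, cipher_anon, chain_trusted, cert_names):
    """Return (logged status, deliver?) for one outbound session; only the
    may/verify/secure levels are modeled. chain_trusted: peer cert chains to a
    CA in smtp_tls_CAfile; mx_hostname: result of an unauthenticated MX lookup."""
    if cipher_anon:
        # Certificate-less (aNULL) ciphers only pass at the opportunistic level.
        return ("Anonymous", level == "may")
    if level == "may":
        # Opportunistic TLS: the chain may verify, but no name is checked.
        return ("Trusted" if chain_trusted else "Untrusted", True)
    if not chain_trusted:
        return ("Untrusted", False)
    targets = {"hostname": mx_hostname, "nexthop": nexthop,
               "dot-nexthop": "." + nexthop}
    for criterion in MATCH_DEFAULTS[level]:
        if any(name_matches(n, targets[criterion]) for n in cert_names):
            return ("Verified", True)
    return ("Trusted", False)  # chain OK but name mismatch: mail is deferred

# Constructed scenario; the tampered MX name is illustrative, not a real record.
NEXTHOP, HONEST_MX, SPOOFED_MX = "ornl.gov", "email.ornl.gov", "mx.tampered.example"

def thread_examples():
    return {
        # Larry's log lines at level "may": aNULL cipher vs. chain to Thawte.
        "may_anon": evaluate("may", NEXTHOP, HONEST_MX, True, False, []),
        "may_trusted": evaluate("may", NEXTHOP, HONEST_MX, False, True, [HONEST_MX]),
        # Viktor's point: a valid cert for a tampered MX name satisfies "verify"...
        "verify_spoofed": evaluate("verify", NEXTHOP, SPOOFED_MX, False, True, [SPOOFED_MX]),
        # ...while "secure" matches against the nexthop domain and defers instead.
        "secure_spoofed": evaluate("secure", NEXTHOP, SPOOFED_MX, False, True, [SPOOFED_MX]),
        "secure_honest": evaluate("secure", NEXTHOP, HONEST_MX, False, True, [HONEST_MX]),
    }
```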

RE: TLS outbound logged as "Anonymous"

Rosenbaum, Larry M.
> -----Original Message-----
> From: [hidden email] [mailto:owner-postfix-
> [hidden email]] On Behalf Of Viktor Dukhovni
> Sent: Monday, August 7, 2017 3:42 PM
> To: [hidden email]
> Subject: Re: TLS outbound logged as "Anonymous"
>
> On Mon, Aug 07, 2017 at 09:31:09PM +0200, Bastian Blank wrote:
>
> > On Mon, Aug 07, 2017 at 06:59:52PM +0000, Rosenbaum, Larry M. wrote:
> > > However, when they connect to another Postfix box, it's logged as
> Anonymous:
> > > Aug  7 04:42:37 emgwy1 postfix/smtp[9798]: Anonymous TLS connection
> established to email.ornl.gov[160.91.4.92]:25: TLSv1.2 with cipher AECDH-
> AES256-SHA (256/256 bits)
> > > Is this a problem? If so, how do I fix it?
> >
> > No, this is no problem.  Remember, you did not ask Postfix to verify the
> > peer, so Postfix decided to not try at all.
>
> Correct.  See:
>
>     http://www.postfix.org/FORWARD_SECRECY_README.html#status

Thank you for the explanation.

> > > # Outgoing TLS
> > > smtp_tls_security_level = may
> >
> > Here.  Use "verify", and it will obey.
>
> No, the "verify" level is vulnerable to DNS MiTM, because it defaults
> to verifying the insecurely obtained MX hostname.  It was a mistake
> on my part to provide both "verify" and "secure" that differ only
> in the default "match" criteria.
>
> The "verify" level should be deprecated in some future version of
> Postfix.  Perhaps at the next "compatibility level" we can set the
> default match criteria for "verify" to be the same as "secure",
> making the two levels synonymous.
>
> An option would be for both "verify" and "secure" to trust the MX
> hostname when it is DNSSEC validated (which requires the Postfix
> administrator to also set "smtp_dns_support_level = dnssec"), but
> we'd be trusting that the /etc/resolv.conf has been set correctly
> to only list loopback addresses for nameservers.
>
> Another option is to use the "res_ninit/res_nsearch" API when
> available, which makes it possible to specify the nameserver list
> explicitly and bypass the nameserver list in /etc/resolv.conf.
>
> --
> Viktor.
