TLS woes

TLS woes

Paul Enlund-2
Hi list,

I have an Ubuntu Postfix (2.11) setup which only delivers locally
submitted mail.
I have enabled outgoing TLS support:

root@rowan:/etc/postfix# postconf -n | grep tls
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Postfix can establish Trusted connections to a variety of hosts:

Mar  2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  2 20:15:53 rowan postfix/smtp[20057]: Trusted TLS connection established to ASPMX.L.GOOGLE.COM[173.194.67.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

However, when connecting to another Postfix server I manage I get:

Mar  2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

My first assumption was that I have not configured mail.netpresto.co.uk
correctly.
But several web-based testing tools say all is OK with the
mail.netpresto.co.uk TLS certificates.

Also, posttls-finger appears to tell me everything is good with
mail.netpresto.co.uk:

root@rowan:/etc/postfix# posttls-finger -F /var/spool/postfix/etc/ssl/certs/ca-certificates.crt 213.210.16.25
posttls-finger: Connected to 213.210.16.25[213.210.16.25]:25
posttls-finger: < 220 mail.netpresto.co.uk ESMTP
posttls-finger: > EHLO rowan.netpresto.co.uk
posttls-finger: < 250-mail.netpresto.co.uk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20971520
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: 213.210.16.25[213.210.16.25]:25: subjectAltName: *.netpresto.co.uk
posttls-finger: 213.210.16.25[213.210.16.25]:25: subjectAltName: netpresto.co.uk
posttls-finger: 213.210.16.25[213.210.16.25]:25 CommonName *.netpresto.co.uk
posttls-finger: 213.210.16.25[213.210.16.25]:25: subject_CN=*.netpresto.co.uk, issuer_CN=AlphaSSL CA - G2, fingerprint=F7:93:83:FF:86:3E:3E:C6:D4:36:D9:E0:FB:A8:F0:A2:26:EF:B5:B6, pkey_fingerprint=D1:24:20:68:80:63:0F:BC:1C:9E:72:9D:6C:CA:82:06:C1:5F:88:05
posttls-finger: Trusted TLS connection established to 213.210.16.25[213.210.16.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO rowan.netpresto.co.uk
posttls-finger: < 250-mail.netpresto.co.uk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20971520
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

Why are the posttls-finger results different from what the postfix/smtp client
gets for this connection?





Re: TLS woes

Wietse Venema
Paul:
> root@rowan:/etc/postfix# posttls-finger -F

You should never run this test as root, if only because the Postfix
SMTP client does not run as root.

If that does not explain the difference, try turning off chroot
in master.cf:

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtp
relay     inet  n       -       n       -       -       smtp

Then execute "postfix reload" and see if the difference goes away.

        Wietse

Re: TLS woes

Paul Enlund-2


On 02/03/2015 21:19, Wietse Venema wrote:

> Paul:
>> root@rowan:/etc/postfix# posttls-finger -F
> You should never run this test as root, if only because the Postfix
> SMTP client does not run as root.
>
> If that does not explain the difference, try turning off chroot
> in master.cf:
>
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (50)
> # ==========================================================================
> smtp      inet  n       -       n       -       -       smtp
> relay     inet  n       -       n       -       -       smtp
>
> Then execute "postfix reload" and see if the difference goes away.
>
> Wietse
>
>
Applying the changes to master.cf you listed makes no difference to the
smtp client results, and running posttls-finger as a non-root user
likewise makes no difference: its connections are still "Trusted".

Paul




Re: TLS woes

Viktor Dukhovni
On Mon, Mar 02, 2015 at 08:40:17PM +0000, Paul wrote:

> I have a Ubuntu Postfix (2.11) setup which only delivers locally submitted
> mail.  I have enabled outgoing TLS support

It seems to be working just fine.

    http://permalink.gmane.org/gmane.mail.postfix.user/249429
    http://permalink.gmane.org/gmane.mail.postfix.user/249436

> Postfix can establish Trusted connections to a variety of hosts
>
> Mar  2 19:59:06 rowan postfix/smtp[17346]:
>   Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25:
>   TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Mar  2 20:15:53 rowan postfix/smtp[20057]:
>   Trusted TLS connection established to ASPMX.L.GOOGLE.COM[173.194.67.27]:25:
>   TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

These servers do not support anon-(EC)DH cipher-suites, so their
"Trusted" (but not "Verified"!) certificates are reported as such:

    http://www.postfix.org/FORWARD_SECRECY_README.html#status

> However when connecting to another Postfix server I manage I get
>
> Mar  2 20:20:07 rowan postfix/smtp[20386]:
>   Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25:
>   TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

This server does support anon-ECDH cipher-suites, so its anonymous
connection is misreported as untrusted.

    http://permalink.gmane.org/gmane.mail.postfix.user/243747

> My first assumption was I have not configured mail.netpresto.co.uk
> correctly.

Nothing is wrong, there is nothing misconfigured and nothing to fix.

> Why are posttls-finger results different to what the postfix/smtp client
> gets for this connection

Because the primary purpose of posttls-finger(1) is to report peer
certificate information, its default security level is "secure"
not "may", and anonymous ciphers are disabled as a result.

--
        Viktor.
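As an added illustration of the status levels Viktor refers to (this is example code written for this page, not code from the thread or from Postfix), the script below parses the postfix/smtp log lines quoted above, re-joined onto single lines and used here as sample input, and works out what each handshake actually proved. It applies the rules from FORWARD_SECRECY_README: an AECDH-/ADH- cipher means the server sent no certificate at all, so the Postfix 2.11 "Untrusted" line for mail.netpresto.co.uk is really an anonymous connection; "Trusted" means the chain verified against the CAfile but the peer name was not checked; only "Verified" means the name matched too. The cipher-prefix lists and the extra "Verified" sample line for mx.example.com are assumptions added for illustration.

```python
"""Classify Postfix smtp(8) TLS log lines by what the handshake actually proved.

Added example for this thread, not code from the thread or from Postfix. Rules
follow FORWARD_SECRECY_README: an AECDH-/ADH- cipher means no server certificate,
"Trusted" means the chain verified but the peer name was not checked, and only
"Verified" means the name matched as well.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Postfix smtp(8) TLS success line, e.g.
#   Trusted TLS connection established to host[1.2.3.4]:25: TLSv1.2 with cipher X (256/256 bits)
LOG_RE = re.compile(
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

# OpenSSL cipher-name prefixes for anonymous key exchange (no server certificate).
# Assumed list for illustration; it covers the AECDH-* suite seen in the thread.
ANON_PREFIXES = ("AECDH-", "ADH-")
# Ephemeral key exchange, i.e. forward secrecy. Anonymous suites are ephemeral too.
PFS_PREFIXES = ("ECDHE-", "DHE-") + ANON_PREFIXES


@dataclass
class TlsConnection:
    logged_status: str
    host: str
    ip: str
    proto: str
    cipher: str
    bits: int

    @property
    def anonymous(self) -> bool:
        return self.cipher.startswith(ANON_PREFIXES)

    @property
    def forward_secret(self) -> bool:
        return self.cipher.startswith(PFS_PREFIXES)

    @property
    def effective_status(self) -> str:
        # Postfix 2.11 logs an anonymous handshake as "Untrusted" (see the thread);
        # the cipher name is authoritative about whether a certificate was sent.
        return "Anonymous" if self.anonymous else self.logged_status

    @property
    def chain_verified(self) -> bool:
        return self.effective_status in ("Trusted", "Verified")

    @property
    def name_verified(self) -> bool:
        return self.effective_status == "Verified"

    def explain(self) -> str:
        if self.anonymous:
            cert = "no certificate sent"
        elif self.chain_verified:
            cert = "certificate chain verified against CAfile"
        else:
            cert = "certificate chain NOT verified"
        name = "peer name verified" if self.name_verified else "peer name NOT verified"
        pfs = "forward secret" if self.forward_secret else "no forward secrecy"
        return f"{self.host}: {self.effective_status} ({cert}; {name}; {pfs}) {self.cipher}"


def parse_line(line: str) -> Optional[TlsConnection]:
    """Return a TlsConnection for a TLS success line, None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return TlsConnection(m["status"], m["host"], m["ip"], m["proto"],
                         m["cipher"], int(m["bits"]))


def classify(lines: List[str]) -> List[TlsConnection]:
    return [c for c in map(parse_line, lines) if c is not None]


# Sample input: the three lines quoted in the thread (re-joined onto single lines)
# plus one constructed "Verified" line (mx.example.com) so every status is covered.
SAMPLE_LOG = [
    "Mar  2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to "
    "mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Mar  2 20:15:53 rowan postfix/smtp[20057]: Trusted TLS connection established to "
    "ASPMX.L.GOOGLE.COM[173.194.67.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Mar  2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to "
    "mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
    "Mar  2 20:30:00 rowan postfix/smtp[20400]: Verified TLS connection established to "
    "mx.example.com[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

if __name__ == "__main__":
    for conn in classify(SAMPLE_LOG):
        print(conn.explain())
```

The practical point for operators: at security level "may" a "Trusted" line only says the certificate chained to something in smtp_tls_CAfile, not that it belonged to the host you meant to reach, and an anonymous suite gives you encryption and forward secrecy but no authentication at all. If you want posttls-finger(1) to reproduce what the smtp client negotiated rather than report on the certificate, run it with `-l may` so it uses the same security level; at its default level "secure" it excludes anonymous suites, which is why it negotiated ECDHE-RSA and printed "Trusted" for the same server.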

Re: TLS woes

Paul Enlund-2
Viktor

Thank you for your response which clarifies all my concerns.

Paul



On 02/03/2015 22:05, Viktor Dukhovni wrote: