real-world issues with smtpd_tls_ask_ccert?

real-world issues with smtpd_tls_ask_ccert?

Florin Andrei
I'm setting up SASL with TLS for remote clients. As an additional
security measure, I would like the server to ask the email clients to
present their client certificates. According to the docs, this is
accomplished with:

smtpd_tls_ask_ccert = yes

But there are some ominous warnings about broken MTAs which may have
problems when delivering to Postfix if this option is used. If I
understand correctly, the broken delivery should only occur when those
MTAs attempt to do TLS to Postfix. So, this should not be a problem for
all the regular, unencrypted email I receive normally, is that right?

Also, after enabling this option, I connected to Postfix with a
TLS-enabled email client with all the certificates installed. I saw this
line in the logs:

Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
from unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA
(128/128 bits)

Why does it say "Anonymous TLS connection"? I thought the anonymous
ciphers are disabled when client certs are used.
All the crypto stuff (CA, server cert, client cert) is ok, I tested it
already with the email client and Dovecot (secure IMAP).

--
Florin Andrei

http://florin.myip.org/

Re: real-world issues with smtpd_tls_ask_ccert?

Barney Desmond
2009/8/21 Florin Andrei <[hidden email]>:
> I'm setting up SASL with TLS for remote clients. As an additional security
> measure, I would like the server to ask the email clients to present their
> client certificates. According to the docs, this is accomplished with:
>
> smtpd_tls_ask_ccert = yes

If you intend to extract "security" from this, I imagine you'd want to
enforce the use of client-certs, otherwise anyone can simply choose
not to. This will depend on the rest of your config, which isn't
shown (postconf -n). Of course, you couldn't enforce this except on a
non-public-facing system, or on the submission port (587).

> Also, after enabling this option, I connected to Postfix with a TLS-enabled
> email client with all the certificates installed. I saw this line in the
> logs:
>
> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
> unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection from
> unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA
> (128/128 bits)
>
> Why does it say "Anonymous TLS connection"?

I don't know much about client-TLS with postfix, but I imagine there's
any number of reasons the client negotiated an anonymous TLS
connection. Perhaps it quietly doesn't like the server's self-signed
cert, perhaps there's a cipher negotiation mismatch, perhaps the
client doesn't bother supplying its own cert (assuming it has one).

> I thought the anonymous ciphers
> are disabled when client certs are used.

What makes you say that? ask_ccert should do exactly that, but nothing
more. I believe this behaviour would be governed by:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers

Re: real-world issues with smtpd_tls_ask_ccert?

Florin Andrei
Barney Desmond wrote:
> Of course, you couldn't enforce this except on a
> non-public-facing system, or on the submission port (587).

Actually, that's exactly what I just did. I configured a separate
listener on 587 and moved all TLS stuff to it. I was reluctant to do so
at first (the client is an iPhone and the mail config is rather
primitive) but in the end it worked pretty well.

So, now I'm not worried about that option, since the listener on port 25
is non-TLS.

Thanks,

--
Florin Andrei

http://florin.myip.org/

Re: real-world issues with smtpd_tls_ask_ccert?

Ralf Hildebrandt
In reply to this post by Florin Andrei
* Florin Andrei <[hidden email]>:

> I'm setting up SASL with TLS for remote clients. As an additional
> security measure, I would like the server to ask the email clients to
> present their client certificates. According to the docs, this is
> accomplished with:
>
> smtpd_tls_ask_ccert = yes
>
> But there are some ominous warnings about broken MTAs which may have
> problems when delivering to Postfix if this option is used. If I
> understand correctly, the broken delivery should only occur when
> those MTAs attempt to do TLS to Postfix. So, this should not be a
> problem for all the regular, unencrypted email I receive normally, is
> that right?

Yes.
 

> Also, after enabling this option, I connected to Postfix with a
> TLS-enabled email client with all the certificates installed. I saw
> this line in the logs:
>
> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
> unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
> from unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
> AES128-SHA (128/128 bits)
>
> Why does it say "Anonymous TLS connection"?

Because the TLS certificate is not signed by a trusted CA.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de

Re: real-world issues with smtpd_tls_ask_ccert?

Noel Jones-2
Ralf Hildebrandt wrote:

>>
>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
>> unknown[XXX.YYY.ZZZ.KKK]
>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
>> from unknown[XXX.YYY.ZZZ.KKK]
>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
>> AES128-SHA (128/128 bits)
>>
>> Why does it say "Anonymous TLS connection"?
>
> Because the TLS certificate is not signed by a trusted CA.
>

No, it's because an anonymous cipher is used when there is no
client certificate.  If it was a certificate trust problem,
the connection would be labeled "Untrusted".

   -- Noel Jones

Re: real-world issues with smtpd_tls_ask_ccert?

Victor Duchovni
On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:

> Ralf Hildebrandt wrote:
>>>
>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
>>> unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
>>> from unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
>>> AES128-SHA (128/128 bits)
>>>
>>> Why does it say "Anonymous TLS connection"?
>> Because the TLS certificate is not signed by a trusted CA.
>
> No, it's because an anonymous cipher is used when there is no client
> certificate.  If it was a certificate trust problem, the connection would
> be labeled "Untrusted".

No, it is because the client did not provide a certificate. The cipher
AES128-SHA is not an "anonymous" cipher, the server did provide a
certificate to the client, but the converse was false.

Don't confuse anonymous ciphers with anonymous clients using a cipher
that (if the client bothers, ...) authenticates the server.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: real-world issues with smtpd_tls_ask_ccert?

Noel Jones-2
Victor Duchovni wrote:

> On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:
>
>> Ralf Hildebrandt wrote:
>>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
>>>> unknown[XXX.YYY.ZZZ.KKK]
>>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
>>>> from unknown[XXX.YYY.ZZZ.KKK]
>>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
>>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
>>>> AES128-SHA (128/128 bits)
>>>>
>>>> Why does it say "Anonymous TLS connection"?
>>> Because the TLS certificate is not signed by a trusted CA.
>> No, it's because an anonymous cipher is used when there is no client
>> certificate.  If it was a certificate trust problem, the connection would
>> be labeled "Untrusted".
>
> No, it is because the client did not provide a certificate. The cipher
> AES128-SHA is not an "anonymous" cipher, the server did provide a
> certificate to the client, but the converse was false.
>
> Don't confuse anonymous ciphers, with anonymous clients using a cipher
> that (if the client bothers, ...) authenticates the server.
>

Bah!  I always mess that up, maybe next time I'll get it
right.  Thanks for the clarification and glad to have you back.

   -- Noel Jones

Re: real-world issues with smtpd_tls_ask_ccert?

Wietse Venema
Noel Jones:

> Victor Duchovni wrote:
> > On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:
> >
> >> Ralf Hildebrandt wrote:
> >>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
> >>>> unknown[XXX.YYY.ZZZ.KKK]
> >>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
> >>>> from unknown[XXX.YYY.ZZZ.KKK]
> >>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
> >>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
> >>>> AES128-SHA (128/128 bits)
> >>>>
> >>>> Why does it say "Anonymous TLS connection"?
> >>> Because the TLS certificate is not signed by a trusted CA.
> >> No, it's because an anonymous cipher is used when there is no client
> >> certificate.  If it was a certificate trust problem, the connection would
> >> be labeled "Untrusted".
> >
> > No, it is because the client did not provide a certificate. The cipher
> > AES128-SHA is not an "anonymous" cipher, the server did provide a
> > certificate to the client, but the converse was false.
> >
> > Don't confuse anonymous ciphers, with anonymous clients using a cipher
> > that (if the client bothers, ...) authenticates the server.
>
> Bah!  I always mess that up, maybe next time I'll get it
> right.  Thanks for the clarification and glad to have you back.

I looked up TLS_README, and it would not hurt to have a short
sentence here and there to define terminology.

        Wietse

Re: real-world issues with smtpd_tls_ask_ccert?

Victor Duchovni
On Fri, Aug 21, 2009 at 12:35:38PM -0400, Wietse Venema wrote:

> I looked up TLS_README, and it would not hurt to have a short
> sentence here and there to define terminology.

Will the following do?

Index: proto/TLS_README.html
--- proto/TLS_README.html 28 Apr 2009 21:44:30 -0000 1.1.1.2
+++ proto/TLS_README.html 21 Aug 2009 17:28:25 -0000
@@ -425,10 +425,40 @@
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtpd_tls_loglevel = 0
+    smtpd_tls_loglevel = 1
 </pre>
 </blockquote>
 
+<p> With log levels 1 and higher, the TLS handshake status is logged
+as follows (example using syslog-ng with ISO date timestamps): </p>
+
+<blockquote>
+<pre>
+2009-08-21T12:00:00-0400 amnesiac postfix/smtpd[30440]: Anonymous TLS connection established from smtpout.example.com[192.0.2.1]: TLSv1 with cipher RC4-SHA (128/128 bits)
+</pre>
+</blockquote>
+
+<p> Here, "Anonymous" means that the remote SMTP client did not present
+a certificate to "prove" its identity, which is the usual case, since by
+default the Postfix SMTP server does not ask for a client certificate, and
+so none is sent even if the SMTP client is configured with a certificate
+(many are not). </p>
+
+<p> Do not confuse "Anonymous" clients (as above) with anonymous TLS
+ciphers.  With anonymous TLS ciphers, neither the server nor the client
+use certificates. Such ciphers have "ADH" (Anonymous Diffie-Hellman)
+or "AECDH" (Anonymous Elliptic Curve Diffie-Hellman) in their name,
+and in this case the Postfix SMTP <b>client</b> records the remote SMTP
+server as "Anonymous". </p>
+
+<p> When the Postfix SMTP server asks for a client certificate and
+the remote SMTP client presents one, "Anonymous" will be replaced by
+"Trusted" if the client certificate trust chain is valid and certificate
+is not expired, or "Untrusted" otherwise. Client certificates are never
+"Verified", as the Postfix SMTP server does not expect any particular
+client identity that it can verify. Postfix uses client certificates
+only for access control, not identity verification. </p>
+
 <p> To include information about the protocol and cipher used as
 well as the client and issuer CommonName into the "Received:"
 message header, set the smtpd_tls_received_header variable to true.
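Review bot: the paragraph defining "Anonymous" says the server does not ask for a client certificate "by default" but never names the parameter that changes that; a reader who lands here while debugging smtpd_tls_ask_ccert would be served by "since by default (smtpd_tls_ask_ccert = no) the Postfix SMTP server does not ask for a client certificate". Two grammar nits in the same hunk: "neither the server nor the client use certificates" should read "uses", and "trust chain is valid and certificate is not expired" wants "the certificate". The ADH/AECDH paragraph also only says what the Postfix SMTP client logs; since this is the server section, one clause on what smtpd logs when it negotiates such a cipher itself would close that gap.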
@@ -1102,10 +1132,39 @@
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtp_tls_loglevel = 0
+    smtp_tls_loglevel = 1
 </pre>
 </blockquote>
 
+<p> With log levels 1 and higher, the TLS handshake status is logged
+as follows (example using syslog-ng with ISO date timestamps): </p>
+
+<blockquote>
+<pre>
+2009-08-21T00:00:06-0400 amnesiac postfix/smtp[3592]: Untrusted TLS connection established to smtpin.example.com[192.0.2.1]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
+</pre>
+</blockquote>
+
+<p> Here, "Untrusted" means that the remote SMTP server certificate is
+not signed by a trusted root CA, or is expired, or required intermediate
+certificates are not sent by the remote SMTP server, or some other issue
+makes it impossible to determine the server identity. This is the normal
+case with a self-signed remote server certificate. </p>
+
+<p> When the Postfix SMTP client is not configured to verify the
+server certificate (smtp_tls_security_level = "may" or "encrypt") some
+connections will use anonymous TLS ciphers, where the server does not
+present any certificate. In this case, "Untrusted" will be replaced by
+"Anonymous". </p>
+
+<p> When the remote SMTP server certificate is signed by a trusted root
+CA and is not expired, the connection will be logged as "Trusted" or
+"Verified". The latter means that the client is configured to verify the
+server's identity (smtp_tls_security_level = "fingerprint", "verify" or
+"secure") and the certificate matched the configured criteria. If the
+Postfix SMTP client is not verifying the server identity, the connection
+is logged as "Trusted". </p>
+
 <h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
 
 <p> The remote SMTP server and the Postfix SMTP client negotiate a
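Review bot: the last paragraph ties both "Trusted" and "Verified" to a certificate "signed by a trusted root CA and is not expired", yet the same sentence lists "fingerprint" among the verifying security levels, and a fingerprint match does not depend on a CA signature, so a self-signed server certificate can be logged "Verified" at that level. Suggest restating it as: "Verified" means the certificate matched the criteria configured for the chosen smtp_tls_security_level, and "Trusted" means the chain validated but no identity check was configured. Minor: a comma is missing after the parenthetical in "(smtp_tls_security_level = "may" or "encrypt") some connections".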

--
        Viktor.

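To make the four log labels concrete, here is an added example (not code from the thread or from Postfix) that parses "TLS connection established" lines of the shape quoted above and translates each label into what was actually authenticated, following the definitions in Viktor's TLS_README patch; it also lists smtpd peers that negotiated TLS without presenting a client certificate, which is exactly what Florin's log line shows. The sample lines, host names and addresses below are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Postfix's handshake-status line at tls loglevel >= 1, in the shape quoted in the thread.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd|smtp)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?)(?::\d+)?: \S+ with cipher (?P<cipher>\S+) \(\d+/\d+ bits\)"
)
# Anonymous ciphers carry ADH or AECDH in their OpenSSL name: no certificate on either side.
ANON_CIPHER = re.compile(r"\bA(?:EC)?DH\b")

# What the logged word means: smtpd describes the *client* cert, smtp the *remote server* cert.
MEANING = {
    "smtpd": {
        "Anonymous": "client sent no certificate (the server certificate was still offered)",
        "Untrusted": "client certificate sent, but its chain did not validate",
        "Trusted": "client certificate chain valid and not expired (access control only)",
        "Verified": "unexpected: per TLS_README, smtpd never verifies a client identity",
    },
    "smtp": {
        "Anonymous": "anonymous cipher, the remote server sent no certificate",
        "Untrusted": "server certificate not chained to a trusted CA (e.g. self-signed)",
        "Trusted": "server certificate chain valid, identity not checked",
        "Verified": "server identity matched the smtp_tls_security_level criteria",
    },
}

@dataclass
class TlsEvent:
    daemon: str
    trust: str
    peer: str
    cipher: str
    anon_cipher: bool  # True for ADH/AECDH suites, where neither side has a certificate

    def explain(self) -> str:
        if self.daemon == "smtpd" and self.anon_cipher:
            return "anonymous cipher: neither side presented a certificate"
        return MEANING[self.daemon][self.trust]

def parse_tls_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a handshake-status line, None for any other log line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    return TlsEvent(m["daemon"], m["trust"], m["peer"], m["cipher"],
                    bool(ANON_CIPHER.search(m["cipher"])))

def clients_without_cert(lines: List[str]) -> List[str]:
    """smtpd peers that negotiated TLS but presented no client certificate: with
    smtpd_tls_ask_ccert = yes on a submission listener, this is the list to watch."""
    return [e.peer for e in map(parse_tls_line, lines)
            if e and e.daemon == "smtpd" and e.trust == "Anonymous"]

# Constructed sample lines: single-line forms of the thread's two examples plus two
# hypothetical ones; hosts and addresses are placeholders, not real systems.
SAMPLE_LOG = [
    "Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "2009-08-21T00:00:06-0400 amnesiac postfix/smtp[3592]: Untrusted TLS connection established to smtpin.example.com[192.0.2.1]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)",
    "Aug 21 09:10:11 server postfix/smtpd[8001]: Trusted TLS connection established from phone.example.net[192.0.2.7]: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Aug 21 09:12:00 server postfix/smtp[8002]: Anonymous TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
]
```

parse_tls_line() returns None for every other log line, so it can be run over a whole mail log; for Florin's line it yields an smtpd event whose explain() says the client sent no certificate while the cipher itself (AES128-SHA) is not anonymous.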

Re: real-world issues with smtpd_tls_ask_ccert?

Wietse Venema
Victor Duchovni:
> On Fri, Aug 21, 2009 at 12:35:38PM -0400, Wietse Venema wrote:
>
> > I looked up TLS_README, and it would not hurt to have a short
> > sentence here and there to define terminology.
>
> Will the following do?

Yes, that helps.

        Wietse