TLS client cert authentication -- fingerprint matches, but client's not trusted.


PGNet Dev
I'm locking down a postfix smarthost.

Goal is to only accept submissions to the smarthost from clients that
match known TLS fingerprints.

smarthost' service config is

    [172.30.6.19]:587  inet  n  -  n  -  -  smtpd
      -o syslog_name=postfix/smarthost
      -o smtp_helo_name=smarthost.${myhostname}
      -o smtpd_tls_loglevel=2
      -o smtpd_enforce_tls=yes
      -o smtpd_tls_auth_only=no
      -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_mandatory_protocols=!TLSv1.1,!TLSv1,!SSLv3,!SSLv2
      -o smtpd_tls_mandatory_ciphers=high
      -o smtpd_sasl_auth_enable=no
      -o smtpd_tls_wrappermode=no
      -o relay_clientcerts=lmdb:/etc/postfix/smarthost_clientcerts
      -o smtpd_tls_req_ccert=yes
      -o smtpd_tls_ccert_verifydepth=2
      -o smtpd_tls_CApath=/etc/ssl/certs
      -o smtpd_tls_fingerprint_digest=sha1
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,reject_unauth_destination
      -o smtpd_recipient_restrictions=
      -o smtpd_data_restrictions=
      -o smtpd_end_of_data_restrictions=
      -o smtpd_etrn_restrictions=
      -o alias_maps=
      -o alias_database=
      -o relayhost=
      -o relay_domains=
      -o content_filter=

The test client's crt fingerprint is

    openssl x509 -pubkey -noout -in commercial.crt | openssl pkey -pubin -outform DER | openssl dgst -sha1 -c
        (stdin)= 17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3

I've def'd

    cat /etc/postfix/smarthost_clientcerts
        17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3 commercial.crt

On mail submit from the client via the smarthost, log on the smarthost reports

    May 18 19:14:56 border postfix/smarthost/smtpd[9615]: internal.XXX.com[172.30.7.113]: subject_CN=*.XXX.com, issuer=COMODO RSA Domain Validation Secure Server CA, fingerprint=42:1C:FD:99:2F:81:B2:55:07:42:D5:1F:EF:49:6D:43:96:1E:BC:D9, pkey_fingerprint=17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3
    May 18 19:14:56 border postfix/smarthost/smtpd[9615]: Untrusted TLS connection established from internal.XXX.com[172.30.7.113]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    May 18 19:14:56 border postfix/smarthost/smtpd[9615]: NOQUEUE: abort: TLS from internal.XXX.com[172.30.7.113]: Client certificate not trusted

The pkey_fingerprint= matches, but the Client's not trusted.

I've missed something.  Why's this not matching?

PGNd

Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

Noel Jones-2
On 5/18/2015 10:08 PM, pgndev wrote:

> I'm locking down a postfix smarthost.
>
> Goal is to only accept submissions to the smarthost from clients that
> match known TLS fingerprints.
>
> smarthost' service config is
>
>     [172.30.6.19]:587  inet  n  -  n  -  -  smtpd
>       -o syslog_name=postfix/smarthost
>       -o smtp_helo_name=smarthost.${myhostname}
>       -o smtpd_tls_loglevel=2
>       -o smtpd_enforce_tls=yes
>       -o smtpd_tls_auth_only=no
>       -o smtpd_tls_security_level=encrypt
>       -o smtpd_tls_mandatory_protocols=!TLSv1.1,!TLSv1,!SSLv3,!SSLv2
>       -o smtpd_tls_mandatory_ciphers=high
>       -o smtpd_sasl_auth_enable=no
>       -o smtpd_tls_wrappermode=no
>       -o relay_clientcerts=lmdb:/etc/postfix/smarthost_clientcerts
>       -o smtpd_tls_req_ccert=yes
>       -o smtpd_tls_ccert_verifydepth=2
>       -o smtpd_tls_CApath=/etc/ssl/certs
>       -o smtpd_tls_fingerprint_digest=sha1
>       -o smtpd_client_restrictions=
>       -o smtpd_helo_restrictions=
>       -o smtpd_sender_restrictions=
>       -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,reject_unauth_destination
>       -o smtpd_recipient_restrictions=
>       -o smtpd_data_restrictions=
>       -o smtpd_end_of_data_restrictions=
>       -o smtpd_etrn_restrictions=
>       -o alias_maps=
>       -o alias_database=
>       -o relayhost=
>       -o relay_domains=
>       -o content_filter=
>
> The test client's crt fingerprint is
>
>     openssl x509 -pubkey -noout -in commercial.crt | openssl pkey
> -pubin -outform DER | openssl dgst -sha1 -c
>         (stdin)= 17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3
>
> I've def'd
>
>     cat /etc/postfix/smarthost_clientcerts
>         17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3
> commercial.crt
>
> On mail submit from the client via the smarthost, log on the smarthost reports
>
>     May 18 19:14:56 border postfix/smarthost/smtpd[9615]:
> internal.XXX.com[172.30.7.113]: subject_CN=*.XXX.com, issuer=COMODO
> RSA Domain Validation Secure Server CA,
> fingerprint=42:1C:FD:99:2F:81:B2:55:07:42:D5:1F:EF:49:6D:43:96:1E:BC:D9,
> pkey_fingerprint=17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3
>     May 18 19:14:56 border postfix/smarthost/smtpd[9615]: Untrusted
> TLS connection established from internal.XXX.com[172.30.7.113]:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>     May 18 19:14:56 border postfix/smarthost/smtpd[9615]: NOQUEUE:
> abort: TLS from internal.XXX.com[172.30.7.113]: Client certificate not
> trusted
>
> The pkey_fingerprint= matches, but the Client's not trusted.
>
> I've missed something.  Why's this not matching?
>
> PGNd
>



Have you tried with the default setting of smtpd_tls_ccert_verifydepth?




Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

PGNet Dev
Noel

> Have you tried with the default setting of smtpd_tls_ccert_verifydepth?


No.

At

    http://www.postfix.org/postconf.5.html#smtpd_tls_ccert_verifydepth
        smtpd_tls_ccert_verifydepth (default: 9)

Changed

-    -o smtpd_tls_ccert_verifydepth=2
+    -o smtpd_tls_ccert_verifydepth=9

On submit, now

    May 18 20:23:57 border postfix/smarthost/smtpd[10391]: Trusted TLS
connection established ...

Works.  Possibly at lower depths, too; =5-9 looks safe.

I'd incorrectly carried over the =2 from an all self-signed/local-certs setup.

Thanks.

PGNd

Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

Viktor Dukhovni
In reply to this post by PGNet Dev
On Mon, May 18, 2015 at 08:08:56PM -0700, pgndev wrote:

>     cat /etc/postfix/smarthost_clientcerts
>         17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3 commercial.crt
>
> On mail submit from the client via the smarthost, log on the smarthost reports

This is an authorization record.

>     May 18 19:14:56 border postfix/smarthost/smtpd[9615]:
> internal.XXX.com[172.30.7.113]: subject_CN=*.XXX.com, issuer=COMODO
> RSA Domain Validation Secure Server CA,
> fingerprint=42:1C:FD:99:2F:81:B2:55:07:42:D5:1F:EF:49:6D:43:96:1E:BC:D9,
> pkey_fingerprint=17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3

Excellent, it will match.

>     May 18 19:14:56 border postfix/smarthost/smtpd[9615]: Untrusted
> TLS connection established from internal.XXX.com[172.30.7.113]:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This is expected, the client certificate issuer CA is not "trusted",
but that's a CA PKI authentication issue, that has nothing to do
with how Postfix authorizes clients.

>     May 18 19:14:56 border postfix/smarthost/smtpd[9615]: NOQUEUE:
> abort: TLS from internal.XXX.com[172.30.7.113]: Client certificate not
> trusted

Don't use restrictions that require "trusted" client certificates.
Postfix does not impose such restrictions by default.

--
        Viktor.

Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

Viktor Dukhovni
On Tue, May 19, 2015 at 08:53:59AM +0000, Viktor Dukhovni wrote:


> >     May 18 19:14:56 border postfix/smarthost/smtpd[9615]: NOQUEUE:
> > abort: TLS from internal.XXX.com[172.30.7.113]: Client certificate not
> > trusted
>
> Don't use restrictions that require "trusted" client certificates.
> Postfix does not impose such restrictions by default.

In particular don't use:

        smtpd_tls_req_ccert = yes

that form requires a certificate issued by a trusted CA.  Perhaps
that's not obvious, and not even the best interface, but it is
backwards compatible.  So that's what we have.

Instead use:

        smtpd_tls_ask_ccert = yes

and use "check_ccert_access" or similar, to deny access to clients
that don't present a suitable certificate.

There is not yet in Postfix a way to require a client certificate,
without requiring that its issuing chain be trusted.

--
        Viktor.
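The distinction Viktor draws above (CA trust versus fingerprint authorization) as a small model, added here and not part of the thread or of Postfix: it parses the smtpd log lines quoted earlier, looks the fingerprints up in a constructed relay_clientcerts-style table (assumed to be compared case-insensitively), and shows why the same session aborts under smtpd_tls_req_ccert=yes but is authorized under smtpd_tls_ask_ccert=yes with a fingerprint check.

```python
import re

# Constructed table in the poster's relay_clientcerts format ("fingerprint label").
CLIENTCERTS = """
17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3 commercial.crt
"""

# The two informational log lines quoted in the thread, rejoined onto single lines.
LOG = """\
May 18 19:14:56 border postfix/smarthost/smtpd[9615]: internal.XXX.com[172.30.7.113]: subject_CN=*.XXX.com, issuer=COMODO RSA Domain Validation Secure Server CA, fingerprint=42:1C:FD:99:2F:81:B2:55:07:42:D5:1F:EF:49:6D:43:96:1E:BC:D9, pkey_fingerprint=17:32:c4:9c:1e:c7:3d:13:ff:09:ec:19:ef:d3:13:1c:96:d3:e4:c3
May 18 19:14:56 border postfix/smarthost/smtpd[9615]: Untrusted TLS connection established from internal.XXX.com[172.30.7.113]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

def load_table(text):
    """Parse 'fingerprint label' lines; keys are lowercased colon-separated hex."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table

def parse_session(log):
    """Extract the trust verdict and both fingerprints for one client session."""
    info = {"trusted": None, "fingerprint": None, "pkey_fingerprint": None}
    for line in log.splitlines():
        m = re.search(r"\b(Trusted|Untrusted) TLS connection established", line)
        if m:
            info["trusted"] = m.group(1) == "Trusted"
        for key in ("pkey_fingerprint", "fingerprint"):
            # \b keeps "fingerprint=" from also matching inside "pkey_fingerprint="
            m = re.search(r"\b%s=([0-9A-Fa-f:]+)" % key, line)
            if m:
                info[key] = m.group(1).lower()
    return info

def decide(info, table, req_ccert):
    """req_ccert=True models smtpd_tls_req_ccert=yes: an untrusted issuer chain
    aborts the session before any fingerprint lookup can happen.
    req_ccert=False models smtpd_tls_ask_ccert=yes plus a fingerprint check:
    authorization depends only on the table, not on CA trust."""
    if req_ccert and not info["trusted"]:
        return "abort: Client certificate not trusted"
    for key in ("pkey_fingerprint", "fingerprint"):
        if info[key] in table:
            return "permit (%s matches %s)" % (key, table[info[key]])
    return "reject: no matching fingerprint"
```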

Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

PGNet Dev
Viktor

That's consistent with, and explains, what I've been seeing -- that,
with smtpd_tls_req_ccert = yes, ccert restriction works with a
commercial crt's fingerprint specified, but not with my self-signed cert.

I was digging in the self-signed cert itself, and having trouble
figuring out what the problem is.  Since I have a commercial crt
handy, I simply dropped it in for the outbound smarthost relay's
use/check.

The smtpd_tls_ask_ccert = yes + check_ccert_access etc. does work in
the self-signed case.  The need for this usage was not clear to me.

Thanks.

Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

Viktor Dukhovni
On Tue, May 19, 2015 at 04:25:52PM -0700, pgndev wrote:

> That's consistent with, and explains, what I've been seeing -- that,
> with smtpd_tls_req_ccert = yes
> ccert restriction works with a commercial crt's fingerprint
> specified, but not with my self-signed cert.
>
> I was digging in the self-signed cert itself, and having trouble
> figuring out what the problem is.  Since I have a commercial crt
> handy, I simply dropped in it for the outbound smarthost relay's
> use/check.
>
> The smtpd_tls_ask_ccert = yes + check_ccert_access etc does work in
> the self-signed case.  The need for this usage was not clear to me.

A good habit with Postfix is to read the documentation of each
parameter that you explicitly set in your main.cf file.

    http://www.postfix.org/postconf.5.html#smtpd_tls_req_ccert

        smtpd_tls_req_ccert (default: no)
            With mandatory TLS encryption, require a trusted remote
            SMTP client certificate in order to allow TLS connections
            to proceed.  This option implies "smtpd_tls_ask_ccert = yes".

The key word there is "trusted".  Perhaps the text could be a bit
less concise, and add a comment to the effect that 'trusted' means
issued by a trusted CA (see smtpd_tls_CAfile, smtpd_tls_CApath).

--
        Viktor.

Re: TLS client cert authentication -- fingerprint matches, but client's not trusted.

PGNet Dev
Already read, with an apparent bad assumption on my part.

In this case, since the check's against the ccert's fingerprint, I'd
assumed 'trusted' to mean "trusted if the fprint matches".  Having
added the ccert's fingerprint to a lookup table on the server seemed
appropriate, similar to trust in openssh connection where a client's
trusted once its pubkey is added to authorized_keys on the
checking-server.

Prior to your posted explanation I did not understand that trust
required a trusted CA -- either with built-in trust for standard
commercial certs, or trust added by adding to the appropriate cert
bundle on the server.

The additional comment could have been of some help.