Byunghee HWANG:
> Until April 9, it worked well as shown below:
> 
> <quote>
> Received: from yw-0919.doraji.xyz (yw-0919.doraji.xyz [34.138.9.181])
> (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange X25519 server-signature RSA-PSS (2048 bits)
> client-signature ECDSA (P-256))
> (Client CN "yw-0919.doraji.xyz", Issuer "E7" (verified OK))
> by yw-1204.doraji.xyz (Postfix) with ESMTPS id
> D5D8C69A for <[email protected]>; Wed, 8 Apr 2026 19:12:55 +0000
> (UTC)
> </quote>
> 
> However, starting from April 10, it fails as follows:
> 
> <quote>
> Received: from yw-0919.doraji.xyz (yw-0919.doraji.xyz [34.138.9.181])
> (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange X25519 server-signature RSA-PSS (2048 bits)
> client-signature ECDSA (P-256))
> (Client CN "yw-0919.doraji.xyz", Issuer "E8" (not verified))
> by yw-1204.doraji.xyz (Postfix) with ESMTPS id
> 4EF278F8 for <[email protected]>; Fri, 10 Apr 2026 16:58:25 +0000
> (UTC)
> </quote>
> 
> Short summary: "verified OK" -> "not verified"
> 
> Is this related to the LE announcement [1] by any chance?
> [1] https://letsencrypt.org/2025/05/14/ending-tls-client-authentication

Yes, if yw-0919.doraji.xyz sends a server-only certificate.

Postfix 3.12 implements a feature for that case. If needed, it can be
back-ported to Postfix 3.9-11.

        Wietse

20260323

        Feature: specify "tls_trust_server_ccerts = yes" to trust
        client certificates whose extended key usage (EKU) lists
        only serverAuth and not clientAuth as valid TLS client
        certificates. This parameter is used only in the Postfix
        SMTP server, when client certificates are requested via
        smtpd_tls_ask_ccert or smtpd_tls_req_ccert. It is a workaround
        for policy changes at the major WebPKI CAs that preclude
        the issuance of certificates with a clientAuth EKU. Viktor
        Dukhovni. Files: proto/postconf.proto, global/mail_params.h,
        tls/tls_misc.c, tls/tls_server.c.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
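To make the effect of the new parameter concrete, here is an added example in Go (written for this page; it is not Postfix code and not from either message above). Using only the standard library it builds a throw-away issuing CA, issues one leaf certificate whose EKU is serverAuth only (the kind of certificate Wietse suspects yw-0919.doraji.xyz now presents) and one carrying serverAuth+clientAuth, and then runs the chain validation a receiving SMTP server performs on a client certificate: once requiring clientAuth (the pre-3.12 behaviour) and once also accepting serverAuth (what tls_trust_server_ccerts = yes does). The CA name, the hostname mx.example.test and all function names are constructed for the example, and the mapping to the words "verified OK" / "not verified" models the Received: header wording rather than reproducing Postfix's code path in tls_server.c.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a throw-away self-signed issuing CA with no EKU of its own
// (an EKU-less CA does not restrict what its leaves may be used for).
// It merely stands in for the real issuer; this is not Let's Encrypt's hierarchy.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs an end-entity certificate for cn with exactly the listed
// EKUs, so both cases from the thread can be reproduced: serverAuth only
// (what a WebPKI CA now issues) versus serverAuth together with clientAuth.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string,
	ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClientCert models the receiving SMTP server's decision: a presented
// client certificate must chain to a trusted CA and, by default, be usable
// for clientAuth. With trustServerCcerts (tls_trust_server_ccerts = yes) a
// serverAuth-only EKU is accepted as well. Returns nil on success.
func verifyClientCert(leaf, ca *x509.Certificate, trustServerCcerts bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	usages := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if trustServerCcerts {
		usages = append(usages, x509.ExtKeyUsageServerAuth)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usages})
	return err
}

// isEKUFailure separates the EKU mismatch from the other reasons a chain
// fails (unknown issuer, expiry); "(not verified)" in the header alone
// does not tell these apart.
func isEKUFailure(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage
}

// receivedStatus maps the outcome onto the Received: header wording
// (the mapping is this example's, not Postfix's code).
func receivedStatus(leaf, ca *x509.Certificate, trustServerCcerts bool) string {
	if verifyClientCert(leaf, ca, trustServerCcerts) == nil {
		return "verified OK"
	}
	return "not verified"
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	serverOnly, err := issueLeaf(ca, caKey, "mx.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	both, err := issueLeaf(ca, caKey, "mx.example.test",
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	for _, trust := range []bool{false, true} {
		fmt.Printf("tls_trust_server_ccerts=%-5v serverAuth-only: %-12s serverAuth+clientAuth: %s\n",
			trust, receivedStatus(serverOnly, ca, trust), receivedStatus(both, ca, trust))
	}
	fmt.Println("serverAuth-only fails for EKU reasons without the workaround:",
		isEKUFailure(verifyClientCert(serverOnly, ca, false)))
}
```

Two things worth noting. The workaround only relaxes the EKU check: a certificate from an issuer the server does not trust still fails, so the identity bound to the certificate is unchanged. And before enabling it, confirm that the EKU really is the cause on the sending side, for example with `openssl s_client -starttls smtp -connect yw-0919.doraji.xyz:25 </dev/null 2>/dev/null | openssl x509 -noout -ext extendedKeyUsage` (OpenSSL 1.1.1 or later), which should list only "TLS Web Server Authentication" if that host's smtp_tls_cert_file is the same server-only certificate; on the receiving side the setting is applied with `postconf -e 'tls_trust_server_ccerts = yes'` followed by `postfix reload` once the 3.12 feature (or its back-port) is installed.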