also sprach Viktor Dukhovni <postfix-us...@dukhovni.org> [2017-09-17 21:49 +0200]: > I think you're saying your organization places machines you > (collectively) build on other people's networks, but the machines > need to send call home to send email, which is sometimes outbound > to other domains?
I'll go with that. > You don't have to the same key/cert across the board, the client > certificate for submission does not need to be (and perhaps should > not be) the one that's issued by Let's Encrypt (LE). True. We could create a CA for this purpose, but tbh, we've done this in the past and — given that 2 of the 3 organisations I'm dealing with are non-profit and hence resource-limited, managing all aspects of a CA was always just too hard. > Are you using LE to obtain certificates that are trusted by other > parties, or using LE because "certbot", ... make it easy to > automate renewal? A little bit of that, and a little bit of "it's just easier that way". > How does one of these far-flug clients get an LE certificate in > your domain in the first place? We control the DNS infrastructure centrally in all cases (using DNSSEC, of course), and so we issue them centrally. They are currently deployed over SSH tunnels to the hosts. > > Given that we trust Letsencrypt (for benefit of doubt) — > > I am trying to understand why you want to delegate relay control > decisions for your domain to LE. It's a valid question, for sure. But I wouldn't say we delegate relay control decisions to LE per se. Of course they'd become part of the equation and could abuse it, but that'd be the end of their story, too. I'm intending to make relay control decisions based on information LE has authenticated. And yes, I wouldn't do this with high security requirements, but an SMTP smarthost just doesn't fall into that domain for me, especially not if constantly monitored. > > Given that LE's challenge-response means that only we can issue > > certs that contain example.org in the CN or SubjectAltNames list — > > Can you explain a bit more detail here? In order to obtain an LE certificate with foo.example.org in CN/SAN, I have to regularly prove that I control foo.example.org towards LE. That's their trust model. It's similar to CACert's, except it's automated and there's a trust path to the existing set of CA certs as distributed by e.g. Mozilla. > > Why do I have to give postfix the fingerprints. Wouldn't it be just > > as safe and a lot easier to say "certs matching¹ .example.org issued > > by LE" and be done with it. > > Well, it isn't typically "just as safe", the LE enrollment process > is often vulnerable to on-path or BGP-route forgery MiTM attacks > between the CA and the domain for which the certificates are being > issued. DNSSEC does address this somewhat. Nevertheless, in my security-vs-cost calculation, getting relay access to a smarthost is not worth the price it'd cost to infiltrate the enrollment process as you say. Apart, the current way by which Postfix uses cert fingerprints is just as vulnerable to those kinds of attacks, no? > > So there exists no longer a canonical name/identity of > > a certificate? > > The canonical identity is the issuer DN + serial number. > The subject DN can be an empty RDN sequence. Mind you, > at the moment all the LE certificates I've seen have > a nonempty CN as the sole component of the subject DN, > and this may not change for a long time, but it is not > guaranteed indefinitely... Indeed. The problem with including the serial number means that the ID of the certificate changes on every reissue. Part of the idea I'm after is of course to have a canonical identity (i.e. the primary DNS name, or whatever you want it to be) which just gets reauthenticated at regular intervals, but doesn't change. Thanks for your challenging questions. I'm well aware that this isn't exactly postfix-users material, but it's helping me tremendously, and I hope others also find this interesting. I do hope Postfix will benefit from this long-term, by way of docs, or something like check_certname_access or whatever we come up with. Cheers, -- @martinkrafft | http://madduck.net/ | http://two.sentenc.es/ "the mind of the thoroughly well-informed man is a dreadful thing. it is like a bric-à-brac shop, all monsters and dust, with everything priced above its proper value." -- oscar wilde spamtraps: madduck.bo...@madduck.net
digital_signature_gpg.asc
Description: Digital GPG signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
