On Thu, Sep 30, 2021 at 12:45:31AM +1000, raf wrote:

> > postconf: warning: /etc/postfix/master.cf: undefined parameter: 
> > submission_sender_restrictions
> > smtp       inet  n       -       n       -       -       smtpd
> > submission inet  n       -       n       -       -       smtpd
> >     -o syslog_name=postfix/submission
> >     -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
> >     -o smtpd_tls_req_ccert=yes
> >     -o smtpd_tls_auth_only=no
> >     -o smtpd_tls_security_level=encrypt
> >     -o smtpd_tls_cert_file=/etc/postfix/ssl/submission.cert
> >     -o smtpd_tls_key_file=/etc/postfix/ssl/submission.key
> 
> The above two parameters are overriding the corresponding parameters
> in main.cf for incoming mail on port 587. That's probably not what you
> are intending. Normally, you would just set these in main.cf so that
> the same certificate is used on ports 25 and 587. But perhaps you want
> two different certificates for the same purpose. That's not
> necessarily a problem (but see below).

Given the names, the choice to use separate certificates for
submission vs. port 25 is rather apparent.

> > I'm able to create and sign certs with those CA certificates? What
> > is it exactly that's breaking down here? Any pointers would be
> > greatly appreciated here.
> 
> The main problem is that you are using two different certificates
> for the same purpose (server), but you seem to have created one for
> server use and the other one for client use.

Please don't just make stuff up, this helps no one.  The reported
error logging was:

    Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: \
        issuer=/C=US/ST=Pennsylvania/L=Philadelphia/O=LHProjects Information \
        Network/OU=LHProjects Certificate Authority/CN=LHP MX CA \
        V1/emailAddress=admin...@lhpmail.us
    Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: \
        unknown[192.168.103.201]: subject_CN=smtp.lhpmail.us, issuer=LHP MX CA V1, \
        fingerprint=87:0F:12:04:F3:A1:BD:3A:E1:38:33:3E:62:65:8E:B1:A6:4D:A5:60, \
        pkey_fingerprint=00:AC:ED:99:56:33:22:A0:CA:75:9D:69:4B:C4:E5:2B:45:7C:1E:6D
    Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: certificate \
        verification failed for unknown[192.168.103.201]: not designated for use as a CA \
        certificate

The last of these indicates that "LHP MX CA V1" lacks the proper
extensions to be an X.509v3 CA for issuing TLS client certificates.  The
underlying error from OpenSSL is "X509_V_ERR_INVALID_PURPOSE".

The CA's extended key usage almost certainly specifies only "serverAuth"
and not also "clientAuth", so it is rejected as a client cert issuer.

> Passing the "openssl verify -purpose sslclient ..."
> test is only appropriate for the smtp_tls_cert_file
> parameter (i.e. used by the local postfix smtp client for
> outgoing mail), which you aren't using anywhere. The
> certificate in smtpd_tls_cert_file is being used by the
> local postfix smtp server for incoming mail.

The client certificates in question are those of various
MUAs, not the Postfix server in question.

> Was your intention to use submission.cert as a client
> certificate when making outgoing connections to the
> relay_transport (smtp:smtp.lhpmail.us:587)?

No, it was clearly to support client cert authenticated submission.
Best to not muddy the waters.

-- 
    Viktor.
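An added reproduction of the failure Viktor describes (this is not code from the thread or from Postfix): it builds throwaway CAs with and without a serverAuth-only extendedKeyUsage, issues a clientAuth leaf from each, and asks OpenSSL whether the chain is usable for the "sslclient" purpose, which is the check a TLS server applies to a client certificate. The CA names, the leaf CN client.example.test and the one-day validity are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the CA-purpose failure with throwaway keys.
# All names and keys here are constructed on the fly; nothing real is used.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_ca NAME EKU_LINE: self-signed CA whose extendedKeyUsage is EKU_LINE
# (empty = no EKU extension), a clientAuth leaf issued by it, then an OpenSSL
# purpose check for "sslclient". Returns 0 if the chain verifies, 1 if not.
check_ca() {
    name=$1 eku=$2 d="$WORK/$1"
    mkdir -p "$d"
    cat > "$d/cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
$eku
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name CA" \
        -config "$d/cnf" -extensions ca_ext -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -config "$d/cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 1 \
        -days 1 -extfile "$d/cnf" -extensions leaf_ext -out "$d/leaf.crt" 2>/dev/null
    # Old releases exit 0 even on failure, so judge by the printed verdict.
    openssl verify -purpose sslclient -CAfile "$d/ca.crt" "$d/leaf.crt" 2>&1 \
        | grep -q ': OK$'
}

# The situation in the log: a CA restricted to serverAuth is refused as an
# issuer of client certificates (X509_V_ERR_INVALID_PURPOSE).
if check_ca serveronly 'extendedKeyUsage = serverAuth'; then
    echo 'serverAuth-only CA: unexpectedly accepted'; exit 1
else
    echo 'serverAuth-only CA: rejected for sslclient purpose (as in the log)'
fi
# Either fix works: omit the EKU on the CA, or include clientAuth in it.
check_ca noeku '' && echo 'CA without EKU: OK'
check_ca both 'extendedKeyUsage = serverAuth, clientAuth' && echo 'CA with clientAuth: OK'
```

The "unsupported certificate purpose" verdict printed for the first case is the OpenSSL side of the "not designated for use as a CA certificate" line in the smtpd log.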
