Re: TLS for dummies
On 26.08.2010 02:47, Security Admin (NetSec) wrote:
> Is there an existing file or a weblink that would list the current accepted global root CAs? Since the only one in the exchange.pem file is from my Exchange Server, I could append to this file all the necessary trusted root CAs.

Don't do it. Your system works correctly by warning you that the issuer is not trusted but encrypting the link anyway. Blindly trusting some CA that you do not control is never a good idea (even in HTTP context, let alone SMTP).

Having said that, look into /etc/ssl/certs or some such dir where root CA certificates are usually kept. Also check http://www.postfix.org/postconf.5.html#smtpd_tls_CApath if you really want to go that route.

-- Eray
Re: TLS for dummies
On Wed, 25 Aug 2010 16:47:46 -0700 Security Admin (NetSec) secad...@netsecdesign.com articulated:
>>> smtp_tls_CAfile = /etc/postfix/exchange.pem
>> You can list more CAs in this file if you wish.
> Is there an existing file or a weblink that would list the current accepted global root CAs? Since the only one in the exchange.pem file is from my Exchange Server, I could append to this file all the necessary trusted root CAs.

Several places exist. You might want to try Googling for Root Certificates. A few examples:

http://www.geotrust.com/resources/root-certificates/
http://www.cacert.org/index.php?id=3
http://www.entrust.net/developer/index.cfm
http://dodpki.c3pki.chamb.disa.mil/rootca.html

If you have access to a Windows machine, you can export the certificates there and import them into your distro. I have done it and it works quite well. Microsoft has apparently done a good job of keeping their CAs current.

-- Jerry ✌ postfix-u...@seibercom.net

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Re: TLS for dummies
On 08/25/2010 02:59 PM, Security Admin (NetSec) wrote:
> This is more of an annoyance than anything else. When my Postfix (v 2.6.7) attempts to send a message via TLS the following warning is received:
>
> postfix/smtp[28338]: certificate verification failed for mail.x.org[xxx.xxx.xxx.xxx]:25: untrusted issuer /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
>
> Mail is still sent despite warning. Suspect that problem is either:
>
> 1. Using a self-signed certificate and need to purchase one to use with mail server.

What does that have to do with your mail server logging a remote issue?

> If this is the case, would appreciate recommendations/weblinks on good places to purchase.
>
> 2. Configuration error. Partial main.cf is below:
> smtpd_use_tls = yes
> smtp_use_tls = yes

That is the problem. Are you only sending to one relayhost, and does this require TLS? FYI, the internet at large does not use TLS for normal mail transport.

J.
Re: TLS for dummies
On Wed, Aug 25, 2010 at 05:59:10AM -0700, Security Admin (NetSec) wrote:
> postfix/smtp[28338]: certificate verification failed for mail.x.org[xxx.xxx.xxx.xxx]:25: untrusted issuer /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority

This public root CA is not listed in your smtp_tls_CAfile or smtp_tls_CApath.

> Mail is still sent despite warning. Suspect that problem is either:

Opportunistic TLS works as advertised.

> 1. Using a self-signed certificate and need to purchase one to use with mail server. If this is the case, would appreciate recommendations/weblinks on good places to purchase.

Irrelevant. The certificate in question is on a remote server, not yours.

> 2. Configuration error. Partial main.cf is below:
> smtpd_use_tls = yes
> smtp_use_tls = yes

Obsolete, use smtp_tls_security_level and smtpd_tls_security_level.

> smtp_tls_security_level = may

Good, you don't need the obsolete smtp_use_tls setting.

> smtp_tls_CAfile = /etc/postfix/exchange.pem

You can list more CAs in this file if you wish.

> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Fine.

> smtpd_tls_mandatory_ciphers = high

This is unlikely to have any effect, unless you have a submission service defined in master.cf.

> smtpd_tls_loglevel = 2

Too verbose for production use.

> smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Clearly, only one of these is used, specifically the last. Drop the needless sdbm setting.

-- Viktor.
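The main.cf review above boils down to a few mechanical checks. As an added example (not code from the thread or from Postfix), the script below lints a constructed main.cf for the obsolete smtp_use_tls/smtpd_use_tls switches and for a parameter assigned twice, and counts the certificates in a stand-in for the poster's single-entry exchange.pem; the function names and file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Postfix main.cf for the points
# Viktor raised (obsolete smtp_use_tls/smtpd_use_tls; a parameter set twice,
# where Postfix uses only the last value) and count the certificates in a
# smtp_tls_CAfile, which in the original post held just the Exchange cert.
# All file contents below are constructed for the demonstration.

# Print parameters that are assigned more than once (last assignment wins).
duplicate_params() {
  awk -F= '/^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=/ { gsub(/[[:space:]]/, "", $1); n[$1]++ }
           END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# Print obsolete TLS switches with the *_tls_security_level parameter that replaces each.
obsolete_tls_params() {
  for p in smtp_use_tls smtpd_use_tls; do
    if grep -Eq "^[[:space:]]*$p[[:space:]]*=" "$1"; then
      echo "$p -> ${p%_use_tls}_tls_security_level"
    fi
  done
}

# Count certificates in a PEM bundle such as the file named by smtp_tls_CAfile.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

MAIN_CF=$(mktemp) && CA_PEM=$(mktemp)
trap 'rm -f "$MAIN_CF" "$CA_PEM"' EXIT
# Constructed main.cf mirroring the partial one posted in the thread.
cat > "$MAIN_CF" <<'EOF'
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/postfix/exchange.pem
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
EOF
# Constructed stand-in for exchange.pem: one certificate, body is a placeholder.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$CA_PEM"

echo "duplicates:";  duplicate_params "$MAIN_CF"
echo "obsolete:";    obsolete_tls_params "$MAIN_CF"
echo "CAfile certificates: $(count_pem_certs "$CA_PEM")"
```

Run against a real /etc/postfix/main.cf and the file named by smtp_tls_CAfile, a count of 1 is the sign that the file holds your own server's certificate rather than a CA list.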
RE: TLS for dummies
>> smtp_tls_CAfile = /etc/postfix/exchange.pem
> You can list more CAs in this file if you wish.

Is there an existing file or a weblink that would list the current accepted global root CAs? Since the only one in the exchange.pem file is from my Exchange Server, I could append to this file all the necessary trusted root CAs.