Re: Verisign Cert
On Wed, Jul 15, 2009 at 3:07 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:
>
> > I ran the openssl test command that you provided and it doesn't look like my cert config is good.
> >
> > [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
> > CONNECTED(0003)
> > ---
> > Certificate chain
> >  0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> >    i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1595 bytes and written 350 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > ---
> > 220 XXX ESMTP
>
> This is exactly what you would expect. Everything is working fine.
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the Reply-To header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> mailto:majord...@postfix.org?body=unsubscribe%20postfix-users
>
> If my response solves your problem, the best way to thank me is to
> not send an "it worked, thanks" follow-up. If you must respond,
> please put "It worked, thanks" in the Subject so I can delete these
> quickly.

I am reading the TLS page on postfix and here http://www.state-of-mind.de/assets/postfix_tls.pdf. I have one last question. What I am trying to set up is, I have a set of hosts in the LAN which use postfix relay servers in the DMZ to send (secure) mails to one of our external clients. The external client insists on using a verisign cert. In this scenario my postfix server will send mails to the external client's server, so should I configure the Client Certificate on my postfix?

Thank you,
Re: Verisign Cert
On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:

> I am reading the TLS page on postfix and here http://www.state-of-mind.de/assets/postfix_tls.pdf. I have one last question. What I am trying to set up is, I have a set of hosts in the LAN which use postfix relay servers in the DMZ to send (secure) mails to one of our external clients. The external client insists on using a verisign cert.

This is not sufficiently precise, what does "using" mean? Printing it on a piece of paper and using it as bathroom wallpaper? :-)

You need to understand what role the private key and associated (Verisign or other CA) certificate is to play in your communications with this party.

> In this scenario my postfix server will send mails to the external client's server, so should I configure the Client Certificate on my postfix?

If they restrict access to their server, and allow only (certain) TLS authenticated clients to connect, then indeed you may need to configure a client certificate. This is never true for MX hosts, but if this is a dedicated gateway used only by specially configured clients, it may be one of the exceptions where SMTP client certs are useful.

You'll need to understand how they use it, so that you can do the right thing when the cert expires and needs to be replaced.

--
Viktor.
Re: Verisign Cert
On Thu, Jul 16, 2009 at 12:03 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:
>
> > I am reading the TLS page on postfix and here http://www.state-of-mind.de/assets/postfix_tls.pdf. I have one last question. What I am trying to set up is, I have a set of hosts in the LAN which use postfix relay servers in the DMZ to send (secure) mails to one of our external clients. The external client insists on using a verisign cert.
>
> This is not sufficiently precise, what does "using" mean? Printing it on a piece of paper and using it as bathroom wallpaper? :-)

:-) Honestly I haven't spoken to them directly, just working based on a piece of mail I got.

> You need to understand what role the private key and associated (Verisign or other CA) certificate is to play in your communications with this party.
>
> > In this scenario my postfix server will send mails to the external client's server, so should I configure the Client Certificate on my postfix?
>
> If they restrict access to their server, and allow only (certain) TLS authenticated clients to connect, then indeed you may need to configure a client certificate. This is never true for MX hosts, but if this is a dedicated gateway used only by specially configured clients, it may be one of the exceptions where SMTP client certs are useful.

Being secure, I think they allow only specific clients to connect.

The postfix TLS doc says the key should be in .pem format, but I see many howtos using .key or .crt as well. I used the openssl command to generate keys, and both .pem and .key seem to be just rsa encryption with BEGIN and END. I assume the extension can be .pem or .crt or can be anything. Is that right?
Re: Verisign Cert
On Thu, Jul 16, 2009 at 01:52:10PM -0400, Linux Addict wrote:

> > This is not sufficiently precise, what does "using" mean? Printing it on a piece of paper and using it as bathroom wallpaper? :-)
>
> :-) Honestly I haven't spoken to them directly, just working based on a piece of mail I got.

You need to talk to them and find out + understand their requirements.

> > If they restrict access to their server, and allow only (certain) TLS authenticated clients to connect, then indeed you may need to configure a client certificate. This is never true for MX hosts, but if this is a dedicated gateway used only by specially configured clients, it may be one of the exceptions where SMTP client certs are useful.
>
> Being secure, I think they allow only specific clients to connect.

The word "secure" is not synonymous with "discriminating". It rather depends on the threat-model that gives an actual meaning to the word "secure" (the threats within the model are appropriately addressed). If to be secure their server needs to maintain an access list of authorized clients and to discriminate between connections by authorized and unauthorized clients, then yes, otherwise no.

> The postfix TLS doc says the key should be in .pem format, but I see many howtos using .key or .crt as well. I used the openssl command to generate keys, and both .pem and .key seem to be just rsa encryption with BEGIN and END. I assume the extension can be .pem or .crt or can be anything. Is that right?

The file names are completely irrelevant, but the file *encoding* for keys and certificates used with Postfix needs to be PEM.

Encodings:

    PEM - base64 encoding of ASN.1 payload with an ASCII envelope that provides type information about the enclosed object.
    DER - DER/BER binary ASN.1 object

Object types:

    RSA private key
    X.509 certificate - .cer/.crt files on Windows systems
    PKCS#7 certificate chain - .spc file on Windows systems
    PKCS#12 private key + certs - .p12 file on Windows systems
    ...

--
Viktor.
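As an added example (not from the thread), here is the PEM/DER distinction Viktor describes, in Python: the file name is ignored entirely and the encoding is recognised from the bytes alone, with the base64 body unwrapped back to its ASN.1 payload. The DER payload is a constructed five-byte ASN.1 SEQUENCE standing in for a certificate, not a real one.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real
# certificate or key; it stands in for the ASN.1 payload inside a PEM file.
SAMPLE_DER = bytes.fromhex("3003020105")

# PEM envelope: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
# The label (CERTIFICATE, RSA PRIVATE KEY, ...) is the type information.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_to_pem(der, label):
    """Wrap a DER object in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


def pem_to_der(data):
    """Return the DER payload of every PEM object found in data, in order."""
    return [base64.b64decode(b"".join(m.group(2).split()))
            for m in PEM_RE.finditer(data)]


def _der_length_matches(data):
    """Check that the outer ASN.1 length field accounts for the whole buffer."""
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data):
    """Identify the encoding from the bytes; the file extension never matters.

    Returns ('PEM', [labels]), ('DER', None) or ('UNKNOWN', None)."""
    labels = [m.group(1).decode() for m in PEM_RE.finditer(data)]
    if labels:
        return ("PEM", labels)
    # Certificates, keys and PKCS#7/#12 objects are all ASN.1 SEQUENCEs (tag 0x30).
    if len(data) >= 2 and data[0] == 0x30 and _der_length_matches(data):
        return ("DER", None)
    return ("UNKNOWN", None)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    for name in ("server.key", "server.crt", "server.pem"):  # same bytes, any name
        print(name, classify(pem))
    print("server.der", classify(SAMPLE_DER))
```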
Re: Verisign Cert
On Wed, July 15, 2009 19:58, Victor Duchovni wrote:

> openssl s_client -starttls stmp -connect 192.0.2.1:25

typo, will most likely be smtp

--
xpoint
Re: Verisign Cert
I assume you're using this certificate for TLS, so the answer is NO, no single mails will be encrypted - TLS is only there to allow MTAs to encrypt their transport layer. If no restrictions are configured this happens automagically if both endpoints support TLS.

Best regards,
Thomas Gelf

Linux Addict wrote:

> Hello Gurus,
>
> Currently my postfix server runs with a self-signed cert, but now I was asked to implement a verisign cert for some of the outgoing mails. My question is, when the verisign cert is installed, will all the outgoing mails, such as to yahoo.com, gmail.com, be encrypted? Do the clients need any certificate information? I am not very clear. Please throw some light..
>
> ~LA
Re: Verisign Cert
On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:

> Hello Gurus,
>
> Currently my postfix server runs with a self-signed cert, but now I was asked to implement a verisign cert for some of the outgoing mails.

You are mightily confused. X.509 certificates with SMTP STARTTLS are for *incoming* mail, so that *senders* can authenticate your server:

    http://www.postfix.org/TLS_README.html#client_tls_secure

The *server installs* a certificate signed by a trusted CA, and the *client verifies* it.

> My question is, when the verisign cert is installed, will all the outgoing mails, such as to yahoo.com, gmail.com, be encrypted? Do the clients need any certificate information? I am not very clear. Please throw some light..

Your client certificate plays no role in the delivery of email to other domains, and will almost never be used, because the vast majority of MX hosts that support STARTTLS do not request client certificates.

The recommended configuration for TLS enabled Postfix servers is:

    # SMTP Server TLS (cert + key):
    smtpd_tls_cert_file = /etc/postfix/your-cert.pem
    smtpd_tls_key_file = /etc/postfix/your-key.pem

    # SMTP Client TLS (no cert or key):
    smtp_tls_cert_file =
    smtp_tls_key_file =

--
Viktor.
Re: Verisign Cert
On Wed, Jul 15, 2009 at 12:52 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:
>
> > Hello Gurus,
> >
> > Currently my postfix server runs with a self-signed cert, but now I was asked to implement a verisign cert for some of the outgoing mails.
>
> You are mightily confused. X.509 certificates with SMTP STARTTLS are for *incoming* mail, so that *senders* can authenticate your server:
>
>     http://www.postfix.org/TLS_README.html#client_tls_secure
>
> The *server installs* a certificate signed by a trusted CA, and the *client verifies* it.
>
> > My question is, when the verisign cert is installed, will all the outgoing mails, such as to yahoo.com, gmail.com, be encrypted? Do the clients need any certificate information? I am not very clear. Please throw some light..
>
> Your client certificate plays no role in the delivery of email to other domains, and will almost never be used, because the vast majority of MX hosts that support STARTTLS do not request client certificates.
>
> The recommended configuration for TLS enabled Postfix servers is:
>
>     # SMTP Server TLS (cert + key):
>     smtpd_tls_cert_file = /etc/postfix/your-cert.pem
>     smtpd_tls_key_file = /etc/postfix/your-key.pem
>
>     # SMTP Client TLS (no cert or key):
>     smtp_tls_cert_file =
>     smtp_tls_key_file =
>
> --
> Viktor.

On Wed, Jul 15, 2009 at 10:46 AM, Thomas Gelf tho...@gelf.net wrote:

> I assume you're using this certificate for TLS, so the answer is NO, no single mails will be encrypted - TLS is only there to allow MTAs to encrypt their transport layer. If no restrictions are configured this happens automagically if both endpoints support TLS.
>
> Best regards,
> Thomas Gelf
>
> Linux Addict wrote:
>
> > Hello Gurus,
> >
> > Currently my postfix server runs with a self-signed cert, but now I was asked to implement a verisign cert for some of the outgoing mails. My question is, when the verisign cert is installed, will all the outgoing mails, such as to yahoo.com, gmail.com, be encrypted? Do the clients need any certificate information? I am not very clear. Please throw some light..
> >
> > ~LA

Thank you. Looks like I need to stand up another postfix instance since the outgoing mails' domain will be different from the one in $mydomain.

On the current instance (self-signed), when I telnet to port 25, I get the below.

    250-PIPELINING
    250-SIZE 1024
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
    250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

The postconf output is below:

    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
    smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_exchange_name = /var/lib/postfix/prng_exch
    tls_random_source = dev:/dev/urandom

I read in one of the docs, http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1, that for a successful TLS setup the last line should be "220 Ready to start TLS". I don't see any error in the logs, does my current setup really have TLS enabled?

thanks
LA
Re: Verisign Cert
On Wed, Jul 15, 2009 at 1:58 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:
>
> > smtp_tls_note_starttls_offer = yes
> > smtp_use_tls = yes
> > smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
>
> Make that:
>
>     smtp_tls_CAfile = ...
>
> you don't need an smtpd_tls_CAfile, unless your cert file is missing the intermediate CA issuing certificates that are found in this file. The right solution is to include your trust chain in the cert.pem file (in the right order, subject cert before issuer cert, leaf to root).
>
> > smtpd_tls_session_cache_timeout = 3600s
>
> No need if you don't also specify a btree cache database.
>
> > smtpd_use_tls = yes
>
> Make that:
>
>     smtpd_tls_security_level = may
>
> > I read in one of the docs, http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1, that for a successful TLS setup the last line should be "220 Ready to start TLS".
>
> No, this is not the case. To test:
>
>     openssl s_client -starttls stmp -connect 192.0.2.1:25
>
> where 192.0.2.1 is replaced by the IP address of your SMTP server.
>
> --
> Viktor.

I think I lack knowledge on this.. I gotta do some reading.

I ran the openssl test command that you provided and it doesn't look like my cert config is good.
    [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
    CONNECTED(0003)
    depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
       i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    subject=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
    issuer=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1595 bytes and written 350 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: E73EFFA5B6E8331A2571E2B15E43189D1F585D4B9D64128E6C09CE67190E2B64
        Session-ID-ctx:
        Master-Key: BD77CCB997AFCD42BDFDC750763FD56FD82237E09686F6E596A9E885AD5B46C5FD99E9C5B45A7BBDE25A183F8BAA05D5
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1247682108
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    220 XXX ESMTP
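As an added example (not from the thread), a small Python checker that applies Viktor's configuration advice from this thread (the recommended server cert plus empty client cert settings, and the corrections quoted above) to the postconf output Linux Addict posted: the legacy smtpd_use_tls / smtp_use_tls switches, the CAfile on the wrong side, a session cache timeout without a cache database, and a client cert that MX hosts will never ask for. It assumes two parameter names not quoted in the thread, smtp_tls_security_level (the client-side counterpart of smtpd_tls_security_level) and smtpd_tls_session_cache_database.

```python
# Constructed sample: the postconf output posted earlier in the thread.
SAMPLE_MAIN_CF = """\
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom
"""

# Legacy on/off switches and the security_level parameters that replace them
# (smtp_tls_security_level is assumed as the client-side counterpart; it is not quoted in the thread).
LEGACY = {"smtpd_use_tls": "smtpd_tls_security_level", "smtp_use_tls": "smtp_tls_security_level"}


def parse_main_cf(text):
    """Parse main.cf style 'name = value' lines; an indented line continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:      # continuation line
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def lint_tls(params):
    """Return (parameter, advice) pairs based on the points made in the thread."""
    out = []
    for old, new in LEGACY.items():
        if old in params and new not in params:
            out.append((old, "legacy switch; use '%s = may' instead" % new))
    if "smtpd_tls_CAfile" in params:
        out.append(("smtpd_tls_CAfile", "only needed if smtpd_tls_cert_file lacks the "
                    "intermediate CA certs; put the chain there (leaf first, then issuers) "
                    "and use smtp_tls_CAfile to verify remote servers"))
    if ("smtpd_tls_session_cache_timeout" in params
            and "smtpd_tls_session_cache_database" not in params):
        out.append(("smtpd_tls_session_cache_timeout",
                    "no effect without smtpd_tls_session_cache_database"))
    for p in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(p):
            out.append((p, "server cert/key missing; senders cannot authenticate this server"))
    for p in ("smtp_tls_cert_file", "smtp_tls_key_file"):
        if params.get(p):
            out.append((p, "client cert configured; MX hosts almost never request one"))
    return out


if __name__ == "__main__":
    for param, advice in lint_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print(param + ": " + advice)
```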
Re: Verisign Cert
On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:

> I ran the openssl test command that you provided and it doesn't look like my cert config is good.
>
> [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
> CONNECTED(0003)
> ---
> Certificate chain
>  0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
>    i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1595 bytes and written 350 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> ---
> 220 XXX ESMTP

This is exactly what you would expect. Everything is working fine.

--
Viktor.