Postfix TLS CACert.org/Thawte for Apache/Postfix/Courier

Discussion in 'Installation/Configuration' started by popper2001, Jul 22, 2007.

  1. popper2001

    popper2001 New Member

    Hi,

    since I'm kind of frustrated over my own stupidity, I hope you can help me understanding and perhaps solving some of my problems.

    I recently installed ISPConfig on a Strato Debian Etch following Falko's Perfect Setup. Right time to say thanks for all of your great work!!

    After that I made some additional configurations for SPAM prevention usinga mixture of How To Block Spam Before It Enters The Server (Postfix), How To Implement SPF In Postfix and How To Fight Spam Using Your Postfix Configuration, so my actual Postfix Configuration looks like this:

    Code:
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    disable_vrfy_command = yes
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = all
    mailbox_command =
    mailbox_size_limit = 0
    mydestination = /etc/postfix/local-host-names
    myhostname = hXXXXXXX.serverkompetenz.net
    mynetworks = 127.0.0.0/8
    myorigin = /etc/mailname
    recipient_delimiter = +
    relayhost =
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_helo_required = yes
    smtpd_helo_restrictions = 
        permit_mynetworks,
        reject_invalid_hostname,
        regexp:/etc/postfix/helo.regexp,
        permit
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client ix.dnsbl.manitu.net,
        check_policy_service unix:private/policy,
        check_policy_service inet:127.0.0.1:60000,
        permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    tls_random_source = dev:/dev/urandom
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    
    Solved
    Now I have a problem with mail clients using SMTP with TLS (SSL). For example if I try to access the Server with Outlook 2003 and select "Server needs a secure connection (SSL)" in the connection properties of the SMTP-Server, I cant access the account. There is neither a failure notice nor a timeout. Outlook is just waiting. But POP3s and IMAPs work fine and if I don't use SSL, SMTP also does and I can send mails without any problems.
    Solved End

    So I tried Thunderbird with the result that it does not accept my self signed server certificate (Here I simply followed the steps of Falko's Tutorial). It seems, that Thunderbird evaluates the Courier certificate which was assigned to localhost (Automatically-generated POP3 SSL Key) and not the Postfix certificate.

    Now I'm looking for a way to have a secured E-Mail-Connection without any security notices so I want to substitute my self signed cerificates with some of a real CA, if possible from CACert.org because they are for free.

    But actually I have some problems understanding all necessarry steps for avoiding the certification notices and making SSL in Outlook work.

    Here some Questions:

    1. Does the HELO name (currently hXXXXXXX.serverkompetenz.net) of the mail server need to be identical with the CN on the certificyte?
    2. Is it true that I can only use one FQN as Mailserver as e.g. mail.example.com for all domains hosted on my server or is it possible that every domain uses it's own mail.domain.com as MX and thus doesn't produce certificate errors when assigning the server certificate to hXXXXXXX.serverkompetenz.net?
    3. Do I have to copy (parts of) the certificates to the clients in order to make the communication work?
    4. Does the SMTP (and POP3s/IMAPs)server name need to be exactly the same hostname as the CN of the certificate?
    5. Is it necessary to set the MX-Record also to exactely that name?
    6. Is reverse lookup needed for the confirmation of the certificate, so can I use any domain name that points to the server as MX, e.g. mail.example.com although my IP's reverse lookup is hXXXXXXX.serverkompetenz.net or do I have to set both, the MX and the CN in the certificate to hXXXXXXX.serverkompetenz.net
    7. Is it mandatory that the Courier certificate is for localhost or can I also use any CNAME here?
    8. Is it possible to use ONE certificate for Apache, Postfix, Courier like described here and also for the ISPConfig access and if yes, what configuration steps are neccessary to do so?
    9. Is it enough to use CACert.org as authority or do I need a Thawte, etc. certificate for avoiding those Thunderbird, Outlook and Browser popups?
    10. Does Outlook perhaps need another athentication mechanism, like DIGEST-MD5 or CRAM-MD5 for making TLS (and not SMTPS) work or is PLAIN LOGIN enough?
    11. Does Postfix automatically "know" all installed ca-certificates in /etc/ssl/certs/ like Verisign, Thawte, etc and can use them for TLS communication or do I have to copy them somewhere and set the smtp_tls_CApath or smtpd_tls_CApath?

    I'm very sorry for all of these stupid questions but perhaps someone of you can help me? Possible I've also only made a small configuration mistake and simply don't know it...

    Thanks for your help in advance.

    Regards,
    popper2001
     
    Last edited: Jul 22, 2007
  2. popper2001

    popper2001 New Member

    OK, I meanwhile "solved" the problem with Outlook (c above) by activating smtps with smtpd_tls_wrappermode on port 465 in master.cf. But as posted here Outlook seems to be able to use TLS also without SSL over 465 so is this really the best possible sollution?

    Code:
    vi /etc/postfix/master.cf
    Code:
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    Isn't anybody out there, who knows something about my other problems and likes to share her/his knowledge with me?

    I really need some help since I'm getting more and more confused and frustrated... :confused:
     
    Last edited: Jul 22, 2007
  3. popper2001

    popper2001 New Member

    Ok, perhaps I was able to take the next step. I meanwhile installed a new server certificate for postfix signed by CACert.org and reconfigured Postfix to use the combined ca-certificates as CAfile.

    Code:
    smtpd_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
    smtpd_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_use_tls = yes
    smtpd_tls_auth_only = no
    smtpd_tls_loglevel = 2
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    
    smtp_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
    smtp_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_use_tls = yes
    smtp_tls_loglevel = 2
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    tls_random_source = dev:/dev/urandom
    myhostname = mail.example.com
    Correct?

    As far as I can see the connection is not established normaly due to the SSL_accept:error(s).
    The CN in the certificate is mail.example.com, the MX of the domain is mail.example.com and also the postfix myhostname is mail.example.com as you can see in the code so my questions above shouldn't actually be importent.

    Can somebody please tell me, what to do against the following problem?

    Code:
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: initializing the server-side TLS engine
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: connect from pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: setting up TLS connection from pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:before/accept initialization
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv2/v3 read client hello A
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: looking up session 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF in smtpd cache
    Jul 22 19:19:30 hXXXXXXX postfix/tlsmgr[3930]: lookup smtpd session id=6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF
    Jul 22 19:19:30 hXXXXXXX postfix/tlsmgr[3930]: read smtpd TLS cache entry 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF: time=1185124125 [data 127 bytes]
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: reloaded session 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF from smtpd cache
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 read client hello B
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write server hello A
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write change cipher spec A
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write finished A
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 flush data
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read finished A
    Jul 22 19:19:30 hXXXXXXX last message repeated 3 times
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 read finished A
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: Reusing old session
    Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: TLS connection established from pXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    Jul 22 19:19:31 hXXXXXXX postfix/smtpd[4340]: 1C3E71B418C: client=pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX], sasl_method=LOGIN, sasl_username=XXXXXXXX
    Jul 22 19:19:31 hXXXXXXX postfix/cleanup[4344]: 1C3E71B418C: message-id=<4FFC247129774D4FB391E7DDAE0AD270096DB0@mail.example.com>
    
    Are my other questions so confusion or just too stupid simple? I really tried my best to find a working sollution by myself but I didn't succeed so far. So I really appreciate your help.
     
    Last edited: Jul 22, 2007
  4. popper2001

    popper2001 New Member

    I can't believe that nobody is around here knowing something about certificates within postfix and courier or abour CRS with CACert.org.

    I could really need some help here...
     

Share This Page