Mailinglist Archive: opensuse (2217 mails)
Re: [opensuse] Postfix not recognising me (WAS: Postfix does not seem to be logging)
- From: John <John@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Sep 2007 00:38:41 +0100
- Message-id: <46F06181.5020706@xxxxxxxxxxxxxxxxxxxxx>
Sandy Drobic wrote:
> Just a little question. In your config below I see two possibilities to
> authenticate: either by using conventional user/pass or by using a client
> certificate.
> Which one are you trying to implement?

Hadn't realised there were two here. I'd like the most secure and least
likely to allow someone else access to my server! (BTW I'm using Courier
IMAP having set most of this up by working through 'Linux Email' by
several authors including Patrick Koetter. My TLS certificate was built
based on Chapter 13 of Kyle Dent's O'Reilly publication, 'Postfix - the
definitive guide'. It wouldn't surprise me if I've gotten into a muddle
trying to work between these books and the readme files with Postfix
itself!)

> Did you test both of them?

Er yes! - see below

> postconf output follows:
>
> broken_sasl_auth_clients = yes
> mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
> relay_clientcerts = hash:/etc/postfix/relay_ccerts
> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated, permit_tls_clientcerts,
>     reject_unauth_destination
> smtpd_sasl_application_name = smtpd
> smtpd_sasl_auth_enable = no
>
> Er, hello?!? If you want to use smtp auth you need to set this to "yes"!
> smtpd_sasl_auth_enable = yes
>
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
> smtpd_tls_key_file = /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = yes
> smtpd_use_tls = yes
>
> The rest looks fine. If you are trying to use client certs, did you put
> the client cert on your phone? I don't remember seeing a line in the tls
> log where the client (your phone) is presenting a client certificate.

The phone has a PKCS12 format key and trusted certificate, the fingerprint
of which is the only entry in relay_ccerts alongside my forename as user.
This key-and-relay_ccerts-fingerprint set was generated by openssl but I'm
hesitant about posting a key on this list.

> If you can't get saslfinger to work, please show the output of the last
> line of this command (the capabilities of your server after a tls
> connection has been established and the ehlo command is invoked).
>
> openssl s_client -starttls smtp -connect localhost:25
> ehlo localhost

see below (sensitive info cut - hopefully!)

> Please also post the content of /usr/lib/sasl2/smtpd.conf.

pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN

> If you are trying to use client certificates for authentication please
> also post the content of /etc/postfix/relay_ccerts and verify that it is
> indeed the fingerprint of your client certificate.

depth=1 /C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
   i:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
 1 s:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
   i:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDVDCCAr2gAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCVUsx
.......................................
qIRGNhhaclu7lwdDEtpNP2skqcz5VLVVcgwb3eM4TJ01yXFx8ZD8Pw==
-----END CERTIFICATE-----
subject=/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
issuer=/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
---
Acceptable client certificate CA names
/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@xxxxxxxxxxxxxxxxxxxxx
---
SSL handshake has read 2500 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-A?6-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-A?6-SHA
    Session-ID: 8872A2FA0F712B2BC2CFA301BE17D648944093293F266D209236F36579B2718D
    Session-ID-ctx:
    Master-Key: 8D133580FA......................................345B932674871F1
    Key-Arg   : None
    Start Time: 1190157431
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
ehlo localhost
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
500 Error: bad syntax

Above was with smtpd_sasl_auth_enable = no
Setting it to yes and reloading gives
read:errno=32
to the openssl command above

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
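An added example, not code from John's or Sandy's messages: a small POSIX shell script that performs the two checks this exchange turns on. It builds the relay_clientcerts entry from a client certificate's fingerprint and confirms the map really holds the fingerprint of the certificate the client presents, and it greps an s_client transcript for the two signals discussed above (a 250-AUTH line, which Postfix only advertises once smtpd_sasl_auth_enable = yes, and the "Acceptable client certificate CA names" block, which shows the server asked for a client certificate). It assumes openssl(1) is installed; the CA, key and certificate files it creates are throwaway test material, not the files on John's server, and the digest is a parameter because the map key must be computed with the server's smtpd_tls_fingerprint_digest (md5 on Postfix of that era and up to the 3.6 compatibility level, sha256 on current releases). Checking the fingerprint this way also means the private key never has to leave the phone or be pasted into a mailing list.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1); all file names
# below are throwaway test material created here, not John's real files.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Throwaway CA plus a client certificate signed by it (constructed test PKI).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=phone" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt" >/dev/null 2>&1
}

# Fingerprint in the form Postfix uses as the relay_clientcerts key:
# colon-separated uppercase hex of <digest> over the DER certificate.
# $1 = digest (md5|sha1|sha256), $2 = PEM certificate
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-$1" -in "$2" | sed 's/^.*=//'
}

# Write "<fingerprint> <name>" and compile the hash map if postmap exists
# (postmap is not needed for the fingerprint check itself).
# $1 = digest, $2 = PEM certificate, $3 = name, $4 = map file
write_relay_ccerts() {
    printf '%s %s\n' "$(cert_fingerprint "$1" "$2")" "$3" > "$4"
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$4"
    fi
}

# Does the map list the fingerprint of this certificate under this digest?
# The comparison is exact-string, like the map lookup, so a wrong digest,
# a wrong certificate file or a stale map all show up as a mismatch.
# $1 = digest, $2 = PEM certificate, $3 = map file
check_relay_ccerts() {
    want=$(cert_fingerprint "$1" "$2")
    if grep -q "^$want " "$3"; then
        echo "ok: $want listed in $3"
        return 0
    fi
    echo "MISMATCH: $want not in $3" >&2
    return 1
}

# Read a saved s_client transcript and report which authentication paths the
# server offered: a 250-AUTH line after STARTTLS means SASL auth is enabled
# and advertised; "Acceptable client certificate CA names" means the server
# asked the client for a certificate. $1 = transcript file
diagnose_transcript() {
    result=""
    grep -q '^250[- ]AUTH' "$1" && result="sasl" || result="nosasl"
    if grep -q 'Acceptable client certificate CA names' "$1"; then
        result="$result,ccert-requested"
    fi
    echo "$result"
}

if [ "${1:-}" = "run" ]; then
    make_test_pki
    write_relay_ccerts md5 "$WORK/client.crt" john "$WORK/relay_ccerts"
    check_relay_ccerts md5 "$WORK/client.crt" "$WORK/relay_ccerts"
    # Against a live server, present the client certificate during STARTTLS:
    #   openssl s_client -starttls smtp -connect localhost:25 \
    #       -CAfile "$WORK/ca.crt" -cert "$WORK/client.crt" -key "$WORK/client.key"
fi
```

Run it as `sh script.sh run`. The s_client command at the end is the one from the thread with the client certificate added, which is what a server that prints "Acceptable client certificate CA names" is waiting for; without -cert and -key the client never presents one, and permit_tls_clientcerts can never match.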