fun with postfix tls and user certs

So you have a DANE (my blog) compatible DNSSEC setup (my blog) running on all the MXs in the domain list, which entails at least two certificate authorities, so what else can you do?

Well, being a bored ape one day, I decided to test user (client) certificates in Postfix. That is not the simple three extra lines that enable TLS support in Postfix; it needs a few more steps and some hairy eyeballs on the Postfix TLS support document.
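For reference, these are the main.cf settings involved, added here as an example and not the post's own configuration; the file paths and the CA bundle name are placeholders. The outbound (smtp) side presents our own certificate to remote MXs; the inbound (smtpd) side asks peers for one and tries to verify it. A peer's self-signed client certificate only logs as "Trusted" if its CA is in smtpd_tls_CAfile, otherwise it stays "Untrusted", and a peer that sends no certificate at all is "Anonymous". Postfix does not allow trailing comments on a value line, so every comment sits on its own line.

```ini
# Added example, not the post's own config. Paths and the CA bundle are placeholders.

# --- outbound (smtp client): DANE for the remote server, our own cert for the client side ---
smtp_tls_security_level = dane
# DANE needs DNSSEC-validated TLSA lookups
smtp_dns_support_level = dnssec
# certificate (with chain) and key the client offers to remote MXs
smtp_tls_cert_file = /etc/postfix/tls/client.pem
smtp_tls_key_file = /etc/postfix/tls/client.key
smtp_tls_loglevel = 1

# --- inbound (smtpd server): request a client certificate and try to verify it ---
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file = /etc/postfix/tls/server.key
# ask every peer for a certificate; peers that send none log as "Anonymous"
smtpd_tls_ask_ccert = yes
# CAs we accept for client certificates; a chain to one of these turns "Untrusted" into "Trusted"
smtpd_tls_CAfile = /etc/postfix/tls/trusted-peer-cas.pem
smtpd_tls_ccert_verifydepth = 5
# record "Client CN ..., Issuer ... (verified|not verified)" in the Received: header
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# Never grant relaying on the mere presence of a certificate: only listed fingerprints may relay.
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination
```

After editing, run `postmap /etc/postfix/relay_clientcerts` and `postfix reload`; the trust level then shows up both in the smtpd log line for each handshake and, with smtpd_tls_received_header on, in the Received: header of the message.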

It does work, although it is only mentioned in the headers. Reports can be semi-informative:

8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 Untrusted: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

That is a self-signed client TLS certificate, reported as 'Untrusted'. With a signed (e.g. bought) certificate it seems impossible to issue client certificates the way you can with a self-signed CA, so it seems unlikely that I will ever get 'Trusted'. The 'Anonymous' entry is DANE TLS in its default form.

Bloody mafia (my blog).

Self-signed user certs are nice, if a little extra mile, and something that does need a mammal at a keyboard. That sort of explains why they are not popular, although our friends at the NSA (my blog) probably helped.

No wonder user (client) certificates, as opposed to server ones, are missing from most Postfix setups; even Google gets 'untrusted' status:

Received: from mail-* (unknown [ip])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "", Issuer "Google Internet Authority G2" (not verified))
by mail2.zoo (Postfix) with ESMTPS id x

So DANE will only get you so far. The mafia won't help either.

DSNs are handled oddly too. For example:

postfix/smtp[x]: xyz: to=<553@zoo>, relay=zoo[ip.addr]:25, delay=x, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)

which Postfix classes as

4.7.5: Transient failure: Security/policy status: Cryptographic failure
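To turn the raw smtpd handshake lines and smtp delivery-status lines into the kind of summary shown above, here is a small log reader, added as an example and not part of the post or of Postfix itself. The line formats are Postfix's own; the sample log lines, host names and addresses embedded at the bottom are constructed for this example. It counts inbound handshakes per trust level and cipher, picks out deliveries deferred on a x.7.y (security/policy) enhanced status code, and expands the code into the RFC 3463 wording Postfix uses.

```python
import re
from collections import Counter

# Postfix smtpd logs every inbound TLS handshake as
#   "<Level> TLS connection established from <host>[<ip>]: <proto> with cipher <cipher> (<n>/<m> bits)"
# Level is Anonymous (client sent no certificate), Untrusted (certificate presented but
# not verifiable against smtpd_tls_CAfile/CApath), Trusted (chains to a configured CA)
# or Verified.
TLS_LINE = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Postfix smtp delivery-status line: an RFC 3463 enhanced status code after "dsn="
# and the reason text in parentheses at the end of the line.
DSN_LINE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# RFC 3463 class wording and the "Security or Policy Status" (subject 7) detail codes
# that show up when TLS goes wrong.
CLASS_TEXT = {"2": "Success", "4": "Transient failure", "5": "Permanent failure"}
DETAIL_TEXT = {
    "7.0": "Other or undefined security status",
    "7.4": "Security features not supported",
    "7.5": "Cryptographic failure",
    "7.6": "Cryptographic algorithm not supported",
    "7.7": "Message integrity failure",
}


def tls_report(lines):
    """Count inbound handshakes per (trust level, protocol, cipher, bits)."""
    counts = Counter()
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            counts[(m["level"], m["proto"], m["cipher"], m["bits"])] += 1
    return counts


def format_report(counts):
    """Render the counts the way the post summarises them, busiest first."""
    return [
        f"{n} {level}: {proto} with cipher {cipher} ({bits} bits)"
        for (level, proto, cipher, bits), n in sorted(counts.items(), key=lambda kv: -kv[1])
    ]


def explain_dsn(code):
    """Expand an enhanced status code such as 4.7.5 into Postfix's wording."""
    cls, subject, detail = code.split(".")
    head = CLASS_TEXT.get(cls, "Unknown class")
    if subject == "7":
        return f"{code}: {head}: Security/policy status: {DETAIL_TEXT.get(f'7.{detail}', 'Unmapped')}"
    return f"{code}: {head}: subject {subject} detail {detail}"


def tls_deferrals(lines):
    """Pick out deliveries that ended on a x.7.y (security/policy) code."""
    out = []
    for line in lines:
        m = DSN_LINE.search(line)
        if m and m["dsn"].split(".")[1] == "7":
            out.append((m["rcpt"], m["relay"], m["dsn"], m["status"], m["reason"]))
    return out


# Constructed sample log lines; hosts and addresses are placeholders.
SAMPLE_LOG = [
    "Jan 1 00:00:01 mail2 postfix/smtpd[101]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jan 1 00:00:02 mail2 postfix/smtpd[102]: Anonymous TLS connection established from mail-b.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jan 1 00:00:03 mail2 postfix/smtpd[103]: Untrusted TLS connection established from mx.example.org[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jan 1 00:00:04 mail2 postfix/smtpd[104]: Trusted TLS connection established from relay.example.com[203.0.113.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan 1 00:00:05 mail2 postfix/smtp[105]: 3F2A1B: to=<553@zoo>, relay=zoo[203.0.113.9]:25, delay=1018, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)",
    "Jan 1 00:00:06 mail2 postfix/smtp[106]: 3F2A1C: to=<user@example.com>, relay=mx.example.com[203.0.113.20]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for row in format_report(tls_report(SAMPLE_LOG)):
        print(row)
    for rcpt, relay, dsn, status, reason in tls_deferrals(SAMPLE_LOG):
        print(f"{rcpt} via {relay}: {status} ({reason}) -> {explain_dsn(dsn)}")
```

Feed it real lines with something like `python3 tlsreport.py < /var/log/mail.log` after swapping SAMPLE_LOG for `sys.stdin`; a sudden rise in "Untrusted" handshakes from a peer that used to be "Trusted", or a run of 4.7.5 deferrals, is the signal that a certificate or TLSA record on one side has changed.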

by golly but...
