Clients that support certificate authentication
From: Andrew Diederich (andrewdied gmail.com)
Date: Wed Mar 01 2006 - 18:17:14 CST

I've been able to follow the TLS instructions far enough so that my
Thunderbird and Opera users who have x509 personal certificates can
use them to authenticate to the Postfix server (2.2) to send mail. I
haven't had success with Outlook, however. I suspect I could get
AUTH or LOGIN to work but I'm trying to avoid managing yet another
password database.

Does anyone know if Outlook 2000 or 2003 supports using x509 certs for
authentication?

Postfix prompts the client for a client certificate, which was the
only way I could get Opera to present a client cert. I believe the
main difference between these two logs is with Outlook, I never see
"postfix/smtpd[3139]: SSL_accept:SSLv3 write key exchange A".

Opera:
postfix/smtpd[3139]: SSL_accept:before/accept initialization
postfix/smtpd[3139]: SSL_accept:error in SSLv2/v3 read client hello A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client hello B
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client hello B
postfix/smtpd[3139]: SSL_accept:SSLv3 read client hello B
postfix/smtpd[3139]: SSL_accept:SSLv3 write server hello A
postfix/smtpd[3139]: SSL_accept:SSLv3 write certificate A
postfix/smtpd[3139]: SSL_accept:SSLv3 write key exchange A
postfix/smtpd[3139]: SSL_accept:SSLv3 write certificate request A
postfix/smtpd[3139]: SSL_accept:SSLv3 flush data
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: certificate verification depth=2 subject=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support cacert.org
postfix/smtpd[3139]: verify return: 1
postfix/smtpd[3139]: certificate verification depth=1 subject=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
postfix/smtpd[3139]: verify return: 1
postfix/smtpd[3139]: certificate verification depth=0 subject=/CN=User Test/emailAddress=user.test patronsystems.com
postfix/smtpd[3139]: verify return: 1
postfix/smtpd[3139]: SSL_accept:SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:SSLv3 read client key exchange A
postfix/smtpd[3139]: SSL_accept:SSLv3 read certificate verify A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read finished A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read finished A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read finished A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read finished A
postfix/smtpd[3139]: SSL_accept:SSLv3 read finished A

When Outlook connects I get a slightly different log set. The client
certificate just isn't presented to Postfix.

postfix/smtpd[3139]: SSL_accept:before/accept initialization
postfix/smtpd[3139]: SSL_accept:error in SSLv2/v3 read client hello A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client hello B
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client hello B
postfix/smtpd[3139]: SSL_accept:SSLv3 read client hello B
postfix/smtpd[3139]: SSL_accept:SSLv3 write server hello A
postfix/smtpd[3139]: SSL_accept:SSLv3 write certificate A
postfix/smtpd[3139]: SSL_accept:SSLv3 write certificate request A
postfix/smtpd[3139]: SSL_accept:SSLv3 flush data
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:SSLv3 read client certificate A
postfix/smtpd[3139]: SSL_accept:SSLv3 read client key exchange A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read certificate verify A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read certificate verify A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read certificate verify A
postfix/smtpd[3139]: SSL_accept:error in SSLv3 read certificate verify A
postfix/smtpd[3139]: SSL_accept:SSLv3 read finished A

postconf -n | grep tls
smtp_use_tls = no
smtpd_recipient_restrictions = permit_tls_clientcerts, permit_mynetworks,reject_unauth_destination
smtpd_tls_CApath = /etc/postfix/CAdir
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/tango1.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

So, if anyone has been able to make Outlook 2000/2003 do x509 auth
with Postfix, or knows for sure if it doesn't work, please let me
know.
--
Andrew Diederich
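
Added example, not part of the original message: a small Python check that reads smtpd_tls_loglevel = 2 output like the two logs above and reports whether the client actually presented a certificate and completed CertificateVerify. The classify helper and the sample log lines are constructed for illustration.

```python
import re

# Constructed sample input: abbreviated smtpd_tls_loglevel = 2 lines modelled
# on the two handshakes quoted in the message (client with and without a cert).
P = "postfix/smtpd[3139]: "
WITH_CERT = "\n".join(P + s for s in [
    "SSL_accept:SSLv3 write certificate request A",
    "SSL_accept:error in SSLv3 read client certificate A",
    "certificate verification depth=0 subject=/CN=User Test",
    "verify return: 1",
    "SSL_accept:SSLv3 read client certificate A",
    "SSL_accept:SSLv3 read client key exchange A",
    "SSL_accept:SSLv3 read certificate verify A",
    "SSL_accept:SSLv3 read finished A"])
WITHOUT_CERT = "\n".join(P + s for s in [
    "SSL_accept:SSLv3 write certificate request A",
    "SSL_accept:error in SSLv3 read client certificate A",
    "SSL_accept:SSLv3 read client certificate A",
    "SSL_accept:SSLv3 read client key exchange A",
    "SSL_accept:error in SSLv3 read certificate verify A",
    "SSL_accept:SSLv3 read finished A"])

DEPTH = re.compile(r"certificate verification depth=(\d+) subject=(.*)$")
VERIFY = re.compile(r"verify return: ?(\d+)")

def classify(log_text):
    """Summarise one handshake (hypothetical helper, one smtpd process)."""
    r = {"cert_requested": False, "subject": None,
         "leaf_verified": False, "key_proved": False}
    depth = None
    for line in map(str.strip, log_text.splitlines()):
        if m := DEPTH.search(line):
            depth = int(m.group(1))
            if depth == 0:
                r["subject"] = m.group(2)
        elif m := VERIFY.search(line):
            if depth == 0:
                r["leaf_verified"] = m.group(1) == "1"
        elif "SSL_accept:" in line and "SSL_accept:error in" not in line:
            # Only completed states count; "error in" lines are skipped.
            # "write key exchange A" is ignored: whether the server sends
            # that message depends on the negotiated key exchange.
            if line.endswith("write certificate request A"):
                r["cert_requested"] = True
            elif line.endswith("read certificate verify A"):
                r["key_proved"] = True   # CertificateVerify was processed
    r["client_cert_presented"] = r["subject"] is not None and r["key_proved"]
    return r

if __name__ == "__main__":
    for name, log in (("with cert", WITH_CERT), ("without cert", WITHOUT_CERT)):
        print(name, classify(log))
```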