Report: STARTTLS painful in the wild

From: Andrew Diederich (andrewdiedgmail.com)
Date: Tue Oct 24 2006 - 16:35:36 CDT


Folks,

I'd received some good help here a few months back in setting up a
secure SMTP setup, so I thought I'd report back on how it went for the
good of the cause. My goal was to have a mailserver that was useful
for both regular in-house employees (engineering, finance, support) as
well as the road warriors (sales, other off-site), and send email
securely. POP/IMAP access was to be done on a completely different
server.

My first attempt was to use individual client certificates issued by
CAcert (http://www.cacert.org). Postfix accepted these just fine, and
I was able to use this for both Thunderbird and Opera M2 mail users.
However, Outlook doesn't support TLS client authentication, so I had
to toss it out.

My second attempt was to use LOGIN with a secure connection. I hate
sending passwords in the plain, but it's easy to set up postfix to only
offer LOGIN after the connection was secured (smtpd_tls_auth_only =
yes). I still used a CAcert certificate in postfix, and I still had to
load in the CAcert root certificates on the laptops. For simplicity
(just a couple of dozen users) I made local unix accounts with a shell
of /bin/false for the SASL authentication. If my Active Directory
server was up I'd have used LDAP to authenticate users, and loaded in
the CAcert root certs on the workstations. I picked STARTTLS over SSL
on port 465 (smtpd_tls_wrappermode=yes) because I hoped it would be
more standard, and port 25 was more likely to be open in firewalls
than port 465.

Unfortunately, this also ran into problems. I'm not entirely sure if
it was Outlook (2000 and 2003) or firewalls, but I'm leaning heavily
toward firewalls. What I found was for my laptop users I would
configure Outlook and it would work in the office, work from their
home (no VPN), but as soon as they were at a random hotel they
couldn't send mail. Outlook would complain that either the SMTP host
didn't support SSL (obviously false) or that it couldn't login. Postfix
didn't offer LOGIN until TLS was established, and the TLS connection
was never made.

Through some post-mortem log analysis and having been bitten by bad
firewalls in the past (checkpoint, ugly virus scanners, a weird old
netscreen 10, etc.) I'm pretty sure that the hotels and wireless cafes
had a bad SMTP pass-through proxy. Outlook can do some really bad
things, but hopefully its behavior wouldn't change that much just
based on the IP address it had.

So, unfortunately, I'm back to making folks VPN in to send email
without sending their password plaintext over the Internet. Hopefully
this will help someone.

--
Best regards,
 Andrew Diederich
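The post describes a server that advertises STARTTLS on port 25 and only offers AUTH after TLS is up, and a failure where a hotel's SMTP proxy appears to hide that STARTTLS capability from Outlook. Below is an added example (not from the original post) that classifies what a client would be able to do from the EHLO capability lists it was shown; the EHLO replies are constructed, not captured from any real server, and the hostname mail.example.com is a placeholder.

```python
"""Classify an SMTP server's STARTTLS/AUTH policy from EHLO capability replies."""
from typing import Optional

# Constructed EHLO reply on a clean port-25 connection to a server configured
# with smtpd_tls_auth_only = yes: STARTTLS is advertised, AUTH is not yet.
EHLO_CLEAN = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

# Constructed reply from the same server after STARTTLS completes: AUTH appears.
EHLO_AFTER_TLS = """250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""

# Constructed reply as seen through a middlebox that removed the STARTTLS line.
EHLO_STRIPPED = """250-mail.example.com
250-PIPELINING
250 8BITMIME"""


def parse_ehlo(reply: str) -> dict:
    """Map each advertised ESMTP keyword (upper-cased) to its parameter string."""
    features = {}
    for line in reply.splitlines()[1:]:  # first line is just the server name
        body = line[4:]                   # drop the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def diagnose(pre_tls_reply: str, post_tls_reply: Optional[str] = None) -> str:
    """Return a verdict on whether credentials could only ever travel inside TLS."""
    pre = parse_ehlo(pre_tls_reply)
    if "AUTH" in pre:
        return "auth-before-tls"      # a client may send the password in clear
    if "STARTTLS" not in pre:
        return "no-starttls"          # no TLS offered, or a proxy stripped it
    if post_tls_reply is None:
        return "starttls-untested"    # need the post-STARTTLS EHLO to decide
    post = parse_ehlo(post_tls_reply)
    if "AUTH" in post:
        return "auth-only-after-tls"  # the smtpd_tls_auth_only behaviour
    return "no-auth"
```

Comparing the verdict from inside the office with the one from a hotel network is a quick way to tell a STARTTLS-stripping proxy apart from a client-side misconfiguration.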