From: Lou Picciano (LouPicciano@comcast.net)
Date: Sun Mar 02 2008 - 12:24:42 CST
Steve! How nice to see another Mac user on the list...
Although we're slogging through some other issues with Postfix, we had virtually no trouble setting up successful TLS sessions originating from Mail.app (Version 3.2 (919/919.2)) running on Leopard (10.5.2). We are also using a self-signed cert - at least for testing - having no troubles.
You will get the 'certificate signed by an unknown authority' message, but this is to be expected.
Be sure that your 'common name' field matches exactly the name of your server; you've probably already run into this.
One key gotcha might be the smtpd_tls_security option; note that 'yes' is now deprecated. Use 'encrypt' instead for Postfix 2.3 and later.
A snippet of our main.cf follows:
# TLS Support -----------------------------------------------------------
# --------- TESTING:
# postconf had reported this NO:
smtpd_use_tls = yes
# ------------------
# smtpd_tls_auth_only = yes
smtpd_tls_key_file = /path/to/key/mail.key.pem
smtpd_tls_cert_file = /path/to/certs/mail.cert.pem
smtpd_tls_CAfile = /path/to/CAcert/SelfSignedCAcert.pem
# is the CA directory needed?
smtpd_tls_CApath = /path/to/CAcert
# smtpd_use_tls = may (COMMAND DEPRECATED by smtpd_tls_security_level in v>2.3)
# Postfix 2.3 and later: ('yes' is obsolete; 'encrypt' ENFORCES use of TLS for clients):
smtpd_tls_security_level = encrypt
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# --------- TESTING:
# this command was apparently unnecessary
#smtpd_tls_note_starttls = yes
# ------------------
# This would only maintain compatibility with non-TLS clients:
# smtpd_tls_auth_only = yes
LOG OUTPUT:
Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] SSL_accept:SSLv3 write finished A
Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] SSL_accept:SSLv3 flush data
Mar 2 13:20:14 <servername> postfix/smtpd[17193]: [ID 197553 mail.info] Anonymous TLS connection established from unknown[internal IP Address]: TLSv1 with cipher AES128-SHA (128/128 bits)
Hope this helps - please keep me posted! Lou
-------------- Original message ----------------------
From: "Steve Finkelstein" <sf@stevefink.net>
> By the way, hate to follow up on my own post. But I did make one finding.
>
> When I set the following:
>
> smtpd_tls_auth_only = no
>
> Mail.app is able to relay using my server. Unfortunately this also
> means passwords being sent over in cleartext, so I'd like to figure
> out a way to get the client working with TLS enabled auth.
>
> Thanks again all.
>
> /sf
>
> On 3/1/08, Steve Finkelstein <sf@stevefink.net> wrote:
> > Hi all,
> >
> > This probably applies more to some OS/X forum, and if so, I sincerely
> > apologize. I just figured someone active in the Postfix community has
> > dealt with the same issue as I'm dealing with now. I'm running a
> > postfix based MTA, and enforce TLS over SMTP for authentication with
> > SASL. Works wonderful with all MUAs including Thunderbird, etc. I'm
> > having a ton of trouble with Mail.app. For one odd reason or another,
> > it doesn't wish to deal with self-signed certificates. I'm going to be
> > purchasing a GoDaddy certificate shortly, but regardless, this is kind
> > of silly of Mail.app.
> >
> > Here's what the SSL logs show:
> >
> > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:SSLv3 flush data
> > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: read from 080D6CF8 [080E0408] (5 bytes => -1 (0xFFFFFFFF))
> > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept:error in SSLv3 read client certificate A
> > Mar 1 21:52:41 catalyst postfix/smtpd[26513]: SSL_accept error from ool-44c19145.dyn.optonline.net[68.193.145.69]: -1
> >
> > Here are my TLS settings:
> >
> > root@catalyst:/etc/postfix# postconf -n | grep -i tls
> > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> > smtpd_tls_CAfile = /etc/postfix/ca-bundle.crt
> > smtpd_tls_ask_ccert = no
> > smtpd_tls_auth_only = yes
> > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> > smtpd_tls_loglevel = 9
> > smtpd_tls_received_header = yes
> > smtpd_tls_req_ccert = no
> > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> > smtpd_use_tls = yes
> > tls_random_source = dev:/dev/urandom
> >
> > Thanks for taking a look!
> >
> >
> > /sf
> >
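The cleartext-password hazard Steve found with smtpd_tls_auth_only = no, and the AUTH-only-after-TLS behaviour Lou's config enforces, can be checked from the client side. The probe below is an added example, not code from either poster: it records which ESMTP keywords the server advertises before and after STARTTLS and flags AUTH offered over the unencrypted channel. The host mail.example.test and the EHLO replies in SAMPLES are constructed sample data; smtplib and ssl are Python standard library.

```python
import smtplib
import ssl

def parse_ehlo(reply: str) -> set[str]:
    """Extract ESMTP keywords from a raw multi-line EHLO reply
    (e.g. '250-host\\r\\n250-STARTTLS\\r\\n250 AUTH PLAIN LOGIN')."""
    keywords = set()
    for line in reply.splitlines()[1:]:   # first line is just the server name
        body = line[4:].strip()           # drop the '250-' / '250 ' prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords

def classify(pre_tls: set[str], post_tls: set[str]) -> str:
    """Turn the keyword sets seen before and after STARTTLS into a finding."""
    if "AUTH" in pre_tls:
        return "auth-in-clear"         # smtpd_tls_auth_only = no: password may go unencrypted
    if "STARTTLS" not in pre_tls:
        return "no-starttls"
    if "AUTH" not in post_tls:
        return "no-auth-after-tls"     # encrypted, but nothing to log in with
    return "ok"                        # AUTH only offered once the channel is encrypted

def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check against a real server. The default context verifies the chain
    and the name, so a self-signed or mis-named cert is reported, not ignored."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper() for k in s.esmtp_features}   # smtplib keys are lowercase
        if "STARTTLS" in pre:
            try:
                s.starttls(context=ctx)
            except ssl.SSLCertVerificationError as exc:
                return f"cert-rejected: {exc.verify_message}"
            s.ehlo()                                   # features must be re-read after TLS
        post = {k.upper() for k in s.esmtp_features}
        return classify(pre, post)

# Constructed EHLO replies (pre-TLS, post-TLS) mirroring the two settings in the thread.
SAMPLES = {
    "smtpd_tls_auth_only = no":  ("250-mail.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN",
                                  "250-mail.example.test\r\n250 AUTH PLAIN LOGIN"),
    "smtpd_tls_auth_only = yes": ("250-mail.example.test\r\n250 STARTTLS",
                                  "250-mail.example.test\r\n250 AUTH PLAIN LOGIN"),
}

def demo() -> dict[str, str]:
    return {name: classify(parse_ehlo(pre), parse_ehlo(post)) for name, (pre, post) in SAMPLES.items()}
```

demo() runs the classifier over the constructed replies offline; probe("mail.example.test", 587) performs the same check against a live submission server, and a self-signed certificate will be reported as cert-rejected just as Mail.app warns.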