Client Certificate check and panic while trying to contact the SMTP Access Policy Delegation

From: Henri (groscastorgmail.com)
Date: Wed Apr 02 2008 - 04:08:59 CDT


Hello,

I set up TLS encryption with Postfix, and everything is working fine.
But I wanted to check the MAIL FROM address against the data from the
client certificate.

So I followed the advice given in this thread:
http://groups.google.com/group/list.postfix.users/browse_thread/threa...

According to Victor Duchovni, a possible solution was to use an SMTPD
Policy Server and use the client CN to make access decisions.
So I configured my installation to use one, and proceeded with some tests.

With my first Client Certificate with a CN, I had no problems. The
Policy Server is correctly contacted.

But with my second test Client Certificate, with no CN provided, I
encountered the following bug:

# LOG /var/mail/mail.log

Mar 19 12:07:21 smtp-tls postfix/smtpd[14035]: < unknown[192.168.6.107]: STARTTLS
Mar 19 12:07:21 smtp-tls postfix/smtpd[14035]: > unknown[192.168.6.107]: 220 2.0.0 Ready to start TLS
[ ... ]
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: SSL_accept:SSLv3 flush data
[ ... ]
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: warning: peer certificate has no subject CN
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: Verified: subject_CN=, issuer=XXXXXXX
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: TLS connection established from unknown[192.168.X.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
[ ... ]
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: >>> START Sender address RESTRICTIONS <<<
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: generic_checks: name=check_policy_service
Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: panic: vstring_alloc: bad length 0
Mar 19 12:07:24 smtp-tls postfix/master[13978]: warning: process /usr/lib/postfix/smtpd pid 14035 killed by signal 6

With the second test Client Certificate, when I deactivated the
check_policy_service I had no problems. The mail is successfully sent.

Any idea? Is my Postfix version outdated?

Thank you,

Henri

# dpkg -l | grep postfix
ii postfix 2.3.8-2+b1 A high-performance mail transport agent
ii postfix-ldap 2.3.8-2+b1 LDAP map support for Postfix
ii postfix-pcre 2.3.8-2+b1 PCRE map support for Postfix

# dpkg -l | grep openssl
ii openssl 0.9.8c-4etch1 Secure Socket Layer (SSL) binary and related

# postconf -n
alias_database =
alias_maps =
always_bcc = gnarwlXXX
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_dns_lookups = no
duplicate_filter_limit = 5000
home_mailbox = Maildir/
in_flow_delay = 0
inet_interfaces = all
mailbox_size_limit = 0
mime_header_checks = pcre:/etc/postfix/mime_header_logs
mydestination = localhost,XXX
mydomain = XXX
myhostname = XXX
mynetworks = 127.0.0.0/8 192.168.X.XXX
myorigin = $mydomain
propagate_unmatched_extensions =
readme_directory = no
recipient_delimiter = +
relay_domains = XXX
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_recipient_limit = 4000
smtpd_recipient_overshoot_limit = 25000
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/restricted_domains, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = protected_user
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:9963, permit_mynetworks, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_tls_CAfile = /etc/postfix/ca.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = ldap:/etc/postfix/XXX
virtual_alias_expansion_limit = 25000
virtual_alias_maps =
        ldap:/etc/postfix/XXX
        ldap:/etc/postfix/XXX
        ldap:/etc/postfix/XXX
        ldap:/etc/postfix/XXX
        ldap:/etc/postfix/XXX
virtual_gid_maps = static:5000
virtual_mailbox_domains = XXX, XXX, XXX
virtual_mailbox_maps = hash:/etc/postfix/XXX, ldap:/etc/postfix/XXX
virtual_transport = maildrop
virtual_uid_maps = static:5000
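As an added illustration (not code from the post, nor from Postfix itself), here is a minimal SMTPD access-policy server of the kind the thread recommends: it reads the attribute=value request Postfix sends to check_policy_service, compares the envelope sender with the client certificate's CN (the ccert_subject attribute), and treats an empty CN, the case that triggered the panic above, as "no identity" rather than as a match. The CN-to-sender mapping is a constructed example; the listening port is the inet:127.0.0.1:9963 from the postconf output.

```python
import socketserver

# Constructed mapping: certificate subject CN -> MAIL FROM addresses it may use.
ALLOWED_SENDERS = {"client1.example.org": {"alice@example.org"}}

def parse_policy_request(lines):
    """Parse 'name=value' attribute lines into a dict; stops at the blank line."""
    attrs = {}
    for line in lines:
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the Postfix action for one request; an empty CN never authorizes."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    cn = attrs.get("ccert_subject", "")
    sender = attrs.get("sender", "").lower()
    if cn == "":
        return "REJECT client certificate has no subject CN"
    if sender in ALLOWED_SENDERS.get(cn, set()):
        return "DUNNO"  # identity matches; let the remaining restrictions decide
    return "REJECT sender %s not authorized for certificate CN %s" % (sender, cn)

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix may send several requests over one connection
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return  # Postfix closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                lines.append(line)
                if line == "":
                    break  # empty line terminates one request
            attrs = parse_policy_request(lines)
            self.wfile.write(("action=%s\n\n" % decide(attrs)).encode("utf-8"))
            self.wfile.flush()

if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 9963), PolicyHandler) as srv:
        srv.serve_forever()
```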