Re: Client Certificate check and panic while trying to contact the SMTP Access Policy Delegation

From: Henri (groscastorgmail.com)
Date: Wed Apr 02 2008 - 05:27:05 CDT


On Wed, Apr 2, 2008 at 11:08 AM, Henri <groscastorgmail.com> wrote:

> Hello,
>
> I set TLS encryption with Postfix, everything is working fine.
> But I wanted to check the MAIL FROM address with the data from the
> client certificate.
>
> So I followed the advice given in this thread:
> http://groups.google.com/group/list.postfix.users/browse_thread/threa...
>
> According to Victor Duchovni, a possible solution was to use an SMTPD
> Policy Server and use the client CN to make access decisions.
> So I configured my installation to use one, and proceeded with some tests.
>
> With my first Client certificate with a CN, I had no problems. The
> Policy Server is correctly contacted.
>
> But with my second test Client Certificate, with no CN provided, I
> encountered the following bug:
>
> # LOG /var/mail/mail.log
>
> Mar 19 12:07:21 smtp-tls postfix/smtpd[14035]: < unknown[192.168.6.107]: STARTTLS
> Mar 19 12:07:21 smtp-tls postfix/smtpd[14035]: > unknown[192.168.6.107]: 220 2.0.0 Ready to start TLS
> [ ... ]
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: SSL_accept:SSLv3 flush data
> [ ... ]
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: warning: peer certificate has no subject CN
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: Verified: subject_CN=, issuer=XXXXXXX
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: TLS connection established from unknown[192.168.X.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> [ ... ]
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: >>> START Sender address RESTRICTIONS <<<
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: generic_checks: name=check_policy_service
> Mar 19 12:07:23 smtp-tls postfix/smtpd[14035]: panic: vstring_alloc: bad length 0
> Mar 19 12:07:24 smtp-tls postfix/master[13978]: warning: process /usr/lib/postfix/smtpd pid 14035 killed by signal 6
>
> With the second test Client Certificate, when I deactivate the
> check_policy_service I had no problems. The mail is successfully sent.
>
> Any idea? Is my postfix version outdated?
>
> Thank you,
>
> Henri
>
> # dpkg -l | grep postfix
> ii postfix 2.3.8-2+b1 A high-performance mail transport agent
> ii postfix-ldap 2.3.8-2+b1 LDAP map support for Postfix
> ii postfix-pcre 2.3.8-2+b1 PCRE map support for Postfix
>
> # dpkg -l | grep openssl
> ii openssl 0.9.8c-4etch1 Secure Socket Layer (SSL) binary and related
>
> # postconf -n
> alias_database =
> alias_maps =
> always_bcc = gnarwlXXX
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> disable_dns_lookups = no
> duplicate_filter_limit = 5000
> home_mailbox = Maildir/
> in_flow_delay = 0
> inet_interfaces = all
> mailbox_size_limit = 0
> mime_header_checks = pcre:/etc/postfix/mime_header_logs
> mydestination = localhost,XXX
> mydomain = XXX
> myhostname = XXX
> mynetworks = 127.0.0.0/8 192.168.X.XXX
> myorigin = $mydomain
> propagate_unmatched_extensions =
> readme_directory = no
> recipient_delimiter = +
> relay_domains = XXX
> relayhost =
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_helo_required = yes
> smtpd_recipient_limit = 4000
> smtpd_recipient_overshoot_limit = 25000
> smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/restricted_domains, permit_mynetworks, reject_unauth_destination
> smtpd_reject_unlisted_sender = yes
> smtpd_restriction_classes = protected_user
> smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:9963, permit_mynetworks, reject_non_fqdn_sender, reject_unlisted_sender
> smtpd_tls_CAfile = /etc/postfix/ca.crt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_cert_file = /etc/postfix/server.crt
> smtpd_tls_key_file = /etc/postfix/server.key
> smtpd_tls_loglevel = 3
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = yes
> smtpd_tls_security_level = encrypt
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = ldap:/etc/postfix/XXX
> virtual_alias_expansion_limit = 25000
> virtual_alias_maps =
> ldap:/etc/postfix/XXX
> ldap:/etc/postfix/XXX
> ldap:/etc/postfix/XXX
> ldap:/etc/postfix/XXX
> ldap:/etc/postfix/XXX
> virtual_gid_maps = static:5000
> virtual_mailbox_domains = XXX, XXX, XXX
> virtual_mailbox_maps = hash:/etc/postfix/XXX, ldap:/etc/postfix/XXX
> virtual_transport = maildrop
> virtual_uid_maps = static:5000
>
Sorry, the correct link is:
http://groups.google.com/group/list.postfix.users/browse_thread/thread/7eb56085b1832d96/e163d52250b220e3?lnk=gst&q=client+certificate+#e163d52250b220e3
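A policy server of the kind the thread refers to, as an added example (not code from the thread or from Postfix): it speaks the smtpd policy delegation protocol (name=value lines ended by an empty line, answered with action=...) on the port used in the configuration above, checks the envelope sender against the client certificate CN that Postfix passes as ccert_subject, and explicitly rejects a certificate whose CN is empty rather than letting the empty attribute fall through. The CN-to-sender mapping, host names and addresses are constructed for the example.

```python
import socketserver

# Constructed sample mapping: client certificate subject CN -> envelope
# sender addresses that certificate may use (assumed data, not from the thread).
CN_TO_SENDERS = {
    "relay1.example.org": {"alerts@example.org", "noreply@example.org"},
}


def parse_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:          # empty line ends the request
            break
        name, _, value = line.partition("=")   # values may themselves contain '='
        attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the access action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    subject = attrs.get("ccert_subject", "")   # Postfix passes the subject CN here
    sender = attrs.get("sender", "").lower()
    if not subject:
        # The case from the thread: certificate verified but no subject CN.
        return "REJECT client certificate has no subject CN"
    allowed = CN_TO_SENDERS.get(subject)
    if allowed is None:
        return "REJECT unknown client certificate %s" % subject
    if sender not in allowed:
        return "REJECT sender %s not permitted for certificate %s" % (sender, subject)
    return "OK"


def respond(raw: str) -> str:
    """Full wire response for one raw request."""
    return "action=%s\n\n" % decide(parse_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:                       # smtpd may send several requests per connection
            lines = []
            for line in self.rfile:
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            else:
                return                    # peer closed the connection
            self.wfile.write(respond("\n".join(lines) + "\n\n").encode())
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer(("127.0.0.1", 9963), PolicyHandler).serve_forever()
```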