* [gentoo-user] STARTTLS verification problem
From: Mick @ 2010-04-10 8:08 UTC
To: gentoo-user
I am looking at the maillog of a machine which is happily sending out mail
through comcast. However, despite successful delivery of messages I can see a
'verify=FAIL' in the logs:
Apr 9 21:45:47 my_box sendmail[4013]: STARTTLS=client, relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Any idea why this is happening?
--
Regards,
Mick
* Re: [gentoo-user] STARTTLS verification problem
From: Eray Aslan @ 2010-04-10 14:03 UTC
To: gentoo-user
On 10.04.2010 11:08, Mick wrote:
> Apr 9 21:45:47 my_box sendmail[4013]: STARTTLS=client,
> relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-
> AES256-SHA, bits=256/256
>
> Any idea why this is happening?
Nothing to worry about. It just means you do not trust the certificate
issuer for smtp.comcast.net. For smtp delivery, this is perfectly fine.
See below:
$ openssl s_client -connect smtp.comcast.net:25 -starttls smtp
[...]
SSL-Session:
[...]
Verify return code: 20 (unable to get local issuer certificate)
versus when I tell it to trust some CAs (including verisign) on the
local machine:
$ openssl s_client -connect smtp.comcast.net:25 -starttls smtp -CApath /etc/ssl/certs/
[...]
SSL-Session:
[...]
Verify return code: 0 (ok)
--
Eray
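The distinction Eray draws above (verify=FAIL on a client-side STARTTLS session means the relay's certificate chain could not be verified against the local trust store, while the message is still delivered over the encrypted session) can be checked across a whole maillog rather than one line at a time. The following Python script is an added example, not code from this thread or from sendmail: the sample log lines are constructed (the first is modelled on the line Mick quoted), and the meanings attached to the verify= values are summarised from the description of sendmail's ${verify} macro in its documentation, so treat that table as an assumption to check against your version.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt. The first line is modelled on the one
# quoted in the thread; the others are made up to exercise other outcomes.
SAMPLE_LOG = """\
Apr  9 21:45:47 my_box sendmail[4013]: STARTTLS=client, relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Apr  9 21:46:02 my_box sendmail[4020]: STARTTLS=client, relay=mail.example.test, version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Apr  9 21:47:15 my_box sendmail[4031]: STARTTLS=server, relay=[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=AES128-SHA, bits=128/128
Apr  9 21:48:00 my_box sendmail[4040]: from=<user@example.test>, size=1234, class=0, nrcpts=1
"""

# Meaning of sendmail's verify= values, summarised from the ${verify} macro
# description in sendmail's documentation (assumption: confirm for your version).
VERIFY_MEANING = {
    "OK": "peer certificate presented and verified against CACERT_PATH",
    "FAIL": "peer certificate presented but could not be verified (untrusted issuer, expired, ...)",
    "NO": "no certificate presented by the peer",
    "NOT": "no certificate requested",
    "NONE": "STARTTLS was not used",
    "TEMP": "temporary error during verification",
    "PROTOCOL": "protocol error during the TLS handshake",
    "SOFTWARE": "handshake failed",
}

# syslog timestamp, host, "sendmail[pid]:", then the comma-separated key=value fields
STARTTLS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>client|server), (?P<fields>.*)$"
)


def parse_starttls(line):
    """Return a dict for a sendmail STARTTLS log line, or None for any other line."""
    m = STARTTLS_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "pid": int(m.group("pid")), "role": m.group("role")}
    for field in m.group("fields").split(", "):
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    # bits=256/256 is "bits actually used / bits the cipher supports"; keep both as ints
    if "bits" in rec:
        used, _, algo = rec["bits"].partition("/")
        rec["bits_used"], rec["bits_algo"] = int(used), int(algo)
    return rec


def summarize(log_text):
    """Map each relay seen in client-side (outbound) sessions to its set of verify= outcomes."""
    outcomes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_starttls(line)
        if rec and rec["role"] == "client" and "verify" in rec:
            outcomes[rec["relay"]].add(rec["verify"])
    return dict(outcomes)


def unverified_client_relays(log_text):
    """Relays we delivered to over TLS without verifying their certificate chain.

    Delivery still succeeded (opportunistic TLS), so this is a review list, not
    an error list: it shows where the session was encrypted but the peer's
    identity was not established against the CAs in CACERT_PATH.
    """
    return sorted(relay for relay, results in summarize(log_text).items()
                  if results & {"FAIL", "NO"})


def explain(rec):
    """One human-readable line for a parsed client session."""
    return f"{rec['relay']}: verify={rec['verify']} ({VERIFY_MEANING.get(rec['verify'], 'unknown value')})"


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_starttls(line)
        if rec and rec["role"] == "client":
            print(explain(rec))
    print("relays delivered to without verification:", unverified_client_relays(SAMPLE_LOG))
```

Run against a real maillog with `python3 starttls_verify.py < /var/log/maillog` after replacing SAMPLE_LOG with the file contents; server-side (inbound) sessions are deliberately left out of the review list, since verify=NO there only says the connecting client sent no certificate, which is the normal case for SMTP.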
* Re: [gentoo-user] STARTTLS verification problem
From: Robin Atwood @ 2010-04-10 15:12 UTC
To: gentoo-user
On Saturday 10 April 2010, Eray Aslan wrote:
> On 10.04.2010 11:08, Mick wrote:
> > Apr 9 21:45:47 my_box sendmail[4013]: STARTTLS=client,
> > relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-
> > AES256-SHA, bits=256/256
> >
> > Any idea why this is happening?
>
> Nothing to worry about. It just means you do not trust the certificate
> issuer for smtp.comcast.net. For smtp delivery, this is perfectly fine.
> See below:
>
> $ openssl s_client -connect smtp.comcast.net:25 -starttls smtp
> [...]
> SSL-Session:
> [...]
> Verify return code: 20 (unable to get local issuer certificate)
>
> versus when I tell it to trust some CAs (including verisign) on the
> local machine:
>
> openssl s_client -connect smtp.comcast.net:25 -starttls smtp -CApath
> /etc/ssl/certs/
> [...]
> SSL-Session:
> [...]
> Verify return code: 0 (ok)
That's very interesting, I have puzzled about STARTTLS stuff for years! How do
I make sendmail trust the CAs? At the moment my sendmail.mc looks like:
define(`CERT_DIR',`/etc/mail/certs')
define(`confCACERT_PATH',`CERT_DIR')
define(`confCACERT',`CERT_DIR/cacert.pem')
define(`confSERVER_CERT',`CERT_DIR/cert.pem')
define(`confSERVER_KEY',`CERT_DIR/key.pem')
define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
define(`confCLIENT_KEY',`CERT_DIR/key.pem')
where I made the certs with the TinyCA package.
TIA
-Robin
--
----------------------------------------------------------------------
Robin Atwood.
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
* Re: [gentoo-user] STARTTLS verification problem
From: Eray Aslan @ 2010-04-10 15:32 UTC
To: gentoo-user
On 10.04.2010 18:12, Robin Atwood wrote:
> That's very interesting, I have puzzled about STARTTLS stuff for years! How do
> I make sendmail trust the CAs?
This is neither necessary nor recommended for TLS.
> define(`CERT_DIR',`/etc/mail/certs')
> define(`confCACERT_PATH',`CERT_DIR')
> define(`confCACERT',`CERT_DIR/cacert.pem')
> define(`confSERVER_CERT',`CERT_DIR/cert.pem')
> define(`confSERVER_KEY',`CERT_DIR/key.pem')
> define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
> define(`confCLIENT_KEY',`CERT_DIR/key.pem')
These 3 files (cacert.pem, cert.pem, key.pem) are for your own server.
It has been a while since I used sendmail, but adding CA certificates to
CACERT_PATH should make sendmail trust them.
Again, this is contrary to "best practices". Do not trust third party
CA certificates unnecessarily. It might come back and bite you.
--
Eray
* Re: [gentoo-user] STARTTLS verification problem
From: Mick @ 2010-04-10 16:04 UTC
To: gentoo-user
On Saturday 10 April 2010 16:32:37 Eray Aslan wrote:
> On 10.04.2010 18:12, Robin Atwood wrote:
> > That's very interesting, I have puzzled about STARTTLS stuff for years!
> > How do I make sendmail trust the CAs?
>
> This is neither necessary nor recommended for TLS.
Why would that be?
> > define(`CERT_DIR',`/etc/mail/certs')
> > define(`confCACERT_PATH',`CERT_DIR')
> > define(`confCACERT',`CERT_DIR/cacert.pem')
> > define(`confSERVER_CERT',`CERT_DIR/cert.pem')
> > define(`confSERVER_KEY',`CERT_DIR/key.pem')
> > define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
> > define(`confCLIENT_KEY',`CERT_DIR/key.pem')
>
> These 3 files (cacert.pem, cert.pem, key.pem) are for your own server.
> It has been awhile since I used sendmail, but adding CA certificates to
> CACERT_PATH should make sendmail trust them.
>
> Again, this is contrary to "best practices". Do not trust third party
> CA certificates unnecessarily. It might come back and bite you.
Can you please explain this?
--
Regards,
Mick
* Re: [gentoo-user] STARTTLS verification problem
From: Robin Atwood @ 2010-04-10 16:37 UTC
To: gentoo-user
On Saturday 10 April 2010, Mick wrote:
> On Saturday 10 April 2010 16:32:37 Eray Aslan wrote:
> > On 10.04.2010 18:12, Robin Atwood wrote:
> > > That's very interesting, I have puzzled about STARTTLS stuff for years!
> > > How do I make sendmail trust the CAs?
> >
> > This is neither necessary nor recommended for TLS.
>
> Why would that be?
>
> > > define(`CERT_DIR',`/etc/mail/certs')
> > > define(`confCACERT_PATH',`CERT_DIR')
> > > define(`confCACERT',`CERT_DIR/cacert.pem')
> > > define(`confSERVER_CERT',`CERT_DIR/cert.pem')
> > > define(`confSERVER_KEY',`CERT_DIR/key.pem')
> > > define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
> > > define(`confCLIENT_KEY',`CERT_DIR/key.pem')
> >
> > These 3 files (cacert.pem, cert.pem, key.pem) are for your own server.
> > It has been awhile since I used sendmail, but adding CA certificates to
> > CACERT_PATH should make sendmail trust them.
> >
> > Again, this is contrary to "best practices". Do not trust third party
> > CA certificates unnecessarily. It might come back and bite you.
>
> Can you please explain this?
I am curious too!
-Robin
--
----------------------------------------------------------------------
Robin Atwood.
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
* Re: [gentoo-user] STARTTLS verification problem
From: Eray Aslan @ 2010-04-10 19:32 UTC
To: gentoo-user
On 10.04.2010 19:04, Mick wrote:
> On Saturday 10 April 2010 16:32:37 Eray Aslan wrote:
>> On 10.04.2010 18:12, Robin Atwood wrote:
>>> That's very interesting, I have puzzled about STARTTLS stuff for years!
>>> How do I make sendmail trust the CAs?
>>
>> This is neither necessary nor recommended for TLS.
>
> Why would that be?
Who do you trust and for what? Adding various third party CA
certificates, i.e. using a PKI infrastructure for SMTP for the general
public:
Pros:
None
Cons:
* If you ever do certificate based access control, you will be in
for a surprise.
* MTA's TLS codes are well known for the more popular ones.
However, code paths that deal with a lot of CA certs are seldom used.
There might be corner cases.
On a more general note, please ask yourself "Do I really need a PKI?"
and avoid PKI if you can. It is a mess and is not the way forward.
--
Eray