Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

postfix: Server certificate is used as client certificate too #88817

Open
asbachb opened this issue May 24, 2020 · 4 comments · May be fixed by #89178
Open

postfix: Server certificate is used as client certificate too #88817

asbachb opened this issue May 24, 2020 · 4 comments · May be fixed by #89178
Labels
0.kind: bug 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos

Comments

@asbachb
Copy link
Contributor

asbachb commented May 24, 2020

The server certificate is also used as client certificate:

# grep -r 'smtpd_tls_' /etc/postfix/*
/etc/postfix/main.cf:smtpd_tls_CAfile = 
/etc/postfix/main.cf:smtpd_tls_cert_file = /var/cert/domain.xyz/cert.pem
/etc/postfix/main.cf:smtpd_tls_key_file = /var/cert/domain.xyz/key.pem
...

# grep -r 'smtp_tls_' /etc/postfix/*
/etc/postfix/main.cf:smtp_tls_CAfile = 
/etc/postfix/main.cf:smtp_tls_cert_file = /var/cert/domain.xyz/cert.pem
/etc/postfix/main.cf:smtp_tls_key_file = /var/cert/domain.xyz/key.pem
...

Do not configure client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them.
http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

see

nixpkgs/nixos/modules/services/mail/postfix.nix

Lines 775 to 777 in e92b11d

smtp_tls_CAfile = cfg.sslCACert;
smtp_tls_cert_file = cfg.sslCert;
smtp_tls_key_file = cfg.sslKey;

Downstream bug: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/183
@asbachb
Copy link
Contributor Author

asbachb commented May 24, 2020

cc: @rickynils @globin

@asbachb asbachb changed the title Server certificate is used as client certificate too postfix: Server certificate is used as client certificate too May 24, 2020
@flokli
Copy link
Contributor

flokli commented May 27, 2020

Could you file a PR fixing this?

You can add a release note entry, explaining how to get back to the old behaviour if someone is using this on purpose, but this really sounds like a bug.

@asbachb
Copy link
Contributor Author

asbachb commented May 27, 2020
edited

@flokli I currently working on a fix. The plan was to deprecate sslCACert, sslCert and sslKey and introduce something like tlsServerCACert, tlsClientCACert and so on.
But this takes some time since I'm not fluent with nix yet.

In addition I saw that postfix does not configure a trust store by default. Which prevent tls certification validation on server to server mail delivery.
I guess the best default configuration would be to trust the system trust store and enable opportunistic tls communication for server to server communication. Otherwise we promote the unencrypted smtp communication which should die asap.

@asbachb asbachb linked a pull request May 29, 2020 that will close this issue
Draft
10 tasks
asbachb added a commit to asbachb/nixpkgs that referenced this issue Jun 7, 2020
@asbachb
postfix: refactored tls certificate configuration
a277892 
The change fixes NixOS#88817 and can be separated into following tasks:

## Encourage usage of encrypted connections for outgoing traffic
This was done by configuring a trust store and enabling opportunistic usage of tls for outgoing traffic.

## Depreaction of old configuration

## Removed client certificate configuration on server certificate configuration
Previously the ssl certificate and key were used for smtpd (incoming mail) and for smtp (ougoing) mail.
Using a certifcate for outgoing mail traffic is quite uncommon and most likely not wanted when setting `sslCert`. The postfix documentation request to configure certificates for outgoing traffic only when you "must present client TLS certificates".

`smtpd_tls_chain_files` was used in favour of `smtpd_tls_cert` and `smtpd_tls_key` since this is the postfix recommended configuration since `3.4`.
@stale
Copy link

stale bot commented Nov 23, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Nov 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0.kind: bug 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

wip: postfix: refactored tls certificate configuration asbachb/nixpkgs
3 participants
@flokli @veprbl @asbachb