[Postfixbuch-users] Sending via TLS from a dynamic IP

Michael Koehler bittehier at nurfuerspam.de
Mon Jul 21 10:57:35 CEST 2008


Hello,

I want to configure Postfix so that a client (Exchange) with a dynamic IP authenticates securely via TLS when sending. I have my own CA, have pointed Postfix at the cert, and have installed the certificate on the client. The output of postconf -n is below.

The log file says the following:

Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: initializing the server-side TLS engine
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: connect from port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: setting up TLS connection from port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:before/accept initialization
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]: looking up session B174EB8F943AABB641ADB27CFC971F7F139867ED091FF2E78B3687ACB94DCCBE&s=smtp in smtpd cache
Jul 21 10:52:39 vsxxxx postfix/tlsmgr[22394]: lookup smtpd session id=B174EB8F943AABB641ADB27CFC971F7F139867ED091FF2E78B3687ACB94DCCBE&s=smtp
Jul 21 10:52:39 vsxxxx postfix/tlsmgr[22394]: read smtpd TLS cache entry B174EB8F943AABB641ADB27CFC971F7F139867ED091FF2E78B3687ACB94DCCBE&s=smtp: time=1216628837 [data 127 bytes]
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]: reloaded session B174EB8F943AABB641ADB27CFC971F7F139867ED091FF2E78B3687ACB94DCCBE&s=smtp from smtpd cache
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:SSLv3 read client hello B
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:SSLv3 write server hello A
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:SSLv3 write change cipher spec A
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:SSLv3 write finished A
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:SSLv3 flush data
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: SSL_accept:SSLv3 read finished A
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]: Reusing old session
Jul 21 10:52:39 vsxxxx postfix/smtpd[25788]: Anonymous TLS connection established from port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 21 10:52:40 vsxxxx postfix/smtpd[25788]: NOQUEUE: reject: RCPT from port-87-234-124-170.dynamic.qsc.de[87.234.124.xxx]: 554 5.7.1 <braunbaer at sonnenkinder.org>: Recipient address rejected: Access denied; from=<sender at domain1.de> to=<braunbaer at sonnenkinder.org> proto=ESMTP helo=<domain1.de>
Jul 21 10:52:40 vsxxxx postfix/smtpd[25788]: disconnect from port-87-234-124-xxx.dynamic.qsc.de[87.234.124.xxx]

Why does it not recognise the certificate ("Anonymous TLS connection")?

Can anyone work out what exactly is wrong here?

Oh, and: I generated the contents of the relay-clientcerts file with "openssl x509 -noout -fingerprint -in sasl/self-cert.pem" - that should be right.



>----- postconf -n -------<

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
mydestination = xxxx.vserver4free.de, domain1.de, domain2.de, localhost
myhostname = xxxx.vserver4free.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_enforce_tls = yes
smtpd_recipient_restrictions = permit_mynetworks permit_tls_clientcerts reject
smtpd_tls_CAfile = /etc/postfix/sasl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/sasl/self-cert.pem
smtpd_tls_key_file = /etc/postfix/sasl/self-key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport

Regards,
Michael

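Added example, not part of the post above and not Postfix code: Postfix labels the "TLS connection established" line with the trust level of the client certificate, and "Anonymous" means the client offered no certificate at all, so permit_tls_clientcerts has nothing to match. Postfix only asks for a client certificate when smtpd_tls_ask_ccert = yes is set, and it compares the digest named by smtpd_tls_fingerprint_digest (md5 in Postfix releases of that era, whereas openssl's -fingerprint default is sha1), with the bare colon-separated hex as the map key. The script below audits constructed smtpd log lines for sessions that presented no certificate, an unverifiable one, or a weak cipher such as RC4-MD5, and turns an openssl fingerprint line into a relay_clientcerts entry while refusing a digest that does not match the configured one. The log lines, host names, addresses and fingerprint are all constructed.

```python
"""Audit Postfix smtpd TLS log lines and prepare relay_clientcerts entries.

Added example; the log lines and fingerprint below are constructed, not
taken from a real system.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Postfix prefixes "TLS connection established" with the trust level of the
# client certificate: Anonymous (none offered), Untrusted (offered but not
# verifiable against smtpd_tls_CAfile), Trusted (verified), Verified
# (verified and the name matched).
TLS_LINE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# Cipher-name fragments that should not appear on a relay today.
WEAK_CIPHER = re.compile(r"RC4|MD5|NULL|EXP|DES", re.I)
# "SHA1 Fingerprint=AB:CD:..." as printed by `openssl x509 -fingerprint`.
OPENSSL_FP = re.compile(
    r"^(?P<digest>[A-Za-z0-9]+) Fingerprint=(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$"
)


@dataclass
class TlsSession:
    pid: str
    level: str
    host: str
    ip: str
    proto: str
    cipher: str
    bits: int

    @property
    def presented_cert(self) -> bool:
        return self.level != "Anonymous"

    @property
    def weak_cipher(self) -> bool:
        return bool(WEAK_CIPHER.search(self.cipher))


def parse_tls_line(line: str) -> Optional[TlsSession]:
    """Parse one smtpd "TLS connection established" line, else return None."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    return TlsSession(m["pid"], m["level"], m["host"], m["ip"],
                      m["proto"], m["cipher"], int(m["bits"]))


def audit(lines: Iterable[str]) -> Tuple[List[TlsSession], List[Tuple[str, str]]]:
    """Return parsed sessions plus (pid, reason) findings for sessions that a
    relay admitting clients only via permit_tls_clientcerts should not trust."""
    sessions, findings = [], []
    for line in lines:
        s = parse_tls_line(line)
        if s is None:
            continue
        sessions.append(s)
        if not s.presented_cert:
            findings.append((s.pid, "no client certificate presented; permit_tls_clientcerts cannot match"))
        elif s.level == "Untrusted":
            findings.append((s.pid, "client certificate not verifiable against smtpd_tls_CAfile"))
        if s.weak_cipher:
            findings.append((s.pid, f"weak cipher {s.cipher}"))
    return sessions, findings


def relay_clientcerts_entry(openssl_output: str, label: str, configured_digest: str) -> str:
    """Turn `openssl x509 -noout -fingerprint` output into a relay_clientcerts
    map line: the key is the bare colon-separated fingerprint (the
    "SHA1 Fingerprint=" prefix must not be part of the key), the value is free
    text. Refuses output made with a digest other than smtpd_tls_fingerprint_digest."""
    m = OPENSSL_FP.match(openssl_output.strip())
    if m is None:
        raise ValueError("not an openssl fingerprint line")
    if m["digest"].lower() != configured_digest.lower():
        raise ValueError(f"fingerprint is {m['digest']}, Postfix compares {configured_digest}")
    return f"{m['fp'].upper()} {label}"


# Constructed sample log: one session without a client cert on RC4-MD5,
# one with a verified cert on a modern cipher, one unrelated line.
SAMPLE_LOG = [
    "Jul 21 10:52:39 mx postfix/smtpd[25788]: Anonymous TLS connection established "
    "from client.example.net[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)",
    "Jul 21 10:53:01 mx postfix/smtpd[25790]: Trusted TLS connection established "
    "from client.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jul 21 10:53:01 mx postfix/smtpd[25790]: connect from client.example.net[192.0.2.10]",
]
# Constructed fingerprint, not a real certificate's.
SAMPLE_FP = "SHA1 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D"

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE_LOG)[1]:
        print(f"smtpd[{pid}]: {reason}")
    print(relay_clientcerts_entry(SAMPLE_FP, "exchange-client", "sha1"))
```

Run against real mail.log output, the audit lists every smtpd process whose client could not have been admitted by permit_tls_clientcerts and why; the map helper is meant to be piped into a file that is then processed with postmap, and the digest argument should be whatever postconf reports for smtpd_tls_fingerprint_digest.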