[exim-dev] [Bug 786] New: tls_verify_hosts not verifying X50…

Top Page
Delete this message
Reply to this message
Author: 786
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007, [exim-dev] [Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007
Subject: [exim-dev] [Bug 786] New: tls_verify_hosts not verifying X509 signed from Outlook 2007
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786
           Summary: tls_verify_hosts not verifying X509 signed from Outlook
                    2007
           Product: Exim
           Version: 4.68
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: nigel@???
        ReportedBy: jwexler@???
                CC: exim-dev@???



Objective: Only allow outgoing mail relaying from clients (Outlook 2007) which
authenticate with a certificate that the Exim server recognizes.

This does not appear to work.

Client: Outlook 2007 (12.0.6316.5000) SP1 MSO (12.0.6320.5000)
CA certificate is in the root CA section of IE7
Server certificate and each test email client certificate are in the
Individuals and Others of IE7 certificates area
Server certificate included as trusted certificate and as default email
certificate in Outlook 2007 trusted center
Client certificates all saved in respective users entries in Outlook address
book

Server: Ubuntu 8.04.1 Installed Packages include exim4-daemon-heavy (4.68),
libmail-spf-query-perl, mailx
ldap (openldap2.3) via http://ubuntuforums.org/showthread.php?t=640760

Signed Certificates:
Attempted certificates generated via openssl (0.9.8g) as well as certificates
generated via gnutls (2.0.4). Tried both 1024 bits and 4096 bit certificates.
CA: ca, cert_signing_key
Server (Signed by above CA): ca, signing_key, encryption_key, dns_name =
hostname, ip_address = server ip address
Clients: ca, signing_key, encryption_key

Contents of server certificate settings:
X.509 Certificate Information, version 3
Issuer and Subject: C, O, OU, L, ST, CN (Exim server hostname), EMAIL all
defined
Subject Public Key Algorithm: RSA
Basic Constraints (critical): Certificate Authority (CA): TRUE
Subject Alternative Name (not critical): RFC822name is same as Email in Subject
Subject Key Identifier (not critical) and Authority Key Identifier (not
critical) defined
Signature Algorithm: RSA-SHA
MD5 fingerprint, SHA-1 fingerprint, Public Key Id defined

Client certificates also created with CN = Email.
Server certificate and client certicates copied to /usr/share/ca-certificates
and added to /etc/ssl/certs/ca-certificates.crt via dpkg-reconfigure
ca-certificates
Server certificate and key also copied to /etc/exim4 with chmod properties same
as /etc/exim4/exim.crt and exim.key

exim4.conf.template properties
MAIN_TLS_ENABLE = yes
MAIN_TLS_VERIFY_HOSTS = *
MAIN_RELAY_NETS = (a number of networks including the network of the test
Outlook 2007 client)
MAIN_TLS_ADVERTISE_HOSTS = MAIN_RELAY_NETS
MAIN_TLS_CERTIFICATE = /etc/exim4/(the name of the server certificate file)
MAIN_TLS_PRIVATEKEY = /etc/exim4/(the name of the server key file)


The following is an example from /var/log/exim4/mainlog when
MAIN_TLS_VERIFY_HOSTS = * is set. Encrypted, signed (via client certificates)
TLS email is not relayed to local ldap users.

2008-12-01 16:07:15 [23561] SMTP connection from [client_ip]:3000
I=[server_ip]:587 (TCP/IP connection count = 1)
2008-12-01 16:07:15 [23570] TLS error on connection from client_FQDN
(client_hostname_short) [client_ip]:3000 (gnutls_handshake): The peer did not
send any certificate.
2008-12-01 16:07:15 [23570] SMTP connection from client_FQDN
(client_hostname_short) [client_ip]:3000 I=[server_ip]:587 closed by EOF
2008-12-01 16:07:15 [23570] no MAIL in SMTP connection from client_FQDN
(client_hostname_short) [client_ip]:3000 I=[server_ip]:587 D=0s C=EHLO,STARTTLS
(END)



The following is an example from /var/log/exim4/mainlog when
MAIN_TLS_VERIFY_HOSTS = * is commented out. Encrypted, signed (via client
certificates) TLS email is relayed to local ldap users without issue. The DN in
mainlog is blank for some reason.

/var/log/exim4/mainlog:
2008-12-01 16:06:29 [30486] SMTP connection from [client_ip]:2999
I=[server_ip]:587 (TCP/IP connection count = 1)
2008-12-01 16:06:29 [23038] 1L72rV-0005za-O1
"testaccount02@virtual_domain-pre-rewrite" from env-to rewritten as
"post_rewrite_prefix_testaccount02@domain" by rule 7
2008-12-01 16:06:29 [23038] 1L72rV-0005za-O1 <=
testaccount01@virtual_domain-pre-rewrite H=client_FQDN (client_hostname_short)
[client_ip]:2999 I=[server_ip]:587 P=smtps X=TLS-1.0:RSA_ARCFOUR_MD5:16 CV=no
DN="" S=12242 id=002201c95383$5a6d3f20$0f47bd60$@com T="tls_verify_hosts not
set test 02" from <testaccount01@virtual_domain-pre-rewrite> for
testaccount02@virtual_domain-pre-rewrite
2008-12-01 16:06:29 [23039] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L72rV-0005za-O1
2008-12-01 16:06:30 [23039] 1L72rV-0005za-O1 =>
post_rewrite_prefix_testaccount02 <post_rewrite_prefix_testaccount02@domain>
F=<testaccount01@virtual_domain-pre-rewrite>
P=<testaccount01@virtual_domain-pre-rewrite> R=local_user T=maildir_home
S=12385 QT=1s DT=1s
2008-12-01 16:06:30 [23039] 1L72rV-0005za-O1 Completed QT=1s
2008-12-01 16:06:32 [23038] SMTP connection from client_FQDN
(client_hostname_short) [client_ip]:2999 I=[server_ip]:587 closed by QUIT


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email