[exim-dev] [Bug 786] tls_verify_hosts not verifying X509 sig…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: 786
Dátum:  
Címzett: exim-dev
Tárgy: [exim-dev] [Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786




--- Comment #2 from jwexler@??? 2008-12-02 09:04:58 ---
Thank you for your quick response.

Isn't this one additional a means to increase the security to further restrict
who is authorized to relay outgoing email through the server?
I have read as much as I can about this feature including
http://www.exim.org/lurker/message/20070610.123842.6610025d.en.html

If this is not what tls_verify_hosts is for then what is it intended for?

Outlook appears to send the server certificate that I loaded in Outlook's
trusted center. For example, when I send email from this same Outlook client
via an account at another machine running MS Exchange 2000 and then open the
email from another Outlook client machine, I am able to view the contents of
the server certificate that was sent.

Please don't misunderstand; my objective is not to check certificates of
inbound email. Rather, it is for Exim to validate whether or not the Outlook
2007 client is allowed to relay outgoing smtp email by (in addition to TLS
authentication) checking that the certificate that Outlook uses for
authentication (in the Outlook trusted center) is in
/etc/ssl/certs/ca-certificats.crt. MS Exchange has a feature for an
authentication layer via certificates; thus, I believe that Outlook should be
able to do its part.

(Please excuse my challenge with correct terminology below.)

I just did the following two tests.
TEST #1: Send an encrypted, signed email from Outlook 2007 via an account that
authenticates with the main Exim server. I.e., direct authentication with main
Exim server.

The error I just got is as follows:
2008-12-02 16:06:12 [31010] SMTP connection from [main_exim_server_ip]:3687
I=[originating_outlook_client_ip]:587 (TCP/IP connection count = 1)
2008-12-02 16:06:12 [31028] TLS error on connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3687
(gnutls_handshake): The peer did not send any certificate.
2008-12-02 16:06:12 [31028] SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3687
I=[originating_outlook_client_ip]:587 closed by EOF
2008-12-02 16:06:12 [31028] no MAIL in SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3687
I=[originating_outlook_client_ip]:587 D=0s C=EHLO,STARTTLS



TEST #2: Send an encrypted, signed email from Outlook 2007 via an account that
authenticates with a separate (interim) Exim server on another machine. Upon
authentication, this interim Exim server then relays the email to the main Exim
server for delivery to the local user. I.e., indirect sending via a separate
Exim server for inbound delivery at the main Exim server.

Main Exim Server Log:
I.e., Log from the main Exim server that receives the email for delivery from
the interim Exim server:

2008-12-02 16:26:30 [1865] SMTP connection from
[interim_exim_server_for_relay_from_separate_mta_ip]:44978
I=[originating_outlook_client_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [1882] TLS error on connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44978 (gnutls_handshake):
The peer did not send any certificate.
2008-12-02 16:26:30 [1882] SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44978
I=[originating_outlook_client_ip]:25 closed by EOF
2008-12-02 16:26:30 [1882] no MAIL in SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44978
I=[originating_outlook_client_ip]:25 D=0s C=EHLO,STARTTLS
2008-12-02 16:26:30 [1865] SMTP connection from
[interim_exim_server_for_relay_from_separate_mta_ip]:44979
I=[originating_outlook_client_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [1883]
H=interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44979
I=[originating_outlook_client_ip]:25 rejected MAIL
<user_who_relays_through_other_interim_exim_server@domain>
2008-12-02 16:26:30 [1883] SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44979
I=[originating_outlook_client_ip]:25 closed by QUIT


Interim Exim Server Log:
Log from the interim Exim Server that authenticates and then relays to the main
Exim Server following:

2008-12-02 16:26:30 [4880] SMTP connection from [main_exim_server_ip]:3705
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 (TCP/IP connection
count = 1)
2008-12-02 16:26:30 [6272] 1L7PeQ-0001dA-8c <=
user_who_relays_through_other_interim_exim_server@domain
H=originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3705
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 P=esmtp S=12177
id=02ca01c9544f$495c11d0$dc143570$@com T="For delivery. Sent from another exim
server. tls_verify_hosts Expect: OK 002" from
<user_who_relays_through_other_interim_exim_server@domain> for
testuser02@local_virtual_domain_pre-rewrite
2008-12-02 16:26:30 [6273] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7PeQ-0001dA-8c
2008-12-02 16:26:30 [6274] 1L7PeQ-0001dA-8c TLS error on connection to
local_virtual_domain_pre-rewrite [originating_outlook_client_ip]
(gnutls_handshake): Error in the push function.
2008-12-02 16:26:30 [6274] 1L7PeQ-0001dA-8c TLS session failure: delivering
unencrypted to local_virtual_domain_pre-rewrite [originating_outlook_client_ip]
(not in hosts_require_tls)
2008-12-02 16:26:30 [6273] 1L7PeQ-0001dA-8c **
testuser02@local_virtual_domain_pre-rewrite
F=<user_who_relays_through_other_interim_exim_server@domain>
P=<user_who_relays_through_other_interim_exim_server@domain>
R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server
after MAIL FROM:<user_who_relays_through_other_interim_exim_server@domain>
SIZE=13370: host local_virtual_domain_pre-rewrite
[originating_outlook_client_ip]: 550 Administrative prohibition
2008-12-02 16:26:30 [6275] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem
-oi -f <> -E1L7PeQ-0001dA-8c
2008-12-02 16:26:31 [6275] 1L7PeQ-0001dD-QU <= <> R=1L7PeQ-0001dA-8c
U=Debian-exim P=local S=13157 T="Mail delivery failed: returning message to
sender" from <> for user_who_relays_through_other_interim_exim_server@domain
2008-12-02 16:26:31 [6276] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7PeQ-0001dD-QU
2008-12-02 16:26:31 [6273] 1L7PeQ-0001dA-8c Completed QT=1s
2008-12-02 16:26:31 [6276] 1L7PeQ-0001dD-QU =>
user_who_relays_through_other_interim_exim_server
<user_who_relays_through_other_interim_exim_server@domain> F=<> P=<>
R=ldap_user T=maildir_home S=13252 QT=1s DT=0s
2008-12-02 16:26:31 [6276] 1L7PeQ-0001dD-QU Completed QT=1s
2008-12-02 16:26:33 [6272] SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3705
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 closed by QUIT


TEST #3: Same as Test #2 except that I commented out MAIN_RELAY_NETS so that
neither the Client nor the Interim Exim relay server are in MAIN_RELAY_NETS.

MAIN EXIM SERVER LOG:
2008-12-02 17:25:40 [3153] SMTP connection from
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25 (TCP/IP connection count = 1)
2008-12-02 17:25:40 [3167] "testuser02@local_virtual_domain_pre-rewrite" from
env-to rewritten as "post_rewrite_prefix_testuser02@domain" by rule 7
2008-12-02 17:25:40 [3167]
H=interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25
F=<user_who_relays_through_other_interim_exim_server@domain> rejected RCPT
<testuser02@local_virtual_domain_pre-rewrite>
2008-12-02 17:25:40 [3167]
H=interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25 incomplete transaction (QUIT) from
<user_who_relays_through_other_interim_exim_server@domain>
2008-12-02 17:25:40 [3167] SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25 closed by QUIT


INTERIM RELAYING EXIM SERVER LOG:
2008-12-02 17:25:40 [4880] SMTP connection from
[originating_outlook_client_ip]:3820
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 (TCP/IP connection
count = 1)
2008-12-02 17:25:40 [6363] 1L7QZg-0001ed-GO <=
user_who_relays_through_other_interim_exim_server@domain
H=originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [originating_outlook_client_ip]:3820
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 P=esmtp S=11982
id=02db01c95457$8d3c5880$a7b50980$@com T="For delivery. Sent from another exim
server. tls_verify_hosts Expect: OK 003" from
<user_who_relays_through_other_interim_exim_server@domain> for
testuser02@local_virtual_domain_pre-rewrite
2008-12-02 17:25:40 [6364] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7QZg-0001ed-GO
2008-12-02 17:25:40 [6364] 1L7QZg-0001ed-GO **
testuser02@local_virtual_domain_pre-rewrite
F=<user_who_relays_through_other_interim_exim_server@domain>
P=<user_who_relays_through_other_interim_exim_server@domain>
R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server
after RCPT TO:<testuser02@local_virtual_domain_pre-rewrite>: host
local_virtual_domain_pre-rewrite [main_exim_server_ip]: 550 Administrative
prohibition
2008-12-02 17:25:40 [6366] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem
-oi -f <> -E1L7QZg-0001ed-GO
2008-12-02 17:25:41 [6366] 1L7QZg-0001eg-Qx <= <> R=1L7QZg-0001ed-GO
U=Debian-exim P=local S=12959 T="Mail delivery failed: returning message to
sender" from <> for user_who_relays_through_other_interim_exim_server@domain
2008-12-02 17:25:41 [6367] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7QZg-0001eg-Qx
2008-12-02 17:25:41 [6364] 1L7QZg-0001ed-GO Completed QT=1s
2008-12-02 17:25:41 [6367] 1L7QZg-0001eg-Qx =>
user_who_relays_through_other_interim_exim_server
<user_who_relays_through_other_interim_exim_server@domain> F=<> P=<>
R=ldap_user T=maildir_home S=13054 QT=1s DT=0s
2008-12-02 17:25:41 [6367] 1L7QZg-0001eg-Qx Completed QT=1s
2008-12-02 17:25:43 [6363] SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [originating_outlook_client_ip]:3820
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 closed by QUIT


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email