доброго времени суток. А подкажите плиз дилетанту от tls смогу ли я использовать для postfix ssl сертификат с пометкой "X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication" ?по результатам издевательских (над сертификатом) тестов - это не совсем ясно:
пыталась проверить с помощью msmtp - не получается (в логах - no certificate, то есть сертификат не был отослан на сервер, соотв и fingerprint проверка не срабатывает и отказ на relay получаю), а вот при попытке отослать тоже самое через s_client - все шоколадно.. можно ли извратиться так чтобы этот сертификат работал и с обычными smtp клиентом?
Заранее благодарна за любой совет!
результаты тестов:
1) неудача с msmtp:
echo test | msmtp --tls=on --tls-cert-file=/tmp/test/mycert.crt --tls-key-file=/tmp/test/mykey.key --tls-certcheck=off --host=morse.mynet.net --tls-force-sslv3=on --domain=outlooktest.mynet.net --protocol=smtp --from=test@outlooktest.mynet.net taphy@mynet.net
postfix log:
Jul 15 14:30:25 morse postfix/smtpd[13042]: connect from nat.mynet.net[1.1.1.1]
Jul 15 14:30:25 morse postfix/smtpd[13042]: setting up TLS connection from nat.mynet.net[1.1.1.1]
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:before/accept initialization
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read client hello B
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read client hello B
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 read client hello B
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 write server hello A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 write certificate A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 write key exchange A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 write certificate request A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 flush data
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read client certificate A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read client certificate A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL3 alert read:warning: no certificate
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read client certificate A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read client certificate A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 read client key exchange A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:error in SSLv3 read certificate verify A
Jul 15 14:30:25 morse last message repeated 3 times Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 read finished A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 write change cipher spec A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 write finished A
Jul 15 14:30:25 morse postfix/smtpd[13042]: SSL_accept:SSLv3 flush data
Jul 15 14:30:25 morse postfix/smtpd[13042]: TLS connection established from nat.mynet.net[1.1.1.1]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 15 14:30:26 morse postfix/smtpd[13042]: NOQUEUE: reject: TCPT from nat.mynet.net[1.1.1.1]: 554 5.7.1 <nat.mynet.net[1.1.1.1]>: Client host rejected: Access denied; from=<test@ssltest.mynet.net> to=<taphy@mynet.net> proto=ESMTP helo=<ssltest.mynet.net>
Jul 15 14:30:26 morse postfix/smtpd[13042]: lost connection after DATA from nat.mynet.net[1.1.1.1]
Jul 15 14:30:26 morse postfix/smtpd[13042]: disconnect from nat.mynet.net[1.1.1.1]
2) удачная отсылка с s_client (сертификат тот же):
openssl s_client -showcerts -cert /tmp/test/mycert.crt -key /tmp/test/mykey.key -starttls smtp -CAfile /tmp/test/"Thawte\ Server\ CA.cer" -connect morse.mynet.net:25
postfix log:
Jul 15 14:15:24 morse postfix/smtpd[12868]: connect from nat.mynet.net[1.1.1.1]
Jul 15 14:15:24 morse postfix/smtpd[12868]: setting up TLS connection from nat.mynet.net[1.1.1.1]
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:before/accept initialization
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:error in SSLv2/v3 read client hello B
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:SSLv3 read client hello A
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:SSLv3 write server hello A
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:SSLv3 write certificate A
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:SSLv3 write key exchange A
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:SSLv3 write certificate request A
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:SSLv3 flush data
Jul 15 14:15:24 morse postfix/smtpd[12868]: SSL_accept:error in SSLv3 read client certificate A
Jul 15 14:15:25 morse last message repeated 3 times
Jul 15 14:15:25 morse postfix/smtpd[12868]: certificate verification depth=1 subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Вivision/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
Jul 15 14:15:25 morse postfix/smtpd[12868]: verify return: 1
Jul 15 14:15:25 morse postfix/smtpd[12868]: certificate verification depth=0 subject=/O=ssltest.mynet.net/OU=Go to https://www.thawte.com/repository/index.html /OU=Thawte SSL123 certificate/OU=Domain Validated/CN=ssltest.mynet.net
Jul 15 14:15:25 morse postfix/smtpd[12868]: verify return: 1
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 read client certificate A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:error in SSLv3 read client key exchange A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:error in SSLv3 read client key exchange A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 read client key exchange A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:error in SSLv3 read certificate verify A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:error in SSLv3 read certificate verify A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 read certificate verify A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:error in SSLv3 read finished A
Jul 15 14:15:25 morse last message repeated 3 times
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 read finished A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 write change cipher spec A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 write finished A
Jul 15 14:15:25 morse postfix/smtpd[12868]: SSL_accept:SSLv3 flush data
Jul 15 14:15:25 morse postfix/smtpd[12868]: subject=/O=ssltest.mynet.net/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=ssltest.mynet.net
Jul 15 14:15:25 morse postfix/smtpd[12868]: issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
Jul 15 14:15:25 morse postfix/smtpd[12868]: fingerprint=<here is correct fingerprint>
Jul 15 14:15:25 morse postfix/smtpd[12868]: Verified: subject_CN=ssltest.mynet.net, issuer=Thawte Server CA
Jul 15 14:15:25 morse postfix/smtpd[12868]: TLS connection established from nat.mynet.net[1.1.1.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 15 14:16:03 morse postfix/smtpd[12868]: 38C46438A4B: client=nat.mynet.net[1.1.1.1]
Jul 15 14:16:11 morse postfix/cleanup[12875]: 38C46438A4B: message-id=<20090715211603.38C46438A4B@morse.mynet.net>
Jul 15 14:16:11 morse postfix/qmgr[12865]: 38C46438A4B: from=<test@host.mynet.net>, size=526, nrcpt=1 (queue active)
Jul 15 14:16:15 morse postfix/smtpd[12868]: disconnect from nat.mynet.net[60.234.49.2]
Jul 15 14:16:23 morse postfix/smtp[12877]: 38C46438A4B: to=<taphy@mynet.net>, relay=relay.mynet.net[1.1.1.1]:25, delay=30,
delays=18/0.01/0.42/11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3EF3717CB0)
Jul 15 14:16:23 morse postfix/qmgr[12865]: 38C46438A4B: removed