bug-mailfromd
Re: [Bug-mailfromd] Postfix TLS Macros?
Hi Mehmet,
> Any pointers on how I can check for that?
Use the --gacopyz-log=proto option to mailfromd[1]. It produces a very
copious log (a detailed dump of each MTA milter command and response),
so take care if using it on a heavily loaded server.
Notice the following:
1. Postfix defines both cert_subject and cert_issuer only if the following
two conditions are met:
(a) postfix is configured with smtpd_tls_ask_ccert=yes or
smtpd_tls_req_ccert=yes and
(b) the client sends their certificate during TLS handshake.
That means that they are not defined during normal TLS sessions.
2. Condition (b) obviously takes effect only after STARTTLS has finished
successfully.
3. In a TLS session, the EHLO command is issued twice: the first time right
after establishing the connection, and the second time after STARTTLS.
Correspondingly, prog helo is invoked twice. Obviously, both macros are
not defined during the first call, and are defined during the second
one.
4. Provided that the condition 1.(a) is met, you can use the following
command to emulate the TLS session:
openssl s_client -connect HOST:25 -starttls smtp -key KFILE -cert CFILE
where HOST stands for the host name or IP of your SMTP server, KFILE for
the name of the client certificate key file, and CFILE for the name of
the client certificate file (both in PEM). Once the connection is
established, type
EHLO HOSTNAME
(replace HOSTNAME with any suitable host name). After that command,
you should see the cert_subject value printed in your mailfromd log
output.
5. You may wish to set smtpd_tls_loglevel=2 in your postfix
configuration to have it print out client certificate data during TLS
negotiation.
Hope that helps.
Regards,
Sergey
[1] https://www.gnu.org.ua/software/mailfromd/manual/Logging-and-Debugging-Options.html#gacopyz_002dlog-option
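As an added illustration of points 1-3 above (this is example code written for this page, not mailfromd's or Postfix's own code), the following Python decodes milter SMFIC_MACRO packets and reports, for each HELO-stage macro set the MTA sent, whether {cert_subject} and {cert_issuer} were both defined. The packet layout follows the Sendmail milter protocol (4-byte big-endian length, a command byte 'D', a stage byte, then NUL-terminated name/value pairs); the two-packet sample session is constructed to mirror the behaviour described in the reply: a first EHLO before STARTTLS with no certificate macros, and a second EHLO after STARTTLS during which the client certificate was presented. The certificate DN values are invented sample data.

```python
import struct

SMFIC_MACRO = b"D"   # milter command byte carrying macro definitions
STAGE_HELO = b"H"    # macro set that accompanies the HELO/EHLO callback


def build_macro_packet(stage: bytes, macros: dict) -> bytes:
    """Encode one SMFIC_MACRO packet. Used here only to build constructed test data."""
    body = stage
    for name, value in macros.items():
        body += name.encode() + b"\0" + value.encode() + b"\0"
    payload = SMFIC_MACRO + body
    return struct.pack(">I", len(payload)) + payload


def parse_packets(stream: bytes):
    """Split a milter byte stream into (command byte, data) pairs."""
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated milter packet")
        yield payload[:1], payload[1:]
        pos += 4 + length


def decode_macros(data: bytes):
    """Return (stage byte, {name: value}) from the data part of an SMFIC_MACRO packet."""
    stage = data[:1]
    fields = data[1:].split(b"\0")
    if fields and fields[-1] == b"":
        fields.pop()          # trailing NUL terminator leaves an empty element
    if len(fields) % 2:
        raise ValueError("odd number of macro fields")
    macros = {fields[i].decode(): fields[i + 1].decode()
              for i in range(0, len(fields), 2)}
    return stage, macros


def tls_cert_macros_per_helo(stream: bytes):
    """For every HELO-stage macro packet, in order, report the certificate macros.

    A macro that is absent or has an empty value is treated as undefined,
    which is what prog helo would observe for that invocation.
    """
    results = []
    for cmd, data in parse_packets(stream):
        if cmd != SMFIC_MACRO:
            continue
        stage, macros = decode_macros(data)
        if stage != STAGE_HELO:
            continue
        subject = macros.get("{cert_subject}") or None
        issuer = macros.get("{cert_issuer}") or None
        results.append({
            "cert_subject": subject,
            "cert_issuer": issuer,
            "both_defined": subject is not None and issuer is not None,
        })
    return results


# Constructed sample session (not a real capture):
#   packet 1: macros for the EHLO issued before STARTTLS -> no TLS macros at all
#   packet 2: macros for the EHLO issued after STARTTLS with a client certificate
SAMPLE_STREAM = (
    build_macro_packet(STAGE_HELO, {})
    + build_macro_packet(STAGE_HELO, {
        "{tls_version}": "TLSv1.3",
        "{cipher}": "TLS_AES_256_GCM_SHA384",
        "{cert_subject}": "CN=client.example.test",
        "{cert_issuer}": "CN=Example Test CA",
    })
)

if __name__ == "__main__":
    for n, r in enumerate(tls_cert_macros_per_helo(SAMPLE_STREAM), 1):
        print(f"helo call {n}: both_defined={r['both_defined']} "
              f"subject={r['cert_subject']!r}")
```

Run against a real dump of the MTA-to-milter traffic, the same logic shows which of the two helo invocations actually carries the certificate macros, so a helo handler that expects {cert_subject} on the first call can be spotted without guessing.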