On 16.05.23 14:27, Sean Gallagher wrote:
I have a created a CA for the sole purpose of signing the certificate of the LMTPS client. I regard this as a horrible horrible kludge.
... how do you figure that? *Someone*, and that means you, has to specify which clients are allowed to connect. Which leaves three possibilities:
a) You run the CA and thus, the CA can do the selection for you. Which means that in order to deal with a single-permissible-client situation, you need the CA to issue client certs to just that one entity. b) The CA does *not* and issues (client) certs to entities you do *not* want to grant access. Then the selection job remains yours and, assuming that requiring a client cert from that CA makes any sense in the first place, auth_ssl_username_from_cert is there to help you (by making sure that the username will be "the ID" from the cert so that you can base some additional filtering on that). c) The CA is willing to enrich the certs it issues with DN parts, X509v3 extensions or the like signalling access rights as granted beforehand by a *fourth* party, as in, you. Which is a terrible can of worms as soon as things, especially the number of such fourth parties to support by the same CA, start to scale up IMHO. Which promptly brings us back to you running the CA yourself ...
Kind regards,
Jochen Bern Systemingenieur
Binect GmbH
<<Reiterate original post in new thread>>
In my config, I forward deliveries to Dovecot over LMTPS. The machine (there is just one for now) forwarding the mail has a certificate from a well known and trusted CA. How can I configure Dovecot to accept mail deliveries from that one machine?
Currently I have:
protocol lmtp{ login_trusted_networks = 192.168.x.y 0011:2233:4455:6677:8899:aabb:ccdd:eeff auth_ssl_require_client_cert = yes ssl_verify_client_cert = yes ssl_ca = (a private - single purpose CA) ...
The IP addresses are the addresses of the LMTPS client machine.
I have a created a CA for the sole purpose of signing the certificate of the LMTPS client. I regard this as a horrible horrible kludge.
I would like to be able to set ssl_ca to the root certificate of the public trusted CA but can't work out how to get Dovecot to check the name on the certificate.
<<End original post>>
On 17/05/2023 12:13 am, Jochen Bern wrote:
On 16.05.23 14:27, Sean Gallagher wrote:
I have a created a CA for the sole purpose of signing the certificate of the LMTPS client. I regard this as a horrible horrible kludge.
... how do you figure that? *Someone*, and that means you, has to specify which clients are allowed to connect. Which leaves three possibilities:
a) You run the CA and thus, the CA can do the selection for you. Which means that in order to deal with a single-permissible-client situation, you need the CA to issue client certs to just that one entity. b) The CA does *not* and issues (client) certs to entities you do *not* want to grant access. Then the selection job remains yours and, assuming that requiring a client cert from that CA makes any sense in the first place, auth_ssl_username_from_cert is there to help you (by making sure that the username will be "the ID" from the cert so that you can base some additional filtering on that). c) The CA is willing to enrich the certs it issues with DN parts, X509v3 extensions or the like signalling access rights as granted beforehand by a *fourth* party, as in, you. Which is a terrible can of worms as soon as things, especially the number of such fourth parties to support by the same CA, start to scale up IMHO. Which promptly brings us back to you running the CA yourself ...
We can start by ruling out possibility "c". If there was code in Dovecot to check esoteric X509v3 extensions, then surely there could be code to check the certificate name. There are obviously many other problems with getting third party CA's to do anything special for one client but exploring that won't add to this discussion.
Of the other two options, I currently have "a" but would prefer to have "b" - if it can be implemented securely.
Before going into reasons, I would like to make an assertion that guides my thinking on this: Complexity is the enemy of security. Complexity implies large attack surfaces. It implies more code that is harder to debug. It implies fewer people willing and able to understand it and therefore, a more complex solution to any given problem is more likely to have vulnerabilities. Case in point: CVE-2019-3814. That said, any two people may weight "complexity" differently and so there is still room for personal preference.
possibility "a" has the advantage of a trivially simple security analysis. If the server requires a certificate from a specific CA, and that CA has only ever signed one certificate, you don't need to read the certificate to know what it says. The disadvantage of "a" is that it is not how PKI is understood to work. In fact it is Pre-Shared-Keys, dressed up as PKI. Maintaining different CA's for each service requires ongoing knowledge and effort. This is complexity that is best avoided. If systems are configured to work the "normal" way, they are more easily understood and maintained securely.
possibility "b" has the advantage of being immediately recognizable to anyone familiar with PKI. However it is not obvious that it will even work on Dovecot. as pointed out the "auth_ssl_username_from_cert" is generally used in Dovecot to do certificate based client authentication. This authentication happens in the "-login" process associated with each service, however the LMTP server does not have a login process and does not require explicit authentication. My current config accepts deliveries from Postfix. Postfix does not issue the AUTH command and deliveries proceed as expected. It is not obvious the this setting has any effect on the LMTP server. Even if we DID set the USERNAME to the certificate name, we still need to validate it somehow.
Perhaps I am missing some key piece of the puzzle, in which case please correct me, but it seems Dovecot is deficient in the authentication of LMTP client certificates. It continues to surprise me that this is not given a higher priority.
Sean.
-- This email has been checked for viruses by AVG antivirus software. www.avg.com
We are indeed listening. And Dovecot actually can check the name on the certificate, if you ask it to do so.
https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_c...
I've been studying the code, looking for any way the "auth_ssl_username_from_cert" setting could be used by the LMTP server and have been unable to find any. Could someone at least confirm that Dovecot, in it's present form, CAN NOT in fact check the name on a client certificate presented to the LMTP server. If nothing else, this misleading post needs to be corrected.
-- This email has been checked for viruses by AVG antivirus software. www.avg.com
On 19/05/2023 05:54 EEST Sean Gallagher sean@teletech.com.au wrote:
We are indeed listening. And Dovecot actually can check the name on the certificate, if you ask it to do so.
https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_c...
I've been studying the code, looking for any way the "auth_ssl_username_from_cert" setting could be used by the LMTP server and have been unable to find any. Could someone at least confirm that Dovecot, in it's present form, CAN NOT in fact check the name on a client certificate presented to the LMTP server. If nothing else, this misleading post needs to be corrected.
Somehow my mind didn't register that we are talking about LMTP. No, LMTP has no client side cert *name* validation, because LMTP has no authentication either.
What is your use-case for validation here? Did you mean submission? It has actual authentication and can do client cert name validation with auth_ssl_username_from_cert.
Aki
What is your use-case for validation here? Did you mean submission? It has actual authentication and can do client cert name validation with auth_ssl_username_from_cert.
I've been pulling apart an old monolithic server and putting various systems into dedicated containers. To this end I have put Dovecot and the user mailboxes into it's their own container and set up a LMTPS link between the MSA container (Postfix) and the MDA container (Dovcot). Mail submissions go directly to the MSA. Both the MSA and MDA independently connect back to an LDAP database (in another container) for authentication/validation. All the containers have valid public certificates which I would like to use throughout but Dovecot is the standout exception. It can't check the MSA's certificate.
In short, I want to check that all deliveries come from the MSA container, with stronger checks than IP addresses alone. On the monolithic server, the deliveries flowed over an IPC socket. I'd like a similar level of security.
I've created a single-use CA and used it to sign a certificate for the MSA to connect with over LMTP, but the arrangement is a bit of an embarrassment. All for the sake of a few lines of code to check the name on the certificate.
Mail redirects (from sieve scrips) flow back in the other direction over SMTPS. This uses the regular PKI infrastructure.
As a side note, It would be nice to be able to specify the bind address of the SMTP client. The interfaces tend to have several IPv6 addresses. It's hard to predict which one the operating system will choose.
At least now I know I have taken it as far as I can.
Regards
Sean
-- This email has been checked for viruses by AVG antivirus software. www.avg.com
On 19/05/2023 09:44 EEST Sean Gallagher sean@teletech.com.au wrote:
What is your use-case for validation here? Did you mean submission? It has actual authentication and can do client cert name validation with auth_ssl_username_from_cert.
I've been pulling apart an old monolithic server and putting various systems into dedicated containers. To this end I have put Dovecot and the user mailboxes into it's their own container and set up a LMTPS link between the MSA container (Postfix) and the MDA container (Dovcot). Mail submissions go directly to the MSA. Both the MSA and MDA independently connect back to an LDAP database (in another container) for authentication/validation. All the containers have valid public certificates which I would like to use throughout but Dovecot is the standout exception. It can't check the MSA's certificate.
In short, I want to check that all deliveries come from the MSA container, with stronger checks than IP addresses alone. On the monolithic server, the deliveries flowed over an IPC socket. I'd like a similar level of security.
I've created a single-use CA and used it to sign a certificate for the MSA to connect with over LMTP, but the arrangement is a bit of an embarrassment. All for the sake of a few lines of code to check the name on the certificate.
Mail redirects (from sieve scrips) flow back in the other direction over SMTPS. This uses the regular PKI infrastructure.
As a side note, It would be nice to be able to specify the bind address of the SMTP client. The interfaces tend to have several IPv6 addresses. It's hard to predict which one the operating system will choose.
At least now I know I have taken it as far as I can.
Regards
Sean
Seems there indeed is no way to require SSL cert for LMTP client connection. This seems to be a bug. I'll put this into our tracker.
Aki
participants (3)
-
Aki Tuomi
-
Jochen Bern
-
Sean Gallagher