<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">To follow up on my previous email,</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">It seems the LMTP daemon does NOT
      support ssl_ca selection based on remote IP. It also does NOT seem
      to support authorization.</div>
    <div class="moz-cite-prefix">The solution I arrived at was to create
      a separate CA, used solely for the purpose of authorizing LDAP
      clients.</div>
    <div class="moz-cite-prefix">
      <pre class="code bash"># dedicated CA key and self-signed CA certificate (key usage restricted to signing certs/CRLs)
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/private/ca_dovecot_lmtps.key
openssl req -x509 -new -subj '/CN=Dovecot LMTP Authorization CA' -key /etc/ssl/private/ca_dovecot_lmtps.key -nodes -sha256 -days 3650 -addext 'keyUsage=keyCertSign,cRLSign' -out /etc/ssl/private/ca_dovecot_lmtps.pem
</pre>
      This CA can then be used to sign certificates for LMTP clients to
      use when delivering mail.</div>
    <div class="moz-cite-prefix">
      <pre class="code bash"># short name of the LMTP source (here: the MSA) this certificate is issued to
export lmtpsrc=msa
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out /etc/ssl/private/_lmtp.${lmtpsrc}.example.com.key
openssl req -new -nodes -key /etc/ssl/private/_lmtp.${lmtpsrc}.example.com.key -sha256 -out /etc/ssl/private/_lmtp.${lmtpsrc}.example.com.csr -subj "/CN=${lmtpsrc}.example.com"
# X.509v3 extensions for the leaf certificate: end-entity only, client (and server) auth, SAN = host name
cat &lt;&lt;EOF &gt;/etc/ssl/private/_lmtp.${lmtpsrc}.example.com.ext
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${lmtpsrc}.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
EOF
# sign with the dedicated CA created above (ca_dovecot_lmtps.*, the same file referenced by ssl_ca);
# -CAcreateserial creates the CA serial file on first use
openssl x509 -req -CA /etc/ssl/private/ca_dovecot_lmtps.pem -CAkey /etc/ssl/private/ca_dovecot_lmtps.key -CAcreateserial -sha256 -days 3650 -in /etc/ssl/private/_lmtp.${lmtpsrc}.example.com.csr -extfile /etc/ssl/private/_lmtp.${lmtpsrc}.example.com.ext -out /etc/ssl/private/_lmtp.${lmtpsrc}.example.com.pem
</pre>
    </div>
    <div class="moz-cite-prefix">The Dovecot configuration looks like
      this:</div>
    <div class="moz-cite-prefix">
      <pre class="code bash">protocol lmtp {
  mail_uid = nobody
  # refuse delivery unless the client presents a certificate that chains to ssl_ca
  auth_ssl_require_client_cert = yes
  ssl_verify_client_cert = yes
  ssl_ca = &lt;/etc/ssl/private/ca_dovecot_lmtps.pem

  ssl = required
  ssl_cert = &lt;/etc/ssl/mda.example.com-chain.pem
  ssl_key = &lt;/etc/ssl/private/mda.example.com.key
  ssl_require_crl = no
}
</pre>
      <div class="moz-cite-prefix">This solution seems secure and
        manageable so long as the number of LMTP sources stays small,
        but overall, feels very unsatisfactory.</div>
      <div class="moz-cite-prefix"><br>
      </div>
      <div class="moz-cite-prefix">I would regard Dovecot's inability to
        inspect the LMTP certificate's subject name as a BUG that should
        be prioritized.</div>
      <div class="moz-cite-prefix"><br>
      </div>
      <div class="moz-cite-prefix">As it stands, I would not be
        surprised to find real-world deployments of Dovecot that are
        insecure, as _ANY_ host with a valid certificate could originate
        mail.</div>
      <div class="moz-cite-prefix">As a quick illustration, I created
        another certificate with an invalid name from my "/CN=Dovecot
        LMTP Authorization CA" authority. The mail was accepted without
        complaint. In "normal" setups, a certificate from any public CA
        would be accepted.<br>
      </div>
      <div class="moz-cite-prefix">
        <pre class="code bash">Feb 11 14:29:52 imaps mail.info dovecot: lmtp(16386): Received valid SSL certificate: /CN=Dovecot LMTP Authorization CA
Feb 11 14:29:52 imaps mail.info dovecot: lmtp(16386): Received valid SSL certificate: /CN=evil.example.com
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client certificate
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read certificate verify
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
Feb 11 14:29:52 imaps mail.debug dovecot: lmtp(16386): Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully</pre>
      </div>
    </div>
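    <div class="moz-cite-prefix">Added example, not part of the original
      message and not Dovecot code: because the LMTP daemon logs
      "Received valid SSL certificate: SUBJECT" for every certificate in the
      verified client chain (the CA's certificate first, as in the log
      above), the per-source check it does not perform can at least be run
      as a detection over the mail log. The allow-list, the sample log lines
      and the assumption that the host name is carried in the CN are
      constructed for this example.</div>

```python
"""Detect LMTP deliveries whose client certificate is not from an allowed source.

Added example, not Dovecot code. With ssl_verify_client_cert = yes, Dovecot
logs "Received valid SSL certificate: SUBJECT" for every certificate in the
verified chain (CA first, then the leaf). The daemon does not compare the
leaf subject with anything, so this script does it on the log instead.
"""
import re
import sys

# Constructed allow-list: host names of the MSAs permitted to deliver via LMTP.
ALLOWED_LMTP_SOURCES = {"msa.example.com"}

# Subject of the dedicated CA; it appears in every chain and is not itself a source.
# A leaf issued with this exact subject would be skipped, so the CA must never issue one.
CA_SUBJECT = "/CN=Dovecot LMTP Authorization CA"

LINE_RE = re.compile(
    r"dovecot: lmtp\((?P<pid>\d+)\): Received valid SSL certificate: (?P<subject>.+)$"
)
CN_RE = re.compile(r"/CN=([^/]+)")


def leaf_subjects(lines):
    """Yield (pid, subject) for each certificate Dovecot accepted, except the CA's own."""
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        subject = m.group("subject").strip()
        if subject == CA_SUBJECT:
            continue
        yield m.group("pid"), subject


def source_name(subject):
    """Return the host name from the subject DN (assumption: the CN holds the host name)."""
    m = CN_RE.search(subject)
    return m.group(1).strip().lower() if m else None


def unauthorized_sources(lines, allowed=ALLOWED_LMTP_SOURCES):
    """Return [(pid, subject), ...] for accepted leaf certificates that are not on the allow-list."""
    return [
        (pid, subject)
        for pid, subject in leaf_subjects(lines)
        if source_name(subject) not in allowed
    ]


# Constructed sample: the chain from the report (evil.example.com) plus a legitimate MSA.
SAMPLE_LOG = """\
Feb 11 14:29:52 imaps mail.info dovecot: lmtp(16386): Received valid SSL certificate: /CN=Dovecot LMTP Authorization CA
Feb 11 14:29:52 imaps mail.info dovecot: lmtp(16386): Received valid SSL certificate: /CN=evil.example.com
Feb 11 14:30:10 imaps mail.info dovecot: lmtp(16390): Received valid SSL certificate: /CN=Dovecot LMTP Authorization CA
Feb 11 14:30:10 imaps mail.info dovecot: lmtp(16390): Received valid SSL certificate: /CN=msa.example.com
"""


def main(argv):
    # "-" reads the real log from stdin; otherwise the constructed sample is used.
    lines = sys.stdin if len(argv) == 2 and argv[1] == "-" else SAMPLE_LOG.splitlines()
    hits = unauthorized_sources(lines)
    for pid, subject in hits:
        print(f"ALERT lmtp({pid}): delivery from unauthorized certificate {subject}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    <div class="moz-cite-prefix">Run without arguments it checks the
      embedded sample and reports the evil.example.com delivery; with
      <code>-</code> it reads the mail log from standard input. The check
      only sees what Dovecot logs, so it detects rather than prevents a
      delivery, and it trusts the CN because the log line does not include
      the subjectAltName.</div>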
  </body>
</html>