How can I enable client cert validation, so remote MTA can verify?

Started by jassonmc, December 20, 2023, 05:06:30 PM

Hello there

I'm using OPNsense with the Postfix plugin as a mail gateway.
We have a secure mail provider here in Switzerland called IncaMail.
They require us to have our MTA provide a client certificate to their receiving MTA when we send mails to them.
You can easily check it by sending a mail to mta@check.incamail.ch, which sends back its findings about receiving and sending capabilities of your own MTA, the OPNsense in that case, of course.

The first part of the answer, which is sending from the OPNsense to the MTA of check.incamail.ch, tells me that there is no client certificate.

The second part is the other way around, where the MTA of check.incamail.ch is sending a mail to the OPNsense, which works as it should.

How can I provide a client certificate to the MTA of check.incamail.ch?

I've read that enabling "smtpd_tls_ask_ccert = yes" should not be used in general, as it could break legitimate mail transfer with sendmail MTAs.

Would there be a solution around "smtp_tls_policy_maps"?
If yes, what should that policy map look like, and how can I tell OPNsense to use it, as it is probably a bad idea to directly modify Postfix's main.cf?

Thanks for any hint :)


Thanks for the links @doktornotor

Your feedback helped me to find a post on github with the spot on topic:
https://github.com/opnsense/plugins/issues/3274

For testing, I added the following two lines, as mentioned in the above post, to the main.cf:

smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_cert_file

Unfortunately, that didn't help.
Are the variable names even correct?

You are supposed to replace that with the actual paths to those files, or at least define those paths in the variables behind the =, no?

Well, that was based on the already existing entry in the main.cf:

smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem

I added those two lines after that variable definition, which didn't work.
I then added the explicit path like this:

smtp_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
smtp_tls_key_file = /usr/local/etc/postfix/cert_opn.pem

With that I get the following error in the postfix log:
warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:ssl/record/rec_layer_s3.c:1621:SSL alert number 46:

And it still doesn't work...

No idea. The mail provider configuration just does not work with any normally configured MTA, extremely stupid (as noted in the Postfix docs.) IOW, unusable "secure" service is completely useless. And unless they require a specific certificate issued by them to relay mail via their MTA, it also does not secure anything.

Usually, when a provider demands such setups, they also offer a guide for the most prominent software. Do they have something like this?

@mimugmail
I did ask and they sent me the following generic info, although I asked for Postfix explicitly (in German).
The OPNsense is utilizing a Let's Encrypt certificate.

___
For IncaMail communication, a server needs:

- A valid X.509 certificate from a recognized Certification Authority (CA)

- Important: Only valid certificates from a recognized certification authority are accepted, including all certificates from European and North American certification authorities (CA - certificate authority) that are listed in Mozilla's trust list (https://wiki.mozilla.org/CA/Included_Certificates). Unfortunately, we cannot accept a self-signed certificate.

Server config:

- Install the valid certificate on the inbound or receive connector

- Likewise on the outbound or send connector. There it is important that the certificate is presented in the client role.

- The certificate chain should be presented in the order client - intermediate - root certificate.

- Enable "Transport Layer Security" (TLS) and "Mutual Authentication"

- Make sure that "Client Certificate Authentication" is enabled

Routing settings:

There you can configure that everything addressed to *.incamail.ch is forwarded to gw1.incamail.com and gw2.incamail.com (if you can specify two receiving servers). If only one receiving server can be specified, please use im.post.ch (which then distributes the messages to gw1.incamail.com and gw2.incamail.com).

Optionally, you can also use an e-mail gateway in between, placed between the mail server and the IncaMail service.

Since transport encryption only starts at the gateway, sufficiently secure transport encryption between the gateway and the mail server must be ensured.

In this case, instead of on the mail server, you can install the above-mentioned certificate on the gateway and enable STARTTLS for SMTP communication over port 25 as well as support for mutual authentication there.

It is also important that the SwissSign root certificate of the IncaMail server certificate is included in your truststore, that messages with HTML attachments are not filtered, and that the IncaMail server is not blocked (possibly via a whitelist entry).


Quote: warning: TLS library problem: error:14094416
what if you add
smtp_tls_CAfile = $smtpd_tls_CAfile
also then

Quote from: Fright on December 24, 2023, 02:46:14 PM
Quote: warning: TLS library problem: error:14094416
what if you add
smtp_tls_CAfile = $smtpd_tls_CAfile
also then

That worked, thanks :-)

I adjusted my main.cf as follows and had to uncomment the default "smtp_tls_CAfile = /etc/ssl/cert.pem":

#smtp_tls_CAfile = /etc/ssl/cert.pem
smtp_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
smtp_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
smtp_tls_key_file = /usr/local/etc/postfix/cert_opn.pem

Afterwards, I have enabled the following setting: System / Settings / General / Store intermediate
This adds all locally administered intermediate CAs to the /etc/ssl/cert.pem.
This way I could revert the change made to the smtp_tls_CAfile.
Is there a more selective way to add intermediate CAs to the cert.pem file?
It now of course also added the "Fake LE Intermediate X1" intermediate CA, which I would rather not have in the cert.pem, or is it safe?

My last question would be, how could I make my manual main.cf adjustments update-safe? :)

Thanks

Quote: Afterwards, I have enabled the following setting: System / Settings / General / Store intermediate
This adds all locally administered intermediate CAs to the /etc/ssl/cert.pem.
This way I could revert the change made to the smtp_tls_CAfile.
Is there a more selective way to add intermediate CAs to the cert.pem file?

"store intermediate" is one of the solutions, but imho it is not entirely correct.
At first glance, the pem-generation script (https://github.com/opnsense/plugins/blob/f6f324891261d8a1f75eeb0cd9bb0736e7a4403a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php) is not entirely correct: intermediate certs should be added to cert_opn.pem, not to ca_opn.pem, and ca_opn.pem should contain roots only (or 'smtpd_tls_CAfile = /etc/ssl/cert.pem' if no restrictions are required). In this case, imho there is no need to enable "Store intermediate" (which in my opinion is a very specific option).

ref. http://postfix.cs.utah.edu/postconf.5.html#smtpd_tls_cert_file

Quote: how I would make my manual main.cf adjustments update safe?
plugin update is the best option imho  ;)
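Fright's point about ordering, and IncaMail's "client - intermediate - root" requirement above, can be checked on a PEM bundle before it goes into cert_opn.pem. The script below is an added example, not code from this thread or from the OPNsense Postfix plugin; it reads only issuer and subject from each certificate's DER (no signature verification), and the LEAF/INTER/ROOT certificates it builds are constructed, unsigned stand-ins with invented names, there purely so the check runs offline.

```python
import base64
import re
# Added example (not from the thread): check that a PEM bundle for smtp_tls_cert_file is ordered
# leaf -> intermediate -> root. Only issuer/subject are read; signatures are NOT verified here.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):                                   # decode one DER TLV -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certs need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                                   # (tag, value) list of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der):                            # raw DER contents of (issuer, subject)
    fields = _children(_children(_tlv(der)[1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # skip explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, issuer, validity, subject

def check_chain_order(pem_text):
    """Return (ok, message): each certificate must be issued by the next one in the bundle."""
    certs = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return False, "no certificates found"
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            return False, f"certificate {i} is not issued by certificate {i + 1}"
    ends = "self-signed root" if certs[-1][0] == certs[-1][1] else "non-root (issuer not included)"
    return True, f"{len(certs)} certificate(s), last one is a {ends}"

_der = lambda tag, c: bytes([tag, len(c)]) + c          # short-form DER (< 128 bytes), test certs only
def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in certificate carrying only the fields read above."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigAlg
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))  # validity and SPKI empty
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

LEAF, INTER, ROOT = "mail.example.invalid", "Example Intermediate CA", "Example Root CA"  # constructed names
GOOD_BUNDLE = fake_cert_pem(LEAF, INTER) + fake_cert_pem(INTER, ROOT) + fake_cert_pem(ROOT, ROOT)
BAD_BUNDLE = fake_cert_pem(INTER, ROOT) + fake_cert_pem(LEAF, INTER)  # intermediate placed before the leaf
```

On a real bundle, call check_chain_order(open("cert_opn.pem").read()) and pair it with "openssl verify", which this script does not replace.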