LMTP STARTTLS and certificates

Ken Murchison ken at oceana.com
Wed Sep 11 09:39:11 EDT 2002 


Matt Bernstein wrote:
> 
> On Sep 10 Matt Bernstein wrote:
> 
> >At 09:42 -0400 Ken Murchison wrote:
> >>Matt Bernstein wrote:
> >>> So.. Exim is ready to send AUTH EXTERNAL, but it's no longer offered :-/
> >>
> >>Are you sure that Exim is offering a valid client cert?  lmtpd won't
> >>offer EXTERNAL unless it gets an authid from the client cert.
> >
> >Hmmm..... ... .. ... arse! Exim's cert is fine, but the CA on the server
> >is a little knotted... ..this will take a little time to sort out.
> 
> It is now utterly sorted. We have a "signing tree" like this:
> (beforehand our User CA was accidentally self-signed, but the behaviour
> was exactly the same AFAICT)
> 
> "DCS Root CA" (self-signed)
>   \-- "DCS Server CA"
>   |     \-- { all of our server certs eg imapnew.pem }
>   \-- "DCS User CA"
>         \-- { all of our user certs eg client.pem }
> 
> ..and OpenSSL (see below) is happy with this (and Exim can deliver to
> another Exim using such certificates), but Cyrus doesn't like the fact
> that our Root CA is self-signed. What else could it have been? The
> debugging looks like it's trying to verify the server cert.. here's all I
> get from imapd.log:
> 
> Sep 11 09:31:25 vicar master[17079]: about to exec /usr/cyrus/bin/lmtpd
> Sep 11 09:31:25 vicar lmtp[17079]: executed
> Sep 11 09:31:25 vicar lmtpd[17079]: accepted connection
> Sep 11 09:31:25 vicar lmtpd[17079]: connection from vicar [127.0.0.1]
> Sep 11 09:31:25 vicar lmtpd[17079]: Doing a peer verify
> Sep 11 09:31:25 vicar lmtpd[17079]: mystore: starting txn 2147483672
> Sep 11 09:31:25 vicar lmtpd[17079]: mystore: committing txn 2147483672
> Sep 11 09:31:25 vicar lmtpd[17079]: received client certificate
> Sep 11 09:31:25 vicar lmtpd[17079]: subject=/C=UK/ST=United
> Kingdom/L=London/O=Queen Mary, University of London/OU=Department of
> Computer Science/CN=mail.dcs.qmul.ac.uk/Email=systems at dcs.qmul.ac.uk
> Sep 11 09:31:25 vicar lmtpd[17079]: starttls: TLSv1 with cipher
> DES-CBC3-SHA (168/168 bits new) authenticated as mail.dcs.qmul.ac.uk
> 
> So.. I can't use AUTH EXTERNAL.. what am I missing?

I'm by no means an expert, but I _think_ what you need is a cert with an
authid as the CN.  lmtpd is looking for a user to authenticate, not a
client machine.  You need a cert like you would use for an email client
like Netscape or Outlook.


> vicar# egrep '_file' /etc/imapd.conf
> tls_cert_file: /etc/cyrus/imapnew.cert
> tls_key_file: /etc/cyrus/imapnew.key
> tls_lmtp_cert_file: /etc/cyrus/imapnew.cert
> tls_lmtp_key_file: /etc/cyrus/imapnew.key
> tls_ca_file: /etc/cyrus/DCS_CA_file.pem
> vicar# openssl verify -CAfile /etc/cyrus/DCS_CA_file.pem /etc/cyrus/imapnew.cert
> /etc/cyrus/imapnew.cert: OK
> vicar# openssl verify -CAfile /etc/cyrus/DCS_CA_file.pem client.pem
> client.pem: OK
> vicar# lmtptest -v -t client.pem localhost | egrep -v '^0'
> S: 220 vicar LMTP Cyrus v2.1.9 ready
> C: LHLO example.com
> S: 250-vicar
> S: 250-8BITMIME
> S: 250-ENHANCEDSTATUSCODES
> S: 250-PIPELINING
> S: 250-SIZE
> S: 250-STARTTLS
> S: 250 IGNOREQUOTA
> C: STARTTLS
> S: 220 Begin TLS negotiation now
> starting TLS engine
> setting up TLS connection
> SSL_connect:before/connect initialization
> write to 08064940 [08074188] (88 bytes => 88 (0x58))
> 
> SSL_connect:SSLv3 write client hello A
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (74 bytes => 74 (0x4A))
> 
> SSL_connect:SSLv3 read server hello A
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (4093 bytes => 4012 (0xFAC))
> read from 08064940 [0806C929] (81 bytes => 81 (0x51))
> Peer cert verify depth=2 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
> University of London/OU=Department of Computer Science/CN=DCS Root
> CA/Email=systems at dcs.qmul.ac.uk
> verify error:num=19:self signed certificate in certificate chain
> verify return:1
> Peer cert verify depth=2 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
> University of London/OU=Department of Computer Science/CN=DCS Root
> CA/Email=systems at dcs.qmul.ac.uk
> verify return:1
> Peer cert verify depth=1 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
> University of London/OU=Department of Computer Science/CN=DCS Server
> CA/Email=systems at dcs.qmul.ac.uk
> verify return:1
> Peer cert verify depth=0 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
> University of London/OU=Department of Computer
> Science/CN=imapnew.dcs.qmul.ac.uk/Email=systems at dcs.qmul.ac.uk
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (630 bytes => 630 (0x276))
> 
> SSL_connect:SSLv3 read server certificate request A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client certificate A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write certificate verify A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> write to 08064940 [080799A0] (1787 bytes => 1787 (0x6FB))
> SSL_connect:SSLv3 flush data
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (1 bytes => 1 (0x1))
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (40 bytes => 40 (0x28))
> SSL_connect:SSLv3 read finished A
> subject_CN=imapnew.dcs.qmul.ac.uk, issuer_CN=DCS Server CA
> TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> Asking for capabilities again since they might have changed
> C: LHLO example.com
> write to 08064940 [08074188] (45 bytes => 45 (0x2D))
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (152 bytes => 152 (0x98))
> S: 250-vicar
> S: 250-8BITMIME
> S: 250-ENHANCEDSTATUSCODES
> S: 250-PIPELINING
> S: 250-SIZE
> S: 250-STARTTLS
> S: 250-AUTH LOGIN PLAIN
> S: 250 IGNOREQUOTA
> C: AUTH LOGIN
> write to 08064940 [08074188] (45 bytes => 45 (0x2D))
> read from 08064940 [0806B978] (5 bytes => 5 (0x5))
> read from 08064940 [0806B97D] (40 bytes => 40 (0x28))
> S: 334 VXNlcm5hbWU6

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the Info-cyrus mailing list