LMTP STARTTLS and certificates

Matt Bernstein mb/cyrus at dcs.qmul.ac.uk
Wed Sep 11 04:44:48 EDT 2002


On Sep 10 Matt Bernstein wrote:

>At 09:42 -0400 Ken Murchison wrote:
>>Matt Bernstein wrote:
>>> So.. Exim is ready to send AUTH EXTERNAL, but it's no longer offered :-/
>>
>>Are you sure that Exim is offering a valid client cert?  lmtpd won't
>>offer EXTERNAL unless it gets an authid from the client cert.
>
>Hmmm..... ... .. ... arse! Exim's cert is fine, but the CA on the server
>is a little knotted... ..this will take a little time to sort out.

It is now utterly sorted. We have a "signing tree" like this:
(beforehand our User CA was accidentally self-signed, but the behaviour
was exactly the same AFAICT)

"DCS Root CA" (self-signed)
  \-- "DCS Server CA"
  |     \-- { all of our server certs eg imapnew.pem }
  \-- "DCS User CA"
        \-- { all of our user certs eg client.pem }

..and OpenSSL (see below) is happy with this (and Exim can deliver to
another Exim using such certificates), but Cyrus doesn't like the fact
that our Root CA is self-signed. What else could it have been? The
debugging looks like it's trying to verify the server cert.. here's all I
get from imapd.log:

Sep 11 09:31:25 vicar master[17079]: about to exec /usr/cyrus/bin/lmtpd
Sep 11 09:31:25 vicar lmtp[17079]: executed
Sep 11 09:31:25 vicar lmtpd[17079]: accepted connection
Sep 11 09:31:25 vicar lmtpd[17079]: connection from vicar [127.0.0.1]
Sep 11 09:31:25 vicar lmtpd[17079]: Doing a peer verify
Sep 11 09:31:25 vicar lmtpd[17079]: mystore: starting txn 2147483672
Sep 11 09:31:25 vicar lmtpd[17079]: mystore: committing txn 2147483672
Sep 11 09:31:25 vicar lmtpd[17079]: received client certificate
Sep 11 09:31:25 vicar lmtpd[17079]: subject=/C=UK/ST=United
Kingdom/L=London/O=Queen Mary, University of London/OU=Department of
Computer Science/CN=mail.dcs.qmul.ac.uk/Email=systems at dcs.qmul.ac.uk
Sep 11 09:31:25 vicar lmtpd[17079]: starttls: TLSv1 with cipher
DES-CBC3-SHA (168/168 bits new) authenticated as mail.dcs.qmul.ac.uk

So.. I can't use AUTH EXTERNAL.. what am I missing?

vicar# egrep '_file' /etc/imapd.conf
tls_cert_file: /etc/cyrus/imapnew.cert
tls_key_file: /etc/cyrus/imapnew.key
tls_lmtp_cert_file: /etc/cyrus/imapnew.cert
tls_lmtp_key_file: /etc/cyrus/imapnew.key
tls_ca_file: /etc/cyrus/DCS_CA_file.pem
vicar# openssl verify -CAfile /etc/cyrus/DCS_CA_file.pem /etc/cyrus/imapnew.cert
/etc/cyrus/imapnew.cert: OK
vicar# openssl verify -CAfile /etc/cyrus/DCS_CA_file.pem client.pem
client.pem: OK
vicar# lmtptest -v -t client.pem localhost | egrep -v '^0'
S: 220 vicar LMTP Cyrus v2.1.9 ready
C: LHLO example.com
S: 250-vicar
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250 IGNOREQUOTA
C: STARTTLS
S: 220 Begin TLS negotiation now
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 08064940 [08074188] (88 bytes => 88 (0x58))

SSL_connect:SSLv3 write client hello A
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (74 bytes => 74 (0x4A))

SSL_connect:SSLv3 read server hello A
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (4093 bytes => 4012 (0xFAC))
read from 08064940 [0806C929] (81 bytes => 81 (0x51))
Peer cert verify depth=2 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
University of London/OU=Department of Computer Science/CN=DCS Root
CA/Email=systems at dcs.qmul.ac.uk
verify error:num=19:self signed certificate in certificate chain
verify return:1
Peer cert verify depth=2 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
University of London/OU=Department of Computer Science/CN=DCS Root
CA/Email=systems at dcs.qmul.ac.uk
verify return:1
Peer cert verify depth=1 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
University of London/OU=Department of Computer Science/CN=DCS Server
CA/Email=systems at dcs.qmul.ac.uk
verify return:1
Peer cert verify depth=0 /C=UK/ST=United Kingdom/L=London/O=Queen Mary,
University of London/OU=Department of Computer
Science/CN=imapnew.dcs.qmul.ac.uk/Email=systems at dcs.qmul.ac.uk
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (630 bytes => 630 (0x276))

SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
write to 08064940 [080799A0] (1787 bytes => 1787 (0x6FB))
SSL_connect:SSLv3 flush data
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (1 bytes => 1 (0x1))
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (40 bytes => 40 (0x28))
SSL_connect:SSLv3 read finished A
subject_CN=imapnew.dcs.qmul.ac.uk, issuer_CN=DCS Server CA
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Asking for capabilities again since they might have changed
C: LHLO example.com
write to 08064940 [08074188] (45 bytes => 45 (0x2D))
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (152 bytes => 152 (0x98))
S: 250-vicar
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH LOGIN PLAIN
S: 250 IGNOREQUOTA
C: AUTH LOGIN
write to 08064940 [08074188] (45 bytes => 45 (0x2D))
read from 08064940 [0806B978] (5 bytes => 5 (0x5))
read from 08064940 [0806B97D] (40 bytes => 40 (0x28))
S: 334 VXNlcm5hbWU6
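Added example, not from the post or from Cyrus: a shell script that builds a constructed signing tree shaped like the one above (root, server CA, user CA, one leaf each; all names and hostnames are made up) and shows when OpenSSL reports the "error 19" that lmtptest logged, and when the same chain verifies cleanly because the verifying side trusts the root.

```shell
#!/bin/sh
# Constructed three-level signing tree (hypothetical names) mirroring the
# post: root -> server CA / user CA -> leaf certs. OpenSSL error 19 ("self
# signed certificate in certificate chain") means the presented chain ends
# in a self-signed root that the verifier's trust store does not contain.
# Requires the openssl CLI (1.1.0 or newer for -no-CAfile/-no-CApath).
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# issue NAME CN ISSUER CA_FLAG   (empty ISSUER = self-signed)
issue() {
  if [ "$4" = CA:TRUE ]; then ku=keyCertSign,cRLSign; else ku=digitalSignature,keyEncipherment; fi
  printf 'basicConstraints=critical,%s\nkeyUsage=critical,%s\n' "$4" "$ku" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Example/CN=$2" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

issue root     "Example Root CA"   ""       CA:TRUE
issue serverca "Example Server CA" root     CA:TRUE
issue userca   "Example User CA"   root     CA:TRUE
issue server   "lmtp.example.test" serverca CA:FALSE
issue client   "mail.example.test" userca   CA:FALSE

# Correctly configured peer: the root is in the trust store (like the post's
# tls_ca_file) and the intermediate arrives as untrusted chain material.
verify_trusting_root() {   # $1=leaf $2=intermediate; exit 0 when the chain is OK
  openssl verify -CAfile root.pem -untrusted "$2.pem" "$1.pem" >/dev/null 2>&1
}

# What lmtptest saw: the full chain, root included, is presented, but no
# trust store holds that root. Prints the error text, nothing on success.
verify_untrusted_root() {  # $1=leaf $2=intermediate
  cat "$2.pem" root.pem > "chain_$1.pem"
  openssl verify -no-CAfile -no-CApath -untrusted "chain_$1.pem" "$1.pem" 2>&1 \
    | grep -o 'self.signed certificate in certificate chain' | head -n 1
}

verify_trusting_root server serverca && echo "server chain OK with trusted root"
verify_trusting_root client userca   && echo "client chain OK with trusted root"
echo "without trusted root: $(verify_untrusted_root client userca)"
```

The same check applies in both directions: lmtpd needs the root in tls_ca_file to accept the client cert, and the client needs it to accept the server cert.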