Mailing List Archive

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786




--- Comment #2 from jwexler@mail.usa.com 2008-12-02 09:04:58 ---
Thank you for your quick response.

Isn't this one additional a means to increase the security to further restrict
who is authorized to relay outgoing email through the server?
I have read as much as I can about this feature including
http://www.exim.org/lurker/message/20070610.123842.6610025d.en.html

If this is not what tls_verify_hosts is for then what is it intended for?

Outlook appears to send the server certificate that I loaded in Outlook's
trusted center. For example, when I send email from this same Outlook client
via an account at another machine running MS Exchange 2000 and then open the
email from another Outlook client machine, I am able to view the contents of
the server certificate that was sent.

Please don't misunderstand; my objective is not to check certificates of
inbound email. Rather, it is for Exim to validate whether or not the Outlook
2007 client is allowed to relay outgoing smtp email by (in addition to TLS
authentication) checking that the certificate that Outlook uses for
authentication (in the Outlook trusted center) is in
/etc/ssl/certs/ca-certificats.crt. MS Exchange has a feature for an
authentication layer via certificates; thus, I believe that Outlook should be
able to do its part.

(Please excuse my challenge with correct terminology below.)

I just did the following two tests.
TEST #1: Send an encrypted, signed email from Outlook 2007 via an account that
authenticates with the main Exim server. I.e., direct authentication with main
Exim server.

The error I just got is as follows:
2008-12-02 16:06:12 [31010] SMTP connection from [main_exim_server_ip]:3687
I=[originating_outlook_client_ip]:587 (TCP/IP connection count = 1)
2008-12-02 16:06:12 [31028] TLS error on connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3687
(gnutls_handshake): The peer did not send any certificate.
2008-12-02 16:06:12 [31028] SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3687
I=[originating_outlook_client_ip]:587 closed by EOF
2008-12-02 16:06:12 [31028] no MAIL in SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3687
I=[originating_outlook_client_ip]:587 D=0s C=EHLO,STARTTLS



TEST #2: Send an encrypted, signed email from Outlook 2007 via an account that
authenticates with a separate (interim) Exim server on another machine. Upon
authentication, this interim Exim server then relays the email to the main Exim
server for delivery to the local user. I.e., indirect sending via a separate
Exim server for inbound delivery at the main Exim server.

Main Exim Server Log:
I.e., Log from the main Exim server that receives the email for delivery from
the interim Exim server:

2008-12-02 16:26:30 [1865] SMTP connection from
[interim_exim_server_for_relay_from_separate_mta_ip]:44978
I=[originating_outlook_client_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [1882] TLS error on connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44978 (gnutls_handshake):
The peer did not send any certificate.
2008-12-02 16:26:30 [1882] SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44978
I=[originating_outlook_client_ip]:25 closed by EOF
2008-12-02 16:26:30 [1882] no MAIL in SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44978
I=[originating_outlook_client_ip]:25 D=0s C=EHLO,STARTTLS
2008-12-02 16:26:30 [1865] SMTP connection from
[interim_exim_server_for_relay_from_separate_mta_ip]:44979
I=[originating_outlook_client_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [1883]
H=interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44979
I=[originating_outlook_client_ip]:25 rejected MAIL
<user_who_relays_through_other_interim_exim_server@domain>
2008-12-02 16:26:30 [1883] SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:44979
I=[originating_outlook_client_ip]:25 closed by QUIT


Interim Exim Server Log:
Log from the interim Exim Server that authenticates and then relays to the main
Exim Server following:

2008-12-02 16:26:30 [4880] SMTP connection from [main_exim_server_ip]:3705
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 (TCP/IP connection
count = 1)
2008-12-02 16:26:30 [6272] 1L7PeQ-0001dA-8c <=
user_who_relays_through_other_interim_exim_server@domain
H=originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3705
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 P=esmtp S=12177
id=02ca01c9544f$495c11d0$dc143570$@com T="For delivery. Sent from another exim
server. tls_verify_hosts Expect: OK 002" from
<user_who_relays_through_other_interim_exim_server@domain> for
testuser02@local_virtual_domain_pre-rewrite
2008-12-02 16:26:30 [6273] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7PeQ-0001dA-8c
2008-12-02 16:26:30 [6274] 1L7PeQ-0001dA-8c TLS error on connection to
local_virtual_domain_pre-rewrite [originating_outlook_client_ip]
(gnutls_handshake): Error in the push function.
2008-12-02 16:26:30 [6274] 1L7PeQ-0001dA-8c TLS session failure: delivering
unencrypted to local_virtual_domain_pre-rewrite [originating_outlook_client_ip]
(not in hosts_require_tls)
2008-12-02 16:26:30 [6273] 1L7PeQ-0001dA-8c **
testuser02@local_virtual_domain_pre-rewrite
F=<user_who_relays_through_other_interim_exim_server@domain>
P=<user_who_relays_through_other_interim_exim_server@domain>
R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server
after MAIL FROM:<user_who_relays_through_other_interim_exim_server@domain>
SIZE=13370: host local_virtual_domain_pre-rewrite
[originating_outlook_client_ip]: 550 Administrative prohibition
2008-12-02 16:26:30 [6275] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem
-oi -f <> -E1L7PeQ-0001dA-8c
2008-12-02 16:26:31 [6275] 1L7PeQ-0001dD-QU <= <> R=1L7PeQ-0001dA-8c
U=Debian-exim P=local S=13157 T="Mail delivery failed: returning message to
sender" from <> for user_who_relays_through_other_interim_exim_server@domain
2008-12-02 16:26:31 [6276] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7PeQ-0001dD-QU
2008-12-02 16:26:31 [6273] 1L7PeQ-0001dA-8c Completed QT=1s
2008-12-02 16:26:31 [6276] 1L7PeQ-0001dD-QU =>
user_who_relays_through_other_interim_exim_server
<user_who_relays_through_other_interim_exim_server@domain> F=<> P=<>
R=ldap_user T=maildir_home S=13252 QT=1s DT=0s
2008-12-02 16:26:31 [6276] 1L7PeQ-0001dD-QU Completed QT=1s
2008-12-02 16:26:33 [6272] SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [main_exim_server_ip]:3705
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 closed by QUIT


TEST #3: Same as Test #2 except that I commented out MAIN_RELAY_NETS so that
neither the Client nor the Interim Exim relay server are in MAIN_RELAY_NETS.

MAIN EXIM SERVER LOG:
2008-12-02 17:25:40 [3153] SMTP connection from
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25 (TCP/IP connection count = 1)
2008-12-02 17:25:40 [3167] "testuser02@local_virtual_domain_pre-rewrite" from
env-to rewritten as "post_rewrite_prefix_testuser02@domain" by rule 7
2008-12-02 17:25:40 [3167]
H=interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25
F=<user_who_relays_through_other_interim_exim_server@domain> rejected RCPT
<testuser02@local_virtual_domain_pre-rewrite>
2008-12-02 17:25:40 [3167]
H=interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25 incomplete transaction (QUIT) from
<user_who_relays_through_other_interim_exim_server@domain>
2008-12-02 17:25:40 [3167] SMTP connection from
interim_exim_server_for_relay_from_separate_mta_hostname.domain
[interim_exim_server_for_relay_from_separate_mta_ip]:41397
I=[main_exim_server_ip]:25 closed by QUIT


INTERIM RELAYING EXIM SERVER LOG:
2008-12-02 17:25:40 [4880] SMTP connection from
[originating_outlook_client_ip]:3820
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 (TCP/IP connection
count = 1)
2008-12-02 17:25:40 [6363] 1L7QZg-0001ed-GO <=
user_who_relays_through_other_interim_exim_server@domain
H=originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [originating_outlook_client_ip]:3820
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 P=esmtp S=11982
id=02db01c95457$8d3c5880$a7b50980$@com T="For delivery. Sent from another exim
server. tls_verify_hosts Expect: OK 003" from
<user_who_relays_through_other_interim_exim_server@domain> for
testuser02@local_virtual_domain_pre-rewrite
2008-12-02 17:25:40 [6364] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7QZg-0001ed-GO
2008-12-02 17:25:40 [6364] 1L7QZg-0001ed-GO **
testuser02@local_virtual_domain_pre-rewrite
F=<user_who_relays_through_other_interim_exim_server@domain>
P=<user_who_relays_through_other_interim_exim_server@domain>
R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server
after RCPT TO:<testuser02@local_virtual_domain_pre-rewrite>: host
local_virtual_domain_pre-rewrite [main_exim_server_ip]: 550 Administrative
prohibition
2008-12-02 17:25:40 [6366] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem
-oi -f <> -E1L7QZg-0001ed-GO
2008-12-02 17:25:41 [6366] 1L7QZg-0001eg-Qx <= <> R=1L7QZg-0001ed-GO
U=Debian-exim P=local S=12959 T="Mail delivery failed: returning message to
sender" from <> for user_who_relays_through_other_interim_exim_server@domain
2008-12-02 17:25:41 [6367] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1L7QZg-0001eg-Qx
2008-12-02 17:25:41 [6364] 1L7QZg-0001ed-GO Completed QT=1s
2008-12-02 17:25:41 [6367] 1L7QZg-0001eg-Qx =>
user_who_relays_through_other_interim_exim_server
<user_who_relays_through_other_interim_exim_server@domain> F=<> P=<>
R=ldap_user T=maildir_home S=13054 QT=1s DT=0s
2008-12-02 17:25:41 [6367] 1L7QZg-0001eg-Qx Completed QT=1s
2008-12-02 17:25:43 [6363] SMTP connection from
originating_outlook_client_hostname.domain
(originating_outlook_client_hostname) [originating_outlook_client_ip]:3820
I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 closed by QUIT


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

On Tue, 2 Dec 2008, jwexler@mail.usa.com wrote:

| Outlook appears to send the server certificate that I loaded in Outlook's
| trusted center.

That's very strange.

Normally, a *server* certificate is sent from the server to the client, to
help the client to authenticate the server.

In some situations, the server requires the client to supply a *client*
certifiate, to help the server authenticate the client. This seems to be
what you're after. But as Andreas says, I've no idea if/how you can make
outlook supply a *client* certificate.

However, you mention outlook sending a *server* certificate. This sounds
odd - there is no point in sending a server certificate *to* the server.
Recall that the server certificate is essentially public. Anyone who can
send packets to the server can trivially download it.



--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

On Tue, 2 Dec 2008, jwexler@mail.usa.com wrote:

| Outlook appears to send the server certificate that I loaded in
| Outlook's trusted center.

That's very strange.

Normally, a *server* certificate is sent from the server to the client, to
help the client to authenticate the server.

In some situations, the server requires the client to supply a *client*
certifiate, to help the server authenticate the client. This seems to be
what you're after. But as Andreas says, I've no idea if/how you can make
outlook supply a *client* certificate.

However, you mention outlook sending a *server* certificate. This sounds
odd - there is no point in sending a server certificate *to* the server.
Recall that the server certificate is essentially public. Anyone who can
send packets to the server can trivially download it.




--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786

jwexler@mail.usa.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jwexler@mail.usa.com




--- Comment #3 from jwexler@mail.usa.com 2008-12-04 23:03:29 ---
> On 2008-12-03 15:00, Chris Edwards wrote:
> On Tue, 2 Dec 2008, jwexler@??? wrote:
>
> | Outlook appears to send the server certificate that I loaded in
> | Outlook's trusted center.
>
> That's very strange.
>
> Normally, a *server* certificate is sent from the server to the client, to
> help the client to authenticate the server.
>
> In some situations, the server requires the client to supply a *client*
> certifiate, to help the server authenticate the client. This seems to be
> what you're after. But as Andreas says, I've no idea if/how you can make
> outlook supply a *client* certificate.
>
> However, you mention outlook sending a *server* certificate. This sounds
> odd - there is no point in sending a server certificate *to* the server.
> Recall that the server certificate is essentially public. Anyone who can
> send packets to the server can trivially download it.
>

Thanks Chris.
I have also actually attempted the same test using a client certificate in
Outlook Trust Center with the same results.

This is the current configuration of certificates that I have:

01_CA_Certificate = CA certificate signing authority

02_Server_Certificate = Certificate signed by 01_CA_Certificate. This
certificate and its corresponding private key are located in /etc/exim4. This
is the certificate that MAIN_TLS_CERTIFICATE is assigned and
MAIN_TLS_PRIVATEKEY is assigned to its corresponding private key. (Note that
the certificate is also in /usr/share/ca-certificates and loaded into
/etc/ssl/certs/ca-certificats.crt per the instructions in exim4.conf.template.
I realize now from your post that the server certificate should not be there
but would guess does not affect the tls_verify_hosts issue.)

03_Client1_Certificate = Email sender/authenticator's client certificate. Test
user 1.

04_Client2_Certificate = Email recipient's client certificate. Test user 2.
This is also signed by 01_CA_Certificate.

Both client certificates (03_ and 04_) are signed by 01_CA_Certificate. Each of
the two client users were added to Outlook's address book and their
corresponding certificates (in .cer file format for the address book upload)
were uploaded and saved in the addresss book. Note that Outlook requires that
their certificates be in the address book before it allows signed and encrypted
email to be sent between the sender and recipient.

As mentioned above, I had initial attempted the authentication check via
tls_verify_hosts = * with 03_Client1_Certificate in Outlook's Trust Center.
(CASE A) I had gotten identical errors messages in Exim's mainlog. When I
commented out the tls_verify_hosts assignment, I had confirmed that the client
certificate was indeed within the received email.
Since tls_verify_hosts did not work with the sender's client certificate, I had
then proceeded to attempt sending the email by uploading 02_Server_Certificate
into Outlook's Trust Center and tried sending with that certificate (CASE B).
This yielded the same error as CASE A (and of course is not expected to work
given that it should be the client certificate that is sent as per your post).

Other settings: Exim was installed from daemon-heavy and thus appears to
perform TLS via GnuTLS rather than OpenSSL. The certificates that I have been
testing against recently were created via GnuTLS's certtool. TLS relaying is
performed on port 587. The Outlook client is on a network within
MAIN_RELAY_NETS which is required for authenticating.

CASE A is the intended functionality for tls_verify_hosts, correct? I would
guess that this is its intended purpose as it seems to offer equivalent
certificate authentication security functionality as in MS Exchange. I can't
imagine what other purpose would be for tls_verify_hosts than to verify client
certificates for authentication.

Is there any other info/test that I can provide to help determine whether this
is a legitimate bug?


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786

jwexler@mail.usa.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC|jwexler@mail.usa.com |




--- Comment #4 from jwexler@mail.usa.com 2008-12-04 23:10:40 ---
Addendum:
03_Client1_Certificate and 04_Client2_Certificate are also located in
/usr/share/ca-certificates and loaded into /etc/ssl/certs/ca-certificats.crt
per the instructions in exim4.conf.template. I have confirmed they are listed
in /etc/ca-certificates as well and symbolic links (as .pem) were created for
them in /etc/ssl/certs.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786




--- Comment #5 from jwexler@mail.usa.com 2008-12-12 05:16:55 ---
I'm not sure if this is expected behavior or not. Adding to bug report just in
case it helps.
Case: Send an email through exim on ServerA for delivery via exim on ServerB.
MAIN_TLS_VERIFY_HOSTS nor MAIN_TLS_TRY_VERIFY_HOSTS set in either server.
If TLS certificate that exim uses on ServerB is included in
/etc/ca-certificates of ServerA (and certificates in correct locations on
ServerA), when try to send email through ServerA, get the following error and
log entry in ServerA (there is no log entry in ServerB):

2008-12-12 13:45:59 [1589] SMTP connection from [client_ip]:1605
I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:46:00 [1610] TLS error on connection from client.domain (client)
[client_ip]:1605 (gnutls_handshake): A TLS packet with unexpected length was
received.
2008-12-12 13:46:00 [1610] SMTP connection from client.domain (client)
[client_ip]:1605 I=[ServerA_ip]:587 closed by EOF
2008-12-12 13:46:00 [1610] no MAIL in SMTP connection from client.domain
(client) [client_ip]:1605 I=[ServerA_ip]:587 D=1s C=EHLO,STARTTLS

After removing ServerB's certificate from ServerA (and updating
/etc/ca-certificates, /etc/ssl/certs/ca-certificates, etc), the email goes
through ok.

Log entries:

ServerA:
2008-12-12 13:49:02 [4850] SMTP connection from [client_ip]:1606
I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:49:10 [4876] 1LAzxX-0001Ge-E9 <= sender@domain H=client.domain
(client) [client_ip]:1606 I=[ServerA_ip]:587 P=smtps
X=TLS-1.0:RSA_ARCFOUR_MD5:16 CV=no DN="" S=8162
id=021301c95c14$f6e0f8d0$e4a2ea70$@com T="ServerA -> ServerB Signed Expect OK
19" from <sender@domain> for recipient@recipient_domain
2008-12-12 13:49:10 [4889] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1LAzxX-0001Ge-E9
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 => recipient@recipient_domain
F=<sender@domain> P=<sender@domain> R=dnslookup_relay_to_domains T=remote_smtp
S=8361 H=recipient_domain [ServerB_ip]:25 X=TLS-1.0:RSA_AES_256_CBC_SHA1:32
CV=no DN="C=US,ST=State,L=City,O=Company LLC,OU=Information
Technology,CN=ServerB.domain,EMAIL=sysmail@domain" C="250 OK
id=1LAzxd-0001k5-8d" QT=7s DT=0s
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 Completed QT=7s
2008-12-12 13:49:13 [4876] SMTP connection from client.domain (client)
[client_ip]:1606 I=[ServerA_ip]:587 closed by QUIT

ServerB:
2008-12-12 13:49:09 1LAzxd-0001k5-8d <= sender@domain H=ServerA.domain
[ServerA_ip] P=esmtps X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 DN="" S=8428
id=021301c95c14$f6e0f8d0$e4a2ea70$@com
2008-12-12 13:49:09 1LAzxd-0001k5-8d => rw-recipient <rw-recipient@domain>
R=local_user T=maildir_home
2008-12-12 13:49:09 1LAzxd-0001k5-8d Completed

This is repeatable. If add certificate back, it does not go through and same
log as before. If then remove again, goes through and same logs for this case
as before.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##