postfix ebuild with default certificates
hello everyone,

I've got this itch on my brain that maybe someone can explain:

Why does the postfix ebuild include server certificates (other than CA root
certificates)? There is a private key, a certificate signing request, a signed
certificate...

[code]
pjlv archon $ qpkg -l postfix | grep /etc/ssl/postfix
/etc/ssl/postfix
/etc/ssl/postfix/server.crt
/etc/ssl/postfix/server.csr
/etc/ssl/postfix/server.key
/etc/ssl/postfix/server.pem
pjlv archon $
[/code]

The problems I see are:
1. It's annoying: every time you update postfix it tries to replace your
certificates with its own (etc-update/dispatch-conf). If you're not careful,
you might end up with a replaced PUBLIC private key/certificate.
2. It's a security risk for the unaware. If someone uses (and I'm sure many
people do) those certificates, then everyone with a postfix server can
successfully attack such encrypted connections... everybody's got their private
key, certificate, etc.

I'm sure there are more problems...

Is there a good reason for the ebuild to include default certificates?

[this is also posted on the gentoo forum:
http://forums.gentoo.org/viewtopic.php?p=1897167#1897167]

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjlv@mega.ist.utl.pt
http://arrakis.dhis.org

--
gentoo-security@gentoo.org mailing list
Re: postfix ebuild with default certificates
The certificates are automatically generated, of course, so everyone has
a different certificate. Nothing to worry about, thus. Same goes for
cyrus-imapd and cyrus-pop3d, for example.

Regards,

Michel.
--
Michel Wilson michel@crondor.net
PGP key ID 0xD2CB4B7E
Re: postfix ebuild with default certificates
On Mon, 2004-12-20 at 11:31 +0000, Pedro Venda wrote:
> hello everyone,
>
> I've got this itch on my brain that maybe someone can explain:
>
> Why does the postfix ebuild include server certificates (other than CA root
> certificates)? There is a private key, a certificate signing request, a signed
> certificate...
>
> [code]
> pjlv archon $ qpkg -l postfix | grep /etc/ssl/postfix
> /etc/ssl/postfix
> /etc/ssl/postfix/server.crt
> /etc/ssl/postfix/server.csr
> /etc/ssl/postfix/server.key
> /etc/ssl/postfix/server.pem
> pjlv archon $
> [/code]
>
> The problems I see are:
> 1. It's annoying: every time you update postfix it tries to replace your
> certificates with its own (etc-update/dispatch-conf). If you're not careful,
> you might end up with a replaced PUBLIC private key/certificate.
> 2. It's a security risk for the unaware. If someone uses (and I'm sure many
> people do) those certificates, then everyone with a postfix server can
> successfully attack such encrypted connections... everybody's got their private
> key, certificate, etc.
3. I don't see any benefits in including them.

Anyone care to explain?

Regards
Antoine

>
> I'm sure there are more problems...
>
> Is there a good reason for the ebuild to include default certificates?
>
> [this is also posted on the gentoo forum:
> http://forums.gentoo.org/viewtopic.php?p=1897167#1897167]
>
> regards,
> pedro venda.


Re: postfix ebuild with default certificates
Antoine Martin wrote:

>On Mon, 2004-12-20 at 11:31 +0000, Pedro Venda wrote:
>
>
>3. I don't see any benefits in including them.
>
>Anyone care to explain?
>
>
It's a default cert, that's all... A randomly generated one, at that.
Re: postfix ebuild with default certificates
> > 1. It's annoying: every time you update postfix it tries to replace your
> > certificates with its own (etc-update/dispatch-conf). If you're not careful,
> > you might end up with a replaced PUBLIC private key/certificate.

I've got a really dumb question: why not just modify
/etc/postfix/main.cf to point to different files? There's nothing
stopping you from naming your certificates something other than
server.*, is there?

...and since you've already modified /etc/postfix/main.cf for your
setup anyway, what's a few more modified lines in a single file
compared to accidentally wiping out your SSL certificates that you may
have actually had to pay for?

Personally, I think it's a great idea that the mail servers (postfix,
courier-imap) generate default (random) certificates when they're
installed. It makes it that much more obvious to the user that they
should be using some sort of encryption/authentication for their
services...

...but you're right: the potential for damage is fairly high if the
user's not paying any attention at all... even though that's -always-
a danger: if the user's not paying attention, there's only so much
that a software developer can do to prevent damage. After that, it's
up to the user.

Re: postfix ebuild with default certificates
Hi.

>The thing is, if they were generated it wouldn't be so bad,
>but as pointed out earlier, these certs are included as-is. AFAIK.
>It doesn't make it obvious at all. Saying "you need to run mkcert"
>would.
>
>
Sorry for intervening, but isn't this the part of the code that generates the
certificates? I didn't look anywhere else, though.
See /usr/portage/mail-mta/postfix/postfix-2.1.5-r1.ebuild

if use ssl ; then
    SSL_ORGANIZATION="${SSL_ORGANIZATION:-Postfix SMTP Server}"
    insinto /etc/ssl/postfix
    docert server
    fowners postfix:mail /etc/ssl/postfix/server.{key,pem}
fi

Re: postfix ebuild with default certificates
> And end up having unused certificate files in /etc/ ? Hmm.

The certs aren't that big, so it's not a huge waste of space... <shrug>

> The thing is, if they were generated it wouldn't be so bad,
> but as pointed out earlier, these certs are included as-is. AFAIK.
> It doesn't make it obvious at all. Saying "you need to run mkcert"
> would.

They are generated, though: looking through
/usr/portage/mail-mta/postfix/postfix-2.1.5-r1.ebuild indicates that
it inherits from ssl-cert (see /usr/portage/eclass/ssl-cert), which in
turn generates a new SSL certificate given a set of parameters... so
every time you install/upgrade postfix, you'll get a newly generated
certificate... in other words, the ebuild is already running mkcert
for you...

I must've missed it when somebody pointed out that the certs are
included as-is... but from my fifteen minutes of investigation, it
doesn't look that way to me at all...

> We make it easier for the user not to pay attention by making him
> believe he is using secure certs.

What's so insecure about them? Am I missing something here?

Re: postfix ebuild with default certificates
On Wed, 2004-12-22 at 11:17 -0500, James Hiscock wrote:
> > > 1. It's annoying: every time you update postfix it tries to replace your
> > > certificates with its own (etc-update/dispatch-conf). If you're not careful,
> > > you might end up with a replaced PUBLIC private key/certificate.
>
> I've got a really dumb question: why not just modify
> /etc/postfix/main.cf to point to different files? There's nothing
> stopping you from naming your certificates something other than
> server.*, is there?
>
> ...and since you've already modified /etc/postfix/main.cf for your
> setup anyway, what's a few more modified lines in a single file
> compared to accidentally wiping out your SSL certificates that you may
> have actually had to pay for?
And end up having unused certificate files in /etc/ ? Hmm.
>
> Personally, I think it's a great idea that the mail servers (postfix,
> courier-imap) generate default (random) certificates when they're
> installed. It makes it that much more obvious to the user that they
> should be using some sort of encryption/authentication for their
> services...
The thing is, if they were generated it wouldn't be so bad,
but as pointed out earlier, these certs are included as-is. AFAIK.
It doesn't make it obvious at all. Saying "you need to run mkcert"
would.
>
> ...but you're right: the potential for damage is fairly high if the
> user's not paying any attention at all... even though that's -always-
> a danger: if the user's not paying attention, there's only so much
> that a software developer can do to prevent damage. After that, it's
> up to the user.
We make it easier for the user not to pay attention by making him
believe he is using secure certs.

Re: postfix ebuild with default certificates
On Wed, 2004-12-22 at 11:46 -0500, James Hiscock wrote:
> > And end up having unused certificate files in /etc/ ? Hmm.
>
> The certs aren't that big, so it's not a huge waste of space... <shrug>
I wasn't thinking about space, just clutter and confusion.
>
> > The thing is, if they were generated it wouldn't be so bad,
> > but as pointed out earlier, these certs are included as-is. AFAIK.
> > It doesn't make it obvious at all. Saying "you need to run mkcert"
> > would.
>
> They are generated, though: looking through
> /usr/portage/mail-mta/postfix/postfix-2.1.5-r1.ebuild indicates that
> it inherits from ssl-cert (see /usr/portage/eclass/ssl-cert), which in
> turn generates a new SSL certificate given a set of parameters... so
> every time you install/upgrade postfix, you'll get a newly generated
> certificate... in other words, the ebuild is already running mkcert
> for you...
That isn't so bad.
>
> I must've missed it when somebody pointed out that the certs are
> included as-is... but from my fifteen minutes of investigation, it
> doesn't look that way to me at all...
I must have dreamt it...
>
> > We make it easier for the user not to pay attention by making him
> > believe he is using secure certs.
>
> What's so insecure about them? Am I missing something here?
Nothing, if they are generated!


Re: postfix ebuild with default certificates
Thanks everybody for your replies.

To sum up:

1. the certificates are generated on installation, so there are no 2 equal
certificates (good).
2. a good solution to avoid certificate overwrite is to use different file names.

regards,
pedro venda.

--

Pedro João Lopes Venda
email: pjlv@mega.ist.utl.pt
http://arrakis.dhis.org

Re: postfix ebuild with default certificates
On Thursday 23 December 2004 15:54, Pedro Venda wrote:
> Thanks everybody for your replies.
>
> To sum up:
>
> 1. the certificates are generated on installation, so there are no 2 equal
> certificates (good).
> 2. a good solution to avoid certificate overwrite is to use different file
> names.

The generation scripts should probably first look whether there are already
certificates in ${ROOT}/etc/ssl/postfix/server.key or certificate requests,
and use those instead of generating new ones.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net

Re: postfix ebuild with default certificates
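As an added illustration of the "check before generating" behaviour suggested above (example code, not the ebuild's or the ssl-cert eclass's own): a POSIX shell function that only creates a fresh random key and self-signed certificate when none is present in the target directory, so a reinstall never overwrites an operator's real key. The directory, the `server.*` names and the organisation string follow the thread; the function name and the default CN fallback are assumptions.

```shell
#!/bin/sh
# ensure_server_cert DIR [CN]
# Prints "kept" when DIR already holds a key/cert (and leaves it untouched),
# "generated" after writing a new random key, certificate and combined pem.
# Hypothetical helper written for this example, not part of any ebuild.
ensure_server_cert() {
    dir=$1
    cn=${2:-$(hostname -f 2>/dev/null || echo localhost)}
    key="$dir/server.key"
    crt="$dir/server.crt"
    pem="$dir/server.pem"

    # Look for existing material first (Paul's suggestion): an operator's
    # real certificate, possibly a paid one, must survive an upgrade.
    if [ -s "$key" ] || [ -s "$crt" ] || [ -s "$pem" ]; then
        echo "kept"
        return 0
    fi

    mkdir -p "$dir" || return 1
    # Generate in a subshell so the restrictive umask does not leak to the
    # caller; the private key must never be group- or world-readable.
    (
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
            -subj "/O=Postfix SMTP Server/CN=$cn" \
            -keyout "$key" -out "$crt" >/dev/null 2>&1 || exit 1
        # server.pem is key + certificate, as the ebuild's docert produces.
        cat "$key" "$crt" > "$pem"
    ) || return 1
    echo "generated"
}
```

Calling it twice on the same directory is the point: the second call reports "kept" and the key on disk is byte-for-byte unchanged.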
>>Thanks everybody for your replies.
>>
>>To sum up:
>>
>>1. the certificates are generated on installation, so there are no 2 equal
>>certificates (good).
>>2. a good solution to avoid certificate overwrite is to use different file
>>names.
>>
>>
>The generation scripts should probably first look whether there are already
>certificates in ${ROOT}/etc/ssl/postfix/server.key or certificate requests,
>and use those instead of generating new ones.
>
>
It could be nice, but I guess that CONFIG_PROTECT works well enough. Two
more configuration file conflicts don't look too bad to me.

Lami
