
Re: [msmtp-users] Bug: external auth via certificate only doesn't work



Hi Martin,

Quoting Martin Lambers (2012-12-26 10:34:59)
> [..]

> Msmtp resends EHLO after STARTTLS, and in response to that the server
> must announce its authentication methods. It is my understanding
> that msmtp still needs to be able to send AUTH EXTERNAL to the server,
> and therefore it needs AUTH EXTERNAL to be supported by the server
> after STARTTLS. Otherwise, how can the client tell the server which
> identity to authenticate, and how can it find out if authentication
> succeeded? (Note that the client cannot assume that the server uses TLS
> certificate credentials for EXTERNAL authentication.)

Your points are of course absolutely right.
The server doesn't announce any auth methods. The only method should be
EXTERNAL with certificates, so I suspect the proper behaviour would be to
announce EXTERNAL only after STARTTLS.

The server is postfix 2.9.5 from the archlinux repo, without any code
patches. The only settings are static alias maps and virtual domains.
(There is an excerpt of the ssl stuff from the postfix config at the end
of this mail.)
It does the authentication/verification. I can't send mails without the
valid, configured certificate.

> See also RFC 4422 Appendix A and the SMTP example given in RFC 4954.

Thanks for your response. I am sorry for assuming bugs in msmtp :-)

Excerpt from postfix config:

smtpd_tls_cert_file = <certfile>
smtpd_tls_key_file = <keyfile>
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_fingerprint_digest = sha1

relay_clientcerts = btree:/etc/postfix/relay_clientcerts


Transcript of msmtp session:
$ msmtp -vv

ignoring system configuration file /etc/msmtprc: No such file or directory
loaded user configuration file /home/t-8ch/.msmtprc
falling back to default account
using account default from /home/t-8ch/.msmtprc
host                  = mail.t-8ch.de
port                  = 25
timeout               = off
protocol              = smtp
domain                = localhost
auth                  = EXTERNAL
user                  = (not set)
password              = (not set)
passwordeval          = (not set)
ntlmdomain            = (not set)
tls                   = on
tls_starttls          = on
tls_trust_file        = (not set)
tls_crl_file          = (not set)
tls_fingerprint       = <fingerprint>
tls_key_file          = <keyfile>
tls_cert_file         = <certfile>
tls_certcheck         = on
tls_force_sslv3       = off
tls_min_dh_prime_bits = (not set)
tls_priorities        = (not set)
auto_from             = off
maildomain            = (not set)
from                  = <from_address>
dsn_notify            = (not set)
dsn_return            = (not set)
keepbcc               = off
logfile               = <logfile>
syslog                = (not set)
aliases               = (not set)
reading recipients from the command line
<-- 220 homer.t-8ch.de ESMTP Postfix
--> EHLO localhost
<-- 250-homer.t-8ch.de
<-- 250-PIPELINING
<-- 250-SIZE 10240000
<-- 250-VRFY
<-- 250-ETRN
<-- 250-STARTTLS
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250 DSN
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
TLS certificate information:
  [..]
  cert stuff
--> EHLO localhost
<-- 250-homer.t-8ch.de
<-- 250-PIPELINING
<-- 250-SIZE 10240000
<-- 250-VRFY
<-- 250-ETRN
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250 DSN
--> QUIT
<-- 221 2.0.0 Bye
msmtp: the server does not support authentication
msmtp: could not send mail (account default from /home/t-8ch/.msmtprc)
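The check at the heart of this thread, whether the EHLO reply sent after STARTTLS carries an AUTH keyword listing EXTERNAL, as an added example that is not code from the mail, from msmtp or from Postfix. It parses reply lines like the ones in the transcript above and, in the hypothetical `live_check` helper, repeats the same EHLO / STARTTLS / EHLO sequence against a real server while presenting a client certificate; the sample reply lines are constructed from the transcript.

```python
import smtplib
import ssl

# Constructed from the transcript: the EHLO reply after STARTTLS, "<-- " stripped.
POST_STARTTLS_EHLO = [
    "250-homer.t-8ch.de", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY",
    "250-ETRN", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN",
]
# Constructed: what a server that offers AUTH EXTERNAL after TLS would send.
EHLO_WITH_EXTERNAL = [
    "250-mail.example", "250-PIPELINING", "250-AUTH EXTERNAL", "250 DSN",
]


def parse_ehlo(lines):
    """Map raw EHLO reply lines ('250-KEYWORD [params]') to {KEYWORD: params}.
    The first line is the server's greeting name, not an extension."""
    feats = {}
    for i, line in enumerate(lines):
        if not line.startswith("250"):
            raise ValueError("not a 250 reply line: %r" % line)
        body = line[4:].strip()          # drop '250-' or '250 '
        if i == 0:
            continue
        keyword, _, params = body.partition(" ")
        feats[keyword.upper()] = params.strip()
    return feats


def auth_mechanisms(feats):
    """SASL mechanisms announced under AUTH; empty set when AUTH is absent."""
    return set(feats.get("AUTH", "").upper().split())


def offers_auth_external(lines):
    """True only if the reply announces AUTH with EXTERNAL among the mechanisms."""
    return "EXTERNAL" in auth_mechanisms(parse_ehlo(lines))


def live_check(host, certfile, keyfile, port=25, helo="localhost"):
    """Hypothetical helper (needs network): EHLO, STARTTLS with the client
    certificate, EHLO again, and report what the server announces after TLS.
    smtplib lowercases feature names, so 'auth' is looked up in lower case."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile, keyfile)
    with smtplib.SMTP(host, port) as s:
        s.ehlo(helo)
        before = dict(s.esmtp_features)
        s.starttls(context=ctx)
        s.ehlo(helo)
        after = dict(s.esmtp_features)
    mechs = set(after.get("auth", "").upper().split())
    return {"before": before, "after": after, "auth_external": "EXTERNAL" in mechs}


if __name__ == "__main__":
    print("transcript server offers AUTH EXTERNAL:", offers_auth_external(POST_STARTTLS_EHLO))
    print("constructed server offers AUTH EXTERNAL:", offers_auth_external(EHLO_WITH_EXTERNAL))
```

Run against the transcript's reply the function returns False, which is exactly the condition behind "the server does not support authentication". Note that Postfix's relay_clientcerts grants relaying by certificate fingerprint without any SASL exchange at all (a fact about Postfix, not stated in the mail), so a certificate-only relay setup produces no AUTH keyword for the client to act on.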