where/how to configure php SSL context options (CAfile, cert, etc) for Postfixadmin SMTP send authentication?

pgnd
2020-09-13
  • pgnd

    pgnd - 2020-09-13

    i'm adding postfixadmin to a working dovecot+postfix setup.

    for mail sending, i use dovecot's submission protocol, with required SSL cert verification; config includes,

        ssl = required
        protocol submission {
            ssl_verify_client_cert       = yes
            auth_ssl_require_client_cert = yes
        }
        service submission-login {
            inet_listener submission {
                address = 10.0.1.100, 127.0.0.1
                port = 60465
                ssl = yes
            }
        }
    

    all SMTP clients must provide cert+CA for certificate-based send authentication.

    for php clients, configs must provide the connection auth data; e.g., for Roundcube client,

        $config['smtp_server']  = 'ssl://mx.example.com';
        $config['smtp_port']    = 60465;
    

    additional/required php SSL context options (https://www.php.net/manual/en/context.ssl.php) are readily specified,

        $config['smtp_conn_options'] = array(
            'ssl' => array(
                'allow_self_signed' => true,
                'cafile'            => '/etc/ssl/myCA_CHAIN.crt',
                'ciphers'           => 'TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305',
                'local_cert'        => '/etc/ssl/client.EC.crt',
                'local_pk'          => '/etc/ssl/client.EC.key',
                'peer_name'         => 'mx.example.com',
                'SNI_enabled'       => true,
                'verify_depth'      => 2,
                'verify_peer'       => true,
                'verify_peer_name'  => true,
            ),
        );
    

    with that^ typical config, connect+submit works as intended, & without error.

    in postfixadmin, checking for any relevant config opts, only finds,

        egrep -i "smtp|cafile|local_cert" ./src/postfixadmin/config.inc.php
            $CONF['smtp_server'] = 'localhost';
            $CONF['smtp_port'] = '25';
            // SMTP Client
            $CONF['smtp_client'] = '';
    

    with just

        $CONF['smtp_server'] = 'mx.example.com';
        $CONF['smtp_port'] = '60465';
        $CONF['smtp_client'] = 'mx.example.com';
    

    specified, postfixadmin mail send fails, clearly for missing CA/crt data,

        ==> /var/log/dovecot/dovecot-debug.log <==
        2020-09-13 09:18:15 submission-login: Debug: smtp-server: conn 127.0.0.1:34548 [1]: Connection created
        2020-09-13 09:18:15 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
        2020-09-13 09:18:15 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
        2020-09-13 09:18:15 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
        2020-09-13 09:18:15 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
        2020-09-13 09:18:15 auth: Debug: Read auth token secret from /run/dovecot//auth-token-secret.dat
    
        ==> /var/log/dovecot/dovecot-debug.log <==
        2020-09-13 09:18:15 auth: Debug: auth client connected (pid=3210)
        2020-09-13 09:18:15 submission-login: Debug: smtp-server: conn 127.0.0.1:34548 [1]: Sent: 220 mx.example.com Dovecot ready.
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate request
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
        2020-09-13 09:18:15 submission-login: Debug: SSL alert: where=0x4004, ret=560: fatal unknown CA
        2020-09-13 09:18:15 submission-login: Debug: SSL: where=0x2002, ret=-1: error
        2020-09-13 09:18:15 submission-login: Debug: SSL error: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
        2020-09-13 09:18:15 submission-login: Debug: smtp-server: conn 127.0.0.1:34548 [1]: Disconnected: Read failure
        2020-09-13 09:18:15 submission-login: Debug: smtp-server: conn 127.0.0.1:34548 [1]: Connection state reset
    
        ==> /var/log/dovecot/dovecot.log <==
        2020-09-13 09:18:15 submission-login: Error: smtp-server: conn 127.0.0.1:34548 [1]: Connection lost: read((conn:127.0.0.1:34548,id=1)) failed: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
    
        ==> /var/log/dovecot/dovecot-info.log <==
        2020-09-13 09:18:15 submission-login: Info: Read failure (client didn't send a cert): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
    

    how/where are required SSL context params configured for use by Postfixadmin's SMTP send function?


    Last edit: pgnd 2020-09-13
  • GingerDog

    GingerDog - 2020-09-13

    Hi -

    PostfixAdmin historically didn't send much email (a welcome email?) - and would probably have been installed on the Postfix server - so could get away with sending everything locally.

    Because of this, PostfixAdmin has only basic SMTP sending functionality - see https://github.com/postfixadmin/postfixadmin/blob/3d46ec795969f76604a8ed522df130548ae428c2/functions.inc.php#L1408

    It's probably past time that it was changed to use an SMTP library, which would hopefully add support for the various SSL parameters you're referencing.

    For now, i doubt it's possible - to do much more than what fsockopen() supports - i.e. using an ssl://localhost style url for the smtp server config parameter.
    (see: https://www.php.net/fsockopen )

  • pgnd

    pgnd - 2020-09-13

    would probably have been installed on the Postfix server - so could get away with sending everything locally.
    ...
    It's probably past time that it was changed to use an SMTP library

    to be fair, different strokes, right?

    my own policies are that all submission/transports/relays -- local or otherwise -- need to have auth/access controls available; and most of that's migrated to mandatory already.

    in practice here, that means every connection/handshake is locked down with SSL cert verification, with tightened protocols/ciphers.

    sure, a bit more work up front to setup, but distributes/scales far more easily; once setup correctly, moving the SMTP server 'elsewhere', changing certs, etc becomes a trivial exercise.

    and, with those^ policies in-place & widespread around here, what's "past" is my option to re-introduce 'weaker' security. tbh, a PITA, some days ...

    see: https://www.php.net/fsockopen

    That page does mention:

    "The function stream_socket_client() is similar but provides a richer set of options, including non-blocking connection and the ability to provide a stream context. "

    at https://www.php.net/manual/en/function.stream-socket-client.php,
    

    the function does apparently support the ssl context options ... which should, in principle, be sufficient.

    i don't have a sense for how "similar" it is; is it a simple (nearly) drop-in replacement?

    taking a look at RoundCubeMail's approach

    https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_smtp.php
    

    may be of interest.

    There's also PhpMailer

    https://github.com/PHPMailer/PHPMailer
    

    that's a comprehensive mailer lib.

    it certainly provides the capabilities required

    https://github.com/PHPMailer/PHPMailer/blob/master/examples/ssl_options.phps
    

    it might be easily included, but may be vast overkill ....
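    To make the stream_socket_client() route concrete, here is an added example (not PostfixAdmin's, Roundcube's or PHPMailer's code) of a minimal SMTP submission client that opens a TLS-on-connect session with a full SSL stream context: CA file, client certificate and key, and peer-name verification, i.e. the same context options as the Roundcube config quoted in the first post. The host mx.example.com, port 60465 and the /etc/ssl/... paths are taken from the thread and are assumptions for the illustration; the helper names smtp_tls_connect, smtp_read_reply, smtp_command and smtp_peer_cn are mine. It reads the 220 banner, sends EHLO and QUIT, and reports the subject CN of the server certificate PHP verified; a handshake the server or client rejects (the "unknown CA" alert in the Dovecot log) fails at the connect call, before any SMTP command is sent.

```php
<?php
// Added example, not PostfixAdmin's own code: an SMTP-over-TLS session opened
// with stream_socket_client() and a full SSL stream context, which fsockopen()
// cannot take. Host, port and certificate paths below are assumptions
// modelled on the Roundcube config quoted in the thread.
declare(strict_types=1);

/** Connect with TLS-on-connect; CA, client cert/key and peer checks come from $sslOpts. */
function smtp_tls_connect(string $host, int $port, array $sslOpts, int $timeout = 10)
{
    $context = stream_context_create(['ssl' => $sslOpts]);
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client(
        "ssl://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $context
    );
    if ($sock === false) {
        // A rejected handshake (untrusted CA, missing client cert) surfaces here.
        $detail = error_get_last()['message'] ?? $errstr;
        throw new RuntimeException("TLS connect to {$host}:{$port} failed ({$errno}): {$detail}");
    }
    stream_set_timeout($sock, $timeout);
    return $sock;
}

/** Read one complete SMTP reply (multi-line "250-..." continuations included). */
function smtp_read_reply($sock): array
{
    $code = 0;
    $lines = [];
    while (($line = fgets($sock, 1024)) !== false) {
        $line = rtrim($line, "\r\n");
        if (!preg_match('/^(\d{3})([ -])/', $line, $m)) {
            throw new RuntimeException("Malformed SMTP reply: {$line}");
        }
        $code = (int) $m[1];
        $lines[] = $line;
        if ($m[2] === ' ') {      // a space after the code ends the reply
            return [$code, $lines];
        }
    }
    throw new RuntimeException('Connection closed before a complete SMTP reply arrived');
}

/** Send a command and insist on the expected reply code. */
function smtp_command($sock, string $cmd, int $expected): array
{
    fwrite($sock, $cmd . "\r\n");
    [$code, $lines] = smtp_read_reply($sock);
    if ($code !== $expected) {
        throw new RuntimeException("{$cmd} -> {$code}, expected {$expected}: " . implode(' | ', $lines));
    }
    return $lines;
}

/** Subject CN of the certificate the server presented, after PHP verified it. */
function smtp_peer_cn($sock): string
{
    $cert = stream_context_get_options($sock)['ssl']['peer_certificate'] ?? null;
    $parsed = $cert ? openssl_x509_parse($cert) : false;
    return $parsed['subject']['CN'] ?? '(unknown)';
}

$sslOpts = [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,                      // trust comes from cafile, not a self-signed leaf
    'cafile'            => '/etc/ssl/myCA_CHAIN.crt',  // private CA chain (assumed path)
    'local_cert'        => '/etc/ssl/client.EC.crt',   // client certificate, PEM (assumed path)
    'local_pk'          => '/etc/ssl/client.EC.key',   // client private key, PEM (assumed path)
    'peer_name'         => 'mx.example.com',
    'SNI_enabled'       => true,
    'verify_depth'      => 2,
    'capture_peer_cert' => true,                       // lets smtp_peer_cn() inspect the server cert
];

try {
    $sock = smtp_tls_connect('mx.example.com', 60465, $sslOpts);
    [$code, $banner] = smtp_read_reply($sock);
    if ($code !== 220) {
        throw new RuntimeException('Unexpected greeting: ' . implode(' | ', $banner));
    }
    // If the server still advertises AUTH in the EHLO reply, a SASL step would
    // follow here; this example stops at EHLO to show the TLS side only.
    $ehlo = smtp_command($sock, 'EHLO ' . gethostname(), 250);
    echo 'Server cert CN: ', smtp_peer_cn($sock), PHP_EOL;
    echo 'EHLO: ', implode(' | ', $ehlo), PHP_EOL;
    smtp_command($sock, 'QUIT', 221);
    fclose($sock);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

    Compared with the fsockopen() call PostfixAdmin uses, the only structural difference is the sixth argument: the stream context carries everything the ssl:// URL cannot express, so verify_peer and verify_peer_name stay on and a private CA is trusted through cafile rather than by setting allow_self_signed. With capture_peer_cert the verified server certificate is available afterwards for logging, which is a cheap check that the connection landed on the expected host.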

