1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3 4<html> 5 6<head> 7 8<title>TLS Forward Secrecy in Postfix</title> 9 10<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 11<link rel='stylesheet' type='text/css' href='postfix-doc.css'> 12 13</head> 14 15<body> 16 17<h1><img src="postfix-logo.jpg" width="203" height="98" ALT=""> 18TLS Forward Secrecy in Postfix 19</h1> 20 21<hr> 22 23<h2> Warning </h2> 24 25<p> Forward secrecy does not protect against active attacks such 26as forged DNS replies or forged TLS server certificates. If such 27attacks are a concern, then the SMTP client will need to authenticate 28the remote SMTP server in a sufficiently-secure manner. For example, 29by the fingerprint of a (CA or leaf) public key or certificate. 30Conventional PKI relies on many trusted parties and is easily 31subverted by a state-funded adversary. </p> 32 33<h2> Overview </h2> 34 35<p> Postfix supports forward secrecy of TLS network communication 36since version 2.2. This support was adopted from Lutz Jänicke's 37"Postfix TLS patch" for earlier Postfix versions. This document 38will focus on TLS Forward Secrecy in the Postfix SMTP client and 39server. See <a href="TLS_README.html">TLS_README</a> for a general 40description of Postfix TLS support. </p> 41 42<p> Topics covered in this document: </p> 43 44<ul> 45 46<li> <p> Give me some background on forward secrecy in Postfix </p> 47 48<ul> 49 50<li><a href="#dfn_fs">What is Forward Secrecy</a> 51 52<li><a href="#tls_fs">Forward Secrecy in TLS</a> 53 54<li><a href="#server_fs">Forward Secrecy in the Postfix SMTP Server</a> 55 56<li><a href="#client_fs">Forward Secrecy in the Postfix SMTP Client</a> 57 58</ul> 59 60<li> <p> Never mind, just show me what it takes to get forward 61secrecy </p> 62 63<ul> 64 65<li><a href="#quick-start">Getting started, quick and dirty</a> 66 67<li><a href="#test">How can I see that a connection has forward secrecy?</a> 68 69<li><a href="#ciphers"> What ciphers provide forward secrecy? </a> 70 71<li><a href="#status"> What do "Anonymous", "Untrusted", etc. in 72Postfix logging mean? </a> 73 74</ul> 75 76<li> <p> <a href="#credits"> Credits </a> </p> 77 78</ul> 79 80<h2><a name="dfn_fs">What is Forward Secrecy</a></h2> 81 82<p> The term "Forward Secrecy" (or sometimes "Perfect Forward Secrecy") 83is used to describe security protocols in which the confidentiality 84of past traffic is not compromised when long-term keys used by either 85or both sides are later disclosed. </p> 86 87<p> Forward secrecy is accomplished by negotiating session keys 88using per-session cryptographically-strong random numbers that are 89not saved, and signing the exchange with long-term authentication 90keys. Later disclosure of the long-term keys allows impersonation 91of the key holder from that point on, but not recovery of prior 92traffic, since with forward secrecy, the discarded random key 93agreement inputs are not available to the attacker. </p> 94 95<p> Forward secrecy is only "perfect" when brute-force attacks on 96the key agreement algorithm are impractical even for the best-funded 97adversary and the random-number generators used by both parties are 98sufficiently strong. Otherwise, forward secrecy leaves the attacker 99with the challenge of cracking the key-agreement protocol, which 100is likely quite computationally intensive, but may be feasible for 101sessions of sufficiently high value. Thus forward secrecy places 102cost constraints on the efficacy of bulk surveillance, recovering 103all past traffic is generally infeasible, and even recovery of 104individual sessions may be infeasible given a sufficiently-strong 105key agreement method. </p> 106 107<h2><a name="tls_fs">Forward Secrecy in TLS</a></h2> 108 109<p> Early implementations of the SSL protocol do not provide forward 110secrecy (some provide it only with artificially-weakened "export" 111cipher suites, but we will ignore those here). The client 112sends a random "pre-master secret" to the server encrypted with the 113server's RSA public key. The server decrypts this with its private 114key, and uses it together with other data exchanged in the clear 115to generate the session key. An attacker with access to the server's 116private key can perform the same computation at any later time. </p> 117 118<p> Later revisions to the TLS protocol introduced forward-secrecy 119cipher suites in which the client and server implement a key exchange 120protocol based on ephemeral secrets. Sessions encrypted with one 121of these newer cipher suites are not compromised by future disclosure 122of long-term authentication keys. </p> 123 124<p> The key-exchange algorithms used for forward secrecy require 125the TLS server to designate appropriate "parameters" consisting of a 126mathematical "group" and an element of that group called a "generator". 127Presently, there are two flavors of "groups" that work with PFS: </p> 128 129<ul> 130 131<li> <p> <b>FFDHE:</b> Finite-field Diffie-Hellman ephemeral key 132exchange groups (also EDH or DHE). The server needs to be configured 133with a suitably-large prime and a corresponding "generator". Standard 134choices of the prime and generator are specified in RFC7919, and can be 135used in the TLS 1.3 protocol with the server and client negotiating a 136mutually supported choice. In earlier versions of TLS (1.0 through 1371.2), when FFDHE key exchange is performed, the server chooses the prime 138and generator unilaterally. </p> 139 140<li> <p> <b>EECDH:</b> This is short for Ephemeral Elliptic Curve 141Diffie-Hellman (also abbreviated as ECDHE). EECDH offers better 142security at lower computational cost than FFDHE. Elliptic curves used 143in cryptography are typically identified by a "name" that stands for a 144set of well-known parameter values, and it is these "named curves" (or, 145in certificates, associated ASN.1 object identifiers) that are used in 146the TLS protocol. When EECDH key exchange is used, a mutually supported 147named curve is negotiated as part of the TLS handshake. </p> 148 149</ul> 150 151<h2><a name="server_fs">Forward Secrecy in the Postfix SMTP Server</a></h2> 152 153<p> The Postfix ≥ 2.2 SMTP server supports forward secrecy in 154its default configuration. If the remote SMTP client prefers cipher 155suites with forward secrecy, then the traffic between the server 156and client will resist decryption even if the server's long-term 157authentication keys are <i>later</i> compromised. </p> 158 159<p> Most remote SMTP clients now support forward secrecy (the only 160choice as of TLS 1.3), but some may prefer cipher suites <i>without</i> 161forward secrecy. Postfix ≥ 2.8 servers can be configured to override 162the client's preference by setting "tls_preempt_cipherlist = yes". </p> 163 164<h3> FFDHE Server support </h3> 165 166<p> Postfix ≥ 3.1 supports 2048-bit-prime FFDHE out of the box, with 167no additional configuration. You can also generate your own FFDHE 168parameters, but this is not necessary and no longer recommended. See 169the <a href="#quick-start">quick-start</a> section for details. </p> 170 171<p> Postfix ≥ 3.8 supports the finite-field Diffie-Hellman ephemeral 172(FFDHE) key exchange group negotiation API of OpenSSL ≥ 3.0. FFDHE 173groups are explicitly negotiated between client and server starting with 174TLS 1.3. In earlier TLS versions, the server chooses the group 175unilaterally. The list of candidate FFDHE groups can be configured via 176"tls_ffdhe_auto_groups", which can be used to select a prioritized list 177of supported groups (most preferred first) on both the server and 178client. The default list is suitable for most users. Either, but not 179both of "tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" may be set 180empty, disabling either EC or FFDHE key exchange in OpenSSL 3.0 with TLS 1811.3. That said, interoperability will be poor if the EC curves are 182all disabled or don't include the most widely used curves. </p> 183 184<h3> EECDH Server support </h3> 185 186<p> As of Postfix 3.2 and OpenSSL 1.0.2, a range of supported EECDH 187curves is enabled in the server and client, and a suitable mutually 188supported curve is negotiated as part of the TLS handshake. The list of 189supported curves is configurable via the "tls_eecdh_auto_curves" 190parameter. With TLS 1.2 the server needs to leave its setting of 191"smtpd_tls_eecdh_grade" at the default value of "auto" (earlier choices 192of an explicit single curve grade are deprecated). With TLS 1.3, the 193"smtpd_tls_eecdh_grade" parameter is not used, and curve selection is 194unconditionally negotiated. </p> 195 196<h2> <a name="client_fs">Forward Secrecy in the Postfix SMTP Client</a> </h2> 197 198<p> The Postfix ≥ 2.2 SMTP client supports forward secrecy in its 199default configuration. All supported OpenSSL releases support both 200FFDHE and EECDH key exchange. If the remote SMTP server supports cipher 201suites with forward secrecy (and does not override the SMTP client's 202cipher preference), then the traffic between the server and client will 203resist decryption even if the server's long-term authentication keys are 204<i>later</i> compromised. Forward secrecy is always on in TLS 1.3. </p> 205 206<p> Postfix ≥ 3.2 supports the curve negotiation API of OpenSSL 207≥ 1.0.2. The list of candidate curves can be changed via the 208"tls_eecdh_auto_curves" configuration parameter, which can be used 209to select a prioritized list of supported curves (most preferred 210first) on both the Postfix SMTP server and SMTP client. The default 211list is suitable for most users. </p> 212 213<p> Postfix ≥ 3.8 supports the finite-field Diffie-Hellman ephemeral 214(FFDHE) key exchange group negotiation API of OpenSSL ≥ 3.0. 215The list of candidate FFDHE groups can be configured via 216"tls_ffdhe_auto_groups", which can be used to select a prioritized list 217of supported groups (most preferred first) on both the server and 218client. The default list is suitable for most users. </p> 219 220<p> The default Postfix SMTP client cipher lists are correctly ordered 221to prefer EECDH and FFDHE cipher suites ahead of similar cipher suites 222that don't implement forward secrecy. Administrators are strongly 223discouraged from changing the cipher list definitions. </p> 224 225<h2><a name="quick-start">Getting started, quick and dirty</a></h2> 226 227<h3> EECDH Client support (Postfix ≥ 3.2 with OpenSSL ≥ 1.1.1) </h3> 228 229<p> This works "out of the box" with no need for additional 230configuration. </p> 231 232<p> Postfix ≥ 3.2 supports the curve negotiation API of OpenSSL 233≥ 1.0.2. The list of candidate curves can be changed via the 234"tls_eecdh_auto_curves" configuration parameter, which can be used 235to select a prioritized list of supported curves (most preferred 236first) on both the Postfix SMTP server and SMTP client. The default 237list is suitable for most users. </p> 238 239<h3> EECDH Server support (Postfix ≥ 3.2 with OpenSSL ≥ 1.1.1) </h3> 240 241<p> This works "out of the box" with no need for additional 242configuration. </p> 243 244<p> Postfix ≥ 3.2 supports the curve negotiation API of OpenSSL 245≥ 1.0.2. The list of candidate curves can be changed via the 246"tls_eecdh_auto_curves" configuration parameter, which can be used 247to select a prioritized list of supported curves (most preferred 248first) on both the Postfix SMTP server and SMTP client. The default 249list is suitable for most users. </p> 250 251<h3> FFDHE Client support (Postfix ≥ 3.2, OpenSSL ≥ 1.1.1) </h3> 252 253<p> In Postfix < 3.8, or OpenSSL prior to 3.0, FFDHE for TLS 1.2 or 254below works "out of the box", no additional configuration is necessary. 255The most one can do is (not advisable) disable all "kDHE" ciphers, which 256would then disable FFDHE key exchange in TLS 1.2 and below. </p> 257 258<p> With OpenSSL 1.1.1, FFDHE is not supported for TLS 1.3, which uses 259only EECDH key exchange. Support for FFDHE with TLS 1.3 was added in 260OpenSSL 3.0. With OpenSSL 3.0 and Postfix 3.8 the list of supported TLS 2611.3 FFDHE groups becomes configurable via the "tls_ffdhe_auto_groups" 262parameter, which can be set empty to disable FFDHE in TLS 1.3, or 263conversely expanded to support more groups. The default should work 264well for most users. </p> 265 266<h3> FFDHE Server support (Postfix ≥ 2.2, all supported OpenSSL 267versions) </h3> 268 269<p> In Postfix < 3.8, or OpenSSL prior to 3.0, FFDHE for TLS 1.2 or 270below works "out of the box", no additional configuration is necessary. 271One can of course (not advisable) disable all "kDHE" ciphers, which 272would then disable FFDHE key exchange in TLS 1.2 and below. </p> 273 274<p> The built-in default Postfix FFDHE group is a 2048-bit group as of 275Postfix 3.1. You can optionally generate non-default Postfix SMTP 276server FFDHE parameters for possibly improved security against 277pre-computation attacks, but this is not necessary or recommended. Just 278leave "smtpd_tls_dh1024_param_file" at its default empty value. </p> 279 280<p> The set of FFDHE groups enabled for use with TLS 1.3 becomes 281configurable with Postfix ≥ 3.8 and OpenSSL ≥ 3.0. The default 282setting of "tls_ffdhe_auto_groups" enables the RFC7919 2048 and 3072-bit 283groups. If you need more security, you should probably be using EECDH. 284</p> 285 286<h2><a name="test">How can I see that a connection has forward 287secrecy? </a> </h2> 288 289<p> Postfix can be configured to report information about the 290negotiated cipher, the corresponding key lengths, and the remote 291peer certificate or public-key verification status. </p> 292 293<ul> 294 295<li> <p> With "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1", 296the Postfix SMTP client and server will log TLS connection information 297to the maillog file. The general logfile format is shown below. 298With TLS 1.3 there may be additional properties logged after the 299cipher name and bits. </p> 300 301<blockquote> 302<pre> 303postfix/smtp[<i>process-id</i>]: Untrusted TLS connection established 304to host.example.com[192.168.0.2]:25: TLSv1 with cipher <i>cipher-name</i> 305(<i>actual-key-size</i>/<i>raw-key-size</i> bits) 306 307postfix/smtpd[<i>process-id</i>]: Anonymous TLS connection established 308from host.example.com[192.168.0.2]: TLSv1 with cipher <i>cipher-name</i> 309(<i>actual-key-size</i>/<i>raw-key-size</i> bits) 310</pre> 311</blockquote> 312 313<li> <p> With "smtpd_tls_received_header = yes", the Postfix SMTP 314server will record TLS connection information in the Received: 315header in the form of comments (text inside parentheses). The general 316format depends on the smtpd_tls_ask_ccert setting. With TLS 1.3 there 317may be additional properties logged after the cipher name and bits. </p> 318 319<blockquote> 320<pre> 321Received: from host.example.com (host.example.com [192.168.0.2]) 322 (using TLSv1 with cipher <i>cipher-name</i> 323 (<i>actual-key-size</i>/<i>raw-key-size</i> bits)) 324 (Client CN "host.example.com", Issuer "John Doe" (not verified)) 325 326Received: from host.example.com (host.example.com [192.168.0.2]) 327 (using TLSv1 with cipher <i>cipher-name</i> 328 (<i>actual-key-size</i>/<i>raw-key-size</i> bits)) 329 (No client certificate requested) 330</pre> 331</blockquote> 332 333<p> TLS 1.3 examples. Some of the new attributes may not appear when not 334applicable or not available in older versions of the OpenSSL library. </p> 335 336<blockquote> 337<pre> 338Received: from localhost (localhost [127.0.0.1]) 339 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 340 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) 341 (No client certificate requested) 342 343Received: from localhost (localhost [127.0.0.1]) 344 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 345 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 346 client-signature ECDSA (P-256) client-digest SHA256) 347 (Client CN "example.org", Issuer "example.org" (not verified)) 348</pre> 349</blockquote> 350 351<ul> 352<li> <p> The "key-exchange" attribute records the type of "Diffie-Hellman" 353group used for key agreement. Possible values include "DHE", "ECDHE", "X25519" 354and "X448". With "DHE", the bit size of the prime will be reported in 355parentheses after the algorithm name, with "ECDHE", the curve name. </p> 356 357<li> <p> The "server-signature" attribute shows the public key signature 358algorithm used by the server. With "RSA-PSS", the bit size of the modulus will 359be reported in parentheses. With "ECDSA", the curve name. If, for example, 360the server has both an RSA and an ECDSA private key and certificate, it will be 361possible to track which one was used for a given connection. </p> 362 363<li> <p> The new "server-digest" attribute records the digest algorithm used by 364the server to prepare handshake messages for signing. The Ed25519 and Ed448 365signature algorithms do not make use of such a digest, so no "server-digest" 366will be shown for these signature algorithms. </p> 367 368<li> <p> When a client certificate is requested with "smtpd_tls_ask_ccert" and 369the client uses a TLS client-certificate, the "client-signature" and 370"client-digest" attributes will record the corresponding properties of the 371client's TLS handshake signature. </p> </ul> 372 373</ul> 374 375<p> The next sections will explain what <i>cipher-name</i>, 376<i>key-size</i>, and peer verification status information to expect. 377</p> 378 379<h2><a name="ciphers"> What ciphers provide forward secrecy? </a> </h2> 380 381<p> There are dozens of ciphers that support forward secrecy. What 382follows is the beginning of a list of 51 ciphers available with 383OpenSSL 1.0.1e. The list is sorted in the default Postfix preference 384order. It excludes null ciphers that only authenticate and don't 385encrypt, together with export and low-grade ciphers whose encryption 386is too weak to offer meaningful secrecy. The first column shows the 387cipher name, and the second shows the key exchange method. </p> 388 389<blockquote> 390<pre> 391$ openssl ciphers -v \ 392 'aNULL:-aNULL:kEECDH:kEDH:+RC4:!eNULL:!EXPORT:!LOW:@STRENGTH' | 393 awk '{printf "%-32s %s\n", $1, $3}' 394AECDH-AES256-SHA Kx=ECDH 395ECDHE-RSA-AES256-GCM-SHA384 Kx=ECDH 396ECDHE-ECDSA-AES256-GCM-SHA384 Kx=ECDH 397ECDHE-RSA-AES256-SHA384 Kx=ECDH 398ECDHE-ECDSA-AES256-SHA384 Kx=ECDH 399ECDHE-RSA-AES256-SHA Kx=ECDH 400ECDHE-ECDSA-AES256-SHA Kx=ECDH 401ADH-AES256-GCM-SHA384 Kx=DH 402ADH-AES256-SHA256 Kx=DH 403ADH-AES256-SHA Kx=DH 404ADH-CAMELLIA256-SHA Kx=DH 405DHE-DSS-AES256-GCM-SHA384 Kx=DH 406DHE-RSA-AES256-GCM-SHA384 Kx=DH 407DHE-RSA-AES256-SHA256 Kx=DH 408... 409</pre> 410</blockquote> 411 412<p> To date, all ciphers that support forward secrecy have one of 413five values for the first component of their OpenSSL name: "AECDH", 414"ECDHE", "ADH", "EDH" or "DHE". Ciphers that don't implement forward 415secrecy have names that don't start with one of these prefixes. 416This pattern is likely to persist until some new key-exchange 417mechanism is invented that also supports forward secrecy. </p> 418 419<p> The actual key length and raw algorithm key length 420are generally the same with non-export ciphers, but they may 421differ for the legacy export ciphers where the actual key 422is artificially shortened. </p> 423 424<p> Starting with TLS 1.3 the cipher name no longer contains enough 425information to determine which forward-secrecy scheme was employed, 426but TLS 1.3 <b>always</b> uses forward-secrecy. On the client side, 427up-to-date Postfix releases log additional information for TLS 1.3 428connections, reporting the signature and key exchange algorithms. 429Two examples below (the long single line messages are folded across 430multiple lines for readability): </p> 431 432<blockquote> 433<pre> 434postfix/smtp[<i>process-id</i>]: 435 Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25: 436 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 437 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 438 client-signature ECDSA (P-256) client-digest SHA256 439 440postfix/smtp[<i>process-id</i>]: 441 Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25: 442 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 443 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256 444</pre> 445</blockquote> 446 447<p> In the above connections, the "key-exchange" value records the 448"Diffie-Hellman" algorithm used for key agreement. The "server-signature" value 449records the public key algorithm used by the server to sign the key exchange. 450The "server-digest" value records any hash algorithm used to prepare the data 451for signing. With "ED25519" and "ED448", no separate hash algorithm is used. 452</p> 453 454<p> Examples of Postfix SMTP server logging: </p> 455 456<blockquote> 457<pre> 458postfix/smtpd[<i>process-id</i>]: 459 Untrusted TLS connection established from localhost[127.0.0.1]:25: 460 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 461 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 462 client-signature ECDSA (P-256) client-digest SHA256 463 464postfix/smtpd[<i>process-id</i>]: 465 Anonymous TLS connection established from localhost[127.0.0.1]: 466 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 467 server-signature RSA-PSS (2048 bits) server-digest SHA256 468 469postfix/smtpd[<i>process-id</i>]: 470 Anonymous TLS connection established from localhost[127.0.0.1]: 471 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 472 server-signature ED25519 473</pre> 474</blockquote> 475 476<p> Note that Postfix ≥ 3.4 server logging may also include a 477"to <i>sni-name</i>" element to record the use of an alternate 478server certificate chain for the connection in question. This happens 479when the client uses the TLS SNI extension, and the server selects 480a non-default certificate chain based on the client's SNI value: 481</p> 482 483<blockquote> 484<pre> 485postfix/smtpd[<i>process-id</i>]: 486 Untrusted TLS connection established from client.example[192.0.2.1] 487 to server.example: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 488 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 489 client-signature ECDSA (P-256) client-digest SHA256 490</pre> 491</blockquote> 492 493<h2><a name="status"> What do "Anonymous", "Untrusted", etc. in 494Postfix logging mean? </a> </h2> 495 496<p> The verification levels below are subject to man-in-the-middle 497attacks to different degrees. If such attacks are a concern, then 498the SMTP client will need to authenticate the remote SMTP server 499in a sufficiently-secure manner. For example, by the fingerprint 500of a (CA or leaf) public key or certificate. Remember that 501conventional PKI relies on many trusted parties and is easily 502subverted by a state-funded adversary. </p> 503 504<dl> 505 506<dt><b>Anonymous</b> (no peer certificate)</dt> 507 508<dd> <p> <b> Postfix SMTP client:</b> With opportunistic TLS (the "may" security level) the Postfix 509SMTP client does not verify any information in the peer certificate. 510In this case it enables and prefers anonymous cipher suites in which 511the remote SMTP server does not present a certificate (these ciphers 512offer forward secrecy of necessity). When the remote SMTP server 513also supports anonymous TLS, and agrees to such a cipher suite, the 514verification status will be logged as "Anonymous". </p> </dd> 515 516<dd> <p> <b> Postfix SMTP server:</b> This is by far most common, 517as client certificates are optional, and the Postfix SMTP server 518does not request client certificates by default (see smtpd_tls_ask_ccert). 519Even when client certificates are requested, the remote SMTP client 520might not send a certificate. Unlike the Postfix SMTP client, the 521Postfix SMTP server "anonymous" verification status does not imply 522that the cipher suite is anonymous, which corresponds to the 523<i>server</i> not sending a certificate. </p> </dd> 524 525<dt><b>Untrusted</b> (peer certificate not signed by trusted CA)</dt> 526 527<dd> 528 529<p> <b> Postfix SMTP client:</b> The remote SMTP server presented 530a certificate, but the Postfix SMTP client was unable to check the 531issuing CA signature. With opportunistic TLS this is common with 532remote SMTP servers that don't support anonymous cipher suites. 533</p> 534 535<p> <b> Postfix SMTP server:</b> The remote SMTP client presented 536a certificate, but the Postfix SMTP server was unable to check the 537issuing CA signature. This can happen when the server is configured 538to request client certificates (see smtpd_tls_ask_ccert). </p> 539 540</dd> 541 542<dt><b>Trusted</b> (peer certificate signed by trusted CA, unverified 543peer name)</dt> 544 545<dd> 546 547<p> <b> Postfix SMTP client:</b> The remote SMTP server's certificate 548was signed by a CA that the Postfix SMTP client trusts, but either 549the client was not configured to verify the destination server name 550against the certificate, or the server certificate did not contain 551any matching names. This is common with opportunistic TLS 552(smtp_tls_security_level is "may" or else "dane" with no usable 553TLSA DNS records) when the Postfix SMTP client's trusted CAs can 554verify the authenticity of the remote SMTP server's certificate, 555but the client is not configured or unable to verify the server 556name. </p> 557 558<p> <b> Postfix SMTP server:</b> The remote SMTP client certificate 559was signed by a CA that the Postfix SMTP server trusts. The Postfix 560SMTP server never verifies the remote SMTP client name against the 561names in the client certificate. Since the client chooses to connect 562to the server, the Postfix SMTP server has no expectation of a 563particular client hostname. </p> 564 565</dd> 566 567<dt><b>Verified</b> (peer certificate signed by trusted CA and 568verified peer name; or: peer certificate with expected public-key 569or certificate fingerprint)</dt> 570 571<dd> 572 573<p> <b> Postfix SMTP client:</b> The remote SMTP server's certificate 574was signed by a CA that the Postfix SMTP client trusts, and the 575certificate name matches the destination or server name(s). The 576Postfix SMTP client was configured to require a verified name, 577otherwise the verification status would have been just "Trusted". 578</p> 579 580<p> <b> Postfix SMTP client:</b> The "Verified" status may also 581mean that the Postfix SMTP client successfully matched the expected 582fingerprint against the remote SMTP server public key or certificate. 583The expected fingerprint may come from smtp_tls_policy_maps or from 584TLSA (secure) DNS records. The Postfix SMTP client ignores the CA 585signature. </p> 586 587<p> <b> Postfix SMTP server:</b> The status is never "Verified", 588because the Postfix SMTP server never verifies the remote SMTP 589client name against the names in the client certificate, and because 590the Postfix SMTP server does not expect a specific fingerprint in 591the client public key or certificate. </p> 592 593</dd> 594 595</dl> 596 597<h2><a name="credits">Credits </a> </h2> 598 599<ul> 600 601<li> TLS support for Postfix was originally developed by Lutz 602Jänicke at Cottbus Technical University. 603 604<li> Wietse Venema adopted and restructured the code and documentation. 605 606<li> Viktor Dukhovni implemented support for many subsequent TLS 607features, including EECDH, and authored the initial version of this 608document. 609 610</ul> 611 612</body> 613 614</html> 615
