SSL Client Authentication

sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

SSL Client Authentication

Post by sttng359 »

I noticed that the Equifax-issued certificate used by the mail servers is marked for the "TLS Web Client Authentication" purpose, which gave me the idea of using it to authenticate incoming mail from Rollernet instead of whitelisting the IP address everywhere. I added Equifax as a trusted CA for sendmail, but Rollernet's postfix servers do not seem to be configured to use client TLS certificates. Would this be a good approach for Rollernet to bypass greylisting, antivirus, etc. when sending mail to my primary mail server? And if so, would it be difficult to enable on your servers?

RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

In Postfix (we have no idea how to do this in Sendmail) you would want to request *our* certificate fingerprint and check it using the check_ccert_access method to return an OK early in the process. It should work as is, but honestly we've never actually tried it in the real world.

The only reason this would be a bad idea is that the SSL certificate fingerprint is subject to change every time we renew the certificate and upload the new one.
Technical Support support@rollernet.us
Roller Network LLC
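The check_ccert_access approach in the reply above keys the lookup on the certificate fingerprint, and the renewal caveat is what breaks it. The script below is an added example, not code from this thread or from Roller Network's servers: it builds the lookup key in the colon-separated hex form Postfix expects, parses a check_ccert_access source file, and reports when the certificate a peer presents no longer matches a stored entry. The map file name /etc/postfix/relay_ccerts, the SHA-256 digest choice, and the sample bytes used as a stand-in certificate are assumptions.

```python
"""Added example (not code from the thread or from Roller Network):
build the lookup key Postfix uses for check_ccert_access from a peer's
certificate and detect when a renewal has invalidated a stored entry.
The map file name, the digest choice and the sample DER bytes are
assumptions."""
import hashlib
import smtplib
import ssl
import sys


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER certificate: the
    form `openssl x509 -fingerprint` prints and Postfix uses as the
    check_ccert_access lookup key. The digest must match the server's
    smtpd_tls_fingerprint_digest setting."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def map_entry(der: bytes, action: str = "OK", digest: str = "sha256") -> str:
    """One line for the check_ccert_access source file
    (hash:/etc/postfix/relay_ccerts is an assumed location)."""
    return f"{fingerprint(der, digest)}\t{action}"


def parse_map(text: str) -> dict:
    """Parse a check_ccert_access source file into {fingerprint: action},
    ignoring blank lines and comments; keys are normalised to upper case."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0].upper()] = parts[1].strip()
    return entries


def check_renewal(map_text: str, observed_der: bytes, digest: str = "sha256"):
    """Return (action, fingerprint) for the certificate a peer presents now.
    action is None when the map no longer contains it, which is exactly what
    happens after the remote side renews its certificate."""
    fp = fingerprint(observed_der, digest)
    return parse_map(map_text).get(fp), fp


def fetch_smtp_cert(host: str, port: int = 25) -> bytes:
    """Fetch the DER certificate a mail server presents after STARTTLS.
    Verification is off on purpose: this only collects the fingerprint to
    pin; trust is established by the map entry, not by this connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)      # smtp.sock is now the SSLSocket
        return smtp.sock.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed sample: stand-in DER bytes, not a real certificate.
    sample_der = b"abc"
    stored = "# relay_ccerts (constructed)\n" + map_entry(sample_der) + "\n"
    print("current cert:", check_renewal(stored, sample_der))
    print("renewed cert:", check_renewal(stored, b"abd"))   # action None
    # Usage: python ccert_map.py mail.example.test  -> prints a map line
    if len(sys.argv) > 1:
        print(map_entry(fetch_smtp_cert(sys.argv[1])))
```

On the receiving Postfix side the matching main.cf pieces would be `smtpd_tls_ask_ccert = yes`, `smtpd_tls_fingerprint_digest = sha256` and `check_ccert_access hash:/etc/postfix/relay_ccerts` early in the client restrictions; running the script against the stored map after each renewal notice shows immediately whether the entry needs regenerating. Newer Postfix releases also accept the public-key fingerprint as the lookup key, which survives a renewal that keeps the same key pair.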
sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Post by sttng359 »

With sendmail on the server side, I should be able to verify your certificate via the Equifax certificate and your subject just as a browser would verify it. I extracted the Equifax certificate from my installed copy of Firefox, which I already trust, and installed it as a listed CA in sendmail. Sendmail can be configured to validate a certificate matching a certain subject and issuer. I used "openssl s_client -connect mail.rollernet.us:smtp -starttls smtp -CAfile my_extracted_equifax.crt" to verify the certificate presented by your server and extract the subject it was using, which looked reasonable, so I added it to sendmail's access.db. This should be reasonably secure, IMHO, and independent of your certificate's current fingerprint.

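The post above pins on the issuer and subject DN after chain validation against one chosen CA, which is what makes it survive a renewal. The script below is an added example, not code from this thread or from either mail operator: it reproduces that policy with Python's ssl module, trusting only the supplied CA file for the STARTTLS handshake and then matching the verified peer's issuer and subject against a rule table modelled on sendmail's CERTISSUER:/CERTSUBJECT: access.db entries. The CA file path, the DNs in the rule table and the constructed peer certificate are assumptions.

```python
"""Added example (not code from the thread or from either mail operator):
verify a mail server's certificate against one chosen CA file, then pin on
issuer and subject DN rather than fingerprint. The DNs, the CA file path and
the constructed certificate dict below are assumptions."""
import smtplib
import ssl

# Long attribute names returned by SSLSocket.getpeercert() -> OpenSSL short names.
_SHORT = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "emailAddress",
}


def dn_oneline(name) -> str:
    """Render getpeercert()'s RDN sequence in OpenSSL's one-line form,
    e.g. /C=US/O=Example CA/CN=mail.example.test, the same form
    `openssl x509 -subject -issuer` prints and that goes into the rules."""
    return "".join(
        f"/{_SHORT.get(attr, attr)}={value}" for rdn in name for attr, value in rdn
    )


# Rule table (constructed values): (issuer DN, subject DN or None for any
# subject from that issuer, action), like sendmail's access.db TLS entries.
RULES = [
    ("/C=US/O=Example CA/CN=Example Secure CA",
     "/C=US/O=Example Mail/CN=mail.example.test", "RELAY"),
]

# Constructed peer certificate in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example Secure CA"),)),
    "subject": ((("countryName", "US"),), (("organizationName", "Example Mail"),),
                (("commonName", "mail.example.test"),)),
}


def policy_action(cert: dict, rules=RULES):
    """Return the action for a verified peer certificate, or None when no rule
    matches. Issuer and subject both have to match: the issuer alone would
    admit every certificate that CA has ever issued to anyone."""
    issuer, subject = dn_oneline(cert["issuer"]), dn_oneline(cert["subject"])
    for rule_issuer, rule_subject, action in rules:
        if issuer == rule_issuer and rule_subject in (None, subject):
            return action
    return None


def verified_peer_cert(host: str, cafile: str, port: int = 25) -> dict:
    """STARTTLS to a mail server trusting only `cafile` (CERT_REQUIRED, no
    system store), so the TLS layer rejects any chain not rooted there and
    the DN rules only ever see verified certificates. Hostname checking is
    off because the subject rule, not the connection name, decides."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)      # raises ssl.SSLError on a bad chain
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    import sys
    print(dn_oneline(SAMPLE_CERT["subject"]), "->", policy_action(SAMPLE_CERT))
    # Usage: python dn_pin.py mail.example.test /path/to/ca.pem
    if len(sys.argv) == 3:
        cert = verified_peer_cert(sys.argv[1], sys.argv[2])
        print(dn_oneline(cert["issuer"]))
        print(dn_oneline(cert["subject"]), "->", policy_action(cert))
```

The order matters: the DN comparison is only meaningful because `create_default_context(cafile=...)` has already refused any certificate not chaining to the extracted CA, and the subject match is what narrows a CA that issues to many customers down to the one peer you mean. A rule with a `None` subject reproduces the looser issuer-only entry, which is rarely what you want from a public CA.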