Tag Archives: openssl

Security check for postfix (STARTTLS connection)

$ openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -starttls smtp -verify 3 -verify_return_error -debug -CApath /etc/ssl/certs -connect 1.2.3.4:25

"-tls1_2" forces the TLSv1.2 protocol. Make sure protocol and cipher list match.

"-verify 3" enables server certificate verification and sets the length of the certificate chain. In this case there are 3 certificates in the certificate chain, including the root CA. Make sure the public root CA certificate is in the "-CApath" directory. "-verify_return_error" enforces the certificate verification to succeed.

The "-cipher" option specifies the list of ciphers to be transferred to the server. The server then decides which of these ciphers to use. As we only give one cipher, we force the postfix server to only use this one. If the server does not support this cipher, openssl will return with an error.

If everything goes well, you will see a long output from the server (including the protocol and cipher from your openssl command line options) and something like "Verify return code: 0 (ok)". Quit the connection with the postfix server by typing "quit" and hit return.

Share

Create a self-signed certificate for ip address

openssl.conf:

[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_ca
x509_extensions = v3_ca

[req_distinguished_name]
countryName = Country
countryName_default = GB
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = London
organizationName = Organization
organizationName_default = Roland Ltd.
organizationalUnitName = OU
organizationalUnitName_default = Roland-OU
commonName = CN
commonName_default = 192.168.12.122
commonName_max = 64
emailAddress = Email
emailAddress_default = postmaster@local.example
emailAddress_max = 40

[v3_ca]
extendedKeyUsage=serverAuth
subjectAltName=IP:192.168.12.122

# openssl req -newkey rsa -config openssl.conf -days 32 -x509 -out new.cert -keyout new.key

Add the option "-nodes" to avoid having to type in a password for the private key. You will need this e.g. if you use the certificate for Apache and do not want to type in the private key password every time you restart your webserver.

You also might want to add "-sha512" to make the signature algorithm use the SHA512 digest. Otherwise a reasonable default will be used. For Ubuntu 14.04 (OpenSSL 1.0.1f) the default has already been set to SHA256.

Share

Check sasl authentication with Postfix

Create base64 encrypted username and password:

$ echo -ne '\000username\000password' | openssl base64
$ AHl5eQB4eHg=

Start TLS session with mailserver:

$ openssl s_client -connect mailserver:25 -starttls smtp
...
---
250 DSN
ehlo test
250-mail.localhost.de
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHl5eQB4eHg=
235 2.7.0 Authentication successful

Note that even though we use plain text username and password which are only base64-encoded, they are sent encrypted over the network because of the starttls command line option. 

Share