szepeviktor / courier

Courier Mail Server, also see https://github.com/szepeviktor/courier-libs
http://www.courier-mta.org

SSL CN and SAN #1

Open szepeviktor opened 7 years ago

szepeviktor commented 7 years ago

Hello!

Could it be that Courier MTA cannot be configured to send emails securely (using SSL) to Sendgrid because they have their hostname in SAN not in CN?

The OpenSSL library does not validate peer hostnames, leaving it up to the
application to do that. Courier's manual hostname validation code checks CN only.

Hostname validation for SMTP is a mess. Many servers use self-signed certs,
not signed by a trusted CA; as such, most servers typically do not verify
peer hostnames.

You can also recompile Courier to use GnuTLS, which handles hostname
verification itself, and will presumably check SAN.
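The CN-versus-SAN point in the reply above, as an added example (this is not Courier's code and not the maintainer's): a hostname matcher written over the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, following the RFC 6125 rule that SAN dNSName entries take precedence and the subject CN is consulted only when the certificate carries no dNSName SAN at all. The CN-only variant reproduces the behaviour the issue describes. The certificates and hostnames (`smtp.example.net`, `mx.legacy.example`, and so on) are constructed for the example and are not real certificates; IP-address SANs and internationalised names are out of scope.

```python
"""RFC 6125-style hostname matching over getpeercert()-shaped dicts.

Added example, not part of Courier. The sample certificates below are
constructed, not captured from any real server.
"""


def _dns_name_match(pattern, hostname):
    """Match one presented dNSName/CN value against a reference hostname.

    Comparison is case-insensitive; a trailing dot is ignored. A wildcard is
    honoured only when it is the entire leftmost label and the pattern has at
    least two further labels (so "*.com" never matches), per RFC 6125 6.4.3.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def _common_names(cert):
    """All commonName values from the subject, in order."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def presented_dns_names(cert):
    """Return (names, from_san).

    SAN dNSName entries win; the CN is a fallback only for certificates that
    have no dNSName SAN at all (the legacy case).
    """
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san, True
    return _common_names(cert), False


def match_hostname(cert, hostname):
    """RFC 6125 behaviour: SAN first, CN only when SAN is absent."""
    names, _ = presented_dns_names(cert)
    return any(_dns_name_match(n, hostname) for n in names)


def match_hostname_cn_only(cert, hostname):
    """The CN-only rule the issue describes: SAN is ignored entirely."""
    return any(_dns_name_match(n, hostname) for n in _common_names(cert))


# Constructed sample certificates in getpeercert() layout (assumptions).
# A modern cert: the SMTP hostname lives only in the SAN, the CN is an
# unrelated label.
SAN_ONLY_CERT = {
    "subject": ((("commonName", "mail-frontend"),),),
    "subjectAltName": (("DNS", "smtp.example.net"),
                       ("DNS", "*.mail.example.net")),
}
# A legacy cert: CN only, no SAN extension.
LEGACY_CERT = {
    "subject": ((("commonName", "mx.legacy.example"),),),
}
# A cert that has both: the CN no longer counts once a dNSName SAN exists.
MIXED_CERT = {
    "subject": ((("commonName", "mx.legacy.example"),),),
    "subjectAltName": (("DNS", "smtp.example.net"),),
}


if __name__ == "__main__":
    host = "smtp.example.net"
    print("RFC 6125 match:", match_hostname(SAN_ONLY_CERT, host))
    print("CN-only match :", match_hostname_cn_only(SAN_ONLY_CERT, host))
```

Run as a script it prints `True` for the SAN-aware check and `False` for the CN-only check against the same constructed certificate, which is exactly the failure the issue reports: a valid certificate is rejected because the name is in the SAN rather than the CN.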

mwanner commented 7 years ago

Note that on Debian starting with courier-0.76.3-2, we are compiling against gnutls.

szepeviktor commented 7 years ago

@mwanner https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605594

It seems like it is not possible to get perfect forward secrecy unless you can set the DH key exchange parameter, which is only offered if courier was compiled against gnutls.

DH parameters can be set in /etc/courier/dhparams.pem
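Generating and checking a DH parameter file for the path named above, as an added example (not Courier's own `mkdhparams` tooling): the script uses only the `openssl dhparam` command, and the 2048-bit minimum and the output path are assumptions for the example. Generating a 2048-bit group can take a minute or more.

```sh
#!/bin/sh
# Added example, not Courier's code. Requires the openssl CLI.
set -eu

# Generate fresh DH parameters of BITS (default 2048) into OUT.
gen_dhparams() {
    out=$1
    bits=${2:-2048}
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Print the group size in bits of the parameters in FILE (empty on failure).
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if FILE parses and is at least MIN bits (default 2048);
# a group smaller than that should be regenerated, not deployed.
dhparam_ok() {
    bits=$(dhparam_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Usage when run directly (assumed path from the comment above):
#   sh dhparams.sh            -> writes /etc/courier/dhparams.pem
if [ "${0##*/}" = "dhparams.sh" ]; then
    target=${DHPARAMS:-/etc/courier/dhparams.pem}
    gen_dhparams "$target" 2048
    dhparam_ok "$target" 2048 && echo "ok: $(dhparam_bits "$target")-bit group in $target"
fi
```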

szepeviktor commented 7 years ago

@mwanner Is it reported to Sam? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844975

The root cause of this bug seems to be:

...
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_load_error_strings in -lssl... no
checking for OPENSSL_cleanup in -lssl... no
...