warning tls smtpd_tls_ask_ccert = no please help

grozdan
Posts: 1
Joined: Fri May 28, 2021 1:57 pm

warning tls smtpd_tls_ask_ccert = no please help

Post by grozdan »

Dear all,

I installed Zimbra version 8.8.15_GA_4018.FOSS (24 Mar, 2021)

and when receiving mail from the gmail.com domain I see this warning in the log view:
postfix/smtpd[28557]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"

Please help: what is this warning and how do I resolve it? :oops:
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: warning tls smtpd_tls_ask_ccert = no please help

Post by JDunphy »

grozdan wrote:
and when receiving mail from the gmail.com domain I see this warning in the log view:
postfix/smtpd[28557]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"

Please help: what is this warning and how do I resolve it? :oops:

Here is the documentation on it.

https://www.postfix.org/postconf.5.html wrote:
permit_tls_clientcerts
Permit the request when the remote SMTP client certificate fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert = yes" and is available with Postfix version 2.2 and later.

So, paraphrasing this: it allows the remote SMTP client (gmail) to request if their certificate passes verification and if its fingerprint is present in your list of client certificates, if you are checking validity. It's an extra feature you could enable if you wanted to be stricter with your remote SMTP connections and provide additional server access control.

It exists because of this:

% grep permit_tls_clientcerts /opt/zimbra/common/conf/main.cf
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
Which is created because of this:

% grep permit_tls_clientcerts /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf 
permit_tls_clientcerts
The warning is harmless, but you could enable certificate-based relaying, provided they offered up a client certificate you had listed in relay_clientcerts, for example. I believe this warning is now standard in all modern Zimbra installs (8.8.15 and 9). For some reason I find the documentation obtuse on this and have not tried removing it myself, but I have wondered about those warnings too.

Perhaps someone who knows can shed light on why this is present in Zimbra installs; I see it on 9.0 installs also. I configured a stand-alone postfix installation (non-Zimbra) years ago on RHEL6 and it was present in that, so it seems to be a default for smtpd_sender_restrictions, but there are no warning messages with that older version of postfix, so I am guessing the warning was enabled in more modern versions of postfix, which Zimbra introduced in 8.8.15+, I believe.

You don't mention that it caused any problems with delivery? The email arrived, but you saw the warning when you checked the gmail connection in your logs, is how I understood your question.

Ref: http://www.postfix.org/TLS_LEGACY_README.html

Jim
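The mismatch Jim describes (permit_tls_clientcerts listed in smtpd_sender_restrictions while smtpd_tls_ask_ccert is "no") can be checked directly against a main.cf without waiting for the warning to show up in the log. This is an added example, not Zimbra's or Postfix's own code; the main.cf text is constructed to match the grep output above, and SAMPLE_MAIN_CF, parse_main_cf and ccert_findings are names chosen here.

```python
"""Check a Postfix main.cf for the inconsistency behind the warning
'permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"'.
Added example; the configuration text below is constructed, not copied from a live server."""
import re

# Constructed sample in the shape of what a Zimbra 8.8.15 install generates.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = no
relay_clientcerts =
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re,
    permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts,
    check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
"""

def parse_main_cf(text):
    """Parse main.cf: 'name = value'; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def ccert_findings(params):
    """Return findings about permit_tls_clientcerts in any smtpd_*_restrictions parameter."""
    findings = []
    ask = params.get("smtpd_tls_ask_ccert", "no").lower()   # Postfix default is "no"
    for name, value in params.items():
        if not (name.startswith("smtpd_") and name.endswith("_restrictions")):
            continue
        if "permit_tls_clientcerts" not in re.split(r"[,\s]+", value):
            continue
        if ask != "yes":
            findings.append(f"{name} uses permit_tls_clientcerts but smtpd_tls_ask_ccert = {ask}")
        if not params.get("relay_clientcerts", "").strip():
            findings.append(f"{name} uses permit_tls_clientcerts but relay_clientcerts is empty, so it can never match")
    return findings

if __name__ == "__main__":
    for finding in ccert_findings(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WARNING:", finding)
```

Run it against the real file with `parse_main_cf(open("/opt/zimbra/common/conf/main.cf").read())`; an empty list means the restriction list and the TLS client-certificate settings agree.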
milauria
Advanced member
Posts: 96
Joined: Mon Aug 15, 2016 12:32 pm

Re: warning tls smtpd_tls_ask_ccert = no please help

Post by milauria »

Hello, just checking if there is a fix for this warning, as I am experiencing the same, from what I read in the daily mail report.

I appreciate any guidance you may provide on where to look in the Zimbra installation.

I am on Zimbra FOSS 8.8.15 Patch 32 with CentOS 7.
milauria
Advanced member
Posts: 96
Joined: Mon Aug 15, 2016 12:32 pm

Re: warning tls smtpd_tls_ask_ccert = no please help

Post by milauria »

I also have consistent warnings of this kind in zimbra.log:

mail postfix/smtpd[8706]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
The log reads like below:

Oct 25 04:45:40 mail postfix/smtpd[8706]: connect from mail15.xxx[198.2.xxx.xx]
Oct 25 04:45:41 mail postfix/smtpd[8706]: Anonymous TLS connection established from mail15.xxx[198.2.xxx.xx]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Oct 25 04:45:41 mail postfix/smtpd[8706]: NOQUEUE: filter: RCPT from mail15.xxx[198.2.xxx.xx]: <bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxxx$
Oct 25 04:45:41 mail postfix/smtpd[8706]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
Oct 25 04:45:41 mail postfix/smtpd[8706]: NOQUEUE: filter: RCPT from mail15.xxx[198.2.xxx.xx]: <bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxx$
Oct 25 04:45:42 mail postfix/smtpd[8706]: 41D0094DBBBD: client=mail15.xxxx[198.2.xxx.xx]
My zimbra version:
Release 8.8.15_GA_3829.RHEL7_64_20190718141144 RHEL7_64 FOSS edition, Patch 8.8.15_P34.

Is it a misconfiguration of my server, or how can I clear these errors?
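The log excerpt above shows the warning appearing between the TLS handshake and the queue ID, which is what an admin wants to confirm: the warning is emitted while the restriction list is evaluated and the message is still accepted. The script below groups zimbra.log lines by smtpd process and reports, for every session that logged the warning, whether the message was queued or rejected (and, if rejected, the reason Postfix gave, which is never the client-certificate warning). This is an added example, not part of the thread; the log lines are constructed in the shape of the ones posted, with invented hostnames, IPs and queue ID, and summarize_sessions and warning_outcomes are names chosen here.

```python
"""Correlate the 'permit_tls_clientcerts is requested' warning with what the same
smtpd process did next. Added example; the log below is constructed, not a real capture."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct 25 04:45:40 mail postfix/smtpd[8706]: connect from mail15.example.net[198.51.100.15]
Oct 25 04:45:41 mail postfix/smtpd[8706]: Anonymous TLS connection established from mail15.example.net[198.51.100.15]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Oct 25 04:45:41 mail postfix/smtpd[8706]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
Oct 25 04:45:42 mail postfix/smtpd[8706]: 41D0094DBBBD: client=mail15.example.net[198.51.100.15]
Oct 25 04:46:10 mail postfix/smtpd[8710]: connect from unknown[203.0.113.7]
Oct 25 04:46:11 mail postfix/smtpd[8710]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
Oct 25 04:46:11 mail postfix/smtpd[8710]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <nobody@example.org>: Relay access denied
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUED_RE = re.compile(r"^([0-9A-F]{8,}): client=")   # "<queue id>: client=..." means accepted

def summarize_sessions(log_text):
    """Group smtpd lines by pid and record client, TLS, the warning, queue ID and any reject."""
    sessions = defaultdict(lambda: {"client": None, "tls": False, "ccert_warning": False,
                                    "queue_id": None, "reject_reason": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = sessions[m.group("pid")], m.group("msg")
        if msg.startswith("connect from "):
            s["client"] = msg[len("connect from "):]
        elif "TLS connection established" in msg:
            s["tls"] = True
        elif "permit_tls_clientcerts is requested" in msg:
            s["ccert_warning"] = True
        elif QUEUED_RE.match(msg):
            s["queue_id"] = QUEUED_RE.match(msg).group(1)
        elif msg.startswith("NOQUEUE: reject:"):
            s["reject_reason"] = msg.rsplit(": ", 1)[-1]   # text after the last ": "
    return dict(sessions)

def warning_outcomes(sessions):
    """For each session that logged the warning, say whether mail was still queued."""
    return {pid: (f"queued {s['queue_id']}" if s["queue_id"]
                  else f"rejected: {s['reject_reason'] or 'unknown'}")
            for pid, s in sessions.items() if s["ccert_warning"]}

if __name__ == "__main__":
    for pid, outcome in warning_outcomes(summarize_sessions(SAMPLE_LOG)).items():
        print(f"smtpd[{pid}]: {outcome}")
```

Feed it `open("/var/log/zimbra.log").read()` to check a real day; sessions that were rejected will show a concrete Postfix reason of their own, never the client-certificate warning.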
milauria
Advanced member
Posts: 96
Joined: Mon Aug 15, 2016 12:32 pm

Re: warning tls smtpd_tls_ask_ccert = no please help

Post by milauria »

Hello,
For the record, I set the following so that it is reflected in the postfix configuration:

zmprov mcf zimbraMtaSmtpTlsAskCcert yes
Originally it was set to "no". I read that this setting was introduced with 8.8.15.
I am monitoring the situation in case this modification causes more harm than benefit.
haffioconnor
Posts: 2
Joined: Mon Aug 29, 2016 9:22 pm

Re: warning tls smtpd_tls_ask_ccert = no please help

Post by haffioconnor »

I think you mean

zmprov mcf zimbraMtaSmtpdTlsAskCcert yes
and not

zmprov mcf zimbraMtaSmtpTlsAskCcert yes
You are missing the "d" at the end of "Smtp".
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: warning tls smtpd_tls_ask_ccert = no please help

Post by L. Mark Stone »

Please recall that those warnings are entirely benign, and as Jim pointed out above, you may want to re-read http://www.postfix.org/TLS_README.html to see why setting zimbraMtaSmtpdTlsAskCcert to "yes" could cause you not to receive otherwise legitimate email.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate