Dear,
I installed Zimbra version 8.8.15_GA_4018.FOSS 24 Mar, 2021
and receive mail from gmail.com domain in log view warning
postfix/smtpd[28557]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
Please help, what is this warning and how do I resolve it?
warning tls smtpd_tls_ask_ccert = no please help
- JDunphy
- Outstanding Member
- Posts: 889
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: warning tls smtpd_tls_ask_ccert = no please help
grozdan wrote:
and receive mail from gmail.com domain in log view warning
postfix/smtpd[28557]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
Please help, what is this warning and how do I resolve it?

Here is the documentation on it.

https://www.postfix.org/postconf.5.html wrote:
permit_tls_clientcerts
Permit the request when the remote SMTP client certificate fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert = yes" and is available with Postfix version 2.2 and later.

So paraphrasing this.. it allows the remote SMTP client (gmail) to request if their certificate passes verification and if its fingerprint is present in your list of client certificates if you are checking validity. It's an extra feature you could enable if you wanted to be stricter with your remote SMTP connections and provide additional server access control.
It exists because of this:
Code:
% grep permit_tls_clientcerts /opt/zimbra/common/conf/main.cf
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
Code:
% grep permit_tls_clientcerts /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
permit_tls_clientcerts
Perhaps someone that knows can shed light on why this is present with Zimbra installs - I see it on 9.0 installs also? I configured a stand-alone postfix installation (non-Zimbra) years ago on RHEL6 and it was present in that, so it seems to be a default for smtpd_sender_restrictions, but there are no warning messages with that version of postfix, which is older, so I am guessing the warning was enabled in more modern versions of postfix, which Zimbra introduced in 8.8.15+, I believe.
You don't mention that it caused any problems in delivery? Email arrived but you saw it when you verified the gmail connection in your logs is how I understood your question.
Ref: http://www.postfix.org/TLS_LEGACY_README.html
Jim
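A small lint for the mismatch Jim describes, added here as an example (not code from the thread, Zimbra or Postfix): it assumes one "name = value" per line, the form "postconf -n" prints, and works on samples constructed from the restriction list quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread, Zimbra or Postfix: lint a Postfix
# configuration for the mismatch behind the logged warning
#   "permit_tls_clientcerts is requested, but smtpd_tls_ask_ccert = no".
# Input is one "name = value" per line, as "postconf -n" prints it; the
# samples below are constructed from the restriction list quoted above.
# Effective value of a parameter (last assignment wins); prints "no" when
# it is unset, which is the Postfix default for smtpd_tls_ask_ccert.
get_param() {  # $1 = config file, $2 = parameter name
    awk -v key="$2" '
        index($0, "=") > 0 {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (name == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            }
        }
        END { if (v == "") v = "no"; print v }' "$1"
}

# Returns 0 when consistent, 1 when permit_tls_clientcerts appears in an
# smtpd_*_restrictions list while the server never asks for a client cert.
check_ccert_config() {  # $1 = config file
    if ! grep -Eq '^[[:space:]]*smtpd_[a-z_]*restrictions[[:space:]]*=.*permit_tls_clientcerts' "$1"; then
        echo "ok: permit_tls_clientcerts is not requested"
        return 0
    fi
    ask=$(get_param "$1" smtpd_tls_ask_ccert)
    if [ "$ask" = "yes" ]; then
        echo "ok: permit_tls_clientcerts requested and smtpd_tls_ask_ccert = yes"
        return 0
    fi
    echo "mismatch: permit_tls_clientcerts requested but smtpd_tls_ask_ccert = $ask"
    echo "fix: set smtpd_tls_ask_ccert = yes (zmprov mcf zimbraMtaSmtpdTlsAskCcert yes)"
    echo "     or drop permit_tls_clientcerts from the restriction list"
    return 1
}

# Constructed sample: the Zimbra default shown in the thread (warns).
bad_cf=$(mktemp); good_cf=$(mktemp)
trap 'rm -f "$bad_cf" "$good_cf"' EXIT
cat >"$bad_cf" <<'EOF'
smtpd_tls_ask_ccert = no
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
EOF
# Constructed sample: the same list after the server is told to ask for a cert.
sed 's/^smtpd_tls_ask_ccert = no$/smtpd_tls_ask_ccert = yes/' "$bad_cf" >"$good_cf"
check_ccert_config "$bad_cf"   # exit status 1
check_ccert_config "$good_cf"  # exit status 0
```

On a live box, run it against the output of "postconf -n" rather than main.cf directly, since main.cf may wrap a restriction list over continuation lines.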
Re: warning tls smtpd_tls_ask_ccert = no please help
Hello, just checking if there is a fix for this warning, as I am experiencing the same from what I read in the daily mail report.
Appreciate any guidance you may provide where to look in the Zimbra installation
I am on Zimbra FOSS 8.8.15 Patch 32 with Centos 7
Re: warning tls smtpd_tls_ask_ccert = no please help
I also have consistent warnings in the zimbra.log of this kind:
Code:
mail postfix/smtpd[8706]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
The log reads like below:
Code:
Oct 25 04:45:40 mail postfix/smtpd[8706]: connect from mail15.xxx[198.2.xxx.xx]
Oct 25 04:45:41 mail postfix/smtpd[8706]: Anonymous TLS connection established from mail15.xxx[198.2.xxx.xx]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Oct 25 04:45:41 mail postfix/smtpd[8706]: NOQUEUE: filter: RCPT from mail15.xxx[198.2.xxx.xx]: <bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxxx$
Oct 25 04:45:41 mail postfix/smtpd[8706]: warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"
Oct 25 04:45:41 mail postfix/smtpd[8706]: NOQUEUE: filter: RCPT from mail15.xxx[198.2.xxx.xx]: <bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<bounce-mc.us15_72166678.395684-66ea859c0e@mail15.xxx$
Oct 25 04:45:42 mail postfix/smtpd[8706]: 41D0094DBBBD: client=mail15.xxxx[198.2.xxx.xx]
My zimbra version:
Release 8.8.15_GA_3829.RHEL7_64_20190718141144 RHEL7_64 FOSS edition, Patch 8.8.15_P34.
Is it a misconfiguration of my server, or how can I clear these errors?
Re: warning tls smtpd_tls_ask_ccert = no please help
Hello,
for the record I set the following to reflect in the postfix configuration:
Code:
zmprov mcf zimbraMtaSmtpTlsAskCcert yes
Originally it was set to "no". I read this setting has been introduced with 8.8.15.
I am monitoring the situation in case this modification causes more harm than benefit.
- Posts: 2
- Joined: Mon Aug 29, 2016 9:22 pm
Re: warning tls smtpd_tls_ask_ccert = no please help
I think you mean
Code:
zmprov mcf zimbraMtaSmtpdTlsAskCcert yes
and not
Code:
zmprov mcf zimbraMtaSmtpTlsAskCcert yes
missing the d at the end of smtp
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
Re: warning tls smtpd_tls_ask_ccert = no please help
Please recall that those warnings are entirely benign, and as Jim pointed out above, you may want to re-read http://www.postfix.org/TLS_README.html to see why setting zimbraMtaSmtpdTlsAskCcert to "yes" could cause you not to receive otherwise legitimate email.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate