dovecot - Oct 2015 - TLS communication director -> backend with X.509 cert checks?

Hello,

using Dovecot 2.2.9 and a setup with directors and backends.
The communication between directors and backends needs to be TLS
secured.

The director config contains a list of hostnames for the backends.
(implicit list because of multiple A/AAAA records for a single hostname
or explicit list of several host names)

On connection setup from a client the director connects to the
selected backend. But it seems (not checked in the source yet),
that for SSL certificate verification the director doesn't know the
original host name anymore. The certificate's CN gets compared to
the IP address the director connects to.

Oct 12 23:56:51 director2 dovecot: director: Error:
director(2001:683:921:f33::5:1:9090/out): connect() failed: Connection reset by
peer
Oct 12 23:57:53 director2 dovecot: imap-login: Error: proxy: hostname
doesn't match SSL certificate at 2001:683:921:f33::5:fe:993:
user=<foo>, method=PLAIN, rip=2001:638:912:f33::1:1,
lip=2001:638:912:f33::5:2, TLS, session=<fLrUa+8hggAgAQY4CRIPMwAAAAAAAQAB>

In 10-directors.conf I've:
director_mail_servers = backend1.<domain> backend2.<domain>

Should I create certificates with IP address in SAN? (Any hint about the
correct syntax for the openssl.conf is welcome). Or is there any chance
that this is fixed already or will be fixed in the near future or even
better, that it's my fault?

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151013/4b24babb/attachment-0001.sig>

On 13 Oct 2015, at 21:44, Heiko Schlittermann <hs at schlittermann.de>
wrote:
> 
> Hello,
> 
> using Dovecot 2.2.9 and a setup with directors and backends.
> The communication between directors and backends needs to be TLS
> secured.
> 
> The director config contains a list of hostnames for the backends.
> (implicit list because of multiple A/AAAA records for a single hostname
> or explicit list of several host names)
> 
> On connection setup from a client the director connects to the
> selected backend. But it seems (not checked in the source yet),
> that for SSL certificate verification the director doesn't know the
> original host name anymore. The certificate's CN gets compared to
> the IP address the director connects to.
Right. The hostnames are lost immediately at director startup. I've never
really thought about needing this functionality for director, since they're
usually in the same trusted network with backends..
> Should I create certificates with IP address in SAN? (Any hint about the
> correct syntax for the openssl.conf is welcome). Or is there any chance
> that this is fixed already or will be fixed in the near future or even
> better, that it's my fault?
I guess that could work for now. No idea about how to do such certificates.

Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:02:59 CEST):
?
> > On connection setup from a client the director connects to the
> > selected backend. But it seems (not checked in the source yet),
> > that for SSL certificate verification the director doesn't know
the
> > original host name anymore. The certificate's CN gets compared to
> > the IP address the director connects to.
> 
> Right. The hostnames are lost immediately at director startup. I've
never really thought about needing this functionality for director, since
they're usually in the same trusted network with backends..
> 
That's it? "ususally". And additionally local policy says that we
should use
secured connections whenever credentials are transported ? And since the
director uses either a master password or the credentials obtained from
the client, we want to use secured connections. And using TLS w/o
verified certs is better than nothing, but it's far from being perfect.

I see:

    a) pass the host *names* to the director too, for CN verification
       purpose

       May be in struct mail_host could be a field for the original
       hostname we used to obtain the adress(es)?

or
    b) allow some kind of certificate pinning, that is loose the implied
       relation CN <=> hostname
> > Should I create certificates with IP address in SAN? (Any hint about
the
> > correct syntax for the openssl.conf is welcome). Or is there any
chance
> > that this is fixed already or will be fixed in the near future or even
> > better, that it's my fault?
> 
> I guess that could work for now. No idea about how to do such certificates.
I'll try that, but I think it's not a solution as soon as we reach out
for "official" certs. And because it puts more details about the
infrastructure into the configuration than would be necessary.

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151013/6f845a4a/attachment.sig>

Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:02:59
CEST):
> > the IP address the director connects to.
> 
> Right. The hostnames are lost immediately at director startup. I've
never really thought about needing this functionality for director, since
they're usually in the same trusted network with backends..
> 
Ooo.
What if 

    director_mail_servers = backends.<domain>

and the DNS entry for backends.<domain> gets updated? Does the director
catch up the change automatically w/o restart?

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151013/f152bd58/attachment.sig>