I enabled SSL on my PostgreSQL database and enforced it using pg_hba.conf
with the following line:
hostssl all all 0.0.0.0/0 md5
From the PostgreSQL connection logs and network traffic captured via tcpdump, it seems that SSL connections are being made:
2024-10-20 10:12:16.140 UTC [63] LOG: connection authenticated: identity="user" method=md5 (/etc/postgresql/pg_hba.conf:136)
2024-10-20 10:12:16.140 UTC [63] LOG: connection authorized: user=user database=db SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256)
However, as Dovecot and PostgreSQL are running on different machines and the certificate and its CA are not trusted on the Dovecot machine, I expected Dovecot, which connects to PostgreSQL, to flag an issue with the self-signed certificate, but there are no complaints. This leads me to believe that the certificate is not being properly validated, making the connection vulnerable to attacks like MITM (Man-in-the-Middle).
Is there an extra configuration or step I'm missing to enforce certificate validation? How can I ensure that connections are secure, and the certificate is being properly validated?
This is a client configuration issue, and the supported client library for PostgreSQL is called libpq, which Dovecot is using. The related manual page, libpq SSL Support (for version 17), states explicitly: To force the verification, sslmode must be set to either verify-ca to check that the certificate is trusted by the chain, or even verify-full to also check that the name in the certificate matches the name in the libpq connection string. If you use Dovecot's SQL driver, that might look like this:
Only Dovecot is mentioned; I expect there is also at least some MTA, which might need a similar adjustment to its configuration too.
Your client system must also have a ~/.postgresql/root.crt file with trusted root CA certificates. Therefore, you must locate the Dovecot user's home directory and place the root certificate there. Alternatively, you may set the sslrootcert=/path/to/file parameter in the connection string to specify the file with the trusted root CA certificate, and provide that file instead.
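As an added illustration (not part of the answer above, and not Dovecot's or libpq's own code), the following POSIX shell script lints a Dovecot "connect =" string for the libpq TLS parameters the answer discusses. Dovecot hands that string to libpq unchanged, so the sslmode rules from the libpq manual apply to it directly. The host name, credentials and certificate path are constructed placeholders, and the parser assumes unquoted key=value pairs separated by spaces.

```sh
#!/bin/sh
# Added example: check whether a libpq connection string, as used in
# Dovecot's dovecot-sql.conf.ext "connect =" setting, verifies the server
# certificate. Values below are constructed placeholders.

# A connect string without any sslmode: libpq defaults to "prefer", which
# negotiates TLS but never checks the certificate chain or host name.
WEAK_CONNECT='host=db.example.internal dbname=mail user=dovecot password=secret'

# The corrected form: chain and host name are verified against the CA
# bundle given in sslrootcert (placeholder path).
STRONG_CONNECT='host=db.example.internal dbname=mail user=dovecot password=secret sslmode=verify-full sslrootcert=/etc/dovecot/pg-root.crt'

# Print the value of key $2 from connection string $1 (empty if absent).
# Assumes space-separated, unquoted key=value pairs; first match wins.
conn_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 when libpq will verify the server certificate for string $1,
# 1 otherwise. Prints a one-line reason for use in config audits.
check_connect() {
    mode=$(conn_param "$1" sslmode)
    case "$mode" in
        verify-full)
            echo "ok: sslmode=verify-full (CA chain and host name checked)"
            ;;
        verify-ca)
            echo "warn: sslmode=verify-ca (CA chain checked, host name not checked)"
            ;;
        *)
            echo "fail: sslmode='${mode:-<unset>}' does not verify the server certificate"
            return 1
            ;;
    esac
    root=$(conn_param "$1" sslrootcert)
    if [ -z "$root" ]; then
        echo "note: no sslrootcert given; libpq reads ~/.postgresql/root.crt of the user Dovecot runs as"
    else
        echo "note: trusted CA bundle taken from $root"
    fi
    return 0
}

check_connect "$WEAK_CONNECT" || echo "weak connect string rejected"
check_connect "$STRONG_CONNECT"
```

Run it as `sh check_connect.sh`; the first string is reported as failing because no sslmode is set, the second passes with verify-full. The same check applies to any other libpq client on the host (for example an MTA's lookup configuration), since they all read the same parameters.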