Hello,

On 2013-10-14 14:12, Dan Langille wrote:
I have a group of Postfix servers. I want communications between these
servers to be TLS and clients must present a known certificate.

These servers are also public-facing and accept incoming mail from
servers not under my control.

I just started setting this up and it seems to be working as expected.
I'm looking for feedback and suggestions. I think I understand what
I'm doing.

Each of these servers will accept mail from the other servers on port 5587.

The master.cf has something like this:

64.147.113.42:5587 inet n       -       n       -       -       smtpd
  -o smtp_tls_security_level=encrypt
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/D.example.org.nopassword.key
  -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=

Some of the entries from main.cf are:

smtp_tls_policy_maps = hash:/usr/local/etc/postfix-config/tls_policy
transport_maps = hash:/usr/local/etc/postfix-config/transport
relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
smtpd_tls_fingerprint_digest=sha1
smtp_tls_fingerprint_digest=sha1

Ensure that comms are via TLS:

# cat /usr/local/etc/postfix-config/tls_policy
[A.example.org]:5587 encrypt protocols=TLSv1 ciphers=high
[B.example.org]:5587 encrypt protocols=TLSv1 ciphers=high
[C.example.org]:5587 encrypt protocols=TLSv1 ciphers=high

Make sure the comms go to the right service:

# cat /usr/local/etc/postfix-config/transport
A.example.org  :[A.example.org]:5587
B.example.org  :[B.example.org]:5587
C.example.org  :[C.example.org]:5587

Accept incoming mail only if these certs are presented:

# cat /usr/local/etc/postfix-config/relay_clientcerts
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:55 b.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:66 c.example.org

I think "secure" can also check DNS; "encrypt" does not check if DNS is wrong.
When you set in your /etc/hosts:

  111.111.111.111   A.example.org
  222.222.222.222   B.example.org
  212.212.212.212   C.example.org

then "secure" can check before sending the mail if the DNS is right or caught by someone. Otherwise the mail goes to the destination that A.example.org or the others point to.

Dunno if I understand that completely right. But Viktor pointed me in March to the TLS_README;
that took me a while to understand all the things.

marko
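As an added example (not from the thread or from Postfix itself), here is a small Python emulation of the fingerprint side of the quoted setup: it computes a certificate's fingerprint in the colon-separated form relay_clientcerts expects (SHA-1 by default, matching smtpd_tls_fingerprint_digest = sha1 in the quoted main.cf) and checks a presented certificate against that allow-list the way permit_tls_clientcerts would. The PEM blobs and the second allow-list entry are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample input: PEM wrappers around made-up 3-byte "DER" bodies.
# A real certificate (e.g. the server.pem from the post) goes through the same path.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
OTHER_PEM = "-----BEGIN CERTIFICATE-----\nAAAB\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and decode its base64 body to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Digest of the DER certificate, rendered as colon-separated upper-case hex
    (the form used in the quoted relay_clientcerts file). 'digest' mirrors
    smtpd_tls_fingerprint_digest; the post uses sha1."""
    raw = hashlib.new(digest, pem_to_der(pem)).digest()
    return ":".join(f"{b:02X}" for b in raw)


def load_relay_clientcerts(text: str) -> dict:
    """Parse a relay_clientcerts source file: '<fingerprint> <label>' per line,
    ignoring blank lines and '#' comments. Keys are normalised to upper case here
    (an assumption of this example) so a lower-case fingerprint still matches."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp, _, label = line.partition(" ")
        table[fp.upper()] = label.strip()
    return table


def client_allowed(pem: str, table: dict, digest: str = "sha1"):
    """Emulate permit_tls_clientcerts: the label if the presented certificate's
    fingerprint is listed, otherwise None (which the quoted config turns into reject)."""
    return table.get(cert_fingerprint(pem, digest))


# Constructed allow-list: the first entry from the quoted file plus the sample cert.
RELAY_CLIENTCERTS = (
    "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org\n"
    f"{cert_fingerprint(SAMPLE_PEM)} sample.example.org\n"
)
```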
