My github Postfix repo: https://github.com/vdukhovni/postfix
has a "tlsfallback" branch, which extends Postfix with two new pairs (smtp and lmtp flavours) of parameters (postconf(5) documentation snippets below). I am soliciting feedback on the interface and any operational experience if anyone is willing to test the code on a live system. You can test just the "audit" feature if you wish, if audit-only "security" (log authentication failure and deliver anyway) is not your cup of tea.

    $ git clone https://github.com/vdukhovni/postfix.git
    $ cd postfix/postfix
    $ git checkout tlsfallback

Set shared=yes/no dynamicmaps=yes/no to taste, tweak other compile-time options and build (see INSTALL file for details):

    $ make -f Makefile.init shared=yes dynamicmaps=yes \
        CCARGS="... -DUSE_TLS ..." \
        AUXLIBS="... -lssl -lcrypto ..." \
        AUXLIBS_CDB=... \
        AUXLIBS_PCRE=... \
        ... \
        makefiles
    $ make

Install the new code:

    # make upgrade

Even if running the code is too bleeding-edge, comments based on the documentation are welcome. Do you want/need the new features? Is the audit interface too complex (it errs on the side of flexibility, perhaps there should be a handful of named templates whose definitions could be changed by the adventurous, but most users could use a standard setting)?

Documentation snippets:
-----------------------

smtp_tls_fallback_level (default: empty)
       Optional fallback levels for authenticated TLS levels. Specify a
       white-space or comma-separated list of policy_level=fallback_level
       pairs. The policy_level must require authentication (be one of dane,
       dane-only, fingerprint, verify, secure). The fallback_level must be
       "encrypt" or "may". When an authenticated connection with a policy
       level equal to one of the specified values cannot be established,
       delivery will proceed at the fallback level if possible. A warning
       will be logged indicating the fallback reason. You can use
       smtp_tls_audit_template to record the TLS security status for each
       delivery.

       The TLS policy table can be used to specify a destination-specific
       fallback strategy via the "fallback" policy attribute. The value of
       the "fallback" attribute, if specified, must be "may", "encrypt" or
       "none". If not "none", this specifies the fallback level for the
       destination in question. If the attribute value is "none", fallback
       is suppressed for the destination even if enabled via a global
       setting of smtp_tls_fallback_level.

       Example:

       /etc/postfix/main.cf:
           # When authentication fails, log a warning and deliver anyway
           # over an unauthenticated TLS connection.
           #
           smtp_tls_fallback_level = dane=encrypt, dane-only=encrypt, fingerprint=encrypt, verify=encrypt, secure=encrypt
           indexed = ${default_database_type}:${config_directory}/
           smtp_tls_policy_maps = ${indexed}tls-policy

       /etc/postfix/tls-policy:
           # No fallback for example.com
           example.com     secure fallback=none
           # For example.net tolerate cleartext fallback
           example.net     dane fallback=may

       This feature is available in Postfix 2.12 and later.

smtp_tls_audit_template (default: empty)
       Optional template for TLS audit logging at the completion of each
       message data transfer. If empty (the default setting) no TLS audit
       log entries are generated. The following $name expansions are done
       on smtp_tls_audit_template:

       $relay
              The remote SMTP server.

       $level
              The effective TLS security level after any fallback.

       $policy
              The desired TLS security level before any fallback, undefined
              if no fallback took place.

       $auth
              The authentication level of the remote SMTP server. One of
              "Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified".

       $protocol
              The TLS protocol version, defined only when TLS is used.

       $cipher
              The TLS cipher name, defined only when TLS is used.

       $cert_digest
              The digest of the remote SMTP server's certificate, defined
              only when TLS is used and the remote server presented a
              certificate. The digest algorithm is that specified via
              smtp_tls_fingerprint_digest.

       $spki_digest
              The digest of the remote SMTP server's public key (Subject
              Public Key Info or SPKI from X.509), defined only when TLS is
              used and the remote server presented a certificate. The digest
              algorithm is that specified via smtp_tls_fingerprint_digest.

       ${name?value}
              Expands to value when $name is non-empty.

       ${name:value}
              Expands to value when $name is empty.

       Example:

       /etc/postfix/main.cf:
           smtp_tls_audit_template = tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}}

       This feature is available in Postfix 2.12 and later.

-- 
	Viktor.
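The fallback-level list, the per-destination "fallback" attribute and the ${name?value}/${name:value} template expansion described above, as an added Python simulation (example code written for this post, not Postfix's own code; the function names and the sample attribute values are assumptions):

```python
import re
# Constructed simulation of the two features described in the post; not Postfix's own code.
AUTH_LEVELS = ("dane", "dane-only", "fingerprint", "verify", "secure")
NAME = r"[A-Za-z_][A-Za-z0-9_]*"

def parse_fallback_levels(setting):
    """smtp_tls_fallback_level: 'dane=encrypt, verify=may' -> {'dane': 'encrypt', ...}."""
    pairs = {}
    for item in filter(None, re.split(r"[\s,]+", setting)):
        policy, _, fallback = item.partition("=")
        if policy not in AUTH_LEVELS or fallback not in ("encrypt", "may"):
            raise ValueError("bad fallback spec: " + item)
        pairs[policy] = fallback
    return pairs

def effective_fallback(policy_level, global_setting, attr=None):
    """A policy-table 'fallback=' attribute overrides the global list; 'none' suppresses."""
    if attr is None:
        return parse_fallback_levels(global_setting).get(policy_level)
    if attr not in ("none", "may", "encrypt"):
        raise ValueError("bad fallback attribute: " + attr)
    return None if attr == "none" else attr

def expand(template, attrs):
    """Expand $name, ${name}, ${name?value} and ${name:value}; values may nest."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "$":
            out.append(template[i]); i += 1; continue
        if template.startswith("${", i):
            depth, j = 1, i + 2                   # scan for the matching close brace
            while j < len(template) and depth:
                depth += {"{": 1, "}": -1}.get(template[j], 0)
                j += 1
            m = re.match("(" + NAME + r")([?:])?(.*)", template[i + 2:j - 1], re.S)
            if depth or not m:
                raise ValueError("malformed ${...} in template")
            name, op, value = m.groups()
            val = attrs.get(name, "")             # unset names expand as empty
            if op is None:
                out.append(val)
            elif (op == "?") == bool(val):        # '?' needs non-empty, ':' needs empty
                out.append(expand(value, attrs))
            i = j
        else:                                     # bare $name, or a literal '$'
            m = re.match(NAME, template[i + 1:])
            out.append(attrs.get(m.group(0), "") if m else "$")
            i += 1 + (m.end() if m else 0)
    return "".join(out)
```

Fed the main.cf template from the snippet and a cleartext delivery (only relay, auth and level set), expand() yields "tlsaudit: relay=..., auth=Cleartext, level=may", the undefined names dropping their ", policy=" and later fragments entirely.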