I'm forwarding specific mail from a remote Postfix instance to a local one.
I'm switching from SASL auth to a high-encryption TLS cert-auth'd connection.
It works to the extent that
(1) connections without the TLS cert in place are rejected
(2) a Trusted TLS connection is established at the server
(3) mail's received
On receipt, log on local
Jun 9 14:08:40 local010 postfix/relay-local/smtpd[14395]: connect from internal.remote016.DDDD.com[10.1.1.16]
Jun 9 14:08:40 local010 postfix/relay-local/smtpd[14395]: Trusted TLS connection established from internal.remote016.DDDD.com[10.1.1.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 14:08:40 local010 postfix/relay-local/smtpd[14395]: 01EFB102793: client=internal.remote016.DDDD.com[10.1.1.16]
I notice that on send, log on remote
Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: internal.local010.DDDD.com[10.128.1.10]:11587: subject_CN=relay-local.local010.DDDD.com, issuer_CN=DDDD.com_CA, fingerprint=AA:..., pkey_fingerprint=BB:...
Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: Untrusted TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: F150D66780: to=<[email protected]>, relay=internal.local010.DDDD.com[10.128.1.10]:11587, delay=0.4, delays=0/0/0.25/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 01EFB102793)
Should that be "Untrusted TLS connection", or does it need to be modified to be a "Trusted TLS connection"?
IIUC, since there's no Trust until the server auths the connection, this is OK as is.
Is it? Or can / should it get tightened down more?
Config on the remote
/master.cf
...
relay-remote unix - - n - - smtp
  -o smtp_bind_address=10.1.1.16
  -o smtp_connect_timeout=5
  -o smtp_helo_name=relay-remote.DDDD.com
  -o smtp_helo_timeout=5
  -o smtp_tls_loglevel=2
  -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
  -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
  -o smtp_tls_fingerprint_digest=sha1
  -o smtp_tls_mandatory_ciphers=high
  -o smtp_tls_mandatory_protocols=!TLSv1.1,!TLSv1,!SSLv3,!SSLv2
  -o smtp_tls_security_level=encrypt
  -o syslog_name=postfix/relay-remote
...
Config on the local
/master.cf
...
11587 inet n - n - - smtpd
  -o alias_database=
  -o alias_maps=
  -o content_filter=
  -o relayhost=
  -o relay_clientcerts=lmdb:/etc/postfix/relay_clientcerts
  -o relay_domains=
  -o relay_transport=relay:[127.0.0.1]:30011
  -o smtp_helo_name=relay-local.DDDD.com
  -o smtpd_client_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,reject_unauth_destination
  -o smtpd_sasl_auth_enable=no
  -o smtpd_sender_restrictions=
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_CApath=/etc/ssl/certs
  -o smtpd_tls_ccert_verifydepth=2
  -o smtpd_tls_cert_file=/etc/ssl/mail/relay-local.crt
  -o smtpd_tls_fingerprint_digest=sha1
  -o smtpd_tls_key_file=/etc/ssl/mail/relay-local.key
  -o smtpd_tls_loglevel=1
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_protocols=!TLSv1.1,!TLSv1,!SSLv3,!SSLv2
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix/relay-local
Also the local's
  -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,reject_unauth_destination
seems it could safely be
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
Any reason not to?
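As an added example, not part of the original post: a small Python audit that parses the Postfix "TLS connection established" log lines above and flags sessions whose trust level or protocol falls below a per-service policy. The client side logs "Untrusted" because smtp_tls_security_level=encrypt only demands encryption and does not verify the server certificate; the policy table (relay-remote expected to reach "Verified") and the sample lines, which are constructed from the ones in the post, are assumptions of this example.

```python
import re

# Trust words Postfix uses in "<level> TLS connection established" lines,
# ordered from weakest to strongest.
TRUST_ORDER = ["Anonymous", "Untrusted", "Trusted", "Verified"]

# Matches both smtpd ("from peer:") and smtp client ("to peer:port:") forms.
TLS_RE = re.compile(
    r"postfix/(?P<service>[\w-]+)/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

# Constructed sample log, based on the wrapped lines quoted in the post.
SAMPLE_LOG = [
    "Jun 9 14:08:40 local010 postfix/relay-local/smtpd[14395]: Trusted TLS connection "
    "established from internal.remote016.DDDD.com[10.1.1.16]: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: Untrusted TLS connection "
    "established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun 9 14:08:40 remote016 postfix/relay-remote/smtp[31281]: F150D66780: "
    "to=<[email protected]>, relay=internal.local010.DDDD.com[10.128.1.10]:11587, "
    "delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 01EFB102793)",
]


def parse_tls_line(line):
    """Return the fields of a TLS session line, or None for any other log line."""
    m = TLS_RE.search(line)
    return m.groupdict() if m else None


def proto_tuple(proto):
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1, 0), so versions compare numerically."""
    parts = proto[len("TLSv"):].split(".")
    return tuple(int(p) for p in parts) + (0,) * (2 - len(parts))


def audit(lines, policy, min_proto="TLSv1.2"):
    """Return (service, peer, reason) for each session below the required trust
    level for its syslog_name service, or below the minimum TLS protocol."""
    findings = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None or rec["service"] not in policy:
            continue
        want = policy[rec["service"]]
        if TRUST_ORDER.index(rec["trust"]) < TRUST_ORDER.index(want):
            findings.append((rec["service"], rec["peer"], f"{rec['trust']} < {want}"))
        if proto_tuple(rec["proto"]) < proto_tuple(min_proto):
            findings.append((rec["service"], rec["peer"], f"{rec['proto']} < {min_proto}"))
    return findings
```

Running audit(SAMPLE_LOG, {"relay-remote": "Verified", "relay-local": "Trusted"}) reports only the outbound relay-remote session, which is the one a stricter client-side security level (secure or fingerprint with a cert match) would turn into a "Verified" line.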