On Tue, Oct 13, 2015 at 10:53:47PM +0000, Kevin Miller wrote:

> I need to set up a server so that any mail to/from a specific domain
> (Alaska.gov - external to us) is using mandatory TLS. The server is a
> mail gateway - it doesn't have any local mailboxes and acts as a virus/spam
> filter relay to internal mail servers.
The "to" part is straight-forward enough, just some policy settings.
The "from" part is a bit of a catch-22. Without, say, TLS client certs,
how do you know that a particular client is "alaska.gov" and therefore
must do TLS? Do you want to hard-code their sending IP address range?
Do you want to enforce TLS hop-by-hop policy on end-to-end envelope
sender addresses, thereby potentially breaking forwarding?

The most reasonable way to do this is for alaska.gov to return the favour
and enforce the converse policy on their side when sending to your domain.

> In main.cf,
> === Begin TLS settings for receiving mail ===
> smtpd_use_tls=yes

Delete, obsoleted by smtpd_tls_security_level.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 2

Too high for normal use. Use "1" instead.

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_received_header = yes
> === End TLS settings for receiving mail ===

Mostly fine, but I don't see any settings for the server certificate
file. Something along the lines of:

    smtpd_tls_cert_file = ${config_directory}/smtpd.pem

with a root-owned mode 0700 file containing the PEM private key and
associated certificate.

> === Begin TLS settings for sending mail ===
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_security_level = may
> smtp_tls_loglevel = 2

Too high for normal use. Use "1" instead.

> smtp_tls_policy_maps = hash:/etc/postfix/cbj_tls_policy
>
> cbj_tls_policy looks like:
> alaska.gov encrypt
> === End TLS settings for sending mail ===

This enforces unauthenticated mandatory TLS.

> I'm a little confused however on the difference between the smtpd_* settings
> and smtp_* settings. It seems that the smtp_* settings are for "client"
> connectivity and smtpd for "server".
Correct, client == Your Postfix is the client == You're sending mail
Correct, server == Your Postfix is the server == You're receiving mail

> Is client defined as any external
> host contacting my server, i.e. an inbound connection? It's not clear to
> me whether it refers to just MUAs or also to remote MTAs.

No, that would be "server" not client, and Postfix has no idea what's
an MUA or an MTA. Of course typically MTAs connect to port 25 and send
mail just to your domains, while MUAs connect to 587 and submit mail
for delivery to various domains.

> I presume that the smtpd settings are for messages that we originate.

No, they are for messages you receive.

> Alaska.gov will set their side to only send to us using TLS.

Super! That way you're not faced with the difficult task of trying to
enforce for them on your end.

> If they fail to I want to reject it (but only them).

This is difficult, perhaps even unwise. What criterion do you want to
use to determine that mail is coming "from them"?

> I want to only send to them using
> TLS. If my server doesn't, it's on them to reject it but it would be good
> to only send if it is encrypted.

You've already done that.

> Is there anything I should add or strip out of the above?

See above.

-- 
	Viktor.
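As an added example (not part of the thread and not Postfix's own tooling), the following POSIX shell script checks a main.cf for the points raised in the reply above: the obsolete smtpd_use_tls, a missing smtpd_tls_cert_file, a TLS loglevel above 1, and a PEM file that group or other users can read. The two sample configurations it writes are constructed from the quoted settings (the "before" one is the original, the "after" one has the fixes applied); the cbj_tls_policy map name is taken from the thread, and the smtpd.pem file it creates is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Postfix main.cf for the points
# raised in the reply (obsolete smtpd_use_tls, missing server certificate,
# TLS loglevel above 1) plus a check that the PEM file is not readable by
# group/others. Sample main.cf contents below are constructed.

# Print the last value assigned to parameter $2 in main.cf $1 (empty if unset).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Lint main.cf $1; prints one finding per line, nothing when clean.
lint_postfix_tls() {
    cf="$1"

    if grep -Eq '^[[:space:]]*smtpd_use_tls[[:space:]]*=' "$cf"; then
        echo "obsolete: smtpd_use_tls (superseded by smtpd_tls_security_level)"
    fi

    cert=$(cf_get "$cf" smtpd_tls_cert_file)
    if [ -z "$cert" ]; then
        echo "missing: smtpd_tls_cert_file (no certificate to offer STARTTLS with)"
    elif [ -f "$cert" ]; then
        # The PEM file also holds the private key: only root should read it.
        case "$(ls -ld "$cert" | cut -c5-10)" in
            *r*) echo "exposed: $cert readable by group/others; make it root-owned mode 0700" ;;
        esac
    fi

    for p in smtpd_tls_loglevel smtp_tls_loglevel; do
        lvl=$(cf_get "$cf" "$p")
        if [ -n "$lvl" ] && [ "$lvl" -gt 1 ] 2>/dev/null; then
            echo "noisy: $p = $lvl (use 1 for normal operation)"
        fi
    done
    return 0
}

# Number of findings for main.cf $1.
count_findings() {
    lint_postfix_tls "$1" | grep -c .
}

# Constructed sample 1: the settings quoted in the thread, before the fixes.
write_before_cf() {
    cat > "$1" <<'EOF'
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtp_tls_policy_maps = hash:/etc/postfix/cbj_tls_policy
EOF
}

# Constructed sample 2: the same config after the reply's fixes, with the PEM
# file (a placeholder, not a real key) deliberately left world-readable at $2.
write_after_cf() {
    cat > "$1" <<EOF
smtpd_tls_cert_file = $2
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/cbj_tls_policy
EOF
    printf '%s\n' "PLACEHOLDER, NOT A KEY" > "$2"
    chmod 0644 "$2"
}

demo() {
    d=$(mktemp -d)
    write_before_cf "$d/before.cf"
    write_after_cf "$d/after.cf" "$d/smtpd.pem"
    echo "== before =="; lint_postfix_tls "$d/before.cf"
    echo "== after =="; lint_postfix_tls "$d/after.cf"
    rm -rf "$d"
}

demo
```

Against the "before" sample the lint reports four findings; the "after" sample reports only the exposed PEM file, and a `chmod 0600` on it clears that too. Only smtpd_tls_cert_file is set in the fixed config because Postfix's smtpd_tls_key_file defaults to the value of smtpd_tls_cert_file, which is what the single combined PEM file in the reply relies on.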