On 7/24/2017 7:33 AM, post...@xmas.de wrote:
> Hi,
> 
> isn't it possible to enforce TLS outbound to an MX?
> In the example below, if mx0.example.com isn't offering TLS the
> email is sent unencrypted!?
> Enforcing TLS to a domain is working as expected.
> 
> tls_policy:
> [mx0.example.com]         encrypt
> [4.3.2.1]                encrypt

According to the docs, the MX is not a supported key for the map.
Use the recipient domain or if you use a transport_maps entry, use
the verbatim next-hop from transport_maps.

http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

  -- Noel Jones

> 
> postfix-3.2.0
> 
> alias_database = hash:/etc/mail/aliases
> alias_maps = hash:/etc/mail/aliases
> append_dot_mydomain = no
> authorized_submit_users = root
> canonical_classes = envelope_sender, envelope_recipient
> canonical_maps = regexp:/etc/postfix-mx1/canonical
> compatibility_level = 2
> config_directory = /usr/local/postfix/postfix-outgoing
> data_directory = /var/lib/postfix-outgoing
> default_database_type = btree
> default_destination_concurrency_limit = 500
> default_destination_recipient_limit = 500
> disable_vrfy_command = yes
> fast_flush_domains =
> hopcount_limit = 50
> in_flow_delay = 0
> inet_interfaces = 192.168.0.41
> inet_protocols = ipv4
> local_recipient_maps =
> local_transport = error:5.1.1 Mailbox unavailable
> mailq_path = /usr/local/postfix/bin/mailq
> masquerade_classes = envelope_recipient, envelope_sender,
> header_sender, header_recipient
> masquerade_domains = xyz.com pallas.de xyz.com
> master_service_disable =
> maximal_queue_lifetime = 5d
> message_size_limit = 50000000
> multi_instance_enable = yes
> multi_instance_group = mta
> multi_instance_name = postfix-outgoing
> mydestination =
> mydomain = xyz.com
> myhostname = outgoing.xyz.com
> mynetworks = $config_directory/mynetworks
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/local/postfix/bin/newaliases
> queue_directory = /var/spool/postfix-outgoing
> sender_dependent_relayhost_maps =
> btree:/etc/postfix-outgoing/transport_sender
> sendmail_path = /usr/local/postfix/sbin/sendmail
> smtp_bind_address = 192.168.0.41
> smtp_dns_support_level = enabled
> smtp_host_lookup = dns, native
> smtp_tls_cert_file = ${smtpd_tls_cert_file}
> smtp_tls_ciphers = high
> smtp_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH
> EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA
> smtp_tls_key_file = ${smtpd_tls_key_file}
> smtp_tls_loglevel = 1
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_policy_maps = btree:/etc/postfix-outgoing/tls_policy
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP
> smtpd_discard_ehlo_keywords = silent-discard, etrn
> smtpd_error_sleep_time = 3s
> smtpd_helo_required = yes
> smtpd_recipient_limit = 500
> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
> permit_mynetworks, reject
> smtpd_relay_restrictions =
> smtpd_tls_CAfile = /etc/postfix-outgoing/cacert.pem
> smtpd_tls_cert_file = /etc/postfix-outgoing/outgoing.xyz.com.crt
> smtpd_tls_ciphers = high
> smtpd_tls_dh1024_param_file = /etc/postfix-outgoing/dhparams.pem
> smtpd_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH
> EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA
> smtpd_tls_key_file = /etc/postfix-outgoing/outgoing.xyz.com.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtputf8_enable = no
> tls_preempt_cipherlist = yes
> transport_maps = btree:/etc/postfix-outgoing/transport
> unknown_local_recipient_reject_code = 550
> 
> 
> 192.168.0.41:25 inet n  -       n       -       -       smtpd
> pickup     unix  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       unix  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> rewrite    unix  -       -       n       -       - trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> 
> 
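To make the reply concrete, here is an added example (not from the thread or the Postfix docs) of the two lookup keys that smtp_tls_policy_maps does honour. It assumes the map paths from the posted main.cf, and example.com / mx0.example.com as placeholder names.

```conf
# /etc/postfix-outgoing/transport  (assumed path, from the posted config)
#
# The smtp client looks up the policy by the next-hop it was handed, not by
# the MX hosts it resolves. Pinning the next-hop here is what makes a
# bracketed host (or IP literal) usable as a policy key at all.
example.com         smtp:[mx0.example.com]
example.org         smtp:[4.3.2.1]:2525

# /etc/postfix-outgoing/tls_policy  (assumed path, from the posted config)
#
# Case 1: routed by MX lookup, so the key is the recipient domain.
example.net         encrypt

# Case 2: routed via transport_maps, so the key is the verbatim next-hop,
# brackets and any explicit port included. A key of plain "mx0.example.com"
# or "[4.3.2.1]" would not match the second entry above.
[mx0.example.com]   encrypt
[4.3.2.1]:2525      encrypt

# Rebuild the btree maps after editing (both maps are btree: in the posted
# main.cf):
#   postmap btree:/etc/postfix-outgoing/transport
#   postmap btree:/etc/postfix-outgoing/tls_policy
```

With "encrypt", mail to a destination whose server does not offer STARTTLS is deferred in the queue rather than falling back to cleartext, which is the behaviour the original question was after.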
