On 14 Aug 2018, at 23:05 (-0400), robac...@fastmail.us wrote:

> Hello,
> I'm starting the process of moving my mail from a hosted service to my
> own. It'll include a Postfix server.
> I got a test server running locally and 'sending & receiving' mail
> inside my LAN.
> Now I'm doing my reading on security issues, authentication, and the
> like.
> I've got stacks of articles and notes.
> I'm looking for any advice from opinionated, experienced Postfix
> users.
> Couple of production questions:
> (1)
> For open-source authentication milters (DKIM, DMARC, ARC) that work
> with Postfix on Linux, there seem to be two main choices:
> https://github.com/fastmail/authentication_milter
> That's checking only, not signing.
> https://github.com/trusteddomainproject/
> The OpenDKIM and OpenDMARC tools there are what most people use.
> What do folks here recommend to use?

I'm an outlier in that I use & recommend none of the above. I use the
MIMEDefang milter as a harness for everything Postfix doesn't do itself,
and prefer letting it do DKIM checks via SpamAssassin and signing with
an internal implementation using the Perl Mail::DKIM module. I don't see
a lot of value as a receiver to do any DMARC implementation.

> (2)
> Is it time -- in the real world -- to force STARTTLS yet?

No. See recent past traffic here on TLS issues for clues as to why.
Sturgeon's Law, unsurprisingly, applies to the deployed configurations
of production mail servers.

> What's the current advice for MTA-STS vs MTA-DANE? Which should we
> implement?

If you insist on trying to do one and only one of those, DANE is by far
the better choice. Accepting the fundamentally broken CA-based security
model as the price of postponing deployment of trustworthy DNS is deeply
unwise.

> (3)
> TLS 1.3 has been officially released.

You mean finalized as an IETF RFC. There is no "release" involved.

> I guess there will be a release of OpenSSL 1.1.1 that has it coming
> pretty soon.

The "pre-release" versions with support have been coming out for a few
months.

> What if anything should we be doing with Postfix and TLS 1.3?

Nothing. It has never been a good idea to fine-tune TLS version or
feature support in Postfix (aside from transient bug mitigation) and
TLSv1.3 cannot change the rationale for that.

> I'm guessing it will be ABLE to use it.

As long as there isn't something broken in OpenSSL 1.1.1, it should be
possible to build Postfix with it and get TLSv1.3 sessions when
possible.

> But I don't want to make the mistake of turning it on just to be
> current, if I then make it impossible to communicate with my servers.

Typically there is no need to "turn on" TLS versions in Postfix, it is
only a matter of how your Postfix is built and what libraries you have
installed for the build and at runtime. Given OpenSSL history, I would
expect that switching to v1.1.1 will require a rebuild of Postfix.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
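The DANE recommendation in the reply above rests on TLSA records that pin the receiving server's certificate or public key in DNSSEC-signed DNS instead of trusting a CA. As an added illustration (not code from this thread, from Postfix, or from any tool named in it), here is the TLSA matching an SMTP client performs, in Python; the certificate bytes are constructed placeholders standing in for DER-encoded certificates, and DNSSEC validation of the RRset is assumed to have already succeeded:

```python
import hashlib
from dataclasses import dataclass

# Matching type -> transform applied to the selected certificate bytes.
_MATCH = {0: lambda b: b,
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # 0/1 = PKIX-TA/PKIX-EE, 2 = DANE-TA, 3 = DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def parse_tlsa(presentation):
    """Parse the zone-file form '3 1 1 <hex>'; whitespace inside the hex is allowed."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TlsaRecord(int(usage), int(selector), int(matching),
                      bytes.fromhex("".join(hexdata.split())))

def association_data(record, cert):
    """What the RR data must equal for cert = (cert_der, spki_der); the
    selector picks which of the two the matching type is applied to."""
    return _MATCH[record.matching](cert[record.selector])

def record_matches_chain(record, chain):
    """chain[0] is the leaf, the rest are issuer certs the peer sent. Usage 0/1
    rely on the CA trust store and are unusable for SMTP (RFC 7672), so they never
    match. DANE-EE (3) pins the leaf. DANE-TA (2) pins an issuer; a real client
    must also verify that the leaf chains to that issuer (omitted here)."""
    if record.usage == 3:
        candidates = chain[:1]
    elif record.usage == 2:
        candidates = chain[1:]
    else:
        return False
    return any(association_data(record, c) == record.data for c in candidates)

def dane_verify(rrset, chain):
    """True if any usable TLSA RR matches: the client then requires TLS and
    fails closed rather than falling back to cleartext or CA-based trust."""
    return any(record_matches_chain(parse_tlsa(rr), chain) for rr in rrset)

# Constructed stand-in bytes (not real DER) so the example runs offline.
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
ISSUER = (b"constructed-issuer-cert", b"constructed-issuer-spki")
SAMPLE_RRSET = [
    "0 0 1 " + hashlib.sha256(LEAF[0]).hexdigest(),  # PKIX-TA: ignored for SMTP
    "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest(),  # DANE-EE, SPKI, SHA-256
]
```

Because the "3 1 1" record pins the server's own key, the check passes or fails on that key alone; no CA, and no CA-issued certificate for an attacker, can satisfy it.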