Thanks for taking this up. Concerning hardening TLS settings: can you recommend a read / web page that is suitable for a home email server? Thanks in advance.
Here is the postconf -Mf output:

smtp       inet  n       -       n       -       -       smtpd
amavisfeed unix  -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
spamassassin unix -      n       n       -       -       pipe
    flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=

Thanks,
Wolfgang

On Wed, Nov 28, 2018 at 4:55 PM Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 6:49, wp.rauchholz wrote:
>
> > [root@home postfix]# telnet localhost 465
>
> That's abnormal. Port 465 is normally TLS-wrapped, so telnet should not
> work for testing it. That it seemingly DOES work (at least to connect
> and try mail...) means that you've done something unusual in master.cf.
>
> Please provide the output of "postconf -Mf" so that we can see how that
> port is configured.
>
> Tangentially: all those customized "hardening" smtpd_tls_* settings you
> have will result in your server receiving more mail over unencrypted
> sessions, because many sending systems won't be able to live up to your
> TLS standards and so will fall back to sending in the clear. This makes
> your mail flow in aggregate much LESS secure.
>

--
Wolfgang Rauchholz
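
Added example, not part of the thread and not code from Postfix or either poster: the smtps entry in the postconf -Mf output above has no "-o smtpd_tls_wrappermode=yes" override, the master.cf setting that makes an smtpd listener TLS-wrapped, which is consistent with telnet connecting to port 465 in plaintext. The Python below parses postconf -Mf text and lists such listeners; the sample input is constructed, the function names are hypothetical, and it assumes main.cf leaves smtpd_tls_wrappermode at its default of no.

```python
import sys

# Constructed sample shaped like `postconf -Mf` output (not the poster's file).
SAMPLE = """\
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
465        inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
"""
# Service names/ports conventionally used for implicit (wrapped) TLS.
IMPLICIT_TLS = {"smtps", "submissions", "465"}

def parse_master(text):
    """Return [(service, type, command, {option: value})] for each entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:   # continuation of previous entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        f = line.split()
        if len(f) < 8:                     # not a complete service entry
            continue
        opts, args = {}, f[8:]
        for i, tok in enumerate(args):     # collect "-o name=value" overrides
            if tok == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                opts[name] = value
        entries.append((f[0], f[1], f[7], opts))
    return entries

def unwrapped_tls_services(text):
    """Implicit-TLS smtpd listeners lacking smtpd_tls_wrappermode=yes (assumes main.cf default)."""
    return [svc for svc, kind, cmd, opts in parse_master(text)
            if kind == "inet" and cmd == "smtpd"
            and svc.rsplit(":", 1)[-1] in IMPLICIT_TLS
            and opts.get("smtpd_tls_wrappermode", "no") != "yes"]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for svc in unwrapped_tls_services(text):
        print(f"{svc}: smtpd_tls_wrappermode=yes missing in master.cf")
```

Run on the mail server as: postconf -Mf | python3 thisfile.py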