On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:
> Thanks for taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page
> that is suitable for a home email server?
The TLS "readme" files in the Postfix distribution (and at
http://www.postfix.org/TLS_README.html and
http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
to know.
The short version: Postfix default TLS cipher and protocol settings are
fine, for releases after 2015. For older versions, you may need to set
smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
!SSLv3" which is the default in currently supported versions.
> Thanks in advance
> Here the postconf -Mf output
>
> smtp       inet  n       -       n       -       -       smtpd
> amavisfeed unix  -       -       n       -       2       lmtp
>     -o lmtp_data_done_timeout=1200
>     -o lmtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20
> submission inet  n       -       n       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>     -o milter_macro_daemon_name=ORIGINATING
That's the 'submission' (port 587) daemon, which opens connections in
cleartext and supports the "STARTTLS" command to upgrade the connection
to TLS encryption (because your main config includes
"smtpd_tls_security_level = may"). To send mail through this daemon, you
MUST either be sending to a domain that Postfix is configured to accept
mail for (local, virtual, and relay domains) OR authenticate using SASL
first. Because of "smtpd_tls_auth_only = yes" in your main config, you
can only authenticate using SASL *after* using STARTTLS to negotiate a
TLS session.
> smtps      inet  n       -       n       -       -       smtpd
>     -o syslog_name=postfix/smtps
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>     -o milter_macro_daemon_name=ORIGINATING
That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
have an additional configuration override directive:

    -o smtpd_tls_wrappermode=yes

which "wraps" the SMTP session in TLS encryption that is negotiated
immediately at connect time, rather than having clients connect in the
clear. As it stands, your 'submission' and 'smtps' daemons will behave
identically, except for listening on different ports and using different
syslog labels. There's no benefit in that, because any client using port
465 will expect the smtps 'wrappermode' behavior and any using port 587
will expect the configured cleartext/STARTTLS behavior.
Because you are overriding the default smtpd_recipient_restrictions with
a restriction list which only permits mail from authenticated senders or
to recipients in local and relay-authorized domains, your attempt to
send mail to a gmail.com address was rejected.
You were able to send through port 25 because by default,
smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
This lets the mail through because you are connecting from the loopback,
which is included in your mynetworks setting.
I hope this helps. Good luck!
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
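As an added example, not part of this thread and not Postfix's own tooling: a small POSIX shell script that reads postconf -Mf style output and flags an 'smtps' service entry that lacks the smtpd_tls_wrappermode=yes override discussed above. The master.cf sample embedded in it is constructed to mirror the shape of the poster's output (it is not their real configuration), and the function names service_override and check_smtps_wrappermode are the script's own. To run it against a live server, feed it `postconf -Mf` output instead of the sample.

```shell
#!/bin/sh
# Constructed sample of 'postconf -Mf' output (NOT the poster's real config):
# the smtps entry is missing smtpd_tls_wrappermode=yes, exactly the gap
# discussed in the reply above; the submission entry is a normal STARTTLS listener.
SAMPLE_MASTER='smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING'

# service_override SERVICE PARAM   (master.cf text on stdin)
# Prints the value of the "-o PARAM=..." override under SERVICE's entry,
# or "unset" when that entry carries no such override.
service_override() {
    awk -v svc="$1" -v key="$2" '
        # A non-indented line starts a new service entry; remember whether
        # it is the inet service we were asked about.
        /^[^ \t]/ { in_svc = ($1 == svc && $2 == "inet") }
        # Indented "-o name=value" lines belong to the current entry.
        in_svc && $1 == "-o" {
            eq = index($2, "=")
            if (eq > 0 && substr($2, 1, eq - 1) == key) {
                print substr($2, eq + 1)
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }'
}

# check_smtps_wrappermode MASTER_TEXT
# Returns 0 when the smtps service uses implicit TLS (wrappermode) and
# 1 when it would instead behave as a second cleartext/STARTTLS listener.
check_smtps_wrappermode() {
    mode=$(printf '%s\n' "$1" | service_override smtps smtpd_tls_wrappermode)
    if [ "$mode" = "yes" ]; then
        echo "OK: smtps has smtpd_tls_wrappermode=yes (implicit TLS on port 465)"
        return 0
    fi
    echo "WARN: smtps has smtpd_tls_wrappermode=$mode; port 465 clients expect implicit TLS"
    return 1
}

# Stand-alone run: first the constructed sample, then a copy with the
# missing override appended to the end of the smtps entry.
if ! check_smtps_wrappermode "$SAMPLE_MASTER"; then
    echo "-> add '-o smtpd_tls_wrappermode=yes' under the smtps entry in master.cf"
fi
FIXED_MASTER="$SAMPLE_MASTER
    -o smtpd_tls_wrappermode=yes"
check_smtps_wrappermode "$FIXED_MASTER"
```

The check only looks at the per-service override, which is where Postfix expects wrappermode for the smtps listener; a global smtpd_tls_wrappermode=yes in main.cf would also switch port 25 and 587 to implicit TLS, which is not what their clients expect.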