On Mon, Dec 09, 2019 at 07:17:46AM +0000, Felix Rubio wrote:

> My requirements are:
> - Require encrypted and authenticated user to submit mail from non-local
>   (other than 127.0.0.x) connections
> - Allow unencrypted/unauthenticated users to submit mail from local
>   (127.0.0.x) connections
>
> mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
> smtpd_relay_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination

Well, clearly your definition of "non-local" is broader than 127.0.0.x,
it also includes two RFC1918 address (sub)blocks.

> smtpd_tls_eecdh_grade = ultra

With OpenSSL 1.0.2 and later, the default is "auto", and you very much
SHOULD NOT override that.

> smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH,
>     MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL

What on earth is all that? Just go with the default setting instead of
pasting in random garbage from some clueless blog.

> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

I'd leave TLS 1.0 enabled for at least another year, safer than
cleartext, and still used to some degree with SMTP.

> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Not needed, now that we have session tickets.

> tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH

Don't, the default is fine.

> tls_ssl_options = no_ticket, no_compression

I doubt you can provide good reasons to disable session tickets, don't
disable them.

> To fulfill my requirements with respect to local/remote authentication
> and encryption settings, in master.cf I have:
>
> smtp       inet  n       -       y       -       -       smtpd
>   -o smtpd_sasl_auth_enable=no
> submission inet  n       -       y       -       -       smtpd
>   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

This is largely ineffective. See the stock Postfix master.cf file for a
much better approach.

> 127.0.0.1:588 inet n       -       y       -       -       smtpd
>   -o smtpd_sasl_exceptions_networks=
>   -o smtpd_tls_auth_only=no

There's no reason for this. Just use a single port 587 submission
service, then allow traffic from the loopback interface, and otherwise
reject unencrypted sessions via "reject_plaintext_session". The below
client access table should work.

allow-loopback.cidr:
    127.0.0.0/8 OK
    ::1 OK

Then just:

    mua_client_restrictions =
        check_client_access cidr:${config_directory}/allow-loopback.cidr,
        reject_plaintext_session,
        permit_sasl_authenticated,
        reject

Since the loopback clients won't need to authenticate, you don't need
to set "smtpd_tls_auth_only = no".

Your configuration looks much too dense with extraneous settings, I
don't have the cycles to review them all. Resist the urge to
over-customize, especially settings you don't fully understand.

-- 
Viktor.
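The two restriction lists in this exchange (Felix's original smtpd_relay_restrictions with the broad mynetworks, and the mua_client_restrictions proposed in the reply) differ only in evaluation order and in which restriction fires first for a given client. The following is an added toy model written for this page, not Postfix source code and not anything either poster wrote. It re-implements only the semantics of the handful of restrictions that appear above (check_client_access against a cidr: table, reject_plaintext_session, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination and reject), using the implicit "permit at end of list" rule, so that one can see why a loopback client passes without SASL, why a plaintext remote session is refused before SASL is even considered, and why the original mynetworks let 10.8.0.x relay unauthenticated. The Session class, the names of the functions and the "external recipient" flag used to stand in for reject_unauth_destination are all assumptions of this model.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example,
not Postfix code).  First restriction returning OK or REJECT decides;
DUNNO falls through; an exhausted list permits."""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the allow-loopback.cidr table proposed in the reply.
ALLOW_LOOPBACK_CIDR = """
# network        action
127.0.0.0/8      OK
::1              OK
"""


def parse_cidr_table(text):
    """Parse a Postfix-style cidr: table into ordered (network, action) pairs."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        table.append((ipaddress.ip_network(net, strict=False), action.strip().upper()))
    return table


@dataclass
class Session:
    """The facts about one SMTP session that these restrictions look at (assumed shape)."""
    client: str                       # client IP address as a string
    tls: bool                         # STARTTLS negotiated?
    sasl_authenticated: bool          # SASL AUTH succeeded?
    external_recipient: bool = True   # recipient not in a domain we accept mail for


def _in_any(ip, networks):
    return any(ip.version == n.version and ip in n for n in networks)


def check_client_access(table, session):
    """cidr: lookup; first matching entry wins, no match is DUNNO (None)."""
    ip = ipaddress.ip_address(session.client)
    for net, action in table:
        if ip.version == net.version and ip in net:
            return action
    return None


def evaluate(restrictions, session, *, mynetworks=(), client_table=()):
    """Walk the list left to right and return 'permit' or 'reject'."""
    ip = ipaddress.ip_address(session.client)
    for r in restrictions:
        if r == "check_client_access":
            result = check_client_access(client_table, session)
            if result == "OK":
                return "permit"
            if result == "REJECT":
                return "reject"
        elif r == "reject_plaintext_session":
            if not session.tls:
                return "reject"
        elif r == "permit_sasl_authenticated":
            if session.sasl_authenticated:
                return "permit"
        elif r == "permit_mynetworks":
            if _in_any(ip, mynetworks):
                return "permit"
        elif r == "reject_unauth_destination":
            # Modelled with the external_recipient flag: relaying to a
            # destination we are not responsible for is refused.
            if session.external_recipient:
                return "reject"
        elif r == "reject":
            return "reject"
        else:
            raise ValueError(f"restriction not modelled here: {r}")
    return "permit"  # implicit default when the list is exhausted


# The list proposed in the reply, evaluated against the loopback table.
MUA_CLIENT_RESTRICTIONS = [
    "check_client_access", "reject_plaintext_session",
    "permit_sasl_authenticated", "reject",
]


def submission_decision(session):
    return evaluate(MUA_CLIENT_RESTRICTIONS, session,
                    client_table=parse_cidr_table(ALLOW_LOOPBACK_CIDR))


# Felix's original mynetworks and smtpd_relay_restrictions, as quoted above.
ORIGINAL_MYNETWORKS = [ipaddress.ip_network(n)
                       for n in ("127.0.0.0/24", "10.8.0.0/24", "172.17.0.0/16")]
ORIGINAL_RELAY_RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
]


def original_relay_decision(session):
    return evaluate(ORIGINAL_RELAY_RESTRICTIONS, session, mynetworks=ORIGINAL_MYNETWORKS)


if __name__ == "__main__":
    for s in (Session("127.0.0.1", tls=False, sasl_authenticated=False),
              Session("10.8.0.5", tls=False, sasl_authenticated=False),
              Session("10.8.0.5", tls=True, sasl_authenticated=True)):
        print(s.client, "submission:", submission_decision(s),
              "original relay:", original_relay_decision(s))
```

Running it shows the contrast the reply draws: under the proposed list a 10.8.0.5 client with no TLS is rejected by reject_plaintext_session regardless of any SASL attempt, whereas the original permit_mynetworks lets the same client relay without TLS or authentication because 10.8.0.0/24 is in mynetworks.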