Hi Viktor,

Thank you very much for your answer. I really appreciate the time you took to go through it. The reason for having the tls/auth parameters configured was, actually, a requirement I did not write (sorry for that, I wrote the mail in a hurry :-/):

- Require encrypted and authenticated user to submit mail from non-local (other than 127.0.0.x) connections
- Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections
- Allow unencrypted/authenticated users to submit mail from local (127.0.0.x) connections

With my current setup (so smtpd_tls_auth_only=yes in general, and disabling it for 127.0.0.1:588) I achieve exactly that. This way I can make sure that any connection to 587 that wants to send commands requiring AUTH will be encrypted, while local connections can authenticate without using TLS.

I have applied all the changes you proposed, and so far all works (this is not a lack of trust in you, but I have observed there are many knobs to turn in the configuration), but I still seem to need the smtpd service on 588.

Might you know of any way to achieve this setup with a simpler approach?

Thank you!
Felix


On 2019-12-09 07:44, Viktor Dukhovni wrote:
On Mon, Dec 09, 2019 at 07:17:46AM +0000, Felix Rubio wrote:

My requirements are:
- Require encrypted and authenticated user to submit mail from non-local (other than 127.0.0.x) connections
- Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections

     mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
     smtpd_relay_restrictions =
       permit_mynetworks
       permit_sasl_authenticated
       reject_unauth_destination

Well, clearly your definition of "non-local" is broader than 127.0.0.x,
it also includes two RFC1918 address (sub)blocks.

     smtpd_tls_eecdh_grade = ultra

With OpenSSL 1.0.2 and later, the default is "auto", and you very much
SHOULD NOT override that.

     smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH,
         MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL

What on earth is all that?  Just go with the default setting instead of
pasting in random garbage from some clueless blog.

     smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

I'd leave TLS 1.0 enabled for at least another year, safer than
cleartext, and still used to some degree with SMTP.

     smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Not needed, now that we have session tickets.

     tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH

Don't, the default is fine.

     tls_ssl_options = no_ticket, no_compression

I doubt you can provide a good reason to disable session tickets,
don't disable them.

To fulfill my requirements with respect to local/remote authentication
and encryption settings, in master.cf I have:

     smtp      inet  n       -       y       -       -       smtpd
        -o smtpd_sasl_auth_enable=no
     submission inet n       -       y       -       -       smtpd
        -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

This is largely ineffective. See the stock Postfix master.cf file for a
much better approach.

     127.0.0.1:588 inet n       -       y       -       -       smtpd
       -o smtpd_sasl_exceptions_networks=
       -o smtpd_tls_auth_only=no

There's no reason for this.  Just use a single port 587 submission
service, then allow traffic from the loopback interface, and otherwise
reject unencrypted sessions via "reject_plaintext_session".  The
below client access table should work.

    allow-loopback.cidr:
        127.0.0.0/8 OK
        ::1         OK

Then just:

    mua_client_restrictions =
        check_client_access cidr:${config_directory}/allow-loopback.cidr,
        reject_plaintext_session,
        permit_sasl_authenticated,
        reject

Since the loopback clients won't need to authenticate, you don't need to
set "smtpd_tls_auth_only = no".

Your configuration looks much too dense with extraneous settings, I
don't have the cycles to review them all.  Resist the urge to
over-customize, especially settings you don't fully understand.

--
Don't believe what you are told. Double check.
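A small model of how Postfix walks the mua_client_restrictions list proposed above, added here as an example and not code from the thread or from Postfix itself: each restriction answers OK, REJECT or DUNNO, and the first OK or REJECT ends the evaluation. The session records and the 203.0.113.5 / 10.8.0.7 client addresses are constructed; the model covers only the client-restriction stage, not smtpd_tls_auth_only or the relay restrictions.

```python
import ipaddress

# Constructed copy of the allow-loopback.cidr table from the thread:
# first matching rule wins, an address without a mask is a single host.
ALLOW_LOOPBACK = [("127.0.0.0/8", "OK"), ("::1", "OK")]

def session(client, tls, sasl):
    """Constructed SMTP session state as seen at the client-restriction stage."""
    return {"client": client, "tls": tls, "sasl": sasl}

def check_client_access(s, table):
    addr = ipaddress.ip_address(s["client"])
    for cidr, action in table:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action
    return "DUNNO"  # no rule matched: no decision, keep going

def reject_plaintext_session(s):
    return "DUNNO" if s["tls"] else "REJECT"

def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else "DUNNO"

def reject(s):
    return "REJECT"

# mua_client_restrictions exactly as proposed in the thread, in order.
MUA_CLIENT_RESTRICTIONS = [
    lambda s: check_client_access(s, ALLOW_LOOPBACK),
    reject_plaintext_session,
    permit_sasl_authenticated,
    reject,
]

def evaluate(s, restrictions=MUA_CLIENT_RESTRICTIONS):
    """Postfix semantics: walk the list, the first OK or REJECT decides."""
    for restriction in restrictions:
        verdict = restriction(s)
        if verdict != "DUNNO":
            return verdict
    return "OK"  # list exhausted without a decision: Postfix permits

if __name__ == "__main__":
    print(evaluate(session("127.0.0.1", tls=False, sasl=False)))   # OK: loopback needs no TLS or AUTH
    print(evaluate(session("203.0.113.5", tls=False, sasl=True)))  # REJECT: plaintext from outside
    print(evaluate(session("10.8.0.7", tls=False, sasl=False)))    # REJECT: in mynetworks, not loopback
```

The last case is Viktor's point about mynetworks: a 10.8.0.x client is "local" to permit_mynetworks but not to the loopback table, so it must use TLS and AUTH like any other remote client.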
