Hello,

At my job, we use Postfix as our email setup. Recently, as part of a security audit by one of our customers, we were told that our mail relays must accept only TLSv1.2 when doing TLS, and not any prior versions. Well, that's simple enough to address. The TLS readme[1] and the documentation for main.cf[2] cover use of smtp(d)_tls_protocols and smtp(d)_tls_mandatory_protocols. If I understand the documentation correctly, the smtp_tls_FOO options are for SMTP connections outbound from Postfix to other servers, where Postfix is relaying mail to another server, and the smtpd_tls_BAR options are for SMTP connections inbound, where Postfix is the server receiving mail being submitted to it by an MUA or relayed to it by another SMTP server. Is my understanding correct?

In any case, I set both the smtp_ and smtpd_ variants of the options to only accept TLSv1.2. However, as my co-workers feared would happen when we discussed this, requiring that all TLS connections be TLSv1.2-only broke some legacy internal applications that can't do modern TLS versions. These applications can't easily be retired or upgraded presently, so I changed the above options back to their defaults of allowing TLSv1, TLSv1.1, and TLSv1.2.

This presents us with a problem. We can't restrict TLS to only 1.2 to please our customers, and we can't break mail from our legacy internal apps. I looked through the documentation for a possible solution and came across smtp_tls_policy_maps[3]. Initially, I was hopeful I could use this to require TLSv1.2 as a general policy, then set exceptions such that my legacy apps could still send mail. However, looking closer at the documentation, it seems that this option is only for specific TLS options when connecting outbound to relay mail to other domains, e.g. requiring TLSv1.3 to google.com, turning off TLS to legacy.org, and forcing the use of AES256 to government.gov. Is my understanding of this option correct?

If I have the above correct, are there other options I should explore for requiring TLSv1.2-only as a general policy while making exceptions for my legacy applications? Failing that, is it possible to add an smtpd_tls_policy_maps feature, such that one could set a general smtpd TLS policy in main.cf using smtpd_tls_protocols, and then specific exceptions in one's smtpd_tls_policy_maps?

Regards,
Jeremy Banks

1. http://www.postfix.org/TLS_README.html
2. http://www.postfix.org/postconf.5.html
3. http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
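An added configuration example, not part of Jeremy's message or of the Postfix documentation he cites, showing how the two halves of the problem are normally separated in Postfix. The TLSv1.2-only floor goes into main.cf for both the smtpd (inbound) and smtp (outbound) sides; a second smtpd listener in master.cf, here assumed on port 2525 and limited to $mynetworks, carries "-o" overrides that relax the protocol list for the legacy senders only. smtp_tls_policy_maps is shown for contrast: its protocols= attribute applies only when Postfix is the client connecting out, and Postfix has no smtpd_tls_policy_maps, so per-listener overrides are the mechanism for inbound exceptions. The port number, the destination names in the policy table, and the client restriction on the legacy listener are assumptions for this example.

```conf
# /etc/postfix/main.cf -- general policy (added example, not from the original post)
# The exclusion form below is accepted by every TLS-capable Postfix release;
# Postfix >= 3.6 also accepts the shorthand ">=TLSv1.2".
smtpd_tls_security_level      = may
smtpd_tls_protocols           = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Outbound (Postfix acting as SMTP client to other MTAs) gets the same floor.
smtp_tls_security_level       = may
smtp_tls_protocols            = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols  = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Client-side only: tunes what Postfix offers when it connects OUT to a
# destination. It has no effect on what smtpd accepts from inbound peers.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (destination names are assumptions; run postmap after editing)
# example.org      encrypt protocols=TLSv1.2
# legacy.example   none

# /etc/postfix/master.cf -- the public listener inherits the main.cf policy
smtp      inet  n       -       -       -       -       smtpd

# Separate listener for the legacy internal applications (port 2525 is an assumption).
# Each -o applies to this service only; values must not contain whitespace.
2525      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/legacy
  -o smtpd_tls_protocols=!SSLv2,!SSLv3
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
```

After `postfix reload`, `postconf -P` lists the per-service overrides so you can confirm the 2525 service took them. To check the result from a client host, `openssl s_client -starttls smtp -connect relay.example:25 -tls1_1` (host name assumed) must fail the handshake on port 25 and succeed on port 2525 from an address inside $mynetworks; repeat with `-tls1_2` to confirm the public port still negotiates. Keep the legacy listener off the Internet-facing interface or firewall it, since its whole purpose is to accept protocol versions the audit told you to refuse.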