Hello, well, as a quick fix you could always start an additional smtpd service on a non-standard port (by adding an appropriate line in master.cf) and configure this additional smtpd with the exceptions (by adding "-o smtpd_tls_FOO" options to the additional smtpd service).
Example master.cf entry (note the leading whitespace in the option lines):

:2525  inet  n  -  y  -  -  smtpd
    -o smtpd_tls_protocols=BAR
    -o smtpd_tls_mandatory_protocols=FOO
    -o KEY=VALUE

This works if your legacy apps have a suitable configuration option to use a non-standard port for SMTP.

With regards to a possible smtpd_tls_policy_maps option, I must defer to more knowledgeable people.

Regards!
Max

On 11.06.20 at 18:22, Jeremy Banks wrote:
> Hello,
>
> At my job, we use Postfix as our email setup. Recently, as part of a
> security audit by one of our customers, we were told that our mail
> relays must accept only TLSv1.2 when doing TLS, and not any prior
> versions. Well, that's simple enough to address. The TLS readme[1] and
> the documentation for main.cf[2] cover use of smtp(d)_tls_protocols
> and smtp(d)_tls_mandatory_protocols. If I understand the documentation
> correctly, the smtp_tls_FOO options are for SMTP connections outbound
> from Postfix to other servers, where Postfix is relaying mail to
> other servers, and the smtpd_tls_BAR options are for SMTP
> connections inbound, where Postfix is the server receiving mail
> being submitted to it by an MUA or relayed to it by another SMTP server.
> Is my understanding correct?
>
> In any case, I set both the smtp_ and smtpd_ variants of the options
> to only accept TLSv1.2. However, as my co-workers feared would happen
> when we discussed this, requiring that all TLS connections be
> TLSv1.2-only broke some legacy internal applications that can't do
> modern TLS versions. These applications can't easily be retired or
> upgraded presently, so I changed the above options back to their
> defaults of allowing TLSv1, TLSv1.1, and TLSv1.2.
>
> This presents us with a problem. We can't restrict TLS to only 1.2 to
> please our customers, and we can't break mail from our legacy internal
> apps.
>
> I looked through the documentation for a possible solution and came
> across smtp_tls_policy_maps[3]. Initially, I was hopeful I could use
> this to require TLSv1.2 as a general policy, then set exceptions such
> that my legacy apps could still send mail. However, looking closer at
> the documentation it seems that this option is only for specific TLS
> options when connecting outbound to relay mail to other domains, e.g.
> requiring TLSv1.3 to google.com, turning off TLS to legacy.org, and
> forcing the use of AES256 to government.gov. Is my understanding of
> this option correct?
>
> If I have the above correct, are there other options I should explore
> for requiring TLSv1.2-only as a general policy while making exceptions
> for my legacy applications?
>
> Failing that, is it possible to add an smtpd_tls_policy_maps feature,
> such that one could set a general smtpd TLS policy in main.cf using
> smtpd_tls_protocols, and then specific exceptions in one's
> smtpd_tls_policy_maps?
>
> Regards,
>
> Jeremy Banks
>
> 1. http://www.postfix.org/TLS_README.html
> 2. http://www.postfix.org/postconf.5.html
> 3. http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
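As an added example (not code from either poster or from the Postfix project), the script below shows the mechanism Max's suggestion relies on: Postfix resolves each parameter as master.cf "-o" override, then main.cf, then the compiled-in default, so the site-wide smtpd policy in main.cf can be TLS 1.2 or newer while one extra listener on a non-standard port keeps the older versions for the legacy apps. It parses a constructed main.cf and master.cf pair, computes the effective smtpd TLS protocol set per inet listener, and lists the listeners that still accept anything below the floor. Assumptions: the compiled-in defaults in DEFAULTS are those of Postfix before 3.6 (later releases default to ">=TLSv1"); the handling of a protocol list that mixes inclusions, exclusions and ">=/<=" bounds is a simplification, since a real deployment would use one form; and the legacy listener is restricted to mynetworks in the sample, which is the caveat a practitioner would add so the weaker TLS floor is never reachable from the Internet.

```python
"""Effective smtpd TLS protocol set per Postfix listener (example, not Postfix code)."""
import re

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Compiled-in defaults assumed for Postfix < 3.6 (assumption; adjust to your version).
DEFAULTS = {
    "smtpd_tls_security_level": "",
    "smtpd_tls_protocols": "!SSLv2, !SSLv3",
    "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3",
}

# Constructed sample main.cf: the site-wide policy is TLS 1.2 or newer.
MAIN_CF = """\
# constructed sample main.cf
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.2
mynetworks = 127.0.0.0/8, 10.0.0.0/8
"""

# Constructed sample master.cf: port 2525 re-enables TLSv1/1.1 for the legacy
# apps only, and is limited to mynetworks so nothing outside can use it.
MASTER_CF = """\
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -      y      -      -       smtpd
submission   inet  n       -      y      -      -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
2525         inet  n       -      y      -      -       smtpd
  -o smtpd_tls_protocols=!SSLv2,!SSLv3
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; whitespace-indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """One dict per service: the fixed fields plus its '-o name=value' overrides.
    A line starting with whitespace continues the previous entry's argument list."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and services:
            services[-1]["args"].extend(raw.split())
            continue
        f = raw.split()
        services.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:]})
    for svc in services:
        args, svc["options"] = svc["args"], {}
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                svc["options"][name] = value
    return services


def expand_protocols(spec):
    """Expand a protocol list into the set of enabled versions. Postfix accepts an
    exclusion list ('!SSLv2, !SSLv3'), an inclusion list ('TLSv1.2, TLSv1.3') and,
    since 3.6, bounds ('>=TLSv1.2'). Mixed forms are resolved here as inclusions
    and bounds first, then exclusions (a simplification for this example)."""
    tokens = [t for t in re.split(r"[\s,:]+", spec) if t]
    enabled = set(PROTOCOLS)
    included = {t for t in tokens if t in PROTOCOLS}
    if included:
        enabled = included
    for t in tokens:
        if t.startswith(">=") and t[2:] in PROTOCOLS:
            enabled -= set(PROTOCOLS[:PROTOCOLS.index(t[2:])])
        elif t.startswith("<=") and t[2:] in PROTOCOLS:
            enabled -= set(PROTOCOLS[PROTOCOLS.index(t[2:]) + 1:])
        elif t.startswith("!"):
            enabled.discard(t[1:])
    return enabled


def effective_smtpd_tls(main_cf, master_cf):
    """Map each inet smtpd listener to (security level, enabled protocol set),
    resolving each parameter as '-o' override > main.cf > compiled-in default."""
    main, out = parse_main_cf(main_cf), {}
    for svc in parse_master_cf(master_cf):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        get = lambda n: svc["options"].get(n, main.get(n, DEFAULTS.get(n, "")))
        level = get("smtpd_tls_security_level")
        if level == "encrypt":       # mandatory TLS: the *_mandatory_* list applies
            spec = get("smtpd_tls_mandatory_protocols")
        elif level == "may":         # opportunistic TLS: the plain list applies
            spec = get("smtpd_tls_protocols")
        else:                        # no TLS offered on this listener at all
            out[svc["name"]] = (level or "none", set())
            continue
        out[svc["name"]] = (level, expand_protocols(spec))
    return out


def listeners_below(effective, floor="TLSv1.2"):
    """Names of listeners that still accept a protocol version older than `floor`."""
    weak = set(PROTOCOLS[:PROTOCOLS.index(floor)])
    return sorted(n for n, (_, protos) in effective.items() if protos & weak)


if __name__ == "__main__":
    eff = effective_smtpd_tls(MAIN_CF, MASTER_CF)
    for name, (level, protos) in sorted(eff.items()):
        print(f"{name:12} level={level:8} protocols={sorted(protos)}")
    print("listeners below TLSv1.2:", listeners_below(eff))
```

With the sample files, port 25 and submission end up at TLSv1.2/1.3 only, while 2525 is the single listener reported below the floor, which is exactly the exception Max proposes; point the legacy apps at that port, and keep the permit_mynetworks restriction on it so the auditor's finding stays true for every address reachable from outside.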