I am not confident all of our legacy apps can be configured for non-standard 
ports; I would be in no way surprised if one or more of them have the classic 
smtp ports hardcoded. Though, I will discuss that option with my co-workers.

Is my understanding of the smtp(d)_tls_FOO options in my original message 
correct? If so, what would it take to add a smtpd_tls_policy_maps option to 
allow per-client TLS settings?

From: owner-postfix-us...@postfix.org On Behalf Of Max-Julian Pogner
Sent: Thursday, June 11, 2020 10:36 AM
To: postfix-users@postfix.org
Subject: Re: Checking my understanding of TLS-related settings, and a possible 
feature request


Hello,

well, as a quick-fix you could always start an additional smtpd service on a 
non-standard port (by adding an appropriate line in master.cf) and configure 
this additional smtpd in exception ways (by adding "-o smtpd_tls_FOO" options 
to the additional smtpd service)

example master.cf line (note leading whitespaces in the option lines):

:2525       inet  n       -       y       -       -       smtpd
    -o smtpd_tls_protocols=BAR
    -o smtpd_tls_mandatory_protocols=FOO
    -o KEY=VALUE

this works, if your legacy apps have a suitable configuration option to use a 
non-standard port for smtp



With regards to a possible smtpd_tls_policy_maps option, I must defer to more 
knowledgeable people.



regards!

Max


On 11.06.20 at 18:22, Jeremy Banks wrote:
Hello,

At my job, we use Postfix as our email setup. Recently, as part of a security 
audit by one of our customers, we were told that our mail relays must accept 
only TLSv1.2 when doing TLS, and not any prior versions. Well, that's simple 
enough to address. The TLS readme[1] and the documentation for main.cf[2] cover 
use of smtp(d)_tls_protocols and smtp(d)_tls_mandatory_protocols. If I 
understand the documentation correctly, the smtp_tls_FOO options are for SMTP 
connections outbound from Postfix to other servers, where Postfix is relaying 
mail to another server, and the smtpd_tls_BAR options are for SMTP connections 
inbound, where Postfix is the server receiving mail being submitted to it 
by an MUA or relayed to it by another SMTP server. Is my understanding correct?

In any case, I set both the smtp_ and smtpd_ variants of the options to only 
accept TLSv1.2. However, as my co-workers feared would happen when we discussed 
this, requiring that all TLS connections be TLSv1.2-only broke some legacy 
internal applications that can't do modern TLS versions. These applications 
can't easily be retired or upgraded presently, so I changed the above options back 
to their defaults of allowing TLSv1, TLSv1.1, and TLSv1.2.

This presents us with a problem. We can't restrict TLS to only 1.2 to please 
our customers, and we can't break mail from our legacy internal apps.

I looked through the documentation for a possible solution and came across 
smtp_tls_policy_maps[3]. Initially, I was hopeful I could use this to require 
TLSv1.2 as a general policy, then set exceptions such that my legacy apps could 
still send mail. However, looking closer at the documentation it seems that 
this option is only for specific TLS options when connecting outbound to relay 
mail to other domains, e.g. requiring TLSv1.3 to google.com, turning off TLS to 
legacy.org, and forcing the use of AES256 to government.gov. Is my 
understanding of this option correct?

If I have the above correct, are there other options I should explore for 
requiring TLSv1.2-only as a general policy while making exceptions for my 
legacy applications?

Failing that, is it possible to add an smtpd_tls_policy_maps feature, such that 
one could set a general smtpd TLS policy in main.cf using smtpd_tls_protocols, 
and then specific exceptions in one's smtpd_tls_policy_maps?

Regards,
Jeremy Banks

1. http://www.postfix.org/TLS_README.html
2. http://www.postfix.org/postconf.5.html
3. http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
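Putting the two messages together (strict defaults in main.cf, a separate relaxed smtpd in master.cf for the legacy apps), as an added example that is not from either poster; the listener address 192.0.2.10 and the syslog name are assumed placeholders:

```conf
# main.cf: strict defaults inherited by every smtpd (inbound) and smtp
# (outbound) instance. The exclusion form also works on Postfix releases
# that predate the ">=TLSv1.2" syntax; TLSv1.3 stays allowed.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# master.cf: the public listener keeps the strict defaults from main.cf.
smtp      inet  n       -       y       -       -       smtpd

# master.cf: a second smtpd reachable only by the legacy apps. It is bound
# to an internal address (192.0.2.10 is a placeholder for your own), only
# accepts clients in mynetworks, and logs under its own name so the older
# TLS handshakes can be told apart from the strict listener's. Values in
# -o overrides must not contain whitespace, hence the comma-only lists.
192.0.2.10:2525 inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/legacy
    -o smtpd_tls_protocols=!SSLv2,!SSLv3
    -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
    -o smtpd_client_restrictions=permit_mynetworks,reject
```

After editing, `postconf -Mf` prints the master.cf services with their -o overrides so the legacy entry can be checked, and `postfix reload` applies the change.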
