On 17/02/2021 14:49, Vincent Lefevre wrote:
> On 2021-02-16 18:34:32 -0200, Viktor Dukhovni wrote:
>> On Feb 16, 2021, at 3:57 PM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>>>> In what way does that improve your security over the default, which
>>>> allows 1.0 and 1.1?
>>> As stated this is for auth clients i.e. our own people, using SMTPS or
>>> STARTTLS. There is no problem for us in enforcing it for them, they don't use
>>> old MTAs anyway and if they did this would force them to upgrade, which would
>>> be good. This also seems to be the OP's scenario (as his logs imply the problem
>>> comes from submission port i.e. 587). We use standard postfix settings for
>>> permitted protocols for outsider emails (port 25) because (as frequently
>>> advised here) lower security is better than no security at all. HTH
>> Yes, on the submission port, dropping support for TLS < 1.2
>> is much more reasonable, because presumably you can make
>> informed judgements as to what software the authorised users
>> have at their disposal.
> But since smtpd_tls_mandatory_protocols is not specific to the
> submission port, I suppose that this should be done with a -o option
> in the master.cf file. Is that right?
> After searching a bit, I've seen that on
> https://forum.chatons.org/t/configuration-postfix-notation-cryptcheck/1684
> some user has
>   submission inet n - n - - smtpd
>     -o smtpd_enforce_tls=yes
>     -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> Is there any reason that he uses smtpd_tls_protocols and not
> smtpd_tls_mandatory_protocols? This seems incorrect since
> smtpd_enforce_tls=yes is mandatory TLS.
smtpd_tls_mandatory_protocols applies only where tls is mandatory. I define it
in main.cf, where I also define 'smtpd_tls_security_level = may'. Then in
master.cf, for connections by MTAs (our users) I define '-o
smtpd_tls_security_level=encrypt' (also '-o smtpd_sasl_auth_enable=yes'). The
effect is that the settings for smtpd_tls_mandatory_protocols are applied for
the MTAs ('tls security level is encrypt' means 'tls is mandatory') and not for
connections on port 25 because tls is not mandatory there.
But yes, you could put the definition of smtpd_tls_mandatory_protocols in the
smtpd settings in master.cf for all ports used for auth connections instead of
putting it once in main.cf - it might make the logic easier to follow.
smtpd_enforce_tls=yes is an old setting available for Postfix 2.2+ but not
advised for Postfix 2.3+.
man 5 postconf is your friend!
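To make the "which parameter applies" rule above concrete, here is an added example (not from this thread or from Postfix itself) that parses constructed main.cf and master.cf fragments and reports, per smtpd service, whether smtpd_tls_protocols or smtpd_tls_mandatory_protocols governs it and whether TLS 1.0/1.1 are still accepted. The service names and values are constructed; the third service, badsub, repeats the forum user's mistake of overriding smtpd_tls_protocols on a service where TLS is mandatory.

```python
import re
# Constructed main.cf/master.cf fragments (not from the thread): port 25 stays permissive,
# submission restricts the mandatory protocols, badsub overrides the wrong parameter.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
badsub     inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
"""
def parse_main(text):  # main.cf 'name = value' lines; comment lines ignored
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_master(text):
    """master.cf -> {service: {param: value}} from the -o overrides of smtpd services."""
    services, cur = {}, None
    for line in text.splitlines():
        if line[:1].isspace():  # continuation line belonging to the current service
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if cur is not None and m:
                services[cur][m.group(1)] = m.group(2).strip()
        else:  # service line (8 fields, command in the 8th), or a comment/blank line
            f = line.split()
            cur = f[0] if len(f) >= 8 and f[7] == "smtpd" else None
            if cur is not None:
                services[cur] = {}
    return services

def tls_is_mandatory(conf):
    """smtpd_tls_security_level overrides the obsolete smtpd_enforce_tls; 'encrypt' (or enforce=yes) is mandatory."""
    level = conf.get("smtpd_tls_security_level")
    return level == "encrypt" if level else conf.get("smtpd_enforce_tls", "no").lower() == "yes"

def audit(main_text, master_text):
    """Per smtpd service: (parameter governing accepted protocols, True if TLS 1.0/1.1 is still accepted)."""
    main, report = parse_main(main_text), {}
    for svc, overrides in parse_master(master_text).items():
        conf = {**main, **overrides}  # master.cf -o settings win over main.cf
        param = "smtpd_tls_mandatory_protocols" if tls_is_mandatory(conf) else "smtpd_tls_protocols"
        excluded = set(re.split(r"[,\s]+", conf.get(param, "")))
        report[svc] = (param, not {"!TLSv1", "!TLSv1.1"} <= excluded)
    return report
```

The check only understands the exclusion-list form used in the thread (!TLSv1,!TLSv1.1), not the ">=TLSv1.2" range syntax of newer Postfix releases. On a live system, `postconf -P` lists the master.cf overrides and `postconf -n` the main.cf values, so the same reasoning can be applied to real output.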