On 4/14/21 3:39 PM, Wietse Venema wrote:
> Viktor Dukhovni:
>> On Wed, Apr 14, 2021 at 02:24:23PM -0400, Wietse Venema wrote:
>>> TL;DR: the idea is to change the smtpd_forbidden_commands default
>>> setting to something like:
>>>
>>> CONNECT GET POST pcre:{/^\x16/ Possible TLS handshake}
>>>
>>> Which would match current TLS protocols.
>>
>> I guess subject to "#ifdef HAVE_PCRE".
>
> Sure. Note that this is configurable, so that a signature can be
> added without having to upgrade or recompile Postfix, and that this
> does not care whether a problem is the server's fault or client's.
>
> (aside from that, the ability to replace a lookup table pathname
> with {the file content} has potential for other use cases).
>
>> Another option to reduce user surprise is to log warnings when
>> listening on port 465, but TLS wrapper mode is not enabled. Or,
>> more radically, implicitly enable wrapper mode when configured to
>> run on port 465.
>
> Heuristics for the expected state of ports and protocols are
> preferably configurable. If they were hard-coded in C, Postfix would
> need to be recompiled when there is a need to change a rule.
>
> Wietse

Would the following be a good idea?

- Ports 25 and 587 default to having TLS wrapper mode disabled. TLS handshakes without STARTTLS are logged.
- Port 465 defaults to having TLS wrapper mode disabled. Connections that do not begin with a TLS handshake are logged.
- Other ports default to the current behavior, but this is deprecated and logs a warning at startup. The warning can be suppressed by explicitly enabling or disabling the TLS wrapper.

I wonder if we could also have similar behavior w.r.t. authentication: ports 587 and 465 automatically enable it, port 25 automatically disables it, and listening on other ports logs a warning unless an explicit setting exists.

Sincerely,
Demi
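Added example, not Postfix code: a small classifier for the first bytes a client sends on an SMTP listener, combining the `pcre:{/^\x16/ ...}` signature Wietse proposes with the per-port defaults Demi sketches. It assumes a port table in which 25 and 587 expect a plaintext command first and 465 expects the handshake first (as the "connections that do not begin with a TLS handshake are logged" rule implies); the table, the verdict strings and the sample sessions are constructed for illustration.

```python
import re

# A plaintext SMTP session must not open with an HTTP verb or a TLS record;
# this mirrors the proposed smtpd_forbidden_commands default in the thread.
HTTP_VERB = re.compile(rb"^(?:CONNECT|GET|POST)\b", re.IGNORECASE)
SMTP_VERB = re.compile(rb"^(?:EHLO|HELO|STARTTLS|QUIT)\b", re.IGNORECASE)
# TLS record header: content type 0x16 (handshake) then a 3.x version. The
# thread's pcre:{/^\x16/ ...} checks only the first byte; the rest is added here.
TLS_RECORD = re.compile(rb"^\x16\x03[\x00-\x04]")
# Assumed per-port policy from Demi's proposal: 25/587 expect plaintext first
# (STARTTLS), 465 expects the handshake first, other ports have no default.
EXPECT_TLS_FIRST = {25: False, 587: False, 465: True}

def classify(first_bytes):
    """Label the first bytes a client sent on a freshly accepted connection."""
    if TLS_RECORD.match(first_bytes):
        return "tls-handshake"
    if HTTP_VERB.match(first_bytes):
        return "http-command"
    if SMTP_VERB.match(first_bytes):
        return "smtp-command"
    return "unknown"

def check(port, first_bytes):
    """Return (kind, verdict) for a connection accepted on the given port."""
    kind = classify(first_bytes)
    expect_tls = EXPECT_TLS_FIRST.get(port)
    if kind == "http-command":
        return kind, "reject: forbidden command"
    if expect_tls is None:
        return kind, "warn: no port default, set TLS wrapper mode explicitly"
    if kind == "tls-handshake" and not expect_tls:
        return kind, "log: possible TLS handshake without STARTTLS"
    if kind != "tls-handshake" and expect_tls:
        return kind, "log: expected TLS handshake in wrapper mode, got " + kind
    return kind, "ok"

# Constructed samples: a TLS 1.2 ClientHello record header on port 25, an EHLO
# on 465, an HTTP CONNECT from a misdirected proxy, and an EHLO on 2525.
SAMPLES = [
    (25, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    (465, b"EHLO mail.example.test\r\n"),
    (587, b"CONNECT smtp.example.test:25 HTTP/1.1\r\n"),
    (2525, b"EHLO mail.example.test\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, *check(port, data))
```

In Postfix the same first-byte signature would live in smtpd_forbidden_commands; the block only shows what `^\x16` catches and how the proposed per-port defaults would turn that into a log line or a rejection.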
