Enforced inbound TLS ciphers

I'm enforcing inbound TLS from my internal network with these settings:

main.cf
smtpd_tls_security_level = may

smtpd_sender_restrictions =
check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr

enforced_inbound_tls.cidr
10.0.0.0/8 reject_plaintext_session

My question is, does the following setting in main.cf apply to TLS
connections that are enforced with check_client_access? If yes, then is
there a way to set this to low for a particular IP or subnet, and leave
it at medium for everybody else?

smtpd_tls_mandatory_ciphers = low

Comments

Re: Enforced inbound TLS ciphers

By Viktor Dukhovni at 12/06/2017 - 13:09

No. To configure mandatory TLS for some clients you'd
need a separate TCP endpoint which has security level
"encrypt". They could, for example, use port 587...
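Added example, not from the thread, of the separate endpoint Viktor describes. The public listener keeps the opportunistic "may" from main.cf (where the cipher grade comes from smtpd_tls_ciphers, not smtpd_tls_mandatory_ciphers; reject_plaintext_session refuses a plaintext session but does not make the TLS negotiation itself mandatory), while a second listener with security level "encrypt" gets the mandatory cipher grade. The listening address, the syslog name and the cidr file name are placeholders, and the second listener is assumed to be reachable only from the internal network.

```text
# main.cf
smtpd_tls_security_level = may
# grade used on the opportunistic (public) endpoint
smtpd_tls_ciphers = medium
# referenced from master.cf because "-o" values cannot contain spaces
internal_client_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients.cidr,
    reject

# master.cf
# service          type  private unpriv chroot wakeup maxproc command
192.0.2.25:smtp    inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/internal
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=low
  -o smtpd_client_restrictions=$internal_client_restrictions

# /etc/postfix/internal_clients.cidr
10.0.0.0/8   OK
```

The public endpoint is unchanged; only clients that reach the dedicated listener negotiate under the mandatory settings, which is why the per-client-IP variant asked about cannot be expressed with check_client_access alone.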

Re: Enforced inbound TLS ciphers

By Micah Anderson at 12/06/2017 - 14:41

Viktor Dukhovni <postfix- ... at dukhovni dot org> writes:

Is there a reason why 'smtpd_tls_security_level = may' is not default in
postfix? What needs to be done to make it default? It seems harmless to
have that enabled by default, with no negative effects that I can discern,
and it would improve the overall opportunistic landscape if it were
default.

thanks,
micah

Re: Enforced inbound TLS ciphers

By Viktor Dukhovni at 12/06/2017 - 15:09

Someone has to decide what sort of certificate is appropriate for the
domain. That decision requires some administrator oversight. Therefore,
it is something that a package installer can prompt for. And some OS
distributions of Postfix do in fact enable inbound TLS IIRC.

On the Postfix side of things we make generating a self-signed certificate
easy via:

# postfix tls enable-server

http://www.postfix.org/postfix-tls.1.html

Re: Enforced inbound TLS ciphers

By Micah Anderson at 12/06/2017 - 15:27

Viktor Dukhovni <postfix- ... at dukhovni dot org> writes:

I'm sorry, I meant 'smtp_tls_security_level = may' - not
smtpd_tls_security_level.

You are correct that smtpd_tls_security_level would need a certificate,
but 'smtp_tls_security_level' does not, and as an opportunistic mode, it
is designed to fall back to cleartext, so I do not see any problem with
it being the default.

Outbound opportunistic TLS by default?

By Viktor Dukhovni at 12/06/2017 - 15:39

At least it is easy enough to turn on:

http://www.postfix.org/postfix-tls.1.html

# postfix tls all-default-client && postfix tls enable-client

As for changing the default, I am not opposed, perhaps given the
changes in the SMTP ecosystem since 2014:

https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000

a case can be made that Postfix 3.3 should do "may" out of the box.
I am curious what other users and Wietse think of such a change...

Re: Outbound opportunistic TLS by default?

By Noel Jones at 12/06/2017 - 15:47

On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
Postfix does not require TLS support. This probably shouldn't change.

Postfix logs a warning if TLS is enabled but not available. This
probably shouldn't change.

That said, it's not unreasonable to change postfix-install to run
the postfix tls commands during first-time installation if TLS is
available. This might make things easier for first-time casual users
and probably won't trip up more experienced users.

-- Noel Jones

Re: Outbound opportunistic TLS by default?

By Wietse Venema at 12/06/2017 - 17:24

Noel Jones:
Noel has a good point. Let's not make OpenSSL a hard dependency.

How would one recognize 'first-time' installation? If that helps
only the tiny minority of sites that install Postfix from source, then
it does not seem to be a good target. Better to get the vendors to
run those commands instead.

Wietse

Re: Outbound opportunistic TLS by default?

By Micah Anderson at 12/06/2017 - 21:08

Wietse Venema < ... at porcupine dot org> writes:

Is there any reason why postfix, when compiled with TLS, can simply set
the default to 'may'?

If it is compiled without TLS, the default should be 'no'.

micah

Re: Outbound opportunistic TLS by default?

By Viktor Dukhovni at 12/06/2017 - 21:14

This is easy enough to implement, the only complication is
that the documentation would need to explain the variable
default.

This is certainly possible.

Re: Outbound opportunistic TLS by default?

By Micah Anderson at 12/09/2017 - 12:01

Viktor Dukhovni <postfix- ... at dukhovni dot org> writes:

It seems like the right thing to do. What needs to be done to move it
forward?

micah

Re: Outbound opportunistic TLS by default?

By Noel Jones at 12/06/2017 - 19:22

On 12/6/2017 3:24 PM, Wietse Venema wrote:
I was thinking "make install" rather than "make upgrade" is a good
enough indicator of first time install. Deciding if TLS is available
might be trickier.

Leaving it up to the vendors is fine.

-- Noel Jones

Re: Outbound opportunistic TLS by default?

By Eray Aslan at 12/07/2017 - 04:00

On Wed, Dec 06, 2017 at 05:22:19PM -0600, Noel Jones wrote:
Source-based distros like Gentoo make install to a separate destination
dir and then transfer the resulting image to the real root during upgrades.
Determining first-time installation should be left to the package
manager.