DevHeads.net

Syntax question for smtp mandatory TLS encryption

Hi,

I have a syntax question regarding configuring mandatory TLS encryption for the smtp process as listed on: http://www.postfix.org/TLS_README.html#client_tls

In the second example on the page, square brackets are used when specifying the policy for specific destinations in the tls_policy file:

/etc/postfix/tls_policy
[example.net]:587 encrypt protocols=TLSv1 ciphers=high

Are the square brackets only required when the port to use is specified (i.e. in the previous example, when the destination was example.net with no port specified, I notice that the square brackets are left out), or is this syntax specifying something else?

Thanks,

- J

Comments

Re: Syntax question for smtp mandatory TLS encryption

By Wietse Venema at 10/11/2017 - 18:11

J Doe:
You need the [] and the :587 in the lookup key, if that is what you
specify as the destination in relayhost, transport_maps, etc.

Wietse

Re: Syntax question for smtp mandatory TLS encryption

By J Doe at 10/17/2017 - 22:03

Hi Wietse,

Thank you for your reply.

Ok, I understand that I would need that if the hostname was specified in relayhost, etc. but I am still confused as to what the square brackets mean.

A previous reply to this thread from /dev/rob0 (thanks rob0), states:

“The [] enclose a hostname which is to be looked up as a type A or
AAAA record. Without the [] first a lookup of type MX is done, and
where found, prioritized lookups of further hostnames (A or AAAA)
would be done.

This is not specific to TLS, it is common to transport(5) and many
similar Postfix features. The reason being, MX records exist to
control mail routing.”

Does this mean that the square brackets determine the strategy for determining the address of the mail server?

Thanks,

- J

Re: Syntax question for smtp mandatory TLS encryption

By Viktor Dukhovni at 10/17/2017 - 23:45

That's what they mean as a nexthop destination via the transport
table or similar.

The documentation for the TLS policy table clearly states that the
lookup key for the TLS policy is the *verbatim* nexthop.

So if the transport table reads:

example.com smtp:[smtp.example.com]:smtp

Then the TLS policy entry for that would have to be:

[smtp.example.com]:smtp ...

exactly as specified in the transport table, or actual source
of nexthop information.

Re: Syntax question for smtp mandatory TLS encryption

By Viktor Dukhovni at 10/18/2017 - 00:15

http://www.postfix.org/TLS_README.html#client_tls_policy

The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $local_transport, $virtual_transport,
$relay_transport or $default_transport. This includes any enclosing
square brackets and any non-default destination server port suffix.
The LMTP socket type prefix (inet: or unix:) is not included in the
lookup key.

The above leaves out content_filter or access(5) FILTER rules, as these
can also specify a non-default nexthop, but usually not one that's
subject to TLS encryption. If you have a blanket encryption policy,
then you might actually need to exempt any loopback SMTP nexthop used
with content_filter and similar.

Re: Syntax question for smtp mandatory TLS encryption

By dev rob0 at 10/11/2017 - 17:37

On Wed, Oct 11, 2017 at 05:36:07PM -0400, J Doe wrote:

The [] enclose a hostname which is to be looked up as a type A or
AAAA record. Without the [] first a lookup of type MX is done, and
where found, prioritized lookups of further hostnames (A or AAAA)
would be done.

This is not specific to TLS, it is common to transport(5) and many
similar Postfix features. The reason being, MX records exist to
control mail routing.