From 67db72d7743a5f2850e6c6a7d19b2ff99e8ea6d5 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 30 Aug 2021 17:00:12 +0200 Subject: [PATCH] Behave like documented --- core/postfix/conf/main.cf | 2 +- docs/configuration.rst | 8 ++++++-- towncrier/newsfragments/1798.feature | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 78ffcee1..ae54326d 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }} -smtp_tls_dane_insecure_mx_policy = dane +smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %} smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix smtp_tls_CApath = /etc/ssl/certs smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache diff --git a/docs/configuration.rst b/docs/configuration.rst index 4fd84c07..7cf3c926 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -72,8 +72,12 @@ mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed. By default postfix uses "opportunistic TLS" for outbound mail. This can be changed -by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended -if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail. +by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is +highly recommended if you are using a relayhost that supports TLS but discouraged +otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete +policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into +account and whether emails will be defered if the additional checks enforced by +those policies fail. Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature index 1b63a85c..125b1767 100644 --- a/towncrier/newsfragments/1798.feature +++ b/towncrier/newsfragments/1798.feature @@ -1 +1 @@ -Implement MTA-STS (use published policies) +Implement MTA-STS and DANE validation. Introduce DEFER_ON_TLS_ERROR (default: True) to harden or loosen the policy enforcement.