From 1df79f8132cb960b5ac42a6c3266a0ba14da5ba6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 1 Aug 2021 10:16:46 +0200
Subject: [PATCH 1/8] give PFS a chance

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 9cd4010e..d8b42223 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -50,7 +50,7 @@ smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
 # General TLS configuration
 tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 tls_preempt_cipherlist = yes
-tls_ssl_options = NO_COMPRESSION
+tls_ssl_options = NO_COMPRESSION, NO_TICKET
 
 # By default, outgoing TLS is more flexible because
 # 1. not all receiving servers will support TLS,

From b066a5e2ac4777935d4a072e81ee48f4b115ee83 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 1 Aug 2021 11:09:44 +0200
Subject: [PATCH 2/8] add a default tls_policy_map

---
 core/postfix/conf/main.cf | 4 +++-
 core/postfix/start.py | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index d8b42223..e102f51a 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
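Review bot: The new `NO_TICKET` value on the `tls_ssl_options` line is undocumented in main.cf; the only rationale is the commit title "give PFS a chance", which a reader of the config never sees. A one-line comment above the setting would carry it: `# NO_TICKET: no TLS session tickets, so a resumed session never depends on a ticket key held by the server`. Note that `tls_ssl_options` applies to both the smtpd server and the smtp client, and that the session caches declared further down in this file (`smtp_tls_session_cache_database` is visible in the next hunk) still keep resumable session state, so the forward-secrecy gain is bounded by the cache lifetime rather than absolute. Postfix also appears to rotate its own ticket key periodically, so it is worth confirming what concrete exposure this option closes before describing the result as PFS.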
@@ -55,10 +55,12 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # By default, outgoing TLS is more flexible because
 # 1. not all receiving servers will support TLS,
 # 2. not all will have and up-to-date TLS stack.
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
+smtp_tls_CApath = /etc/ssl/certs
 
 ###############
 # Virtual
diff --git a/core/postfix/start.py b/core/postfix/start.py
index e0c781b7..f54ec911 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -66,6 +66,11 @@ for map_file in glob.glob("/overrides/*.map"):
     os.system("postmap {}".format(destination))
     os.remove(destination)
 
+if not os.path.exists("/etc/postfix/tls_policy.map.db"):
+    with open("/etc/postfix/tls_policy.map", "w") as f:
+        f.write("gmail.com\tsecure\n")
+    os.system("postmap /etc/postfix/tls_policy.map")
+
 if "RELAYUSER" in os.environ:
     path = "/etc/postfix/sasl_passwd"
     conf.jinja("/conf/sasl_passwd", os.environ, path)

From 6149c759f46ffb935dfa1f81c90d3f10bc856f6d Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 1 Aug 2021 11:13:57 +0200
Subject: [PATCH 3/8] doc

---
 towncrier/newsfragments/1558.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1558.feature

diff --git a/towncrier/newsfragments/1558.feature b/towncrier/newsfragments/1558.feature
new file mode 100644
index 00000000..5c4ec30f
--- /dev/null
+++ b/towncrier/newsfragments/1558.feature
@@ -0,0 +1 @@
+Make smtp_tls_policy_maps easily configurable

From e1a765799993f85bf9d0b30bab6de95f4f4c0f1c Mon Sep 17 00:00:00 2001
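Review bot: `smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map` pins the table to the Berkeley DB `hash:` type, while the `smtp_tls_session_cache_database` line in the same hunk uses `lmdb:` and the start.py hunk of this commit builds the table with a bare `postmap /etc/postfix/tls_policy.map`, whose output type is whatever default database type the image's Postfix was built with. If that default is lmdb here, the file postmap writes is not the file Postfix opens at delivery time and every lookup fails; naming the type on both sides (`smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy.map` together with `postmap lmdb:/etc/postfix/tls_policy.map`, or `hash:` on both) removes the ambiguity. The same line drops the spaces around `=` that every neighbouring key uses. `smtp_tls_CApath` is read by the smtp client at delivery time, so the directory must be reachable from wherever that client runs; if the smtp service is chrooted this needs confirming.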
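Review bot: The `if not os.path.exists("/etc/postfix/tls_policy.map.db")` guard assumes `postmap` produces a `.db` file, i.e. a `hash:` table; if the compiled default type differs, the map is rewritten on every start and postmap emits a file the guard never sees (raised on the main.cf hunk of this commit as well). The `os.system("postmap /etc/postfix/tls_policy.map")` call discards the exit status, so a failed postmap leaves `smtp_tls_policy_maps` pointing at a missing table, which Postfix will most likely treat as a lookup error and defer mail on rather than fall back to `may`; if `os.system` is kept for consistency with the preceding `postmap` call, at least check its return value and fail loudly at start-up. TLS policy entries are matched against the next-hop destination, so when mail is routed through a relayhost (the `RELAYUSER` branch just below is part of that setup) the `gmail.com` entry is never consulted; a comment on the `if` line would save the next reader that investigation, e.g. `# policy entries match the next-hop domain, so they have no effect when mail goes via a relayhost`.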
From: Florent Daigniere
Date: Mon, 2 Aug 2021 09:07:10 +0200
Subject: [PATCH 4/8] Now that postfix has CAs we can switch to secure

encrypt means "ensure we have some confidentiality" whereas secure means "ensure we have confidentiality while talking to the right peer" (protects against passive or/and active MITM attacks)
---
 docs/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 21effc52..3536928c 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -70,7 +70,7 @@ mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
-by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
 if you are a relayhost that supports TLS.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed

From 1db08018da9bf4d9dd61d8535a8b2c772d3570da Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 2 Aug 2021 13:14:40 +0200
Subject: [PATCH 5/8] Ensure that we get certificate validation on top90

I have found a list of the top100 email destinations online and ran them through a script to ensure that all of their MX servers had valid configuration... this is the result
---
 core/postfix/start.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index f54ec911..8df1537f 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -68,7 +68,8 @@ for map_file in glob.glob("/overrides/*.map"):
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
-        f.write("gmail.com\tsecure\n")
+        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']
+            f.write(f'{domain}\tsecure\n')
     os.system("postmap /etc/postfix/tls_policy.map")
 
 if "RELAYUSER" in os.environ:

From 7b847852afc3097f48cc6d0cd4577fa17655baa2 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 3 Aug 2021 13:30:12 +0200
Subject: [PATCH 6/8] fix typo

---
 docs/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 3536928c..88e60095 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
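Review bot: The ~90-entry domain list is inlined on one line of the `for` statement inside the `with` block, which is what let the missing trailing colon on that line slip through (the later "doh" patch in this series adds it); the list belongs in a module-level constant written one domain per line, or better in a data file operators can edit without patching start.py, and the same inline list reappears unchanged in the "doh" hunk. Forcing `secure` for these destinations means delivery is deferred whenever one of their MX hosts presents a chain that does not validate against `/etc/ssl/certs`, so the list is a point-in-time snapshot (the commit message says it was produced by a one-off script) that will turn into a silent delivery outage as it ages. The date of that check should sit next to the list so the next maintainer knows how stale it is, e.g. `# verified against the MX certificates of each domain on <date of the check>; re-check before trusting`. The f-string on the `f.write` line also departs from the `.format` style the surrounding file uses (`"postmap {}".format(destination)` in the previous hunk).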
@@ -71,7 +71,7 @@ mail in following format: ``[HOST]:PORT``.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are a relayhost that supports TLS.
+if you are using a relayhost that supports TLS.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for

From 0b162911532741fda2a6a213d723b9e41a0b45c7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 14 Aug 2021 08:49:28 +0200
Subject: [PATCH 7/8] doh

---
 core/postfix/start.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 8df1537f..83954192 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -68,7 +68,7 @@ for map_file in glob.glob("/overrides/*.map"):
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']
+        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
             f.write(f'{domain}\tsecure\n')
     os.system("postmap /etc/postfix/tls_policy.map")
 

From 65a27b1c7f57ce8d45573e500ee2792d74eb5d8b Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 20 Aug 2021 14:11:41 +0200
Subject: [PATCH 8/8] add additional options to make DANE easier

---
 core/postfix/conf/main.cf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index e7a88a7c..7f84ade7 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -63,6 +63,8 @@ smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
+smtp_host_lookup = dns
+smtp_dns_support_level = dnssec
 
 ###############
 # Virtual
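Review bot: `smtp_dns_support_level = dnssec` makes Postfix trust the AD bit it gets back from its resolver, so the new line only contributes to DANE security when the resolver the container points at validates DNSSEC itself and is reached over a path an attacker cannot tamper with (localhost or a trusted network); against a non-validating or spoofable resolver it yields the appearance of DANE with none of the assurance. The commit title promises to make DANE easier, but with `smtp_tls_security_level` still derived from `OUTBOUND_TLS_LEVEL` (default `may`, see the earlier main.cf hunk) nothing here turns DANE on: the level must be set to `dane` globally or per destination in the policy map referenced in this hunk's header. Both facts belong in main.cf next to the new lines, e.g. `# dnssec support is a prerequisite for a 'dane' security level and only helps if the local resolver validates DNSSEC over a trusted path`. `smtp_host_lookup = dns` appears to be the Postfix default, so it should either be dropped or carry a comment saying why it is being made explicit.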