diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 0194324f..78ffcee1 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET # 2. not all will have and up-to-date TLS stack. smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3 -smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }} +smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }} +smtp_tls_dane_insecure_mx_policy = dane smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix smtp_tls_CApath = /etc/ssl/certs smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache smtp_host_lookup = dns smtp_dns_support_level = dnssec +delay_warning_time = 5m +smtp_tls_loglevel = 1 +notify_classes = resource, software, delay ############### # Virtual diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/mta-sts-daemon.yml index 39f60e48..361bcbf9 100644 --- a/core/postfix/mta-sts-daemon.yml +++ b/core/postfix/mta-sts-daemon.yml @@ -6,5 +6,5 @@ cache: options: cache_size: 10000 default_zone: - strict_testing: false + strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }} timeout: 4 diff --git a/core/postfix/start.py b/core/postfix/start.py index de559b27..5e439bdb 100755 --- a/core/postfix/start.py +++ b/core/postfix/start.py @@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"): if os.path.exists("/overrides/mta-sts-daemon.yml"): shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml") +conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml") if not os.path.exists("/etc/postfix/tls_policy.map.db"): with open("/etc/postfix/tls_policy.map", "w") as f: diff --git a/docs/configuration.rst b/docs/configuration.rst index 27f8db7d..4fd84c07 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -73,7 +73,7 @@ mail in following format: ``[HOST]:PORT``. By default postfix uses "opportunistic TLS" for outbound mail. This can be changed by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended -if you are using a relayhost that supports TLS. +if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail. Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for