lub
/
mailu
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

Introduce DEFER_ON_TLS_ERROR

Browse Source 
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
master
Florent Daigniere 3 years ago
parent 7c5dcfa025
commit a8142dabbe
4 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File

6
core/postfix/conf/main.cf
Unescape Escape View File

@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
# 2. not all will have and up-to-date TLS stack. # 2. not all will have and up-to-date TLS stack.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =!SSLv2,!SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }} smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
smtp_tls_CApath = /etc/ssl/certs smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
smtp_host_lookup = dns smtp_host_lookup = dns
smtp_dns_support_level = dnssec smtp_dns_support_level = dnssec
delay_warning_time = 5m
smtp_tls_loglevel = 1
notify_classes = resource, software, delay
############### ###############
# Virtual # Virtual

2
core/postfix/mta-sts-daemon.yml
Unescape Escape View File

@ -6,5 +6,5 @@ cache:
options: options:
cache_size: 10000 cache_size: 10000
default_zone: default_zone:
strict_testing: false strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
timeout: 4 timeout: 4

1
core/postfix/start.py
Unescape Escape View File

@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"):
if os.path.exists("/overrides/mta-sts-daemon.yml"): if os.path.exists("/overrides/mta-sts-daemon.yml"):
shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml") shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
if not os.path.exists("/etc/postfix/tls_policy.map.db"): if not os.path.exists("/etc/postfix/tls_policy.map.db"):
with open("/etc/postfix/tls_policy.map", "w") as f: with open("/etc/postfix/tls_policy.map", "w") as f:

2
docs/configuration.rst
Unescape Escape View File

@ -73,7 +73,7 @@ mail in following format: ``[HOST]:PORT``.
By default postfix uses "opportunistic TLS" for outbound mail. This can be changed By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
if you are using a relayhost that supports TLS. if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.
Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for

Write Preview
Loading…
Cancel
Save