Introduce DEFER_ON_TLS_ERROR

This will default to True and defer emails that fail even "loose" validation of DANE or MTA-STS It should work most of the time but if it doesn't and you would rather see your emails delivered, you can turn it off.
3 years ago · a8142dabbe
parent 7c5dcfa025
commit a8142dabbe
4 changed files with 8 additions and 3 deletions
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # 2. not all will have and up-to-date TLS stack.
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
+smtp_tls_dane_insecure_mx_policy = dane
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 smtp_host_lookup = dns
 smtp_dns_support_level = dnssec
+delay_warning_time = 5m
+smtp_tls_loglevel = 1
+notify_classes = resource, software, delay

 ###############
 # Virtual
--- a/core/postfix/mta-sts-daemon.yml
+++ b/core/postfix/mta-sts-daemon.yml
@ -6,5 +6,5 @@ cache:
  options:
    cache_size: 10000
 default_zone:
-  strict_testing: false
+  strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
  timeout: 4
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"):

 if os.path.exists("/overrides/mta-sts-daemon.yml"):
    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")

 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
    with open("/etc/postfix/tls_policy.map", "w") as f:
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -73,7 +73,7 @@ mail in following format: ``[HOST]:PORT``.

 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are using a relayhost that supports TLS.
+if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.

 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for