
do i understand tls_policy_maps right?

  • weber@...
    Message 1 of 2 , Feb 10, 2013
      hello,

      when i set in main.cf:


      smtp_tls_policy_maps =
      hash:/etc/postfix/tls_policy

      and do in


      /etc/postfix/tls_policy =

      externaldomain.com encrypt


      will then every mail leaving my server to externaldomain.com be forced
      to use TLS?


      and when i set in the same map


      external2.com verify


      is every incoming mail checked to see whether the cert is signed by the CA
      that I have stored in the CA_path?


      marko
    • Viktor Dukhovni
      Message 2 of 2 , Feb 10, 2013
        On Sun, Feb 10, 2013 at 09:22:34PM +0100, weber@... wrote:

        > When I set in main.cf:
        >
        > smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
        >
        > and in
        >
        > /etc/postfix/tls_policy:
        >
        > example.com encrypt
        >
        > Will then every mail leaving my server to example.com be required
        > to use TLS?

        Yes, but without validation of the peer certificate. Thus you get
        protection from passive eavesdropping, but not active man-in-the-middle
        attacks (on TLS).

        > And when I set in the same map
        >
        > example.net verify
        >
        > Every incoming mail is checked if the cert is signed by the CA
        > that I have stored in the CA_path?

        No. The policy table as documented applies only to outgoing mail.
        Also the "verify" security level is not immune to MITM attacks that
        return forged DNS responses. To avoid all MITM attacks, use "secure",
        not "verify", provided the destination's SMTP servers have suitable
        certificates.

        Often you need to explicitly provide non-default "match" parameters
        along with the "secure" policy. Once you do so, the "verify" and
        "secure" levels become identical; they only differ in their default
        match policies.

        All of this is explained in

        http://www.postfix.org/TLS_README.html#client_tls_limits
        http://www.postfix.org/TLS_README.html#client_tls_levels
        http://www.postfix.org/TLS_README.html#client_tls_verify
        http://www.postfix.org/TLS_README.html#client_tls_secure
        http://www.postfix.org/TLS_README.html#client_tls_policy

        --
        Viktor.
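As an added example (not code from the thread or from Postfix), a small Python checker that reads a tls_policy table and classifies each destination along the lines drawn in the reply above: "encrypt" gives no certificate validation, "verify" validates the certificate but by default matches the MX hostname learned from forgeable DNS, and "secure" (or either level with an explicit match list that avoids "hostname") resists an active MITM. The sample table is constructed for the example; the default match lists are Postfix's documented defaults for smtp_tls_verify_cert_match and smtp_tls_secure_cert_match.

```python
import re

# Constructed sample policy table (not from the thread). One entry per
# level discussed in the reply, plus "verify" with an explicit match.
SAMPLE_TLS_POLICY = """\
# destination            level    [attribute=value ...]
example.com              encrypt
example.net              verify
example.co               verify   match=mx1.example.co:mx2.example.co
example.org              secure
mail.example.edu         secure   match=mail.example.edu:.example.edu
[smtp.example.test]:587  may
"""

# Postfix defaults when no match= attribute is given (per TLS_README):
# "verify" matches the MX "hostname" learned from DNS, while "secure"
# matches the next-hop domain, which does not depend on a DNS lookup.
DEFAULT_MATCH = {"verify": "hostname", "secure": "nexthop, dot-nexthop"}

def parse_tls_policy(text):
    """Parse an smtp_tls_policy_maps source file into
    (destination, level, {attribute: value}) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        dest, level = fields[0], fields[1].lower()
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        entries.append((dest, level, attrs))
    return entries

def assess(level, attrs):
    """Classify what an entry protects against, following the reply:
    "encrypt" stops passive eavesdropping only; "verify"/"secure"
    validate the certificate, but resist an active MITM only when the
    expected name is not taken from forgeable DNS ("hostname")."""
    if level == "encrypt":
        return "encrypt-only"
    if level not in DEFAULT_MATCH:
        return "other"  # may, none, dane, ...: outside this thread's scope
    match = attrs.get("match", DEFAULT_MATCH[level])
    names = re.split(r"[:,\s]+", match.strip())
    return "dns-dependent" if "hostname" in names else "mitm-resistant"

def report(text):
    """Map each destination in the table to its classification."""
    return {d: assess(lvl, a) for d, lvl, a in parse_tls_policy(text)}
```

Run `report(open("/etc/postfix/tls_policy").read())` against a real table to see which destinations you believe are protected but are only "encrypt-only" or "dns-dependent".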