
Re: smtp_tls_security_level = may combined with smtp_tls_policy_maps

  • Viktor Dukhovni
    Message 1 of 8, Mar 15, 2013
      On Fri, Mar 15, 2013 at 10:09:17AM -0400, JL Hill wrote:

      > /etc/postfix/tls_policy
      >
      > example.com none
      > .example.com none
      >
      > From the documentation I read, I thought postfix would not try negotiating
      > TLS with the example.com mail server, but it does.
      >
      > (I posted this question Mar. 5, but received no response).
      >
      > Best regards,

      The policy table applies policy to destination domains, not MX
      hosts. So what do you mean when you say "with the example.com"
      mailserver? If it has a stable IP address, you can use

      smtp_discard_ehlo_keyword_address_maps

      to suppress a given host's "STARTTLS" announcement.

      --
      Viktor.
    • JL Hill
      Message 2 of 8, Mar 15, 2013
        Thank you for your response. I assume I have something wrong, or I misunderstood the documentation. 

        I have tested sending mail to example.com. A "dig example.com MX" gives:

        example.com. 2546 IN MX 10 smtp1.example.com.
        example.com. 2546 IN MX 20 smtp2.example.com.
        example.com. 2546 IN MX 30 smtp3.example.com.

        I had assumed that having
             
           .example.com none

        in my tls_policy would keep postfix from negotiating TLS with these servers.

        I will try with smtp_discard_ehlo_keyword_address_maps.

        Thank you again,

        JL Hill

        p.s. in case it is of value, my tls config:

        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
        smtpd_tls_auth_only = no
        smtpd_tls_security_level = may
        smtp_tls_security_level = may
        tls_random_source = dev:/dev/urandom
        smtpd_tls_received_header = yes
        smtp_tls_note_starttls_offer = yes
        smtpd_tls_key_file = /etc/postfix/ssl/host.mydom.com.key
        smtpd_tls_cert_file = /etc/postfix/ssl/host.mydom.com.crt
        smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle.crt
        smtp_tls_CAfile = /etc/postfix/ssl/gd_bundle.crt
        smtpd_tls_CApath = /etc/ssl/certs
        smtp_tls_CApath = /etc/ssl/certs
        smtp_tls_loglevel = 2
        smtpd_tls_loglevel = 2


      • Viktor Dukhovni
        Message 3 of 8, Mar 15, 2013
          On Fri, Mar 15, 2013 at 04:09:47PM -0400, JL Hill wrote:

          > Thank you for your response. I assume I have something wrong, or I
          > misunderstood the documentation.
          >
          > I have tested sending mail to example.com. A "dig example.com MX" gives:
          >
          > example.com. 2546 IN MX 10 smtp1.example.com.
          > example.com. 2546 IN MX 20 smtp2.example.com.
          > example.com. 2546 IN MX 30 smtp3.example.com.
          >
          > I had assumed that having
          >
          > .example.com none
          >
          > in my tls_policy would keep postfix from negotiating TLS with these servers.

          No, when sending mail to example.com you set TLS policy for "example.com"

          example.com none.

          TLS policy is by destination (domain), not by MX host. The setting you
          have disables TLS for email addressed to "mumble.example.com", assuming
          there is a valid "mumble.example.com" email domain.

          --
          Viktor.
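
The lookup Viktor describes, as an added example (my own Python model, not Postfix source and not posted in the thread): the policy table is searched with the next-hop destination, i.e. the recipient domain, and a key with a leading dot matches only subdomains. The MX host that the TLS session would actually be with never enters the lookup. The policy table and MX records below are constructed to mirror the poster's setup; the "secure.example.net" entry and the address 198.51.100.25 are hypothetical.

```python
"""Model of the Postfix SMTP client TLS policy lookup.

Constructed illustration, not Postfix source: it reproduces the behaviour
described in the thread. The policy table is keyed by the next-hop
destination (the recipient domain), never by the MX host that is actually
contacted, and a key with a leading dot matches subdomains only.
"""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed copy of the poster's hash:/etc/postfix/tls_policy, plus one
# hypothetical entry to show that "none" is only one possible level.
TLS_POLICY: Dict[str, str] = {
    "example.com": "none",           # user@example.com: do not negotiate TLS
    ".example.com": "none",          # user@<anything>.example.com
    "secure.example.net": "secure",  # hypothetical: require verified TLS
}

# Constructed MX data. The lookup below never reads it: the MX host name
# (smtp2.example.com) is not a policy key.
MX_RECORDS: Dict[str, List[str]] = {
    "example.com": ["smtp1.example.com", "smtp2.example.com", "smtp3.example.com"],
}

DEFAULT_LEVEL = "may"  # smtp_tls_security_level = may, as in the poster's config


def policy_keys(domain: str) -> Iterator[str]:
    """Yield lookup keys in the order tried: the exact domain, then each
    parent domain with a leading dot (mumble.example.com -> .example.com -> .com)."""
    domain = domain.lower().rstrip(".")
    yield domain
    labels = domain.split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def tls_level(next_hop: str,
              policy: Dict[str, str] = TLS_POLICY,
              default: str = DEFAULT_LEVEL) -> Tuple[str, Optional[str]]:
    """Return (security level, matching key) for a next-hop domain; the
    global smtp_tls_security_level applies when nothing matches."""
    for key in policy_keys(next_hop):
        if key in policy:
            return policy[key], key
    return default, None


def delivery_decision(recipient: str,
                      policy: Dict[str, str] = TLS_POLICY) -> Dict[str, object]:
    """Simulate one delivery: derive the next hop from the recipient domain,
    pick the MX host, and decide whether TLS will be negotiated."""
    domain = recipient.rsplit("@", 1)[1].lower()
    level, key = tls_level(domain, policy)
    mx_host = MX_RECORDS.get(domain, [domain])[0]
    return {
        "next_hop": domain,        # what the policy table is searched with
        "mx_host": mx_host,        # who the TLS session would be with
        "matched_key": key,
        "level": level,
        "negotiate_tls": level != "none",
    }


if __name__ == "__main__":
    # The poster's first attempt: only the dotted entry present, so mail to
    # user@example.com still gets the default level "may" and TLS is offered.
    only_dot = {".example.com": "none"}
    print(delivery_decision("john.doe@example.com", only_dot))
    # With the plain "example.com none" entry TLS is off for example.com.
    print(delivery_decision("john.doe@example.com"))
    # The dotted entry is what covers subdomains such as mumble.example.com.
    print(delivery_decision("someone@mumble.example.com"))
```

The third call is the case Viktor names: ".example.com none" only ever fires for mail addressed to a subdomain of example.com, which is why a table containing just that entry left TLS enabled for john.doe@example.com even though the MX host is smtp2.example.com.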
        • JL Hill
          Message 4 of 8, Mar 15, 2013
            I feel more confused. I had originally tested

                example.com   none

            and it failed. I searched the documentation, and found .example.com to use for subdomains, so I thought that would fit my case as the negotiation is with smtp2.example.com, even though I am emailing john.doe@...

            When I tested without the dot, sending to john.doe@... my log shows "Host offered STARTTLS: [smtp2.example.com]" 

            I will test carefully again using just "example.com none" -- I guess I could have made a typo or other error; I thought not.

            Thank you again,

            JL Hill


          • Viktor Dukhovni
            Message 5 of 8, Mar 15, 2013
              On Fri, Mar 15, 2013 at 05:19:30PM -0400, JL Hill wrote:

              > I feel more confused. I had originally tested
              >
              > example.com none
              >
              > and it failed. I searched the documentation, and found .example.com to use
              > for subdomains, so I thought that would fit my case as the negotiation is
              > with smtp2.example.com, even though I am emailing john.doe@...
              >
              > When I tested without the dot, sending to john.doe@... my log shows
              > "Host offered STARTTLS: [smtp2.example.com]"

              This means that TLS was NOT used. This is a helpful log message that
              tells you that you could use TLS, but you're not. Your configuration
              turns on this non-default helpful log message.

              # default:
              smtp_tls_note_starttls_offer = no

              --
              Viktor.
            • JL Hill
              Message 6 of 8, Mar 15, 2013
                My apologies, I grabbed the wrong snippet of log file (same host, different server). Here is the entire connection log (I changed only the domain name and xxx'd the ip address):

                Mar  3 06:36:10 host postfix/smtp[22224]: initializing the client-side TLS engine
                Mar  3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25
                Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:before/connect initialization
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:unknown state
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server hello A
                Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
                Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
                Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=1 verify=1 subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
                Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=0 verify=1 subject=/O=smtp1.example.com/OU=Domain Control Validated/CN=smtp1.example.com
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server certificate A
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server done A
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write client key exchange A
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write change cipher spec A
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write finished A
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 flush data
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read finished A
                Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: subject_CN=smtp1.example.com, issuer_CN=Go Daddy Secure Certification Authority, fingerprint 93:28:E6:D5:F1:6F:FD:34:09:8B:BF:52:35:BB:94:6C, pkey_fingerprint=E4:A4:55:48:AF:85:C5:A0:51:25:94:B8:57:54:D5:50
                Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
                Mar  3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version
                Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
                Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<brian@...>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)

                As I said, I was trying to understand what was supposed to work in turning off TLS for a specific domain. I understand that I should be able to do it by specifying "example.com none" in tls_policy. I will test using smtp_tls_policy_maps, as well as testing using smtpd_discard_ehlo_keyword_address_maps.

                Thank you again, and again my apologies for grabbing the wrong snippet of log file.

                JL Hill


              • Viktor Dukhovni
                Message 7 of 8, Mar 15, 2013
                  On Fri, Mar 15, 2013 at 07:20:24PM -0400, JL Hill wrote:

                  > My apologies, I grabbed the wrong snippet of log file (same host, different
                  > server). Here is the entire connection log (I changed only the domain name
                  > and xxx'd the ip address):

                  No, don't apologize, in fact you grabbed exactly the right logs then,
                  and the wrong logs now. With TLS for "example.com" disabled the logs
                  with the "STARTTLS offer" are exactly how Postfix behaves with TLS
                  disabled and:

                  smtp_tls_note_starttls_offer = yes

                  For peace of mind, set that parameter to no, and if you for some
                  reason want TLS off for some domain, place:

                  example.com none

                  in the policy table, you've already seen it work.

                  --
                  Viktor.
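
Reading the two log excerpts the way Viktor does, as an added example (my own Python, not from the thread or from Postfix): "Host offered STARTTLS: [host]" is only logged when the remote host offered STARTTLS and Postfix declined it, so it proves TLS was off; "Untrusted TLS connection established ..." proves a TLS session was set up. The first sample below is built from the lines quoted in message 6; the second is constructed to look like the earlier "Host offered STARTTLS" delivery, with a hypothetical queue id and the address 198.51.100.25.

```python
"""Classify Postfix SMTP client TLS log lines.

Added illustration, not part of the thread: given the lines postfix/smtp
writes at smtp_tls_loglevel = 2 (and with smtp_tls_note_starttls_offer = yes),
decide whether TLS was actually used for a delivery attempt. The samples are
constructed from the lines quoted in the thread.
"""
import re
from typing import Dict, List

# Written only when the host offered STARTTLS and Postfix did NOT use it
# (smtp_tls_note_starttls_offer = yes).
OFFERED = re.compile(r"Host offered STARTTLS: \[([^\]]+)\]")
# "<Trust> TLS connection established to host[ip]:port: <proto> with cipher <name> (...)"
ESTABLISHED = re.compile(
    r"(Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(\S+): (\S+) with cipher (\S+)")
LIBRARY_PROBLEM = re.compile(r"warning: TLS library problem: (.*)")
STATUS = re.compile(r"relay=(\S+), .*?status=(\w+) \((.*)\)")

# Constructed from message 6 (domain changed, IP masked, as in the thread).
SAMPLE_TLS_USED: List[str] = [
    "Mar  3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25",
    "Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:",
    "Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<brian@...>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)",
]
# Constructed: what a delivery with "example.com none" in effect looks like.
SAMPLE_TLS_OFF: List[str] = [
    "Mar 15 17:00:00 host postfix/smtp[23456]: Host offered STARTTLS: [smtp2.example.com]",
    "Mar 15 17:00:01 host postfix/smtp[23456]: 0123456789: to=<john.doe@example.com>, relay=smtp2.example.com[198.51.100.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
]


def summarize(lines: List[str]) -> Dict[str, object]:
    """Reduce one delivery attempt's log lines to a TLS verdict."""
    verdict: Dict[str, object] = {
        "tls_used": False,         # a "... TLS connection established" line was seen
        "trust": None,             # Anonymous / Untrusted / Trusted / Verified
        "protocol": None,
        "cipher": None,
        "offered_not_used": None,  # host that offered STARTTLS which we declined
        "tls_errors": [],
        "relay": None,
        "status": None,
    }
    for line in lines:
        m = OFFERED.search(line)
        if m:
            verdict["offered_not_used"] = m.group(1)
            continue
        m = ESTABLISHED.search(line)
        if m:
            verdict.update(tls_used=True, trust=m.group(1),
                           protocol=m.group(3), cipher=m.group(4))
            continue
        m = LIBRARY_PROBLEM.search(line)
        if m:
            verdict["tls_errors"].append(m.group(1))
            continue
        m = STATUS.search(line)
        if m:
            verdict.update(relay=m.group(1), status=m.group(2))
    return verdict


def explain(verdict: Dict[str, object]) -> str:
    """One-line reading of the verdict, in the terms the thread uses."""
    if verdict["offered_not_used"]:
        return "TLS NOT used: %s offered STARTTLS but TLS is disabled for this destination" % verdict["offered_not_used"]
    if verdict["tls_used"]:
        note = "" if verdict["trust"] in ("Trusted", "Verified") else " (peer certificate not verified)"
        return "TLS used: %s %s with %s%s" % (verdict["trust"], verdict["protocol"], verdict["cipher"], note)
    return "no TLS negotiated"


if __name__ == "__main__":
    for sample in (SAMPLE_TLS_USED, SAMPLE_TLS_OFF):
        v = summarize(sample)
        print(explain(v), "| status:", v["status"], "| TLS errors:", len(v["tls_errors"]))
```

Run over the thread's own excerpt, the first sample is classified as a TLS session (Untrusted, TLSv1, DES-CBC3-SHA) followed by a library error and a deferred delivery, which is why Viktor calls it the wrong log for "TLS disabled"; the second is classified as TLS not used, the pattern the "example.com none" entry produces when smtp_tls_note_starttls_offer = yes.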