Loading ...
Sorry, an error occurred while loading the content.

Re: sasl on smtps: allowing plaintext

Expand Messages
  • Viktor Dukhovni
    ... The suggestion is I believe to use smtp_tls_policy_maps to ensure that TLS is used for destinations where you will be using plaintext authentication. #
    Message 1 of 7 , Jul 17, 2013
    • 0 Attachment
      On Wed, Jul 17, 2013 at 08:19:56AM +0200, Vincent Pelletier wrote:

      > Maybe I'm being paranoid, but because not all my relays support TLS I
      > cannot be stricter than
      > smtp_tls_security_level = may
      > without also having separate transports (if I understand correctly).
      > So if I do not set noplaintext and someday one of the
      > usually-TLS-enabled relays doesn't offer TLS (config hickup...),
      > postfix will AUTH.

      The suggestion is I believe to use smtp_tls_policy_maps to ensure
      that TLS is used for destinations where you will be using plaintext
      authentication.

      # MITM resistant authenticated TLS
      [smtp.example.com]:587 secure match=smtp.example.com

      # MITM vulnerable unauthenticated TLS
      [smtp.example.com]:587 encrypt

      # Some day when provider adopts DNSSEC and publishes a suitable TLSA
      # RRset and you've deployed Postfix 2.11
      #
      [smtp.example.com]:587 dane-only

      --
      Viktor.
    • Vincent Pelletier
      On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni ... Thanks, I think I understand now: main.cf (or a few -o in master.cf s submission service):
      Message 2 of 7 , Jul 17, 2013
      • 0 Attachment
        On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
        <postfix-users@...> wrote:
        > The suggestion is I believe to use smtp_tls_policy_maps to ensure
        > that TLS is used for destinations where you will be using plaintext
        > authentication.

        Thanks, I think I understand now:
        main.cf (or a few -o in master.cf's submission service):
        smtp_sasl_security_options = noanonymous
        smtp_tls_security_level = must
        smtp_tls_policy_maps = hash:blah

        blah:
        [127.0.0.1] none

        This is indeed closer to the mental picture I had of the solution
        (host-based lookup), but I didn't notice the need for a laxist
        smtp_sasl_security_options value.

        I've the idea to someday move my postfix setup to a server also sending
        & receiving mails for its own domain. Is it a bad idea (error-prone)
        to mix both of those use cases on a single postfix, generally speaking ?

        If I understand correctly, a setup with both roles would need your
        initial suggestion (which I setup successfully before noticing the
        second reply).

        Regards,
        --
        Vincent Pelletier
      • Viktor Dukhovni
        ... must is not a valid value for smtp_tls_security_level , see the documentation for details. ... Either a secure default and insecure exceptions, or the
        Message 3 of 7 , Jul 17, 2013
        • 0 Attachment
          On Wed, Jul 17, 2013 at 08:10:44PM +0200, Vincent Pelletier wrote:

          > On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
          > <postfix-users@...> wrote:
          > > The suggestion is I believe to use smtp_tls_policy_maps to ensure
          > > that TLS is used for destinations where you will be using plaintext
          > > authentication.
          >
          > Thanks, I think I understand now:
          > main.cf (or a few -o in master.cf's submission service):
          > smtp_sasl_security_options = noanonymous
          > smtp_tls_security_level = must

          "must" is not a valid value for "smtp_tls_security_level", see the
          documentation for details.

          > smtp_tls_policy_maps = hash:blah
          >
          > blah:
          > [127.0.0.1] none

          Either a secure default and insecure exceptions, or the converse.

          --
          Viktor.
        Your message has been successfully submitted and would be delivered to recipients shortly.