Enforce TLS to MX


Enforce TLS to MX

postfix@xmas.de
Hi,

Isn't it possible to enforce TLS outbound to an MX?
In the example below, if mx0.example.com isn't offering TLS the email is
sent unencrypted!?
Enforcing TLS to a domain is working as expected.

tls_policy:
[mx0.example.com]         encrypt
[4.3.2.1]                encrypt

postfix-3.2.0

alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
append_dot_mydomain = no
authorized_submit_users = root
canonical_classes = envelope_sender, envelope_recipient
canonical_maps = regexp:/etc/postfix-mx1/canonical
compatibility_level = 2
config_directory = /usr/local/postfix/postfix-outgoing
data_directory = /var/lib/postfix-outgoing
default_database_type = btree
default_destination_concurrency_limit = 500
default_destination_recipient_limit = 500
disable_vrfy_command = yes
fast_flush_domains =
hopcount_limit = 50
in_flow_delay = 0
inet_interfaces = 192.168.0.41
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mailq_path = /usr/local/postfix/bin/mailq
masquerade_classes = envelope_recipient, envelope_sender, header_sender,
header_recipient
masquerade_domains = xyz.com pallas.de xyz.com
master_service_disable =
maximal_queue_lifetime = 5d
message_size_limit = 50000000
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-outgoing
mydestination =
mydomain = xyz.com
myhostname = outgoing.xyz.com
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/postfix/bin/newaliases
queue_directory = /var/spool/postfix-outgoing
sender_dependent_relayhost_maps =
btree:/etc/postfix-outgoing/transport_sender
sendmail_path = /usr/local/postfix/sbin/sendmail
smtp_bind_address = 192.168.0.41
smtp_dns_support_level = enabled
smtp_host_lookup = dns, native
smtp_tls_cert_file = ${smtpd_tls_cert_file}
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH
EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA KRB5-DES-CBC3-SHA
smtp_tls_key_file = ${smtpd_tls_key_file}
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_policy_maps = btree:/etc/postfix-outgoing/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_discard_ehlo_keywords = silent-discard, etrn
smtpd_error_sleep_time = 3s
smtpd_helo_required = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
permit_mynetworks, reject
smtpd_relay_restrictions =
smtpd_tls_CAfile = /etc/postfix-outgoing/cacert.pem
smtpd_tls_cert_file = /etc/postfix-outgoing/outgoing.xyz.com.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix-outgoing/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH
EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA KRB5-DES-CBC3-SHA
smtpd_tls_key_file = /etc/postfix-outgoing/outgoing.xyz.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtputf8_enable = no
tls_preempt_cipherlist = yes
transport_maps = btree:/etc/postfix-outgoing/transport
unknown_local_recipient_reject_code = 550


192.168.0.41:25 inet n  -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       - trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache



Re: Enforce TLS to MX

Paul Menzel
Dear anonymous,


On 07/24/17 14:33, [hidden email] wrote:

> Isn't it possible to enforce TLS outbound to an MX?
> In the example below, if mx0.example.com isn't offering TLS the email is
> sent unencrypted!?
> Enforcing TLS to a domain is working as expected.
>
> tls_policy:
> [mx0.example.com]         encrypt
> [4.3.2.1]                encrypt

What isn’t working as expected? Please provide the log entries.


Kind regards,

Paul

Re: Enforce TLS to MX

Noel Jones-2
In reply to this post by postfix@xmas.de
On 7/24/2017 7:33 AM, [hidden email] wrote:

> Hi,
>
> Isn't it possible to enforce TLS outbound to an MX?
> In the example below, if mx0.example.com isn't offering TLS the
> email is sent unencrypted!?
> Enforcing TLS to a domain is working as expected.
>
> tls_policy:
> [mx0.example.com]         encrypt
> [4.3.2.1]                encrypt

According to the docs, the MX is not a supported key for the map.
Use the recipient domain or if you use a transport_maps entry, use
the verbatim next-hop from transport_maps.

http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps




  -- Noel Jones





Re: Enforce TLS to MX

Viktor Dukhovni
In reply to this post by postfix@xmas.de
On Mon, Jul 24, 2017 at 02:33:01PM +0200, [hidden email] wrote:

> Isn't it possible to enforce TLS outbound to an MX?

No, Postfix TLS policy is based on the locally (securely) determined
nexthop domain, not the remotely (insecurely in most cases, given
still sparse DNSSEC deployment) determined MX host.

> In the example below, if mx0.example.com isn't offering TLS the email is
> sent unencrypted!?
> Enforcing TLS to a domain is working as expected.
>
> tls_policy:
> [mx0.example.com]         encrypt
> [4.3.2.1]                encrypt

The lookup keys below are only supported when they are the nexthop
domain from the transport table.  There is no documented lookup
by MX host in the SMTP policy table.

--
        Viktor.

Re: Enforce TLS to MX

Wietse Venema
In reply to this post by postfix@xmas.de
[hidden email]:
> Hi,
>
> Isn't it possible to enforce TLS outbound to an MX?

Sure there is.

/etc/postfix/master.cf
    smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt

/etc/postfix/transport
    example.com smtp-encrypt

/etc/postfix/main.cf
    transport_maps = hash:/etc/postfix/transport

        Wietse

Re: Enforce TLS to MX

Viktor Dukhovni
On Mon, Jul 24, 2017 at 01:53:57PM -0400, Wietse Venema wrote:

> [hidden email]:
> > Hi,
> >
> > Isn't it possible to enforce TLS outbound to an MX?
>
> Sure there is.
>
> /etc/postfix/master.cf
>     smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt
>
> /etc/postfix/transport
>     example.com smtp-encrypt
>
> /etc/postfix/main.cf
>     transport_maps = hash:/etc/postfix/transport

I think the OP is asking for policy based on the MX host.  I am
reluctant to (re)introduce such a mechanism, since its security
properties are rather dubious.  If the remote domain has DNSSEC,
they may as well also do DANE.  Absent DNSSEC, per-MX policy is
in my view illusory security.

--
        Viktor.

Re: Enforce TLS to MX

postfix@xmas.de

Quote from Viktor Dukhovni <[hidden email]>:

> On Mon, Jul 24, 2017 at 01:53:57PM -0400, Wietse Venema wrote:
>> [hidden email]:
>> > Hi,
>> >
>> > Isn't it possible to enforce TLS outbound to an MX?
>>
>> Sure there is.
>>
>> /etc/postfix/master.cf
>>     smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt
>>
>> /etc/postfix/transport
>>     example.com smtp-encrypt
>>
>> /etc/postfix/main.cf
>>     transport_maps = hash:/etc/postfix/transport
>
> I think the OP is asking for policy based on the MX host.  I am
> reluctant to (re)introduce such a mechanism, since its security
> properties are rather dubious.  If the remote domain has DNSSEC,
> they may as well also do DANE.  Absent DNSSEC, per-MX policy is
> in my view illusory security.
>
> --
> Viktor.

Hi Wietse and Viktor,

sorry, my name is Frank.

Yes, Viktor you're right.
We have partners who have numerous domains and don't want to tell me
the whole list of domains.
I only have the MX and have to ensure that the transport is encrypted.
I understand that DNSSEC/DANE is the best way to do it.
But unfortunately, DNSSEC is still not common.

I think it would be worth encrypting even though DNS is spoofable.

Maybe there is a workaround through transport and tcp-table?


Thanks for all answers.

Frank



Re: Enforce TLS to MX

Bastian Blank-3
On Tue, Jul 25, 2017 at 09:59:43AM +0200, [hidden email] wrote:
> I only have the MX and have to ensure that the transport is encrypted.

Well.  If the remote system announces STARTTLS, it will be used.  So you
have ensured that encryption is used if the remote system tells you it works.

> I understand that DNSSEC/DANE is the best way to do it.
> But unfortunately, DNSSEC is still not common.

You need one piece of securely transmitted information, either the
domains or via secured DNS the public key information of the remote.

> I think it would be worth encrypting even though DNS is spoofable.

As said, postfix will already encrypt things, if the remote is capable
of it.

Bastian

--
If I can have honesty, it's easier to overlook mistakes.
                -- Kirk, "Space Seed", stardate 3141.9

Re: Enforce TLS to MX

Viktor Dukhovni
In reply to this post by postfix@xmas.de

> On Jul 25, 2017, at 3:59 AM, [hidden email] wrote:
>
> We have partners who have numerous domains and don't want to tell me
> the whole list of domains.

Postfix TLS security is by destination domain.  Basing TLS security
policy on the insecurely obtained MX host is futile.  If there's no
man-in-the-middle attack, and you have "smtp_tls_security_level = may"
as the default (destination-independent) security level in main.cf, then
STARTTLS opportunistic encryption will be used to any destination that
supports TLS on its receiving MX hosts.

If there is a man-in-the-middle (MiTM) attack, then the MX records can
be forged in DNS, and MX-based policy will not protect the traffic. In
fact, unless the remote certificates are verified, the MiTM can also
impersonate the remote destination via unauthenticated TLS, so even
an "encrypt" (encryption without authentication) TLS policy does not
protect traffic against active attacks.

Any domain they're unwilling to tell you about can't be a domain that
you're likely to correspond with.  You may if you wish scan your logs
for email from your users to domains via the MX host in question, and
add those domains to the $smtp_tls_policy_maps table:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy

    tls-policy:
        example.com secure match=mx.example.com tafile=/etc/ssl/example.com.CAs.pem

If you run smtp(8) chrooted, you'll need to have the "tafile" with the
root CAs trusted to authenticate "example.com" installed inside the
chroot jail, in this example, assuming the default queue_directory, it
would be:

    /var/spool/postfix/etc/ssl/example.com.CAs.pem

If smtp(8) is not chrooted, the tafile is as specified and not relative
to $queue_directory.

> I only have the MX and have to ensure that the transport is encrypted.

There is still in Postfix a legacy insecure TLS policy interface left
over from the initial TLS implementation in version 2.2.  That policy
interface is mutually exclusive with the preferred smtp_tls_policy_maps,
so if you're using that for destinations that don't refuse to disclose
their domain list, the legacy interface is not an option.  The legacy
interface is per-MX, and was deprecated precisely because it is insecure.
I do not recommend its use:

http://www.postfix.org/TLS_LEGACY_README.html#client_tls_per_site

> I understand that DNSSEC/DANE is the best way to do it.
> But unfortunately, DNSSEC is still not common.

Yes, around 1--2% of domains have DNSSEC.  As part of my DANE survey
I have thus far identified ~4.6 million DNSSEC domains, out of around
200 million domains combined in the various feeds I use.

> I think it would be worth encrypting even though DNS is spoofable.

Well simple opportunistic encryption is pretty reliable in practice
and requires nothing beyond "may" security.  If you want stronger
security, then presumably DNS spoofing or unauthenticated TLS MiTM
is part of the threat model.

> Maybe there is a workaround through transport and tcp-table?

If you redirect all IP traffic to the MX host in question to a
loopback address with another Postfix instance, that Postfix
instance can implement a default "encrypt" or stronger security
policy.  This is a fragile hack, and not recommended.

--
        Viktor.
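Viktor's suggestion above (scan the logs for domains delivered via the MX host in question and list them in the policy table) and Wietse's transport-based variant earlier in the thread, as an added example that is not part of the thread: a Python script that reads smtp(8) delivery log lines (constructed samples, not from the thread), collects the recipient domains relayed through named MX hosts, and renders them as smtp_tls_policy_maps or transport_maps entries. The MX host names, match names and tafile path are assumed placeholders; the domain list is only as good as the DNS answers that produced those log lines.

```python
"""Derive per-domain Postfix TLS policy entries from smtp(8) delivery logs.

Postfix keys smtp_tls_policy_maps and transport_maps by the next-hop domain,
not the MX host, so list the recipient domains actually relayed via that MX.
"""
import re

# Constructed sample lines in smtp(8)'s "to=<...>, relay=..." log format;
# they are not taken from the mailing-list thread.
SAMPLE_LOG = """\
Jul 25 10:01:12 out postfix-outgoing/smtp[1234]: 3A1B2C3D4E: to=<alice@partner-one.example>, relay=mx0.example.com[203.0.113.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 Ok)
Jul 25 10:02:30 out postfix-outgoing/smtp[1235]: 4B2C3D4E5F: to=<bob@Partner-Two.example>, relay=mx0.example.com[203.0.113.11]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 Ok)
Jul 25 10:03:45 out postfix-outgoing/smtp[1236]: 5C3D4E5F6A: to=<carol@unrelated.example>, relay=mail.unrelated.example[198.51.100.5]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 Ok)
Jul 25 10:04:10 out postfix-outgoing/smtp[1237]: 6D4E5F6A7B: to=<dave@partner-four.example>, relay=mx1.example.com[203.0.113.12]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 Ok)
Jul 25 10:05:00 out postfix-outgoing/smtp[1238]: 7E5F6A7B8C: to=<erin@partner-one.example>, relay=none, delay=0.1, delays=0.1/0/0/0, dsn=5.4.4, status=bounced (Host not found)
"""

# Recipient domain and relay host name; bounces show up as relay=none.
LOG_RE = re.compile(r"to=<[^@>]+@([^>]+)>, relay=([^\[,]+)")


def domains_via_mx(log_text, mx_hosts):
    """Return the recipient domains that smtp(8) delivered to any host in mx_hosts."""
    wanted = {h.lower().rstrip(".") for h in mx_hosts}
    found = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        domain = m.group(1).lower().rstrip(".")
        relay = m.group(2).lower().rstrip(".")
        if relay in wanted:
            found.add(domain)
    return found


def tls_policy_lines(domains, match_names, tafile):
    """Render smtp_tls_policy_maps entries in the 'secure match=... tafile=...' form."""
    # Postfix separates multiple match patterns with ':'.
    attrs = f"secure match={':'.join(match_names)} tafile={tafile}"
    return [f"{d} {attrs}" for d in sorted(domains)]


def transport_lines(domains, transport="smtp-encrypt"):
    """Render transport_maps entries that route each domain to a dedicated
    smtp transport (one started with -o smtp_tls_security_level=encrypt)."""
    return [f"{d} {transport}" for d in sorted(domains)]


if __name__ == "__main__":
    # Assumed MX host names and trust-anchor path; replace with your own.
    mx = ["mx0.example.com", "mx1.example.com"]
    doms = domains_via_mx(SAMPLE_LOG, mx)
    print("\n".join(tls_policy_lines(doms, mx, "/etc/ssl/example.com.CAs.pem")))
    print("\n".join(transport_lines(doms)))
```

Feed the real mail log into domains_via_mx in place of SAMPLE_LOG, and review the resulting domain list by hand before installing it in either table.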


Re: Enforce TLS to MX

postfix@xmas.de

Hi Viktor,


thank you for your detailed explanations.


Greetings, Frank


