Enforced inbound TLS ciphers


Enforced inbound TLS ciphers

lists
I'm enforcing inbound TLS from my internal network with these settings:

main.cf
   smtpd_tls_security_level = may

   smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr

enforced_inbound_tls.cidr
   10.0.0.0/8      reject_plaintext_session

My question is, does the following setting in main.cf apply to tls
connections that are enforced with check_client_access? If yes, then is
there a way to set this to low for a particular IP or subnet, and leave
it to medium for everybody else?

smtpd_tls_mandatory_ciphers = low

Re: Enforced inbound TLS ciphers

Viktor Dukhovni


> On Dec 6, 2017, at 10:21 AM, [hidden email] wrote:
>
> main.cf
>  smtpd_tls_security_level = may
>
>  smtpd_sender_restrictions =
>   check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr
>
> enforced_inbound_tls.cidr
>  10.0.0.0/8      reject_plaintext_session
>
> My question is, does the following setting in main.cf apply to tls connections that are enforced with check_client_access?

No.  To configure mandatory TLS for some clients you'd
need a separate TCP endpoint which has security level
"encrypt".  They could, for example, use port 587...

--
        Viktor.
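
The separate-endpoint approach from the reply above, as an added configuration example that is not part of the original thread. It assumes the internal clients can be pointed at port 587, that `mynetworks` covers 10.0.0.0/8, and that the service runs non-chrooted; the cipher grades are the ones named in the question.

```conf
# /etc/postfix/main.cf  (port 25, all clients)
smtpd_tls_security_level = may
# Opportunistic TLS takes its cipher grade from smtpd_tls_ciphers.
smtpd_tls_ciphers = medium
# Used only by services running at security level "encrypt". With "may"
# above it has no effect on port 25, including for sessions that
# reject_plaintext_session pushed onto TLS.
smtpd_tls_mandatory_ciphers = medium

# /etc/postfix/master.cf  (dedicated endpoint for the internal clients)
# Assumption: chroot column "n"; mynetworks includes 10.0.0.0/8.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  # Per-service override: the grade asked about for this subnet only.
  -o smtpd_tls_mandatory_ciphers=low
  # Keep everyone else off this endpoint.
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

After `postfix reload`, running `postconf -P` lists the `-o` overrides that Postfix parsed from master.cf, which confirms the per-service values took effect.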


Re: Enforced inbound TLS ciphers

Micah Anderson-2
Viktor Dukhovni <[hidden email]> writes:

>> On Dec 6, 2017, at 10:21 AM, [hidden email] wrote:
>>
>> main.cf
>>  smtpd_tls_security_level = may

Is there a reason why 'smtpd_tls_security_level = may' is not default in
postfix? What needs to be done to make it default? It seems harmless to
have that enabled by default, with no negative effects that I can discern
and improves the overall opportunistic landscape if it were
default.

thanks,
micah

Re: Enforced inbound TLS ciphers

Viktor Dukhovni


> On Dec 6, 2017, at 1:41 PM, micah <[hidden email]> wrote:
>
>>> main.cf
>>> smtpd_tls_security_level = may
>
> Is there a reason why 'smtpd_tls_security_level = may' is not default in
> postfix? What needs to be done to make it default? It seems harmless to
> have that enabled by default, with no negative effects that I can discern
> and improves the overall opportunistic landscape if it were
> default.

Someone has to decide what sort of certificate is appropriate for the
domain.  That decision requires some administrator oversight.  Therefore,
it is something that a package installer can prompt for.  And some OS
distributions of Postfix do in fact enable inbound TLS IIRC.

On the Postfix side of things we make generating a self-signed certificate
easy via:

    # postfix tls enable-server

    http://www.postfix.org/postfix-tls.1.html

--
        Viktor.


Re: Enforced inbound TLS ciphers

Micah Anderson-2
Viktor Dukhovni <[hidden email]> writes:

>> On Dec 6, 2017, at 1:41 PM, micah <[hidden email]> wrote:
>>
>>>> main.cf
>>>> smtpd_tls_security_level = may
>>
>> Is there a reason why 'smtpd_tls_security_level = may' is not default in
>> postfix? What needs to be done to make it default? It seems harmless to
>> have that enabled by default, with no negative effects that I can discern
>> and improves the overall opportunistic landscape if it were
>> default.
>
> Someone has to decide what sort of certificate is appropriate for the
> domain.  That decision requires some administrator oversight.  Therefore,
> it is something that a package installer can prompt for.  And some OS
> distributions of Postfix do in fact enable inbound TLS IIRC.

I'm sorry, I meant 'smtp_tls_security_level = may' - not
smtpd_tls_security_level.

You are correct that smtpd_tls_security_level would need a certificate,
but 'smtp_tls_security_level' does not, and as an opportunistic mode, it
is designed to fall back to cleartext, so I do not see any problem with
it being the default.


Outbound opportunistic TLS by default?

Viktor Dukhovni


> On Dec 6, 2017, at 2:27 PM, micah <[hidden email]> wrote:
>
> I'm sorry, I meant 'smtp_tls_security_level = may' - not
> smtpd_tls_security_level.
>
> You are correct that smtpd_tls_security_level would need a certificate,
> but 'smtp_tls_security_level' does not, and as an opportunistic mode, it
> is designed to fall back to cleartext, so I do not see any problem with
> it being the default.

At least it is easy enough to turn on:

  http://www.postfix.org/postfix-tls.1.html

  # postfix tls all-default-client && postfix tls enable-client

As for changing the default, I am not opposed, perhaps given the
changes in the SMTP ecosystem since 2014:

https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000

a case can be made that Postfix 3.3 should do "may" out of the box.
I am curious what other users and Wietse think of such a change...

--
        Viktor.


Re: Outbound opportunistic TLS by default?

Noel Jones-2
On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
>
> As for changing the default, I am not opposed, perhaps given the
> changes in the SMTP ecosystem since 2014:
>
> https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000
>
> a case can be made that Postfix 3.3 should do "may" out of the box.
> I am curious what other users and Wietse think of such a change...
>

Postfix does not require TLS support. This probably shouldn't change.

Postfix logs a warning if TLS is enabled but not available.  This
probably shouldn't change.

That said, it's not unreasonable to change postfix-install to run
the postfix tls commands during first-time installation if TLS is
available. This might make things easier for first-time casual users
and probably won't trip up more experienced users.



  -- Noel Jones

Re: Outbound opportunistic TLS by default?

Wietse Venema
Noel Jones:

> On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
> >
> > As for changing the default, I am not opposed, perhaps given the
> > changes in the SMTP ecosystem since 2014:
> >
> > https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000
> >
> > a case can be made that Postfix 3.3 should do "may" out of the box.
> > I am curious what other users and Wietse think of such a change...
> >
>
> Postfix does not require TLS support. This probably shouldn't change.
>
> Postfix logs a warning if TLS is enabled but not available.  This
> probably shouldn't change.
>
> That said, it's not unreasonable to change postfix-install to run
> the postfix tls commands during first-time installation if TLS is
> available. This might make things easier for first-time casual users
> and probably won't trip up more experienced users.

Noel has a good point. Let's not make OpenSSL a hard dependency.

How would one recognize 'first-time' installation? If that helps
only the tiny minority of sites that install Postfix from source, then
it does not seem to be a good target. Better to get the vendors to
run those commands instead.

        Wietse

Re: Outbound opportunistic TLS by default?

Noel Jones-2
On 12/6/2017 3:24 PM, Wietse Venema wrote:
>
> How would one recognize 'first-time' installation? If that helps
> only the tiny minority of sites that install Postfix from source, then
> it does not seem to be a good target. Better to get the vendors to
> run those commands instead.
>
> Wietse
>

I was thinking "make install" rather than "make upgrade" is a good
enough indicator of first time install. Deciding if TLS is available
might be trickier.

Leaving it up to the vendors is fine.


  -- Noel Jones

Re: Outbound opportunistic TLS by default?

Micah Anderson-2
In reply to this post by Wietse Venema
Wietse Venema <[hidden email]> writes:

> Noel Jones:
>> On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
>> >
>> > As for changing the default, I am not opposed, perhaps given the
>> > changes in the SMTP ecosystem since 2014:
>> >
>> > https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000
>> >
>> > a case can be made that Postfix 3.3 should do "may" out of the box.
>> > I am curious what other users and Wietse think of such a change...
>> >
>>
>> Postfix does not require TLS support. This probably shouldn't change.
>>
>> Postfix logs a warning if TLS is enabled but not available.  This
>> probably shouldn't change.
>>
>> That said, it's not unreasonable to change postfix-install to run
>> the postfix tls commands during first-time installation if TLS is
>> available. This might make things easier for first-time casual users
>> and probably won't trip up more experienced users.
>
> Noel has a good point. Let's not make OpenSSL a hard dependency.
>
> How would one recognize 'first-time' installation? If that helps
> only the tiny minority of sites that install Postfix from source, then
> it does not seem to be a good target. Better to get the vendors to
> run those commands instead.

Is there any reason why postfix, when compiled with TLS, can simply set
the default to 'may'?

If it is compiled without TLS, the default should be 'no'.

micah

Re: Outbound opportunistic TLS by default?

Viktor Dukhovni


> On Dec 6, 2017, at 8:08 PM, micah <[hidden email]> wrote:
>
> Is there any reason why postfix, when compiled with TLS, can simply set
> the default to 'may'?

This is easy enough to implement, the only complication is
that the documentation would need to explain the variable
default.

> If it is compiled without TLS, the default should be 'no'.

This is certainly possible.

--
        Viktor.


Re: Outbound opportunistic TLS by default?

Eray Aslan-2
In reply to this post by Noel Jones-2
On Wed, Dec 06, 2017 at 05:22:19PM -0600, Noel Jones wrote:
> I was thinking "make install" rather than "make upgrade" is a good
> enough indicator of first time install. Deciding if TLS is available
> might be trickier.

Source based distros like Gentoo make install to a separate destination
dir and then transfer the resulting image to real root during upgrades.
Determining first-time installation should be left to the package
manager.

--
Eray

Re: Outbound opportunistic TLS by default?

Micah Anderson-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni <[hidden email]> writes:

>> On Dec 6, 2017, at 8:08 PM, micah <[hidden email]> wrote:
>>
>> Is there any reason why postfix, when compiled with TLS, can simply set
>> the default to 'may'?
>
> This is easy enough to implement, the only complication is
> that the documentation would need to explain the variable
> default.
>
>> If it is compiled without TLS, the default should be 'no'.
>
> This is certainly possible.

It seems like the right thing to do. What needs to be done to move it
forward?

micah