Enforced inbound TLS ciphers

Enforced inbound TLS ciphers

lists
I'm enforcing inbound TLS from my internal network with these settings:

main.cf
   smtpd_tls_security_level = may

   smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr

enforced_inbound_tls.cidr
   10.0.0.0/8      reject_plaintext_session

My question is, does the following setting in main.cf apply to tls
connections that are enforced with check_client_access? If yes, then is
there a way to set this to low for a particular IP or subnet, and leave
it to medium for everybody else?

smtpd_tls_mandatory_ciphers = low
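Whatever the answer to the cipher question, the setup above is only worth trusting if the logs confirm it: no internal client should ever get a message queued over a plaintext session, and the cipher actually negotiated by internal clients is visible in smtpd's "TLS connection established" line. The script below is an added example for this thread, not Postfix code and not posted by anyone in it. It keys sessions by smtpd process ID (one smtpd handles one session at a time) and flags queue IDs accepted from 10.0.0.0/8 without a preceding TLS handshake. The log lines are constructed to follow the usual smtpd format; hostnames, addresses and queue IDs are invented.

```python
"""Audit Postfix smtpd logs: which internal clients got mail accepted in
plaintext, and which cipher each internal TLS session negotiated.

Added example for the list thread; not Postfix code. Log lines are
constructed (connect / TLS established / QUEUEID: client= / disconnect),
correlated by the smtpd process ID in "postfix/smtpd[PID]:"."""
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # same range as the OP's cidr map

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[(?P<ip>[^\]]+)\]")
TLS_RE = re.compile(r"TLS connection established from \S+\[(?P<ip>[^\]]+)\]: "
                    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
ACCEPT_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=\S+\[(?P<ip>[^\]]+)\]")
DISCONNECT_RE = re.compile(r"^disconnect from \S+\[(?P<ip>[^\]]+)\]")

# Constructed sample: app1 uses TLS, legacy is accepted in plaintext (a policy
# failure for 10.0.0.0/8), and an external host in plaintext is not our concern.
SAMPLE_LOG = """\
Dec  6 10:21:01 mx postfix/smtpd[1234]: connect from app1.internal[10.1.2.3]
Dec  6 10:21:01 mx postfix/smtpd[1234]: Anonymous TLS connection established from app1.internal[10.1.2.3]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec  6 10:21:02 mx postfix/smtpd[1234]: 3A1B2C3D4E: client=app1.internal[10.1.2.3]
Dec  6 10:21:02 mx postfix/smtpd[1234]: disconnect from app1.internal[10.1.2.3]
Dec  6 10:21:05 mx postfix/smtpd[1235]: connect from legacy.internal[10.9.9.9]
Dec  6 10:21:05 mx postfix/smtpd[1235]: 5F6A7B8C9D: client=legacy.internal[10.9.9.9]
Dec  6 10:21:06 mx postfix/smtpd[1235]: disconnect from legacy.internal[10.9.9.9]
Dec  6 10:21:09 mx postfix/smtpd[1236]: connect from mail.example.org[203.0.113.7]
Dec  6 10:21:09 mx postfix/smtpd[1236]: 0E1F2A3B4C: client=mail.example.org[203.0.113.7]
Dec  6 10:21:10 mx postfix/smtpd[1236]: disconnect from mail.example.org[203.0.113.7]
"""


def audit(lines):
    """Return (plaintext_accepted, ciphers).

    plaintext_accepted: queue IDs accepted from INTERNAL clients with no TLS.
    ciphers: {queue_id: (ip, protocol, cipher)} for INTERNAL TLS sessions."""
    sessions = {}            # pid -> {"ip": str, "tls": (proto, cipher) | None}
    plaintext_accepted = []
    ciphers = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if c := CONNECT_RE.match(msg):
            sessions[pid] = {"ip": c.group("ip"), "tls": None}
        elif t := TLS_RE.search(msg):
            sess = sessions.setdefault(pid, {"ip": t.group("ip")})
            sess["tls"] = (t.group("proto"), t.group("cipher"))
        elif a := ACCEPT_RE.match(msg):
            ip = ipaddress.ip_address(a.group("ip"))
            if ip not in INTERNAL:
                continue                      # policy only covers 10.0.0.0/8
            tls = sessions.get(pid, {}).get("tls")
            if tls is None:
                plaintext_accepted.append(a.group("qid"))
            else:
                ciphers[a.group("qid")] = (str(ip), tls[0], tls[1])
        elif DISCONNECT_RE.match(msg):
            sessions.pop(pid, None)           # session over; PID will be reused
    return plaintext_accepted, ciphers


if __name__ == "__main__":
    accepted_plain, negotiated = audit(SAMPLE_LOG.splitlines())
    print("accepted in plaintext from internal clients:", accepted_plain)
    for qid, (ip, proto, cipher) in negotiated.items():
        print(f"{qid}: {ip} {proto} {cipher}")
```

Run it over a real log with `audit(open("/var/log/mail.log"))`; a non-empty first list means reject_plaintext_session is not being reached (for example because the restriction list is evaluated later than expected or the client is whitelisted earlier), and the second shows the cipher grade these clients actually got, which is what the global setting on port 25 permits.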

Re: Enforced inbound TLS ciphers

Viktor Dukhovni


> On Dec 6, 2017, at 10:21 AM, [hidden email] wrote:
>
> main.cf
>  smtpd_tls_security_level = may
>
>  smtpd_sender_restrictions =
>   check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr
>
> enforced_inbound_tls.cidr
>  10.0.0.0/8      reject_plaintext_session
>
> My question is, does the following setting in main.cf apply to tls connections that are enforced with check_client_access?

No.  To configure mandatory TLS for some clients you'd
need a separate TCP endpoint which has security level
"encrypt".  They could, for example, use port 587...

--
        Viktor.
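The distinction Viktor draws, written out as a master.cf example. This is added here and is not part of the thread or of Postfix's own documentation; the bind address 10.0.0.25, the port, the syslog name and the assumption that mynetworks covers 10.0.0.0/8 are all illustrative. The point it shows: `smtpd_tls_mandatory_ciphers` (and the other `*_mandatory_*` parameters) are consulted only on an endpoint whose `smtpd_tls_security_level` is `encrypt` or stronger. A `reject_plaintext_session` rule on a `may` endpoint rejects clients that skipped STARTTLS, but the handshake that already happened was governed by `smtpd_tls_ciphers` (default `medium`), and that setting is global to the endpoint, so it cannot vary by client subnet. A separate listener is the only way to give one group of clients a different grade.

```text
# master.cf (added example): two smtpd endpoints with different TLS policy.
#
# Port 25, as in the original post: opportunistic TLS. The cipher floor here
# is smtpd_tls_ciphers (default "medium"). smtpd_tls_mandatory_ciphers is
# ignored on this endpoint, whether or not check_client_access later applies
# reject_plaintext_session to 10.0.0.0/8.
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may

# Second endpoint on an internal address (10.0.0.25 is an assumption), with
# mandatory TLS. Only here do the *_mandatory_* settings take effect, so the
# internal clients can be given their own cipher grade.
10.0.0.25:587 inet n   -       n       -       -       smtpd
  -o syslog_name=postfix/internal
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=low
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

Two caveats for anyone copying this. First, `low` is a downgrade relative to the default `medium`, and OpenSSL 1.1.0 and later have removed the 40- and 56-bit ciphers that made up the low and export grades, so against a current OpenSSL the setting buys nothing and only documents intent to accept weaker crypto; it is worth checking with `postconf tls_low_cipherlist` and `openssl ciphers -v` what it actually expands to on your build. Second, put the access control (`permit_mynetworks,reject`, or an equivalent check_client_access table) on the encrypt endpoint as well, so that the weaker grade is offered only to the hosts it was meant for.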


Re: Enforced inbound TLS ciphers

Micah Anderson-2
Viktor Dukhovni <[hidden email]> writes:

>> On Dec 6, 2017, at 10:21 AM, [hidden email] wrote:
>>
>> main.cf
>>  smtpd_tls_security_level = may

Is there a reason why 'smtpd_tls_security_level = may' is not default in
postfix? What needs to be done to make it default? It seems harmless to
have that enabled by default, with no negative effects that I can discern
and improves the overall opportunistic landscape if it were
default.

thanks,
micah

Re: Enforced inbound TLS ciphers

Viktor Dukhovni


> On Dec 6, 2017, at 1:41 PM, micah <[hidden email]> wrote:
>
>>> main.cf
>>> smtpd_tls_security_level = may
>
> Is there a reason why 'smtpd_tls_security_level = may' is not default in
> postfix? What needs to be done to make it default? It seems harmless to
> have that enabled by default, with no negative effects that I can discern
> and improves the overall opportunistic landscape if it were
> default.

Someone has to decide what sort of certificate is appropriate for the
domain.  That decision requires some administrator oversight.  Therefore,
it is something that a package installer can prompt for.  And some OS
distributions of Postfix do in fact enable inbound TLS IIRC.

On the Postfix side of things we make generating a self-signed certificate
easy via:

    # postfix tls enable-server

    http://www.postfix.org/postfix-tls.1.html

--
        Viktor.


Re: Enforced inbound TLS ciphers

Micah Anderson-2
Viktor Dukhovni <[hidden email]> writes:

>> On Dec 6, 2017, at 1:41 PM, micah <[hidden email]> wrote:
>>
>>>> main.cf
>>>> smtpd_tls_security_level = may
>>
>> Is there a reason why 'smtpd_tls_security_level = may' is not default in
>> postfix? What needs to be done to make it default? It seems harmless to
>> have that enabled by default, with no negative effects that I can discern
>> and improves the overall opportunistic landscape if it were
>> default.
>
> Someone has to decide what sort of certificate is appropriate for the
> domain.  That decision requires some administrator oversight.  Therefore,
> it is something that a package installer can prompt for.  And some OS
> distributions of Postfix do in fact enable inbound TLS IIRC.

I'm sorry, I meant 'smtp_tls_security_level = may' - not
smtpd_tls_security_level.

You are correct that smtpd_tls_security_level would need a certificate,
but 'smtp_tls_security_level' does not, and as an opportunistic mode, it
is designed to fall back to cleartext, so I do not see any problem with
it being the default.


Outbound opportunistic TLS by default?

Viktor Dukhovni


> On Dec 6, 2017, at 2:27 PM, micah <[hidden email]> wrote:
>
> I'm sorry, I meant 'smtp_tls_security_level = may' - not
> smtpd_tls_security_level.
>
> You are correct that smtpd_tls_security_level would need a certificate,
> but 'smtp_tls_security_level' does not, and as an opportunistic mode, it
> is designed to fall back to cleartext, so I do not see any problem with
> it being the default.

At least it is easy enough to turn on:

  http://www.postfix.org/postfix-tls.1.html

  # postfix tls all-default-client && postfix tls enable-client

As for changing the default, I am not opposed, perhaps given the
changes in the SMTP ecosystem since 2014:

https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000

a case can be made that Postfix 3.3 should do "may" out of the box.
I am curious what other users and Wietse think of such a change...

--
        Viktor.


Re: Outbound opportunistic TLS by default?

Noel Jones-2
On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
>
> As for changing the default, I am not opposed, perhaps given the
> changes in the SMTP ecosystem since 2014:
>
> https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000
>
> a case can be made that Postfix 3.3 should do "may" out of the box.
> I am curious what other users and Wietse think of such a change...
>

Postfix does not require TLS support. This probably shouldn't change.

Postfix logs a warning if TLS is enabled but not available.  This
probably shouldn't change.

That said, it's not unreasonable to change postfix-install to run
the postfix tls commands during first-time installation if TLS is
available. This might make things easier for first-time casual users
and probably won't trip up more experienced users.



  -- Noel Jones

Re: Outbound opportunistic TLS by default?

Wietse Venema
Noel Jones:

> On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
> >
> > As for changing the default, I am not opposed, perhaps given the
> > changes in the SMTP ecosystem since 2014:
> >
> > https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000
> >
> > a case can be made that Postfix 3.3 should do "may" out of the box.
> > I am curious what other users and Wietse think of such a change...
> >
>
> Postfix does not require TLS support. This probably shouldn't change.
>
> Postfix logs a warning if TLS is enabled but not available.  This
> probably shouldn't change.
>
> That said, it's not unreasonable to change postfix-install to run
> the postfix tls commands during first-time installation if TLS is
> available. This might make things easier for first-time casual users
> and probably won't trip up more experienced users.

Noel has a good point. Let's not make OpenSSL a hard dependency.

How would one recognize 'first-time' installation? If that helps
only the tiny minority of sites that install Postfix from source, then
it does not seem to be a good target. Better to get the vendors to
run those commands instead.

        Wietse

Re: Outbound opportunistic TLS by default?

Noel Jones-2
On 12/6/2017 3:24 PM, Wietse Venema wrote:
>
> How would one recognize 'first-time' installation? If that helps
> only the tiny minority of sites that install Postfix from source, then
> it does not seem to be a good target. Better to get the vendors to
> run those commands instead.
>
> Wietse
>

I was thinking "make install" rather than "make upgrade" is a good
enough indicator of first time install. Deciding if TLS is available
might be trickier.

Leaving it up to the vendors is fine.


  -- Noel Jones

Re: Outbound opportunistic TLS by default?

Micah Anderson-2
In reply to this post by Wietse Venema
Wietse Venema <[hidden email]> writes:

> Noel Jones:
>> On 12/6/2017 1:39 PM, Viktor Dukhovni wrote:
>> >
>> > As for changing the default, I am not opposed, perhaps given the
>> > changes in the SMTP ecosystem since 2014:
>> >
>> > https://transparencyreport.google.com/safer-email/overview?encrypt_in=end:1512518400000;series:inbound;start:1388534400000&lu=encrypt_in&encrypt_out=end:1512518400000;series:outbound;start:1388534400000
>> >
>> > a case can be made that Postfix 3.3 should do "may" out of the box.
>> > I am curious what other users and Wietse think of such a change...
>> >
>>
>> Postfix does not require TLS support. This probably shouldn't change.
>>
>> Postfix logs a warning if TLS is enabled but not available.  This
>> probably shouldn't change.
>>
>> That said, it's not unreasonable to change postfix-install to run
>> the postfix tls commands during first-time installation if TLS is
>> available. This might make things easier for first-time casual users
>> and probably won't trip up more experienced users.
>
> Noel has a good point. Let's not make OpenSSL a hard dependency.
>
> How would one recognize 'first-time' installation? If that helps
>> only the tiny minority of sites that install Postfix from source, then
> it does not seem to be a good target. Better to get the vendors to
> run those commands instead.

Is there any reason why postfix, when compiled with TLS, can simply set
the default to 'may'?

If it is compiled without TLS, the default should be 'no'.

micah

Re: Outbound opportunistic TLS by default?

Viktor Dukhovni


> On Dec 6, 2017, at 8:08 PM, micah <[hidden email]> wrote:
>
> Is there any reason why postfix, when compiled with TLS, can simply set
> the default to 'may'?

This is easy enough to implement, the only complication is
that the documentation would need to explain the variable
default.

> If it is compiled without TLS, the default should be 'no'.

This is certainly possible.

--
        Viktor.


Re: Outbound opportunistic TLS by default?

Eray Aslan-2
In reply to this post by Noel Jones-2
On Wed, Dec 06, 2017 at 05:22:19PM -0600, Noel Jones wrote:
> I was thinking "make install" rather than "make upgrade" is a good
> enough indicator of first time install. Deciding if TLS is available
> might be trickier.

Source based distros like Gentoo make install to a separate destination
dir and then transfer the resulting image to real root during upgrades.
Determining first-time installation should be left to the package
manager.

--
Eray

Re: Outbound opportunistic TLS by default?

Micah Anderson-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni <[hidden email]> writes:

>> On Dec 6, 2017, at 8:08 PM, micah <[hidden email]> wrote:
>>
>> Is there any reason why postfix, when compiled with TLS, can simply set
>> the default to 'may'?
>
> This is easy enough to implement, the only complication is
> that the documentation would need to explain the variable
> default.
>
>> If it is compiled without TLS, the default should be 'no'.
>
> This is certainly possible.

It seems like the right thing to do. What needs to be done to move it
forward?

micah

Re: Outbound opportunistic TLS by default?

Micah Anderson-2
micah <[hidden email]> writes:

> Viktor Dukhovni <[hidden email]> writes:
>
>>> On Dec 6, 2017, at 8:08 PM, micah <[hidden email]> wrote:
>>>
>>> Is there any reason why postfix, when compiled with TLS, can simply set
>>> the default to 'may'?
>>
>> This is easy enough to implement, the only complication is
>> that the documentation would need to explain the variable
>> default.
>>
>>> If it is compiled without TLS, the default should be 'no'.
>>
>> This is certainly possible.
>
> It seems like the right thing to do. What needs to be done to move it
> forward?

Just wanted to "bump" this message, because it has been 1 year since the
original.

--
        micah

Re: Outbound opportunistic TLS by default?

Viktor Dukhovni
On Wed, Dec 19, 2018 at 12:54:01PM -0500, micah anderson wrote:

> >> This is easy enough to implement, the only complication is
> >> that the documentation would need to explain the variable
> >> default.
> >>
> >>> If it is compiled without TLS, the default should be 'no'.
> >>
> >> This is certainly possible.
> >
> > It seems like the right thing to do. What needs to be done to move it
> > forward?
>
> Just wanted to "bump" this message, because it has been 1 year since the
> original.

I did not see a clear consensus for or against a compile-time
conditional default "may" for "smtp_tls_security_level":

    #ifdef USE_TLS
    #define DEF_SMTP_TLS_LEVEL "may"
    #else
    #define DEF_SMTP_TLS_LEVEL ""
    #endif

which would default to enable outbound opportunistic TLS whenever TLS
support is compiled in.  Since this last came up, we have:

        https://tools.ietf.org/html/rfc8314

which "obsoletes" cleartext for IMAP, POP and SUBMIT, but does not
cover SMTP relay.  I am not opposed to changing the default, but
also agree that setting defaults is something that can be done at
package installation time.

So the real question is whether there is a non-trivial community
of users who:

  * Have no explicit "smtp_tls_security_level" setting in their main.cf
    file.

  * Would not mind to see TLS turned on as a side-effect of a future
    upgrade, but can't find the activation energy to do it explicitly.

Or, whether there are Postfix package maintainers in the same boat:
too busy to add code to enable opportunistic TLS in the client at
package install time, but would be happy to see it happen upstream.

--
        Viktor.

Re: Outbound opportunistic TLS by default?

Scott Kitterman-4
On Wednesday, December 19, 2018 01:27:42 PM Viktor Dukhovni wrote:

> On Wed, Dec 19, 2018 at 12:54:01PM -0500, micah anderson wrote:
> > >> This is easy enough to implement, the only complication is
> > >> that the documentation would need to explain the variable
> > >> default.
> > >>
> > >>> If it is compiled without TLS, the default should be 'no'.
> > >>
> > >> This is certainly possible.
> > >
> > > It seems like the right thing to do. What needs to be done to move it
> > > forward?
> >
> > Just wanted to "bump" this message, because it has been 1 year since the
> > original.
>
> I did not see a clear consensus for or against a compile-time
> conditional default "may" for "smtp_tls_security_level":
>
>     #ifdef USE_TLS
>     #define DEF_SMTP_TLS_LEVEL "may"
>     #else
>     #define DEF_SMTP_TLS_LEVEL ""
>     #endif
>
> which would default to enable outbound opportunistic TLS whenever TLS
> support is compiled in.  Since this last came up, we have:
>
> https://tools.ietf.org/html/rfc8314
>
> which "obsoletes" cleartext for IMAP, POP and SUBMIT, but does not
> cover SMTP relay.  I am not opposed to changing the default, but
> also agree that setting defaults is something that can be done at
> package installation time.
>
> So the real question is whether there is a non-trivial community
> of users who:
>
>   * Have no explicit "smtp_tls_security_level" setting in their main.cf
>     file.
>
>   * Would not mind to see TLS turned on as a side-effect of a future
>     upgrade, but can't find the activation energy to do it explicitly.
>
> Or, whether there are Postfix package maintainers in the same boat:
> too busy to add code to enable opportunistic TLS in the client at
> package install time, but would be happy to see it happen upstream.

I don't know why the previous Debian Postfix maintainer didn't enable it by
default.  We have bug reports, including one from 2002, requesting it.

I'm definitely in favor of it being enabled by default, but, in addition to
being busy, I've been trying to work towards less deviation from upstream in
Debian vice more.  There is already plenty that is well baked into our
ecosystem that would be hard to cleanly remove without causing upgrade
problems.

Bottom line, I'd love to see it upstream and am unlikely to do it myself.

Scott K

Re: Outbound opportunistic TLS by default?

Viktor Dukhovni
On Wed, Dec 19, 2018 at 01:51:19PM -0500, Scott Kitterman wrote:

> > So the real question is whether there is a non-trivial community
> > of users who:
> >
> >   * Have no explicit "smtp_tls_security_level" setting in their main.cf
> >     file.
> >
> >   * Would not mind to see TLS turned on as a side-effect of a future
> >     upgrade, but can't find the activation energy to do it explicitly.
> >
> > Or, whether there are Postfix package maintainers in the same boat:
> > too busy to add code to enable opportunistic TLS in the client at
> > package install time, but would be happy to see it happen upstream.
>
> I'm definitely in favor of it being enabled by default, but, in addition to
> being busy, I've been trying to work towards less deviation from upstream in
> Debian vice more.  There is already plenty that is well baked into our
> ecosystem that would be hard to cleanly remove without causing upgrade
> problems.
>
> Bottom line, I'd love to see it upstream and am unlikely to do it myself.

If there are no objections, I can change the default to "may" when
TLS is compiled in.

--
        Viktor.

Re: Outbound opportunistic TLS by default?

Viktor Dukhovni
In reply to this post by Scott Kitterman-4
> On Dec 19, 2018, at 1:51 PM, Scott Kitterman <[hidden email]> wrote:
>
> I'm definitely in favor of it being enabled by default, but, in addition to
> being busy, I've been trying to work towards less deviation from upstream in
> Debian vice more.  There is already plenty that is well baked into our
> ecosystem that would be hard to cleanly remove without causing upgrade
> problems.
>
> Bottom line, I'd love to see it upstream and am unlikely to do it myself.

For the record, the discussion is not about O/S package maintainers
making code changes to Postfix, but rather the content of the initial
"main.cf" file when the package is first installed.  A package can
not only enable outbound opportunistic TLS, but perhaps also (given
sufficient understanding of the platform) enable DANE when there's
a validating local resolver, and generate initial self-signed cert
and turn on inbound TLS!

Doing the integration with the rest of the O/S and install-time
provisioning is in part up to the package maintainers.

My job is to make it easier by providing higher-level interfaces
such as the various "postfix tls ..." commands, but some of the
rest is up to package maintainers like you and ultimately the
users.

--
        Viktor.


Re: Outbound opportunistic TLS by default?

Wietse Venema
In reply to this post by Viktor Dukhovni
Viktor Dukhovni:

> On Wed, Dec 19, 2018 at 01:51:19PM -0500, Scott Kitterman wrote:
>
> > > So the real question is whether there is a non-trivial community
> > > of users who:
> > >
> > >   * Have no explicit "smtp_tls_security_level" setting in their main.cf
> > >     file.
> > >
> > >   * Would not mind to see TLS turned on as a side-effect of a future
> > >     upgrade, but can't find the activation energy to do it explicitly.
> > >
> > > Or, whether there are Postfix package maintainers in the same boat:
> > > too busy to add code to enable opportunistic TLS in the client at
> > > package install time, but would be happy to see it happen upstream.
> >
> > I'm definitely in favor of it being enabled by default, but, in addition to
> > being busy, I've been trying to work towards less deviation from upstream in
> > Debian vice more.  There is already plenty that is well baked into our
> > ecosystem that would be hard to cleanly remove without causing upgrade
> > problems.
> >
> > Bottom line, I'd love to see it upstream and am unlikely to do it myself.
>
> If there are no objections, I can change the default to "may" when
> TLS is compiled in.

Unrelated but related, what should happen when someone unwittingly
builds Postfix without TLS support, and Postfix configuration a)
enables opportunistic TLS or b) Postfix configuration requires TLS?
Will b) result in mail being sent as plaintext?

Should the build system be updated to use -DUSE_TLS by default and
to explicitly require -DNO_TLS if people want to build without TLS?

        Wietse

Re: Outbound opportunistic TLS by default?

Micah Anderson-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni <[hidden email]> writes:

> On Wed, Dec 19, 2018 at 01:51:19PM -0500, Scott Kitterman wrote:
>
>> > So the real question is whether there is a non-trivial community
>> > of users who:
>> >
>> >   * Have no explicit "smtp_tls_security_level" setting in their main.cf
>> >     file.
>> >
>> >   * Would not mind to see TLS turned on as a side-effect of a future
>> >     upgrade, but can't find the activation energy to do it explicitly.
>> >
>> > Or, whether there are Postfix package maintainers in the same boat:
>> > too busy to add code to enable opportunistic TLS in the client at
>> > package install time, but would be happy to see it happen upstream.
>>
>> I'm definitely in favor of it being enabled by default, but, in addition to
>> being busy, I've been trying to work towards less deviation from upstream in
>> Debian vice more.  There is already plenty that is well baked into our
>> ecosystem that would be hard to cleanly remove without causing upgrade
>> problems.
>>
>> Bottom line, I'd love to see it upstream and am unlikely to do it myself.
>
> If there are no objections, I can change the default to "may" when
> TLS is compiled in.

I think this would be a good idea. It seems harmless to have it enabled
by default, with no negative effects and improves the overall
opportunistic landscape if it were enabled. Because STARTTLS was
designed to be enabled opportunistically, it is designed to fall back to
cleartext when it doesn't exist, so I do not see any problem with it
being the default.

I do not understand why anyone would complain about this. Anyone who
cannot handle this change to the defaults can explicitly set the config
option the way that the rest of the world has been explicitly setting
the config option all along anyway.

--
        micah