New EFF certbot plugin for Postfix


New EFF certbot plugin for Postfix

Viktor Dukhovni

The EFF announced a certbot plugin for Postfix today, which
is still in beta.  A couple of things to keep in mind:

  * If you've already deployed DANE, this stands a good chance
    of breaking your DANE TLSA records.  For the moment do not
    deploy this if you have inbound DANE.

  * Do consider sharing any substantive experience (issues you
    had to resolve that may save others grief).  Either on this
    list, or if you did figure out how to use this and avoid
    invalidating TLSA records, perhaps on the [hidden email]
    list.

  * The authors really should get in touch with me; if they're
    on this list, please reach out.  One immediate observation
    is that for many users Let's Encrypt certificates are more
    useful for the SUBMIT and IMAP services, more than inbound
    SMTP on port 25.  The plugin should support configuring
    SUBMIT and IMAP (say dovecot), while optionally leaving port
    25 alone.

    Secondly, instead of the code trying to directly manipulate
    Postfix configuration settings, it would be far better if
    it used a supported interface, such as suitable extensions to
    the "postfix tls ..." command documented at:

        http://www.postfix.org/postfix-tls.1.html

    we can probably work out a suitable interface "contract".

--
        Viktor.
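The DANE warning above concerns a renewal that silently swaps the key behind a published "3 1 1" TLSA record. As an added example (not part of this thread, not Postfix or certbot code), here is a small checker that derives the DANE-EE SPKI SHA-256 rdata from a PEM certificate so an operator can confirm a renewed cert still matches DNS before it goes live; the embedded certificate is a constructed skeleton and all function names are assumptions.

```python
import base64
import hashlib

def der(tag, payload):
    """Encode one DER TLV (short- or long-form length); used to build the sample."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_tlv(buf, pos=0):
    """Decode the DER TLV at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = der_tlv(cert_der)         # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)              # tbsCertificate is its first field
    fields, pos = [], 0
    while pos < len(tbs):                  # split tbsCertificate into raw child TLVs
        _, _, end = der_tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def tlsa_311_rdata(cert_pem):
    """'3 1 1 <hex>': DANE-EE usage, SPKI selector, SHA-256 matching type."""
    b64 = "".join(l.strip() for l in cert_pem.splitlines() if not l.startswith("-----"))
    return "3 1 1 " + sha256_hex(spki_from_cert_der(base64.b64decode(b64)))

def tlsa_matches(cert_pem, published_rdata):
    """True if the TLSA rdata already in DNS still matches this cert's public key."""
    return published_rdata.lower().split() == tlsa_311_rdata(cert_pem).split()

# Constructed sample, not a real certificate: rsaEncryption OID plus dummy key bits,
# wrapped in a tbsCertificate skeleton (version, serial, empty sigalg/issuer/validity/subject).
SAMPLE_SPKI = der(0x30, der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
                  + der(0x03, b"\x00" + bytes(range(1, 40))))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))).decode()
                   + "-----END CERTIFICATE-----\n")
```

Run `tlsa_matches` against the rdata currently published for `_25._tcp.<mx>` after every renewal; a False result means the record must be updated (and allowed to propagate) before the new key is put into service.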


Re: New EFF certbot plugin for Postfix

lists@lazygranch.com
Am I making a mistake using the same cert for web and email?



Re: New EFF certbot plugin for Postfix

Viktor Dukhovni


> On Jun 26, 2018, at 3:20 AM, Gary <[hidden email]> wrote:
>
> Am I making a mistake using the same cert for web and email?

Only to the extent that this constrains you operationally
to keep both services on the same key/cert rotation schedule.

From a security perspective, you're probably OK provided you've
disabled SSLv2 and SSLv3 (the default in recent Postfix versions).

Overall, I am somewhat skeptical that the STARTTLS everywhere
approach to improving SMTP security is a good idea, but something
that makes it easier to get Let's Encrypt certs for an MTA
(the actual certbot plugin) will be useful.  So I'd like to see that
evolve into a robust tool, regardless of what one might think
of the larger "STARTTLS everywhere" story.

--
        Viktor.


Re: New EFF certbot plugin for Postfix

Alice Wonder
In reply to this post by Viktor Dukhovni
On 06/26/2018 12:03 AM, Viktor Dukhovni wrote:
>
> The EFF announced a certbot plugin for Postfix today, which
> is still in beta.  A couple of things to keep in mind:
>
>   * If you've already deployed DANE, this stands a good chance
>     of breaking your DANE TLSA records.  For the moment do not
>     deploy this if have inbound DANE.

This is what I do for https w/ let's encrypt -

https://git.domblogger.net/letsencrypt.sh.txt

The CSR options might need to be tweaked for IMAP/POP3 - I'm not sure.

It requires manually changing the cert in the server configuration but
that's my preference, as when I do generate new private key I need to
update DNS and let it spread before it goes live anyway.

But any LE automated scripts should leave postscript alone, even if they
do it right, since the CA signature is meaningless for SMTP anyway.

Re: New EFF certbot plugin for Postfix

Philip Paeps
In reply to this post by Viktor Dukhovni
On 2018-06-26 03:37:03 (-0400), Viktor Dukhovni wrote:
>Overall, I am somewhat skeptical that the STARTTLS everywhere
>approach to improving SMTP security is a good idea

For MTA<->MTA communication, there really isn't another choice.  While
accepting authenticated mail on port 465 is commonly done, very few
servers will accept unauthenticated mail there.

The default (commented out) configuration for smtps in master.cf also
does not encourage use of this port for accepting unauthenticated mail.

It's actually quite convenient -- configuration-wise -- to have smtp +
STARTTLS be for unauthenticated mail and smtps or submission + STARTTLS
for authenticated mail.

Maybe the protocol just needs a fourth port.  I'm sure the IETF
discussions would be entertaining.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information