New to Postfix. 3 questions about security functions.


New to Postfix. 3 questions about security functions.

robacons
Hello,

I'm starting the process of moving my mail from a hosted service to my own.  It'll include a Postfix server.

I got a test server running locally and 'sending & receiving' mail inside my lan.

Now I'm doing my reading on security issues, authentication, and the like.

I've got stacks of articles and notes.

I'm looking for any advice from opinionated, experienced Postfix users.

Couple of production questions:

(1)

For open-source authentication milters (DKIM, DMARC, ARC) that work with Postfix on Linux, there seem to be two main choices:

  https://github.com/fastmail/authentication_milter
  https://github.com/trusteddomainproject/

What do folks here recommend to use?

(2)

Is it time -- in the real world -- to force STARTTLS yet?

What's the current advice for MTA-STS vs MTA-DANE?  Which should we implement?

(3)

TLS 1.3 has been officially released.  I guess there will be a release of OpenSSL 1.1.1 that has it coming pretty soon.

What if anything should we be doing with Postfix and TLS 1.3?  I'm guessing it will be ABLE to use it.  But I don't want to make the mistake of turning it on just to be current, if I then make it impossible to communicate with my servers.

Thanks.

Rob Arlenn


Re: New to Postfix. 3 questions about security functions.

Viktor Dukhovni


> On Aug 14, 2018, at 11:05 PM, [hidden email] wrote:
>
> (2)
>
> Is it time -- in the real-world -- to force STARTTLS yet?

Google reports ~90% of email (volume) inbound/outbound to Gmail uses TLS.
That 10% by volume is probably a larger fraction by count of destination
domains.  STARTTLS is now typical, but not yet nearly universal.

> What's the current advice for MTA-STS vs MTA-DANE?  Which should we implement?

DANE is ready for adoption, with multiple fielded implementations and many
(312 thousand inbound plus some large ones still outbound only) live domains.

Outbound DANE is simple.  Make sure you have a DNSSEC-validating resolver
running locally on the MTA (it can forward queries to an upstream cache
if you like), and set:

    main.cf:
        smtp_tls_security_level = dane
        smtp_dns_support_level = dnssec
       
    /etc/resolv.conf
        # DNSSEC AD-bit only secure from loopback servers
        # DO NOT list any remote servers here.
        nameserver 127.0.0.1

If DNSSEC is not a major barrier for you, please consider
inbound DANE, but don't do it as a fashion statement, there are operational
requirements that must not be ignored.  In particular your certificate
rotation needs to be coördinated correctly with TLSA record updates.  The
two best strategies I've identified are explained in my ICANN61 talk slides
(and audio).  See:

  https://dane.sys4.de/common_mistakes
  http://imrryr.org/~viktor/ICANN61-viktor.pdf
  http://imrryr.org/~viktor/icann61-viktor.mp3

Postfix does not presently support MTA-STS outbound.  MTA-STS inbound
does not involve Postfix, you just need to operate a suitably configured
web service at "mta-sts.example.com" (replace example.com with your domain),
and publish an _mta-sts.example.com TXT record that changes whenever (shortly
after) your MTA-STS policy changes.  And of course you'll need certificates
from some suitably widely trusted public CA.

> (3)
>
> The TLS 1.3 has been officially released.  I guess there will be a release of OpenSSL 1.1.1
> that has it coming pretty soon.

Likely some time in September.

> What if anything should we be doing with Postfix and TLS 1.3?

Nothing at present.

> I'm guessing it will be ABLE to use it.

It will be negotiated automatically if both ends support it, once you
deploy Postfix linked with OpenSSL 1.1.1.  That said, best to not do
that yet.  Let the browsers and web servers shake out the bugs.  There
are few compelling improvements in TLS 1.3 for SMTP, and some potential
interoperability issues.

I'd also like to fine-tune some session ticket-related issues in Postfix
for TLS 1.3, if all goes well in Postfix 3.4 coming out in 2019.  Time
to start getting that into snapshots...

--
        Viktor.
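As an added example (Python, not Postfix code and not from the post above), the inbound MTA-STS pieces Viktor describes: the policy file served from the mta-sts host, a parser and validator for the RFC 8461 policy format, and a content-derived id for the `_mta-sts` TXT record so that it changes whenever the policy does. The domain, the MX names and the digest-based id scheme are assumptions for illustration; the `/.well-known/mta-sts.txt` path is the one RFC 8461 specifies.

```python
"""MTA-STS inbound publishing helpers (added example, not Postfix code).

Builds the policy file served at
https://mta-sts.example.com/.well-known/mta-sts.txt, parses and validates a
policy in RFC 8461 format, and derives the id for the _mta-sts.example.com
TXT record so that the id changes whenever the served policy changes.
example.com and the MX names are constructed placeholders.
"""
import hashlib
from typing import Dict, List

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year in seconds


def render_policy(mode: str, mx_hosts: List[str], max_age: int) -> str:
    """Serialise a policy as the text file the HTTPS endpoint must serve."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {mx}" for mx in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


def parse_policy(text: str) -> Dict[str, object]:
    """Parse 'key: value' lines; 'mx' may repeat, so it is collected as a list."""
    policy: Dict[str, object] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)  # type: ignore[union-attr]
        else:
            policy[key] = value
    return policy


def validate_policy(policy: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    if mode in ("enforce", "testing") and not policy["mx"]:
        problems.append("at least one mx entry is required unless mode is none")
    try:
        max_age = int(str(policy.get("max_age", "")))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append("max_age out of range")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    return problems


def policy_id(policy_text: str) -> str:
    """Content-derived id: any change to the served file yields a new id.

    RFC 8461 only requires the id to be alphanumeric (up to 32 characters)
    and to change when the policy changes, so a truncated hash is enough.
    Assumption: a digest is used here; a timestamp would also satisfy the RFC.
    """
    return hashlib.sha256(policy_text.encode()).hexdigest()[:32]


def sts_txt_record(policy_text: str) -> str:
    """Value for the _mta-sts.<domain> TXT record that points at this policy."""
    return f"v=STSv1; id={policy_id(policy_text)};"


if __name__ == "__main__":
    text = render_policy("testing", ["mx1.example.com", "mx2.example.com"], 86400)
    print(text)
    print("problems:", validate_policy(parse_policy(text)))
    print("_mta-sts.example.com. IN TXT", f'"{sts_txt_record(text)}"')
```

Start in `testing` mode and move to `enforce` only once DMARC-style reports (or your own delivery logs) show that every listed MX actually presents a certificate for its own name from a widely trusted CA; the TXT id must be republished every time the served file changes, or senders keep using the cached policy until `max_age` runs out.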

Re: New to Postfix. 3 questions about security functions.

Viktor Dukhovni


> On Aug 14, 2018, at 11:53 PM, Viktor Dukhovni <[hidden email]> wrote:
>
> DANE is ready for adoption, with multiple fielded implementations and many
> (312 thousand inbound plus some large ones still outbound only) live domains.
>
> Outbound DANE is simple.  Make sure you have a DNSSEC-validating resolver
> running locally on the MTA (it can forward queries to an upstream cache
> if you like), and set:
>
>    main.cf:
>        smtp_tls_security_level = dane
>        smtp_dns_support_level = dnssec

One more thing I forgot to mention, should you be unlucky enough to run into
a domain whose TLSA records don't match reality, double-check this against:

   https://github.com/danefail/list

where some of us keep track of a small number of domains with operational
difficulties.  If already listed, consider exempting from DANE on your end
with a policy table entry:

  main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy

  tls-policy:
        # Operator error: not DANE-capable:
        example.com may

If not yet listed, and not fixed promptly even after notifying the
domain holder, postmaster, ... open an issue to have it added.

Another way to get past such problems, is to disable DNSSEC for
the MX-host domain via a suitable resolver configuration directive.
For example in "unbound.conf":

        server:
                domain-insecure: "example.com"

This may need to be set for the containing zone, I don't recall
whether the option is valid for names not at the zone apex.

--
        Viktor.
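To make the coordination requirement concrete, here is an added example (Python, not Postfix code and not taken from Viktor's slides) that models a DANE-EE "3 1 1" TLSA rollover as a sequence of steps and checks, at every step, that the key in the served certificate matches a published record, including the previous RRset that an unexpired resolver cache may still hold. It follows the "current + next" strategy from RFC 7671 section 8 and contrasts it with two orderings that break verification. The SPKI bytes are constructed stand-ins (in practice you hash the DER SubjectPublicKeyInfo of the real certificate) and the names are placeholders.

```python
"""DANE TLSA 'current + next' rollover check (added example, not Postfix code).

TLSA records and the served certificate must never disagree: a DANE verifier
that sees a key matching none of the published records refuses the session.
A plan is a list of steps; each step records what DNS publishes, which key
the certificate actually carries, and whether the old RRset's TTL has been
waited out.  SPKI bytes are constructed stand-ins for DER SubjectPublicKeyInfo.
"""
import hashlib
from typing import List, NamedTuple, Optional, Set, Tuple


class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: the end-entity key itself is trusted
    selector: int  # 1 = SubjectPublicKeyInfo
    mtype: int     # 1 = SHA-256
    data: str      # hex digest


def tlsa_from_spki(spki_der: bytes) -> TLSA:
    """Build the '3 1 1' record for a key, the usual choice for SMTP."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).hexdigest())


def rr_text(owner: str, rec: TLSA) -> str:
    """Zone-file presentation, e.g. _25._tcp.mx.example.com. IN TLSA 3 1 1 <hex>."""
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.mtype} {rec.data}"


def cert_matches(rrset: Set[TLSA], live_spki: bytes) -> bool:
    """DANE-EE check: the live key must match at least one published record."""
    return tlsa_from_spki(live_spki) in rrset


# (label, published RRset, key in the certificate being served, old TTL waited out)
Step = Tuple[str, Set[TLSA], bytes, bool]


def current_plus_next(current: bytes, nxt: bytes) -> List[Step]:
    """Pre-publish the next key, wait out the old TTL, swap the cert, then prune."""
    cur_rr, next_rr = tlsa_from_spki(current), tlsa_from_spki(nxt)
    return [
        ("initial state", {cur_rr}, current, True),
        ("publish next key alongside current", {cur_rr, next_rr}, current, False),
        ("wait at least the old RRset TTL", {cur_rr, next_rr}, current, True),
        ("deploy certificate with next key", {cur_rr, next_rr}, nxt, False),
        ("retire current key from DNS", {next_rr}, nxt, False),
    ]


def naive_swap(current: bytes, nxt: bytes) -> List[Step]:
    """Common mistake: rotate the certificate first, fix DNS afterwards."""
    cur_rr, next_rr = tlsa_from_spki(current), tlsa_from_spki(nxt)
    return [
        ("initial state", {cur_rr}, current, True),
        ("deploy certificate with next key", {cur_rr}, nxt, False),
        ("update TLSA record", {next_rr}, nxt, False),
    ]


def publish_and_swap_at_once(current: bytes, nxt: bytes) -> List[Step]:
    """DNS is right, but caches still hold the old RRset when the cert changes."""
    cur_rr, next_rr = tlsa_from_spki(current), tlsa_from_spki(nxt)
    return [
        ("initial state", {cur_rr}, current, True),
        ("publish next key and deploy it at once", {cur_rr, next_rr}, nxt, False),
    ]


def first_failing_step(plan: List[Step]) -> Optional[str]:
    """Label of the first step at which some verifier would reject the cert, or None."""
    previous: Set[TLSA] = set()
    for label, rrset, live, waited in plan:
        # Resolvers that have not yet expired the previous RRset still use it.
        visible = [rrset] if waited or not previous else [rrset, previous]
        if not all(cert_matches(v, live) for v in visible):
            return label
        previous = rrset
    return None


if __name__ == "__main__":
    current_key = b"constructed-spki-current"  # stand-in for DER SPKI bytes
    next_key = b"constructed-spki-next"
    print(rr_text("_25._tcp.mx.example.com.", tlsa_from_spki(next_key)))
    print("current+next fails at:", first_failing_step(current_plus_next(current_key, next_key)))
    print("naive swap fails at:", first_failing_step(naive_swap(current_key, next_key)))
    print("publish+swap fails at:", first_failing_step(publish_and_swap_at_once(current_key, next_key)))
```

The same check belongs in whatever automation renews your certificate: refuse to install a new key until its `3 1 1` record has been published and the old RRset's TTL has elapsed, which is exactly the gap that the naive and at-once plans fail on.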


Re: New to Postfix. 3 questions about security functions.

lists@lazygranch.com
In reply to this post by robacons
When I set up my last email server, I got a cheap TLD to flog it on the internet. I used a dot-site TLD that cost a buck. (Mind you I reject all those goofy TLDs on my actual server.) With example.site, you get to test out everything except dnssec.

The last place I would be looking for email server software is on github. Maintenance is far easier using a repo.

My TLS is still at "may".  I have three contacts I can't get to set up encryption. When Google forces encryption, I will do so.

Signing your email with DKIM is more of a priority than authenticating incoming email, though both are important. If you don't sign with DKIM, you look spammy. I also do SPF.

One reason you want to be online rather than on a lan is there are websites that will test your server.

http://dkimvalidator.com

If you are setting this server up for a small number of users, consider using a stick shift rather than an automatic. That is I try to keep the attack surface as small as possible. I have no web access to the email programs. I do everything with command line via ssh.

I'm guessing you will be using a VPS. I'm on Digital Ocean running Centos. But I assume this is a function of what country you reside in. Some sysadmins will assume if you are on a VPS, you are a spammer. ATT for example. They will whitelist your IP, but you need to ask.

I got a lot of grief when I disparaged OVH, but I swear they are bulletproof hosting and I would avoid them. You really should go for SSD based VPS if you go that route at all. In benchmarks, Linode is usually a bit faster than Digital Ocean.

I used this blog as a guide, but hacked it a bit for postfix 3.
https://blog.iandreev.com/?p=1975

On my current server, I skipped amavisd-new because sometimes it stalls the mail queue. Nor do I run SpamAssassin. I'm happy just using RBLs. I'm running opendkim, openspf, and opendmarc.


Re: New to Postfix. 3 questions about security functions.

Dominic Raferd
On Wed, 15 Aug 2018 at 09:32, Gary <[hidden email]> wrote:
> ...
> I'm guessing you will be using a VPS. I'm on Digital Ocean running Centos. But I assume this is a function of what country you reside in. Some sysadmins will assume if you are on a VPS, you are a spammer. ATT for example. They will whitelist your IP, but you need to ask.
>
> I got a lot of grief when I disparaged OVH, but I swear they are bulletproof hosting and I would avoid them. You really should go for SSD based VPS if you go that route at all. In benchmarks, Linode is usually a bit faster than Digital Ocean.
>
> On my current server, I skipped amavisd-new because sometimes it stalls the mail queue. Nor do I run SpamAssassin. I'm happy just using RBLs. I'm running opendkim, openspf, and opendmarc.
>
>   Original Message
> From: [hidden email]
>
>> I'm starting the process of moving my mail from a hosted service to my own.  It'll include a Postfix server.
>>
>> I got a test server running locally and 'sending & receiving' mail inside my lan.
>>
>> Now I'm doing my reading on security issues, authentication, and the like.
>>
>> I've got stacks of articles and notes.
>>
>> I'm looking for any advice from opinionated, experienced Postfix users.
>>
>> Couple of production questions:
>>
>> (1)
>> For open-source authentication milters (DKIM, DMARC, ARC) that work with Postfix on Linux, there seem to be two main choices:
>>   https://github.com/fastmail/authentication_milter
>>   https://github.com/trusteddomainproject/
>> What do folks here recommend to use?

Regarding DKIM and DMARC I would stick with the standard open-source packages which are opendkim and opendmarc, they play well together and you should be able to install them from your distro packaging system. Then you don't need any SPF package - it's unwise IMO to block emails solely on SPF (because they may be relayed), and opendmarc v1.3.2+ has a reliable built-in SPF checker.

I use Amavis as content-filter and it works well although the consequent re-injection of emails makes log tracing more complicated. It normally calls SpamAssassin and ClamAV - the latter is pointless without the Sanesecurity addon signatures. Virus-laden emails that aren't stopped by other defences before they reach amavis/ClamAV are surprisingly rare. Amavis has its own quarantine-hold and quarantine-release system - it would be more elegant if it used postfix's hold queue. I have found Amavis setting '$child_timeout = 20;' helpful - sometimes the children (ClamAV especially) do go on a bit ;-)

I use OVH for a mailserver and don't have problems with it, and they are the best value I know for VPS with static ipv4. Of course everyone is entitled to their own opinion.


Re: New to Postfix. 3 questions about security functions.

robacons
Thanks a lot for the comments so far!

>> (1)
>>
>>What do folks here recommend to use?

> On my current server, I skipped amavisd-new because sometimes it stalls the mail queue. Nor do I run SpamAssassin. I'm happy just using RBLs. I'm running opendkim, openspf, and opendmarc.

> Regarding DKIM and DMARC I would stick with the standard opensource packages which are opendkim and opendmarc, they play well together and you should be able to install them from your distro packaging system.


I don't have any experience yet with one or the other.

Whatever I use I'll likely build instead of using distro packages.  I'm not a huge fan of some of the spec files I see.  I like simple and understandable!  But I'll see yet.

That 'trusteddomainproject' sounds a bit more official. Or at least broader.  But I really don't know.  Seems like there aren't a lot of people working on it.  Or that bugs get the attention they need.

The 'fastmail' project sounds like it's attached to one specific vendor, Fastmail.  But that's been my mail vendor, and they've been great.  And it has the advantage of being an all-in-one-milter tool.  Looks like a smaller project though.

> Amavis, Spamassassin, Clamav

Still thinking about those.

> OVH

I've seen way more spam attempts from OVH blocks than any other provider.  By far.  Could be because they're big.  I'm not convinced.

> DigitalOcean

They've been the 2nd worst in my sample set.

I'd rather set up my mail in a better 'neighborhood'.  For me that will be Linode.

Yeah I know.  Different strokes!


>>(2)
>>
>>What's the current advice for MTA-STS vs MTA-DANE?  Which should we implement?

> Outbound DANE is simple.  Make sure you have a DNSSEC-validating resolver running locally on the MTA (it can forward queries to an upstream cache if you like), and set:

Didn't realize it was THAT simple. Thanks.

How do you TEST it once you turn it on?  Is it just the obvious "if you can send, and there are no Postfix reported errors, then it works"?

> If DNSSEC is not a major barrier for you

In principle, no.

> inbound DANE, but don't do it as a fashion statement,

Roger that!

> there are operational requirements that must not be ignored.  In particular your certificate rotation needs to be coördinated correctly with TLSA record updates.  

I'm looking at Opendnssec and got it updating my DNS locally.

What's got me antsy is the whole automation bit for the DS-Records updates at the registrar (right now I'm at Gandi).  And rotation automation stuff.  Still seems like there's a lot of Do-It-Yourself scripting needed.

> ICANN61 talk slides

Thanks a lot.  Those are some good reading.

> One more thing I forgot to mention, should you be unlucky enough to run into a domain whose TLSA records don't match reality, double-check this against:

Back to the TESTing question.  How does Postfix notify you if you do?

Only in the error logs?  Or some response that I should get as a response in my mailer?


>>(3)
>>
>>I'm guessing it will be ABLE to use it.

> It will be negotiated automatically if both ends support it, once you
> deploy Postfix linked with OpenSSL 1.1.1.

But I'll have to SET Postfix to use TLS1.3 in the config?  In the 'smtp_tls_mandatory_protocols' setting?

Not sure yet about that one.  Looks like you don't necessarily INCLUDE what to use, but EXCLUDE what NOT to use?

> That said, best to not do that yet.

Meaning?

When Openssl 1.1.1 comes out, should you still only build Postfix with Openssl 1.1.0?  Or are you talking about *config*?

Thanks.

Rob Arlenn


Re: New to Postfix. 3 questions about security functions.

Dominic Raferd
On Wed, 15 Aug 2018 at 10:52, <[hidden email]> wrote:
> That 'trusteddomainproject' sounds a bit more official. Or at least broader.  But I really don't know.  Seems like there aren't a lot of people working on it.  Or that bugs get the attention they need.

That is the home of opendkim and opendmarc (and also, I see now, openarc - haven't heard about anyone's experience with that yet). They work well in production. For Ubuntu there is a PPA at https://launchpad.net/~haberland/+archive/ubuntu/opendmarc which is maintained by Juri and includes some additional bells and whistles for opendmarc 1.3.2.

> I've seen way more spam attempts from OVH blocks than any other provider.  By far.  Could be because they're big.  I'm not convinced.

Probably because they are the cheapest, so some spammers choose them. I don't see problems with incoming or outgoing email - YMMV.

Re: New to Postfix. 3 questions about security functions.

Bill Cole-3
In reply to this post by robacons
On 14 Aug 2018, at 23:05 (-0400), [hidden email] wrote:

> Hello,
>
> I'm starting the process of moving my mail from a hosted service to my
> own.  It'll include a Postfix server.
>
> I got a test server running locally and 'sending & receiving' mail
> inside my lan.
>
> Now I'm doing my reading on security issues, authentication, and the
> like.
>
> I've got stacks of articles and notes.
>
> I'm looking for any advice from opinionated, experienced Postfix
> users.
>
> Couple of production questions:
>
> (1)
>
> For opensource authentication milters (DKIM, DMARC, ARC), that works
> with Postfix on Linux, there seem to be two main choices:
>
>   https://github.com/fastmail/authentication_milter

That's checking only, not signing.

>   https://github.com/trusteddomainproject/

The OpenDKIM and OpenDMARC tools there are what most people use.

> What do folks here recommend to use?

I'm an outlier in that I use & recommend none of the above. I use the
MIMEDefang milter as a harness for everything Postfix doesn't do itself,
and prefer letting it do DKIM checks via SpamAssassin and signing with
an internal implementation using the Perl Mail::DKIM module. I don't see
a lot of value as a receiver to do any DMARC implementation.

> (2)
>
> Is it time -- in the real-world -- to force STARTTLS yet?

No. See recent past traffic here on TLS issues for clues as to why.
Sturgeon's Law, unsurprisingly, applies to the deployed configurations
of production mail servers.

> What's the current advice for MTA-STS vs MTA-DANE?  Which should we
> implement?

If you insist on trying to do one and only one of those, DANE is by far
the better choice. Accepting the fundamentally broken CA-based security
model as the price of postponing deployment of trustworthy DNS is deeply
unwise.


> (3)
>
> The TLS 1.3 has been officially released.

You mean finalized as an IETF RFC. There is no "release" involved.

> I guess there will be a release of OpenSSL 1.1.1 that has it coming
> pretty soon.

The "pre-release" versions with support have been coming out for a few
months.

> What if anything should we be doing with Postfix and TLS 1.3?

Nothing. It has never been a good idea to fine-tune TLS version or
feature support in Postfix (aside from transient bug mitigation) and
TLSv1.3 cannot change the rationale for that.

> I'm guessing it will be ABLE to use it.

As long as there isn't something broken in OpenSSL 1.1.1, it should be
possible to build Postfix with it and get TLSv1.3 sessions when
possible.

> But I don't want to make the mistake of turning it on just to be
> current, if I then make it impossible to communicate with my servers.

Typically there is no need to "turn on" TLS versions in Postfix, it is
only a matter of how your Postfix is built and what libraries you have
installed for the build and at runtime. Given OpenSSL history, I would
expect that switching to v1.1.1 will require a rebuild of Postfix.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole

Re: New to Postfix. 3 questions about security functions.

Viktor Dukhovni
In reply to this post by robacons


> On Aug 15, 2018, at 5:51 AM, [hidden email] wrote:
>
> Back to the TESTing question.  How does Postfix notify you if you do?
>
> Only in the error logs?  Or some response that I should get as a response in my mailer?

I would set:

        delay_warning_time = 2h

and if any mail is delayed due to certificate verification
failure or missing/broken STARTTLS support you'll get a
delay notice once it's been in the queue for two hours.

--
        Viktor.
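Besides the delay notice, the smtp client log records the TLS outcome of every delivery attempt, which is the other place to look when checking a new `dane` setup (Rob's testing question above and Viktor's answer). The script below is an added example, not Postfix code: it classifies log lines written in Postfix's style by outcome and pulls out TLS-related deferrals. The sample lines, host names and addresses are constructed placeholders; the wording of the "TLS connection established" and "status=deferred" lines follows the Postfix smtp client's format.

```python
"""Triage of Postfix smtp client TLS outcomes (added example, not Postfix code).

'Verified' means the peer was authenticated (under the dane level, that is a
TLSA match); 'Untrusted' and 'Anonymous' mean encrypted but unauthenticated,
which opportunistic policy allows for destinations without usable TLSA
records; a deferral whose reason mentions TLS is what delay_warning_time
would eventually report.  All log lines below are constructed samples.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = """\
Aug 15 09:01:12 mx postfix/smtp[2101]: Verified TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 09:02:30 mx postfix/smtp[2102]: Untrusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 15 09:03:05 mx postfix/smtp[2103]: 4A1B2C3D4E: to=<user@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=0.5, delays=0.1/0/0.4/0, dsn=4.7.5, status=deferred (TLS is required, but was not offered by host mx.example.com[203.0.113.5])
Aug 15 09:04:44 mx postfix/smtp[2104]: Anonymous TLS connection established to smtp.example.edu[203.0.113.9]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 09:05:10 mx postfix/smtp[2105]: 5B2C3D4E5F: to=<someone@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.2, delays=0.2/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Outcome line: "<level> TLS connection established to host[ip]:port: proto with cipher ..."
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# Delivery status line; only the deferred case with its parenthesised reason is kept.
DEFER_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^\[,]+)"
    r".*status=deferred \((?P<reason>.*)\)$"
)

LEVELS = ("Verified", "Trusted", "Untrusted", "Anonymous")


def triage(log_text: str) -> Dict[str, object]:
    """Group destination hosts by TLS outcome and collect TLS-related deferrals."""
    by_level: Dict[str, Set[str]] = {level: set() for level in LEVELS}
    deferred: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            by_level[m["level"]].add(m["host"])
            continue
        m = DEFER_RE.search(line)
        if m and "TLS" in m["reason"]:
            deferred.append((m["qid"], m["relay"], m["reason"]))
    return {"by_level": by_level, "deferred": deferred}


def unauthenticated_hosts(log_text: str) -> List[str]:
    """Destinations reached over TLS but without peer authentication."""
    by_level = triage(log_text)["by_level"]
    return sorted(by_level["Untrusted"] | by_level["Anonymous"])  # type: ignore[index]


def tls_deferrals(log_text: str) -> List[Tuple[str, str, str]]:
    """(queue id, relay host, reason) for deliveries deferred on TLS grounds."""
    return triage(log_text)["deferred"]  # type: ignore[return-value]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for level in LEVELS:
        print(f"{level:10s}", sorted(result["by_level"][level]))  # type: ignore[index]
    print("unauthenticated:", unauthenticated_hosts(SAMPLE_LOG))
    for qid, relay, reason in tls_deferrals(SAMPLE_LOG):
        print(f"deferred {qid} via {relay}: {reason}")
```

Run it over a day of `/var/log/mail.log` (or `journalctl -u postfix`) after enabling `dane`: destinations that publish TLSA records should start showing up as Verified, and any relay that appears in the deferral list is a candidate for the danefail check and the `tls-policy` exemption Viktor describes.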


Re: New to Postfix. 3 questions about security functions.

Viktor Dukhovni
In reply to this post by Bill Cole-3


> On Aug 15, 2018, at 8:54 AM, Bill Cole <[hidden email]> wrote:
>
>> But I don't want to make the mistake of turning it on just to be current, if I then make it impossible to communicate with my servers.
>
> Typically there is no need to "turn on" TLS versions in Postfix, it is only a matter of how your Postfix is built and what libraries you have installed for the build and at runtime. Given OpenSSL history, I would expect that switching to v1.1.1 will require a rebuild of Postfix.

OpenSSL 1.1.1 is ABI-compatible with OpenSSL 1.1.0 and the library
has the same SONAME.  Therefore, if a system is upgraded to OpenSSL
1.1.1, Postfix will use 1.1.1 without a rebuild.  That said, I would
not expect OS distributions to do that.  They'll ship 1.1.1 with
a newer OS release, with packages built against 1.1.1.

--
        Viktor.


Re: New to Postfix. 3 questions about security functions.

A. Schulze

Viktor Dukhovni:

> Therefore, if a system is upgraded to OpenSSL 1.1.1, Postfix will
> use 1.1.1 without a rebuild.

but the mail log gets flooded with ugly warnings:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_misc.c#L971

I do run postfix-3.3.1 + openssl-1.1.1-pre* since some months without
any negative impact.
But that's only a low volume, non-important infrastructure (my MX)...


Andreas


Re: New to Postfix. 3 questions about security functions.

Viktor Dukhovni


> On Aug 16, 2018, at 6:30 AM, A. Schulze <[hidden email]> wrote:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_misc.c#L971

I am planning a patch to silence these for Postfix 3.4, and Wietse
may choose to apply the same to some or all of 3.3, 3.2, 3.1 and 3.0.

--
        Viktor.


Re: New to Postfix. 3 questions about security functions.

lists@lazygranch.com
In reply to this post by robacons
I suggest using port 587 (SUBMISSION). That way you can heavily firewall filter the IP space to geographic locations where you are not likely to be sending mail. Besides geographic filtering, I also limit access to 587 using my "no eyes" list of datacenters. This firewall filter list comprises major cloud providers like AWS, and any minor league datacenter that I have detected doing hacking. I'm filtering Linode and also Digital Ocean, with my own IP obviously not on the list.

You will probably find Linode automatically blocked by ATT, just like DO. Linode's Japanese IP space is notorious for bad behavior. Once your IP is removed from private blocking such as ATT uses, you should be good forever. When I set up the new email server, I had to contact ATT again to get cleared.

Ip2location.com provides free information on CIDRs used for individual countries. With enough firewall filtering, I don't need fail2ban. I just run SSHGuard.

www.postfix.org/anvil.8.html
Postfix anvil is highly suggested. I don't know if the intent was to stymie hackers, but it sure works well when one of those bots that tries to auth with guesses at usernames comes knocking.


Re: New to Postfix. 3 questions about security functions.

Wietse Venema
In reply to this post by Viktor Dukhovni
Viktor Dukhovni:
>
>
> > On Aug 16, 2018, at 6:30 AM, A. Schulze <[hidden email]> wrote:
> >
> > https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_misc.c#L971
>
> I am planning a patch to silence these for Postfix 3.4, and Wietse
> may choose to apply the same to some or all of 3.3, 3.2, 3.1 and 3.0.

        msg_warn("run-time library vs. compile-time header version mismatch: "
             "OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d",
                 lib_info.major, lib_info.minor, lib_info.micro,
                 hdr_info.major, hdr_info.minor, hdr_info.micro);

Are you assuming that Postfix won't run unless a library with
the right SOname exists? That is definitely not safe to assume.

It may make sense to skip the warning when both versions are known to
share the same ABI. But that knowledge needs to be compiled in, or
specified with configuration settings.

        Wietse

Re: New to Postfix. 3 questions about security functions.

Viktor Dukhovni


> On Aug 16, 2018, at 11:03 AM, Wietse Venema <[hidden email]> wrote:
>
> Are you assuming that Postfix won't run unless a library with
> the right SOname exists? That is definitely not safe to assume.
>
> It may make sense skip the warning when both versions are known to
> share the same ABI. But that knowledge needs to be compiled in, or
> specified with configuration settings.

I am assuming that the OpenSSL team delivers on the promise that
micro version bumps are ABI-compatible.  For example, OpenSSL 1.1.1
is ABI-compatible with OpenSSL 1.1.0.  ABI changes will change the
SONAME, and the minor number.

--
        Viktor.