Offering STARTTLS in postfix. need help!


Offering STARTTLS in postfix. need help!

Sean Son
Hello everyone,

I hope you all had a wonderful holiday season. 


How does one configure an internet facing Postfix SMTP mail relay server, to offer STARTTLS?  I have been googling around and seeing various different articles and blog entries, but I cannot figure out what is the quickest and easiest way to do so.  I am running postfix on RHEL 7.  Any help is greatly appreciated!


Thanks!!

Sean

Re: Offering STARTTLS in postfix. need help!

Philip Paeps
On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
>How does one configure an internet facing Postfix SMTP mail relay
>server, to offer STARTTLS?  I have been googling around and seeing
>various different articles and blog entries, but I cannot figure out
>what is the quickest and easiest way to do so.  I am running postfix on
>RHEL 7.  Any help is greatly appreciated!

I'm surprised Google couldn't find
http://www.postfix.org/TLS_README.html

DuckDuckGo returns it as the first hit for "Postfix TLS".

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Re: Offering STARTTLS in postfix. need help!

Sean Son


Hello Philip

Thank you for the response. I did see that documentation but it was too confusing for me to figure it out. But upon further research I found this:


By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".

Example:

/etc/postfix/main.cf:
    smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.


I think this is the correct solution?   Would this require an SSL cert?  


Thanks


RE: Offering STARTTLS in postfix. need help!

Fazzina, Angelo
In reply to this post by Philip Paeps
Mine is a RHEL7 install, but it installs Postfix 2.10, and I use an LDAP backend for password storage. Not sure if it helps you?
-ALF

RAN     vi /etc/postfix/master.cf
        # 587: smtpd_tls_security_level=encrypt makes STARTTLS mandatory, so AUTH
        # is neither announced nor accepted on the cleartext connection; only
        # SASL-authenticated clients get past the client restrictions.
        submission inet n       -       n       -       -       smtpd
          -o syslog_name=postfix/submission
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o milter_macro_daemon_name=ORIGINATING
        # 465: TLS from the first byte (wrapper mode), there is no STARTTLS step.
        smtps     inet  n       -       n       -       -       smtpd
          -o syslog_name=postfix/smtps
          -o smtpd_tls_wrappermode=yes
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o milter_macro_daemon_name=ORIGINATING
RAN     vi /etc/postfix/main.cf
smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

RAN     yum install sssd
RAN     yum install pamtester
RAN     vi /etc/pam.d/smtp
        auth      sufficient pam_unix_auth.so
        auth      required   pam_ldap.so use_first_pass
        account   sufficient pam_unix_acct.so
        account   required   pam_ldap.so
        (comment out the other two lines)

RAN     vi /etc/sssd/sssd.conf
        [domain/default]

        autofs_provider = ldap
        cache_credentials = True
        ldap_search_base = ou=people,dc=uconn,dc=edu
        krb5_realm = UCONN.EDU
        krb5_server = kerberos.uconn.edu
        id_provider = ldap
        auth_provider = ldap
        chpass_provider = ldap
        ldap_uri = ldaps://ldap.uconn.edu
        ldap_id_use_start_tls = False
        ldap_tls_cacertdir = /etc/openldap/cacerts
        #ldap_tls_cacertdir = /etc/openldap/cacerts
        krb5_store_password_if_offline = True
        krb5_kpasswd = kadmin.uconn.edu
        [sssd]
        services = nss, pam, autofs
        config_file_version = 2

        domains = default
        [nss]
        homedir_substring = /home

        [pam]

        [autofs]

RAN     chmod 600 /etc/sssd/sssd.conf
RAN     yum install nss-pam-ldapd
RAN     vi /etc/nslcd.conf
        uri ldaps://ldap.uconn.edu
        base dc=uconn,dc=edu
        binddn <REMOVED>
        bindpw  <REMOVED>
        # "never" skips verification of the LDAP server's certificate
        tls_reqcert never
        ssl no
        tls_cacertdir /etc/openldap/cacerts
RAN     yum install pam_ldap
RAN     authconfig-tui
        In "User information" pick "use LDAP"
        In "Authentication" pick Use LDAP Authentication"
RAN     yum install cyrus-sasl
RAN     systemctl status saslauthd
RAN     systemctl enable saslauthd
RAN     systemctl start saslauthd
RAN     yum install cyrus-sasl-plain
RAN     pamtester smtp zzz00036 authenticate


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



Re: Offering STARTTLS in postfix. need help!

Viktor Dukhovni
In reply to this post by Sean Son


> On Jan 12, 2018, at 3:55 PM, Sean Son <[hidden email]> wrote:
>
> By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".
>
> Example:
>
> /etc/postfix/main.cf:
>     smtpd_tls_security_level = may
>
> With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.
>
> I think this is the correct solution?   Would this require an SSL cert?

Yes, of course.  See:

   http://www.postfix.org/TLS_README.html#quick-start

and if your Postfix release is older than Postfix 3.1, in particular:

   http://www.postfix.org/TLS_README.html#self-signed

--
        Viktor.
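To see what a listener actually advertises once `smtpd_tls_security_level = may` (the relay case Sean quoted) or `encrypt` (Angelo's submission entry) is in place, the probe below does an EHLO in the clear, upgrades with STARTTLS and repeats the EHLO. It reports whether STARTTLS is offered, whether AUTH is already announced before encryption (which a submission port must not do), whether the certificate Viktor says you need verifies against the system trust store, and the certificate's SHA-256 fingerprint either way. This is an added example, not code from the Postfix project or from anyone in the thread; mail.example.org and the two sample EHLO replies embedded in it are constructed placeholders.

```python
"""Check what an SMTP listener advertises before and after STARTTLS.
Added example, not code from the Postfix project or from anyone in this
thread.  The sample EHLO replies are constructed; mail.example.org is a
placeholder host."""
import hashlib
import json
import smtplib
import ssl
import sys
from typing import Dict, List

# Constructed replies: a relay at smtpd_tls_security_level=may, and a
# submission listener that wrongly announces AUTH before encryption.
SAMPLE_RELAY_EHLO = ("250-mail.example.org\n250-PIPELINING\n250-SIZE 10240000\n"
                     "250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250 8BITMIME\n")
SAMPLE_LEAKY_SUBMISSION_EHLO = ("250-mail.example.org\n250-STARTTLS\n"
                                "250-AUTH PLAIN LOGIN\n250 8BITMIME\n")


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Map a 250 EHLO reply (raw '250-' lines or smtplib's code-stripped text)
    to {KEYWORD: params}; the first line is the greeting and is skipped."""
    features: Dict[str, str] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) > 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]                      # drop the reply-code prefix
        keyword, _, params = line.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def assess_pre_tls(features: Dict[str, str]) -> List[str]:
    """Findings from the EHLO seen on the still-cleartext connection; an empty
    list means STARTTLS is offered and no AUTH is announced before it."""
    findings: List[str] = []
    if "STARTTLS" not in features:
        findings.append("STARTTLS not offered (smtpd_tls_security_level=none, "
                        "or TLS failed to initialise; check the mail log)")
    if "AUTH" in features:
        # Postfix withholds AUTH until after STARTTLS when the listener runs
        # smtpd_tls_security_level=encrypt or smtpd_tls_auth_only=yes; seeing
        # it here means a client may send a password in the clear.
        findings.append(f"AUTH {features['AUTH']} advertised before TLS")
    return findings


def _session(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> dict:
    """One SMTP session: EHLO, STARTTLS under ctx, EHLO again, peer cert facts."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        pre = parse_ehlo_reply(msg.decode("utf-8", "replace"))
        out = {"pre_tls": pre, "findings": assess_pre_tls(pre)}
        if "STARTTLS" not in pre:
            return out
        smtp.starttls(context=ctx)               # raises if the handshake fails
        code, msg = smtp.ehlo()                  # the feature list may change
        out["post_tls"] = parse_ehlo_reply(msg.decode("utf-8", "replace"))
        tls = smtp.sock                          # now an ssl.SSLSocket
        out["protocol"], out["cipher"] = tls.version(), tls.cipher()[0]
        der = tls.getpeercert(binary_form=True)
        out["cert_sha256"] = hashlib.sha256(der).hexdigest()
        if ctx.verify_mode != ssl.CERT_NONE:     # parsed cert only when verified
            cert = tls.getpeercert()
            out["subject"], out["san"] = cert.get("subject"), cert.get("subjectAltName")
        return out
    finally:
        try:
            smtp.quit()                          # best effort; session may be dead
        except (smtplib.SMTPException, OSError):
            smtp.close()


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Verifying handshake first; if the cert does not verify (self-signed or
    wrong name), repeat unverified so cipher and fingerprint are still shown.
    Opportunistic SMTP peers accept such a cert; a submission client will not."""
    try:
        result = _session(host, port, ssl.create_default_context(), timeout)
        result["verified"] = True
    except ssl.SSLCertVerificationError as exc:
        unverified = ssl.create_default_context()
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        result = _session(host, port, unverified, timeout)
        result["verified"], result["verify_error"] = False, exc.verify_message
    result.update(host=host, port=port)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # e.g. probe.py mail.example.org 587
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(json.dumps(probe(sys.argv[1], port), indent=2, default=str))
    else:                                        # offline demo on the constructed replies
        for name, sample in (("relay", SAMPLE_RELAY_EHLO),
                             ("submission", SAMPLE_LEAKY_SUBMISSION_EHLO)):
            print(name, assess_pre_tls(parse_ehlo_reply(sample)) or "ok")
```

Run it against port 25 of the relay and port 587 of the submission service. An empty findings list together with verified: true is what you want on 587; on 25 an unverifiable self-signed certificate is still acceptable to opportunistic peers, and the fingerprint is what you would pin if you ever move a client to the fingerprint security level.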


Re: Offering STARTTLS in postfix. need help!

Sean Son


Thank you, Viktor. It looks like I will need either a self-signed SSL cert or one signed by a CA to be able to offer STARTTLS. Please let me know if I am wrong.

Thanks



Re: Offering STARTTLS in postfix. need help!

Sean Son
Hello all

Is it possible to use a Wildcard cert with Postfix? Or does it have to be a cert for an exact FQDN?

Thanks!


Re: Offering STARTTLS in postfix. need help!

Benny Pedersen-2
Sean Son wrote on 2018-01-16 04:49:

> Is it possible to use a Wildcard cert with Postfix? Or does it have to
> be a cert for an exact FQDN?

Both are supported in OpenSSL.

Common practice is imap.example.org and smtp.example.org with a wildcard
signed cert for *.example.org.

Re: Offering STARTTLS in postfix. need help!

Sean Son

Thanks Benny!

Re: Offering STARTTLS in postfix. need help!

Viktor Dukhovni
In reply to this post by Benny Pedersen-2


> On Jan 15, 2018, at 11:01 PM, Benny Pedersen <[hidden email]> wrote:
>
> Common practice is imap.example.org and smtp.example.org with a wildcard signed cert for *.example.org.

The rule is: there are no rules.

TLS in SMTP is largely unauthenticated opportunistic TLS, and the
content of the certificate is ignored by most peers, there just
needs to be a certificate for interoperability reasons, since
many peers don't enable anon-DH ciphersuites.

Thus the certificate name can be anything, but matching the MX hostname
is best.  Wildcard certificates are best avoided simply because they are
likely to be misused for multiple services, increasing opportunities for
cross-protocol attacks or creating a single point of failure when cert
rotation is performed across all service instances that share the cert.

--
        Viktor.
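Benny's wildcard layout and Viktor's point that the certificate name only matters when a client actually verifies it are easy to check in code. The block below is an added example, not code from the Postfix project or from anyone in the thread: a hostname matcher with the rules current TLS clients apply (the wildcard must be the whole leftmost label, stands for exactly one label, and never covers the bare parent domain), plus a function stating, per smtp_tls_security_level as described in TLS_README, whether a Postfix client would look at the name at all. The SAN tuples and hostnames are constructed, in the shape Python's ssl getpeercert() returns; the dane and fingerprint levels are left out because they match on TLSA records or a configured digest rather than on names.

```python
"""Does a certificate's SAN list cover a hostname, and does the client care?
Added example, not code from the Postfix project or from anyone in the
thread.  SAN tuples and hostnames are constructed, in the shape that
ssl.SSLSocket.getpeercert()['subjectAltName'] returns."""
from typing import Dict, Iterable, Tuple

SAN = Iterable[Tuple[str, str]]


def _pattern_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label and stands
    for exactly one label: *.example.org covers smtp.example.org but not
    example.org and not a.b.example.org; a top-level *.org is refused."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if "*" in "".join(p_labels[1:]) or not h_labels[0] or "*" in h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san: SAN, host: str) -> bool:
    """True if any DNS SAN entry covers host.  The subject CN is ignored, as
    current clients do whenever SANs are present."""
    return any(kind == "DNS" and _pattern_matches(name, host) for kind, name in san)


def coverage(san: SAN, hosts: Iterable[str]) -> Dict[str, bool]:
    """Which of a set of MX / service hostnames one certificate would cover."""
    return {h: hostname_matches(san, h) for h in hosts}


def client_accepts(level: str, san: SAN, host: str, chain_trusted: bool) -> bool:
    """What a Postfix SMTP *client* does with the server certificate at each
    smtp_tls_security_level (TLS_README): may/encrypt never inspect it, which
    is the opportunistic-TLS point above; verify/secure need a trusted chain
    and a name match.  Which name is compared (MX host or next-hop domain) is
    governed by smtp_tls_verify_cert_match / smtp_tls_secure_cert_match; the
    caller supplies it here.  dane and fingerprint are not modelled."""
    if level in ("may", "encrypt"):
        return True
    if level in ("verify", "secure"):
        return chain_trusted and hostname_matches(san, host)
    raise ValueError(f"unsupported level {level!r}")


if __name__ == "__main__":
    wildcard = (("DNS", "*.example.org"),)
    exact = (("DNS", "mx1.example.org"), ("DNS", "mx2.example.org"))
    hosts = ["smtp.example.org", "example.org", "mail.eu.example.org", "mx2.example.org"]
    for label, san in (("*.example.org", wildcard), ("mx1/mx2", exact)):
        print(label, coverage(san, hosts))
    print("may, untrusted self-signed:", client_accepts("may", exact, "anything.invalid", False))
    print("verify, wrong name:", client_accepts("verify", exact, "smtp.example.org", True))
```

The practical reading: with the default opportunistic `may` on the client side, neither the wildcard nor the exact name is ever consulted, so the certificate only has to exist; the name starts to matter the moment a peer (or your own outbound Postfix) is configured with `verify` or `secure`, and at that point an exact per-MX name is the least surprising choice.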