Postfix ignores smtpd_tls_security_level = encrypt ?

Postfix ignores smtpd_tls_security_level = encrypt ?

Ferdinand Goldmann
Hi,

I need a Postfix (3.3) installation to only accept mails sent after STARTTLS,
so I've set smtpd_tls_security_level = encrypt in main.cf. However, Postfix
still allows sending mails without encryption.

Do the permit_mynetworks settings in smtpd_relay_restrictions and
smtpd_recipient_restrictions have an effect on the enforcement of TLS
encryption? Are hosts in mynetworks exempt from the smtpd_tls_security_level =
encrypt setting?

Thx and best regards
Ferdinand
--
Ferdinand Goldmann
System Administrator
Information Management

JOHANNES KEPLER
UNIVERSITY LINZ
Altenberger Straße 69
Hochschulfond Building, HF9902
4040 Linz, Austria
P +43 732 2468 3925
[hidden email]
www.jku.at/im


Re: Postfix ignores smtpd_tls_security_level = encrypt ?

Bastian Blank-3
On Thu, Oct 31, 2019 at 03:58:03PM +0100, Ferdinand Goldmann wrote:
> I need a Postfix (3.3) installation to only accept mails sent after STARTTLS,
> so I've set smtpd_tls_security_level = encrypt in main.cf. However, Postfix
> still allows sending mails without encryption.

accept != send.

Accepting, aka receiving, mails is done in smtpd, so smtpd_* options are
in effect.

Sending mails is done in smtp, so smtp_* options are in effect.

Bastian

--
Lots of people drink from the wrong bottle sometimes.
                -- Edith Keeler, "The City on the Edge of Forever",
                   stardate unknown

Re: Postfix ignores smtpd_tls_security_level = encrypt ?

Wietse Venema
In reply to this post by Ferdinand Goldmann
Ferdinand Goldmann:
> Hi,
>
> I need a Postfix (3.3) installation to only accept mails sent after STARTTLS,
> so I've set smtpd_tls_security_level = encrypt in main.cf. However, Postfix
> still allows sending mails without encryption.

I assume that you are talking about receiving email with Postfix.

What is the output from:
postconf -n smtpd_tls_security_level
postconf -P '*/*/smtpd_tls_security_level'

        Wietse

Re: Postfix ignores smtpd_tls_security_level = encrypt ?

Viktor Dukhovni
In reply to this post by Ferdinand Goldmann
> On Oct 31, 2019, at 10:58 AM, Ferdinand Goldmann <[hidden email]> wrote:
>
> I need a Postfix (3.3) installation to only accept mails sent after STARTTLS,
> so I've set smtpd_tls_security_level = encrypt in main.cf. However, Postfix
> still allows sending mails without encryption.

That's not correct.  Postfix does reject "MAIL FROM" over cleartext
when "smtpd_tls_security_level = encrypt" and STARTTLS was not used.
(More precisely, all commands other than XCLIENT, EHLO/HELO, STARTTLS,
NOOP and QUIT are rejected).

It seems your configuration was not as you intended.  For help, post
the output of:

        $ postconf -nf

and

        $ postconf -Mf

> Do the permit_mynetworks settings in smtpd_relay_restrictions and
> smtpd_recipient_restrictions have an effect on the enforcement of TLS
> encryption?

Not generally, but "reject_plaintext_session" can be used instead
of "smtpd_tls_security_level", possibly selectively by
client ip, sender domain, recipient address, ...

> Are hosts in mynetworks exempt from the smtpd_tls_security_level =
> encrypt setting?

No.

--
        Viktor.
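
Added example (not part of the original thread, and not Postfix project code): the replies ask for `postconf -n`, `postconf -P` and `postconf -M` output because a per-service `-o` override in master.cf takes precedence over main.cf. This Python sketch combines the three outputs into the effective smtpd_tls_security_level for each smtpd listener. The sample outputs are constructed for illustration, and the check assumes only the value `encrypt` counts as enforcing; legacy parameters and `reject_plaintext_session` are not evaluated.

```python
# Constructed sample outputs (assumptions for illustration, not from the thread).
POSTCONF_N = """\
smtpd_tls_security_level = encrypt
"""
POSTCONF_P = """\
smtp/inet/smtpd_tls_security_level = may
submission/inet/smtpd_tls_security_level = encrypt
"""
POSTCONF_M = """\
smtp       inet  n       -       y       -       -       smtpd -o smtpd_tls_security_level=may
submission inet  n       -       y       -       -       smtpd -o smtpd_tls_security_level=encrypt
10025      inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
"""
PARAM = "smtpd_tls_security_level"

def parse_assignments(text):
    """Parse 'name = value' lines as printed by postconf -n / -P."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out

def smtpd_services(postconf_m):
    """Return 'service/type' for every master.cf entry whose command is smtpd."""
    services = []
    for line in postconf_m.splitlines():
        fields = line.split()
        # Skip folded continuation lines (leading whitespace) and short lines.
        if line[:1].isspace() or len(fields) < 8:
            continue
        if fields[7] == "smtpd":
            services.append(f"{fields[0]}/{fields[1]}")
    return services

def effective_levels(postconf_n, postconf_p, postconf_m):
    """Map each smtpd listener to (level, source, enforces_tls)."""
    main = parse_assignments(postconf_n).get(PARAM, "")
    overrides = parse_assignments(postconf_p)
    result = {}
    for svc in smtpd_services(postconf_m):
        key = f"{svc}/{PARAM}"
        level, source = (overrides[key], "master.cf") if key in overrides else (main, "main.cf")
        result[svc] = (level, source, level == "encrypt")
    return result
```

With the constructed input, the port 25 listener resolves to `may` from master.cf even though main.cf says `encrypt`, so plaintext sessions would still be accepted there.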