Require TLS on internet-facing servers?

Require TLS on internet-facing servers?

robgane
Hello,

I am starting to set up a Postfix server for our office.

I'm looking at TLS policy.

Reading old posts on the Postfix mailing lists there are lots of comments that REQUIRING TLS should never be done on a public internet-facing server.

But those comments are from 5-7 yrs ago.

Is that still the case?

On a friend's server we just checked 3 months of logs.  IIUC there have been no non-TLS connections at all in that time:

grep -i "connection established" postfix*.log | wc -l
    125217

grep -i "connection established" postfix*.log | grep -v TLS | wc -l
     0

And that's with what I understand to be a 'may' policy.

First, is that a legitimate way to check?

Second, if there are actually no non-encrypted connections, is it time finally to simply require it?

Rob

Re: Require TLS on internet-facing servers?

Wietse Venema
[hidden email]:

> Hello,
>
> I am starting to set up a Postfix server for our office.
>
> I'm looking at TLS policy.
>
> Reading old posts on the Postfix mailing lists there are lots of
> comments that REQUIRING TLS should never be done on a public
> internet-facing server.
>
> But those comments are from 5-7 yrs ago.
>
> Is that still the case?

Your server, your rules...

> On a friend's server we just checked 3 months of logs.  IIUC there
> have been no non-TLS connections at all in that time:
>
> grep -i "connection established" postfix*.log | wc -l
>     125217
>
> grep -i "connection established" postfix*.log | grep -v TLS | wc -l
>      0
>
> First, is that a legitimate way to check?

No, because "connection established" is logged only for TLS
connections.  You'd also have to count the lines with "connect from"
which covers both TLS and non-TLS.

On my tiny server, only 4.6% of all inbound connections in June
2017 used TLS (a negligible portion of the "connection established"
lines were from tlsproxy).

And that is only for the 4.9% of connections that weren't blocked
by postscreen (25% of all unique clients).

If I were to block non-TLS email, I would miss a lot of email.

        Wietse

Re: Require TLS on internet-facing servers?

Wietse Venema
Correction: my numbers were off because I used case-insensitive search.

[hidden email]:

> Hello,
>
> I am starting to set up a Postfix server for our office.
>
> I'm looking at TLS policy.
>
> Reading old posts on the Postfix mailing lists there are lots of
> comments that REQUIRING TLS should never be done on a public
> internet-facing server.
>
> But those comments are from 5-7 yrs ago.
>
> Is that still the case?

Your server, your rules...

> On a friend's server we just checked 3 months of logs.  IIUC there
> have been no non-TLS connections at all in that time:
>
> grep -i "connection established" postfix*.log | wc -l
>     125217
>
> grep -i "connection established" postfix*.log | grep -v TLS | wc -l
>      0
>
> First, is that a legitimate way to check?

No, because "connection established" is logged only for TLS
connections.  You'd also have to count the lines with "connect from"
which covers both TLS and non-TLS.

On my tiny server, only 43% of all inbound connections in June 2017
used TLS (a negligible portion of the "connection established" lines
were from tlsproxy).

And that is only for the 4.9% of connections that weren't blocked
by postscreen (25% of all unique clients).

If I were to block non-TLS email, I would miss a lot of email.

        Wietse
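One way to do the count Wietse describes, as an added example that is not code from the thread: smtpd's "connect from" lines are the baseline, the match is kept case-sensitive so postscreen's upper-case "CONNECT from" lines are not mixed into that baseline (the kind of skew a case-insensitive search introduces), and handshakes logged by smtpd are separated from the ones tlsproxy logs on postscreen's behalf. The log lines are constructed; host names and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: measure the TLS share of inbound
# smtpd sessions with "connect from" as the baseline, as Wietse describes.
# The log lines are constructed; host names and addresses are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
Jul  7 10:00:01 mx postfix/postscreen[101]: CONNECT from [192.0.2.10]:4321 to [198.51.100.1]:25
Jul  7 10:00:02 mx postfix/postscreen[101]: DISCONNECT [192.0.2.10]:4321
Jul  7 10:00:05 mx postfix/postscreen[101]: CONNECT from [192.0.2.15]:4325 to [198.51.100.1]:25
Jul  7 10:00:05 mx postfix/tlsproxy[105]: Anonymous TLS connection established from unknown[192.0.2.15]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul  7 10:00:08 mx postfix/postscreen[101]: DISCONNECT [192.0.2.15]:4325
Jul  7 10:01:00 mx postfix/postscreen[101]: CONNECT from [192.0.2.20]:4322 to [198.51.100.1]:25
Jul  7 10:01:00 mx postfix/postscreen[101]: PASS OLD [192.0.2.20]:4322
Jul  7 10:01:01 mx postfix/smtpd[201]: connect from mail.example.net[192.0.2.20]
Jul  7 10:01:02 mx postfix/smtpd[201]: Anonymous TLS connection established from mail.example.net[192.0.2.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  7 10:01:05 mx postfix/smtpd[201]: disconnect from mail.example.net[192.0.2.20]
Jul  7 10:02:00 mx postfix/postscreen[101]: CONNECT from [192.0.2.30]:4323 to [198.51.100.1]:25
Jul  7 10:02:00 mx postfix/postscreen[101]: PASS OLD [192.0.2.30]:4323
Jul  7 10:02:01 mx postfix/smtpd[202]: connect from mx.example.org[192.0.2.30]
Jul  7 10:02:04 mx postfix/smtpd[202]: disconnect from mx.example.org[192.0.2.30]
EOF
)

# Count sample lines matching a grep pattern. grep -c prints the count even
# when it is 0 but then exits 1, so force a zero exit status for "set -e".
count() { printf '%s\n' "$SAMPLE_LOG" | grep -c "$@" || true; }

# Pre-screening connections logged by postscreen (upper-case "CONNECT from").
# A case-insensitive "connect from" search would add these to the baseline
# and shrink the apparent TLS share; keep the match case-sensitive.
postscreen_connects() { count 'postfix/postscreen\[[0-9]*\]: CONNECT from '; }
# Baseline: sessions that actually reached smtpd, TLS or not.
smtpd_sessions() { count 'postfix/smtpd\[[0-9]*\]: connect from '; }
# TLS handshakes completed by smtpd itself; tlsproxy handshakes on behalf of
# postscreen are not smtpd sessions and are excluded.
smtpd_tls_sessions() { count 'postfix/smtpd\[[0-9]*\]: .*TLS connection established from '; }
# What the pipeline in the question counts: every handshake line, any daemon.
naive_tls_lines() { count -i 'connection established'; }
# TLS share of smtpd sessions, one decimal place.
tls_percent() {
    awk -v tls="$(smtpd_tls_sessions)" -v all="$(smtpd_sessions)" \
        'BEGIN { printf "%.1f\n", (all ? 100 * tls / all : 0) }'
}

printf 'postscreen CONNECT lines:   %s\n' "$(postscreen_connects)"
printf 'smtpd sessions (baseline):  %s\n' "$(smtpd_sessions)"
printf 'smtpd TLS sessions:         %s (%s%%)\n' "$(smtpd_tls_sessions)" "$(tls_percent)"
printf 'naive "connection established" count: %s\n' "$(naive_tls_lines)"
```

On the sample this reports 2 smtpd sessions, 1 of them TLS (50.0%), while the naive count says 2 handshakes and a case-insensitive baseline would say 4 connections; point it at real logs by replacing SAMPLE_LOG with the file contents.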

Re: Require TLS on internet-facing servers?

lists@lazygranch.com
Would there be some way to redirect unencrypted email to some other server, Gmail for instance?  I would then force encryption on my personal server.

I'm down to one contact (as in a person I know) that isn't using encryption. I made two converts!  I haven't checked mailing lists for encryption.

Original Message
From: Wietse Venema
Sent: Friday, July 7, 2017 11:32 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: Require TLS on internet-facing servers?

Correction: my numbers were off because I used case-insensitive search.

[hidden email]:

> Hello,
>
> I am starting to set up a Postfix server for our office.
>
> I'm looking at TLS policy.
>
> Reading old posts on the Postfix mailing lists there are lots of
> comments that REQUIRING TLS should never be done on a public
> internet-facing server.
>
> But those comments are from 5-7 yrs ago.
>
> Is that still the case?

Your server, your rules...

> On a friend's server we just checked 3 months of logs. IIUC there
> have been no non-TLS connections at all in that time:
>
> grep -i "connection established" postfix*.log | wc -l
> 125217
>
> grep -i "connection established" postfix*.log | grep -v TLS | wc -l
> 0
>
> First, is that a legitimate way to check?

No, because "connection established" is logged only for TLS
connections. You'd also have to count the lines with "connect from"
which covers both TLS and non-TLS.

On my tiny server, only 43% of all inbound connections in June 2017
used TLS (a negligible portion of the "connection established" lines
were from tlsproxy).

And that is only for the 4.9% of connections that weren't blocked
by postscreen (25% of all unique clients).

If I were to block non-TLS email, I would miss a lot of email.

Wietse

Re: Require TLS on internet-facing servers?

Viktor Dukhovni
On Fri, Jul 07, 2017 at 03:04:11PM -0700, [hidden email] wrote:

> Would there be some way to redirect unencrypted email to some other server,
> Gmail for instance?  I would then force encryption on my personal server.

SMTP does not have "redirects".  SMTP security policy is up to the client:

    http://www.postfix.org/TLS_README.html#client_tls_limits

Just enable STARTTLS on the server, and let the clients do the rest.
There's little to be gained from enforcing TLS on inbound SMTP servers
(``MX hosts'').  By all means enforce TLS for submission, and enable
opportunistic TLS or opportunistic DANE TLS on your outbound SMTP
transport.

Rumour has it that the US army is finally aiming to deploy STARTTLS
circa July 2018:

    https://motherboard.vice.com/en_us/article/bjxjxv/the-pentagon-says-it-will-start-encrypting-soldiers-emails-next-year

The fraction of mail using TLS reported by Gmail has grown considerably
over the last few years, and is now hovering around 90% by volume.
Of course much of their traffic is to other large consumer email
providers that also support STARTTLS, and not to mailing lists or
other "niche" destinations that might not bother.

    https://www.google.com/transparencyreport/saferemail/

--
        Viktor.

Re: Require TLS on internet-facing servers?

/dev/rob0
In reply to this post by robgane
On Fri, Jul 07, 2017 at 10:40:47AM -0700,
  [hidden email] wrote:

> I am starting to set up a Postfix server for our office.
>
> I'm looking at TLS policy.
>
> Reading old posts on the Postfix mailing lists there are lots of
> comments that REQUIRING TLS should never be done on a public
> internet-facing server.
>
> But those comments are from 5-7 yrs ago.
>
> Is that still the case?
>
> On a friend's server we just checked 3 months of logs.  IIUC
> there have been no non-TLS connections at all in that time:

I use a warn_if_reject reject_plaintext_session restriction at
end-of-DATA, so I have some numbers which might not be relevant to
anyone else, but there are two main classes of plaintext mail
arriving at my site:

        1. Legitimate (solicited & confirmed) marketing mail
        2. Free software project mailing lists (not this one)

Your numbers (and classes) would vary if you tinker with TLS settings
such that you won't accept "weak" ciphers.  (Is a weak cipher weaker
than plaintext?)  My cipher settings are all Postfix defaults.

> Second, if there are actually no non-encrypted connections, is
> it time finally to simply require it?

I won't.  It's not like TLS in SMTP is going to make a huge
difference for privacy.  I suppose big mail services like gmail are
scanning mail content for their own use, and quite likely are
allowing national governments to do the same.

TLS addresses a single, relatively minor security concern, of
protection of data in transit.  Yes, that is a good thing, but
remember: you're also trusting the administrators of the other
endpoint.

If you really want to be a privacy advocate, start using GnuPG for
end-to-end email encryption.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
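Viktor's recommendations (opportunistic STARTTLS on the MX, enforced TLS on submission, opportunistic DANE outbound) and /dev/rob0's end-of-DATA measurement restriction, written out as a main.cf and master.cf fragment. This is an added example, not configuration posted in the thread; the certificate paths and host name are placeholders, and the DANE setting assumes a DNSSEC-validating resolver on localhost.

```conf
# main.cf (added example; paths and host name are placeholders)

# Inbound MX: offer STARTTLS, never require it. Senders that cannot
# negotiate TLS are still accepted, which is the point of the thread.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mx.example.com.crt
smtpd_tls_key_file = /etc/postfix/tls/mx.example.com.key
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# Outbound: opportunistic DANE. Needs a DNSSEC-validating resolver on
# localhost; destinations without TLSA records get opportunistic TLS.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1

# Measurement only: log what a plaintext-session rejection would have
# hit, without rejecting, so the decision rests on your own numbers.
smtpd_end_of_data_restrictions = warn_if_reject reject_plaintext_session

# master.cf: submission serves authenticated users, so TLS is enforced there.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

The warn_if_reject line writes "reject_warning" entries to the mail log instead of rejecting, which is how the per-sender classes /dev/rob0 describes can be tallied.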