Syntax question for smtp mandatory TLS encryption


Syntax question for smtp mandatory TLS encryption

J Doe
Hi,

I have a syntax question regarding configuring mandatory TLS encryption for the smtp process as listed on: www.postfix.org/TLS_README.html#client_tls

In the second example on the page, square brackets are used when specifying the policy for specific destinations in the tls_policy file:

/etc/postfix/tls_policy
    [example.net]:587 encrypt protocols=TLSv1 ciphers=high

Are the square brackets only required when the port to use is specified (i.e. in the previous example, when the destination was example.net with no port specified, I notice that the square brackets are left out) or is this syntax specifying something else?

Thanks,

- J

Re: Syntax question for smtp mandatory TLS encryption

/dev/rob0
On Wed, Oct 11, 2017 at 05:36:07PM -0400, J Doe wrote:

> I have a syntax question regarding configuring mandatory TLS
> encryption for the smtp process as listed on:
> www.postfix.org/TLS_README.html#client_tls
>
> In the second example on the page, square brackets are used when
> specifying the policy for specific destinations in the tls_policy
> file:
>
> /etc/postfix/tls_policy
>     [example.net]:587 encrypt protocols=TLSv1 ciphers=high
>
> Are the square brackets only required when the port to use is
> specified (i.e. in the previous example, when the destination was
> example.net with no port specified, I notice that the square brackets
> are left out) or is this syntax specifying something else?

The [] enclose a hostname which is to be looked up as a type A or
AAAA record.  Without the [] first a lookup of type MX is done, and
where found, prioritized lookups of further hostnames (A or AAAA)
would be done.

This is not specific to TLS, it is common to transport(5) and many
similar Postfix features.  The reason being, MX records exist to
control mail routing.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Syntax question for smtp mandatory TLS encryption

Wietse Venema
In reply to this post by J Doe
J Doe:
> Hi,
>
> I have a syntax question regarding configuring mandatory TLS encryption for the smtp process as listed on: www.postfix.org/TLS_README.html#client_tls
>
> In the second example on the page, square brackets are used when specifying the policy for specific destinations in the tls_policy file:
>
> /etc/postfix/tls_policy
>     [example.net]:587 encrypt protocols=TLSv1 ciphers=high

You need the [] and the :587 in the lookup key, if that is what you
specify as the destination in relayhost, transport_maps, etc.

        Wietse

Re: Syntax question for smtp mandatory TLS encryption

J Doe
Hi Wietse,

> On Oct 11, 2017, at 7:11 PM, Wietse Venema <[hidden email]> wrote:
>
> J Doe:
>> Hi,
>>
>> I have a syntax question regarding configuring mandatory TLS encryption for the smtp process as listed on: www.postfix.org/TLS_README.html#client_tls
>>
>> In the second example on the page, square brackets are used when specifying the policy for specific destinations in the tls_policy file:
>>
>> /etc/postfix/tls_policy
>>    [example.net]:587 encrypt protocols=TLSv1 ciphers=high
>
> You need the [] and the :587 in the lookup key, if that is what you
> specify as the destination in relayhost, transport_maps, etc.
>
>    Wietse

Thank you for your reply.

OK, I understand that I would need that if the hostname was specified in relayhost, etc., but I am still confused as to what the square brackets mean.

A previous reply to this thread from /dev/rob0 (thanks rob0), states:

“The [] enclose a hostname which is to be looked up as a type A or
AAAA record.  Without the [] first a lookup of type MX is done, and
where found, prioritized lookups of further hostnames (A or AAAA)
would be done.

This is not specific to TLS, it is common to transport(5) and many
similar Postfix features.  The reason being, MX records exist to
control mail routing.”

Does this mean that the square brackets determine the strategy for determining the address of the mail server?

Thanks,

- J

Re: Syntax question for smtp mandatory TLS encryption

Viktor Dukhovni
On Tue, Oct 17, 2017 at 11:03:46PM -0400, J Doe wrote:

> “The [] enclose a hostname which is to be looked up as a type A or
> AAAA record.  Without the [] first a lookup of type MX is done, and
> where found, prioritized lookups of further hostnames (A or AAAA)
> would be done.

That's what they mean as a nexthop destination via the transport
table or similar.

> This is not specific to TLS, it is common to transport(5) and many
> similar Postfix features.

The documentation for the TLS policy table clearly states that the
lookup key for the TLS policy is the *verbatim* nexthop.

So if the transport table reads:

    example.com smtp:[smtp.example.com]:smtp

Then the TLS policy entry for that would have to be:

    [smtp.example.com]:smtp   ...

exactly as specified in the transport table, or the actual source
of nexthop information.

--
        Viktor.

Re: Syntax question for smtp mandatory TLS encryption

Viktor Dukhovni


> On Oct 18, 2017, at 12:45 AM, Viktor Dukhovni <[hidden email]> wrote:
>
> The documentation for the TLS policy table clearly states that the
> lookup key for the TLS policy is the *verbatim* nexthop.

http://www.postfix.org/TLS_README.html#client_tls_policy

    The TLS policy table is indexed by the full next-hop destination,
    which is either the recipient domain, or the verbatim next-hop
    specified in the transport table, $local_transport, $virtual_transport,
    $relay_transport or $default_transport. This includes any enclosing
    square brackets and any non-default destination server port suffix.
    The LMTP socket type prefix (inet: or unix:) is not included in the
    lookup key.

The above leaves out content_filter or access(5) FILTER rules, as these
can also specify a non-default nexthop, but usually not one that's
subject to TLS encryption.  If you have a blanket encryption policy,
then you might actually need to exempt any loopback SMTP nexthop used
with content_filter and similar.

--
        Viktor.
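The practical risk in the rule Viktor quotes is a tls_policy entry that does not match the nexthop verbatim: Postfix then falls back to smtp_tls_security_level for that destination, and the intended "encrypt" or "secure" policy is silently never applied. Below is an added example (not code from the thread or from Postfix) that derives the expected tls_policy key from each transport(5) entry and reports entries without an exact match; the sample maps are constructed, and Postfix's parent-domain fallback for unbracketed domain keys is deliberately not modelled.

```python
import re

# Constructed sample transport(5) map (domain -> transport:nexthop), not from the thread.
TRANSPORT_MAP = """
example.com     smtp:[smtp.example.com]:smtp
example.net     smtp:[example.net]:587
example.org     smtp:
internal.test   lmtp:inet:lmtp.internal.test:24
"""

# Constructed sample tls_policy map with one deliberately mis-keyed entry:
# example.net:587 lacks the [] that the transport nexthop carries.
TLS_POLICY = """
[smtp.example.com]:smtp   encrypt
example.net:587           encrypt protocols=TLSv1 ciphers=high
example.org               secure
lmtp.internal.test:24     encrypt
"""

def parse_map(text):
    """Yield (key, value) pairs from a Postfix text map; blank and '#' lines skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")

def policy_key_for(domain, transport_value):
    """tls_policy lookup key for one transport entry, per the TLS_README text quoted
    in the thread: the verbatim nexthop including [] and any :port suffix, minus the
    LMTP inet:/unix: socket-type prefix; with no nexthop, the recipient domain."""
    transport, _, nexthop = transport_value.partition(":")
    if not nexthop:
        return domain
    if transport == "lmtp":
        nexthop = re.sub(r"^(inet|unix):", "", nexthop)
    return nexthop

def unmatched_destinations(transport_text, policy_text):
    """Return (domain, key) for transport entries whose key has no verbatim tls_policy
    match; such destinations silently get smtp_tls_security_level instead. Postfix's
    parent-domain fallback for unbracketed keys is not modelled here (simplification)."""
    policy_keys = {key for key, _ in parse_map(policy_text)}
    return [(domain, policy_key_for(domain, value))
            for domain, value in parse_map(transport_text)
            if policy_key_for(domain, value) not in policy_keys]
```

Running unmatched_destinations(TRANSPORT_MAP, TLS_POLICY) on the constructed maps flags only example.net, whose policy entry is keyed "example.net:587" while the transport nexthop is "[example.net]:587".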