TLSv1.2 only for auth connection

TLSv1.2 only for auth connection

Thomas Bourdon
Hi,

First of all, I apologize for my bad English.

I use postfix-3.3.1 and openssl-1.0.2.

Current SSL config: TLSv1.0 minimum is set for smtp and smtpd. TLSv1.2
minimum is set for submission/STARTTLS.

My goal: all auth connections must be done with TLSv1.2 minimum. Other
connections can be done with TLSv1.0 minimum.

If I use TLSv1.2 minimum everywhere, I can't send/receive mail to/from
mail providers still using TLSv1.0, so I had to set TLSv1.0 minimum. But I
want to allow auth connections from users of my SMTP/IMAP server with
TLSv1.2 minimum.

I already set up TLSv1.2 minimum for submission/STARTTLS. I thought
about disabling auth connections on port 465, but I don't want to force
my users to strictly use STARTTLS.

Is there a way to allow TLSv1.0 minimum for unauthenticated connections and
TLSv1.2 minimum for authenticated connections on port 465?

Have a nice day!

--
Thomas Bourdon

Re: TLSv1.2 only for auth connection

B. Reino
On Thu, 25 Oct 2018, Thomas Bourdon wrote:

> Is there a way to allow tlsv1.0 minimum for unauth connection and allow
> tlsv1.2 minimum for auth connection on port 465 ?

Why would you want unauthenticated connections on port 465 (smtps)?
It's AFAIK a submission port.


Re: TLSv1.2 only for auth connection

Thomas Bourdon
Because mail providers send mail to my SMTP server through this port,
don't they?

On 25.10.2018 15:00, B. Reino wrote:
> On Thu, 25 Oct 2018, Thomas Bourdon wrote:
>
>> Is there a way to allow tlsv1.0 minimum for unauth connection and
>> allow tlsv1.2 minimum for auth connection on port 465 ?
>
> Why would you want unauthenticated connections on port 465? (smtps).
> It's AFAIK a submission port.

--
Thomas Bourdon

Re: TLSv1.2 only for auth connection

B. Reino
On Thu, 25 Oct 2018, Thomas Bourdon wrote:

> Because mail providers send mail to my smtp server through this port, don't
> they ?
>
> On 25.10.2018 15:00, B. Reino wrote:
>> On Thu, 25 Oct 2018, Thomas Bourdon wrote:
>>
>>> Is there a way to allow tlsv1.0 minimum for unauth connection and allow
>>> tlsv1.2 minimum for auth connection on port 465 ?
>>
>> Why would you want unauthenticated connections on port 465? (smtps).
>> It's AFAIK a submission port.

SMTP<->SMTP is (should be) always on port 25, with or without STARTTLS.
Port 465 is submission in TLS wrapper mode, and port 587 is submission
(with or without STARTTLS).

I don't know if there are any SMTP clients (in the sense of the Postfix
smtp "client") using 465 for sending to an SMTP server (in the sense of
Postfix smtpd).


Re: TLSv1.2 only for auth connection

Matus UHLAR - fantomas
In reply to this post by Thomas Bourdon
>>On Thu, 25 Oct 2018, Thomas Bourdon wrote:
>>>Is there a way to allow tlsv1.0 minimum for unauth connection and
>>>allow tlsv1.2 minimum for auth connection on port 465 ?

>On 25.10.2018 15:00, B. Reino wrote:
>>Why would you want unauthenticated connections on port 465? (smtps).
>>It's AFAIK a submission port.

On 25.10.18 15:05, Thomas Bourdon wrote:
>Because mail providers send mail to my smtp server through this port,
>don't they ?

Well, do they? Are you sure?

Maybe port 465 was originally taken (by Microsoft, btw) for server-to-server
SMTP over SSL, but I don't think I ever saw anyone using it as such.

For now, many companies use port 465 as an authenticated submission-only port.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...

Re: TLSv1.2 only for auth connection

Thomas Bourdon
In reply to this post by B. Reino
Thank you guys for explaining to me how SMTP<->SMTP works. I set up TLSv1.0
minimum for SMTP<->SMTP and TLSv1.2 minimum for auth connections, and it
seems to be working. :)
Thanks again!

On 25.10.2018 15:10, B. Reino wrote:

> On Thu, 25 Oct 2018, Thomas Bourdon wrote:
>
>> Because mail providers send mail to my smtp server through this port,
>> don't they ?
>>
>> On 25.10.2018 15:00, B. Reino wrote:
>>> On Thu, 25 Oct 2018, Thomas Bourdon wrote:
>>>
>>>> Is there a way to allow tlsv1.0 minimum for unauth connection and
>>>> allow tlsv1.2 minimum for auth connection on port 465 ?
>>>
>>> Why would you want unauthenticated connections on port 465? (smtps).
>>> It's AFAIK a submission port.
>
> SMTP<->SMTP is (should be) always on port 25, with or without STARTTLS.
> Port 465 is submission with TLS wrapper-mode, and port 587 is
> submission (with or without STARTTLS).
>
> I don't know if there are any smtp clients (in the sense of postfix
> smtp "client") using 465 for sending to a smtp server (in the sense of
> postfix smtpd..)

--
Thomas Bourdon

Re: TLSv1.2 only for auth connection

Bastien Durel
In reply to this post by Matus UHLAR - fantomas
On Thursday, 25 October 2018 at 15:31 +0200, Matus UHLAR - fantomas
wrote:
> maybe port 465 was originally taken (by microsoft, btw) for server-
> to-server
> smtp over ssl, but I think I ever saw anyone using it as such.
>
> for now, many companies use port 465 as authenticated submission-only
> port.
It used to be SMTP over SSL (ssmtp), published by IANA in 1997.
I used (configured) it in the 2000s, although it had already been deprecated
by IANA for a few years (in 1998). I retired it last year as RFC 8314
was planned to replace it by submission over TLS. I did get a mail
(spam) on it every few days though.

--
Bastien


Re: TLSv1.2 only for auth connection

Wietse Venema
In reply to this post by Thomas Bourdon
Thomas Bourdon:

> Hi,
>
> First of all, I apologize for my bad english.
>
> I use postfix-3.3.1 and openssl-1.0.2.
>
> Actual ssl config : tlsv1.0 minimum is set for smtp and smtpd. tlsv1.2
> minimum is set for submission/starttls.
>
> My goal : All auth connections must be done with tlsv1.2 minimum. Others
> connections can be done with tlsv1.0 minimum.
>
> If I use tlsv1.2 minimum everywhere, I can't send/receive mail to/from
> mail provider still using tlsv1.0 so I had to set tlsv1.0 minimum. But I
> want to allow auth connections from users of my smtp/imap server with
> tlsv1.2 minimum.
>
> I already set up tlsv1.2 minimum for submission/starttls. I thought
> about disable auth connection using 465 port but I don't want to force
> my users to strictly use starttls.
>
> Is there a way to allow tlsv1.0 minimum for unauth connection and allow
> tlsv1.2 minimum for auth connection on port 465 ?

Usually, AUTH is done on the submission or smtps ports, and non-AUTH
on port 25. If you want different TLS policies for different inbound
SMTP connections, you can specify different settings in master.cf.

        Wietse
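The per-service split Wietse describes, written out as an added example (this is not configuration from the thread or from the Postfix project): the `smtp` service on port 25 keeps the TLSv1.0 floor the poster needs for peer MTAs and has AUTH disabled, while the `submission` (587) and `smtps` (465) services override the protocol floor to TLSv1.2 and accept mail only from authenticated clients over TLS. Service names follow the stock master.cf; the `syslog_name` values and the restriction lists are assumptions. Because Postfix 3.3.1 with OpenSSL 1.0.2 predates the `>=TLSv1.2` protocol syntax (Postfix 3.6 and later), the floor is expressed by excluding the older protocols.

```conf
# main.cf (excerpt): these defaults govern the "smtp" service on port 25,
# which relays with peer MTAs and therefore keeps a TLSv1.0 floor.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
# No AUTH on port 25; credentials are accepted only on the two services below.
smtpd_sasl_auth_enable = no

# master.cf (excerpt): per-service "-o" overrides raise the floor to TLSv1.2
# only where users authenticate. Values must contain no whitespace.
# Exclusion syntax is what Postfix 3.3 / OpenSSL 1.0.2 understands;
# ">=TLSv1.2" is only available from Postfix 3.6.
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Verify each listener from outside with openssl s_client: `openssl s_client -connect mail.example.com:465 -tls1` must fail the handshake while `-tls1_2` succeeds, and `openssl s_client -starttls smtp -connect mail.example.com:25 -tls1` should still negotiate, since port 25 deliberately keeps the lower floor. On 587, `smtpd_tls_auth_only=yes` makes smtpd withhold the AUTH capability until STARTTLS has completed, so a client cannot send credentials in the clear; on 465 the TLS wrapper already guarantees that. The `smtpd_sasl_auth_enable = no` default matters too: with AUTH unavailable on port 25, there is no authenticated session on the service that still permits TLSv1.0.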

Re: TLSv1.2 only for auth connection

@lbutlr
In reply to this post by Thomas Bourdon
On Oct 25, 2018, at 06:08, Thomas Bourdon <[hidden email]> wrote:
>
> My goal : All auth connections must be done with tlsv1.2 minimum. Others connections can be done with tlsv1.0 minimum.

This is fine. Authentication on port 25 is often simply opportunistic and does not imply identity, only securing the data transfer. You could even allow SSL on port 25 as long as you force submission to your TLSv1.2 connection on 587 or 465.

--
This is my signature. There are many like it, but this one is mine.

Re: TLSv1.2 only for auth connection

@lbutlr
On Oct 25, 2018, at 15:04, @lbutlr <[hidden email]> wrote:
> Authentication port 25 is often simply opportunistic

Sorry. I meant to type encryption, not authentication.

--
This is my signature. There are many like it, but this one is mine.


Re: TLSv1.2 only for auth connection

Thomas Bourdon
In reply to this post by Wietse Venema
That's what I do, it works perfectly.
Thanks.

On 25.10.2018 19:39, Wietse Venema wrote:

> Thomas Bourdon:
>> Hi,
>>
>> First of all, I apologize for my bad english.
>>
>> I use postfix-3.3.1 and openssl-1.0.2.
>>
>> Actual ssl config : tlsv1.0 minimum is set for smtp and smtpd. tlsv1.2
>> minimum is set for submission/starttls.
>>
>> My goal : All auth connections must be done with tlsv1.2 minimum.
>> Others
>> connections can be done with tlsv1.0 minimum.
>>
>> If I use tlsv1.2 minimum everywhere, I can't send/receive mail to/from
>> mail provider still using tlsv1.0 so I had to set tlsv1.0 minimum. But
>> I
>> want to allow auth connections from users of my smtp/imap server with
>> tlsv1.2 minimum.
>>
>> I already set up tlsv1.2 minimum for submission/starttls. I thought
>> about disable auth connection using 465 port but I don't want to force
>> my users to strictly use starttls.
>>
>> Is there a way to allow tlsv1.0 minimum for unauth connection and
>> allow
>> tlsv1.2 minimum for auth connection on port 465 ?
>
> Usually, AUTH is done on the submission or smtps ports, and non-AUTH
> on port 25. If you want different TLS policies for different inbound
> SMTP connections, you can specify different settings in master.cf.
>
> Wietse

--
Thomas Bourdon