don't use ADH in server-to-server


don't use ADH in server-to-server

Bastien Durel
Hello,

I have a setup where an MTA will forward mail to another node, based on
LDAP configuration.
It works well, but it uses ADH:

Received: from corrin.geekwu.org (unknown [87.98.180.13])
        (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
        for <[hidden email]>; Thu,  6 Jul 2017 01:52:53 +0200 (CEST)

I know I should not disable ADH on the public interface, but I'd like to
prevent it on the "private" interface (intra-cluster only), as "cluster"
nodes do communicate over the Internet.

The private interface is defined in master.cf:
26      inet    n       -       -       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o syslog_name=postfix/cluster
   -o smtpd_milters=
   -o check_policy_service=

but I did not succeed in fixing the cipher for this interface (something
like -osmtpd_tls_ciphers=ECDH+AES does not work ...)

Is there a way to do that?

Thanks,

--
Bastien

Re: don't use ADH in server-to-server

Wietse Venema
Bastien Durel:

> Hello,
>
> I have a setup where an MTA will forward mail to another node, based on
> LDAP configuration.
> It works well, but it uses ADH:
>
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
> (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
> for <[hidden email]>; Thu,  6 Jul 2017 01:52:53 +0200 (CEST)
>
> I know I should not disable ADH on the public interface, but I'd like to
> prevent it on the "private" interface (intra-cluster only), as "cluster"
> nodes do communicate over the Internet.
>
> The private interface is defined in master.cf:
> 26      inet    n       -       -       -       -       smtpd
>    -o smtpd_client_restrictions=permit_mynetworks,reject
>    -o syslog_name=postfix/cluster
>    -o smtpd_milters=
>    -o check_policy_service=
>
> but I did not succeed in fixing the cipher for this interface (something
> like -osmtpd_tls_ciphers=ECDH+AES does not work ...)

RTFM? As documented, smtpd_tls_ciphers takes a grade (such as
'medium' or 'export'). See 'smtpd_tls_mandatory_ciphers' for the
full list.

http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers

> Is there a way to do that?

The above links refer to, among other things,

http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers

This has an example for excluding anonymous ciphers.

        Wietse

Re: don't use ADH in server-to-server

Bastian Blank-3
In reply to this post by Bastien Durel
On Thu, Jul 06, 2017 at 01:03:03PM +0200, Bastien Durel wrote:
> I have a setup where an MTA will forward mail to another node, based on LDAP
> configuration.

> It works well, but it uses ADH
>
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
> (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
> for <[hidden email]>; Thu,  6 Jul 2017 01:52:53 +0200 (CEST)
>
> I know I should not disable ADH on the public interface, but I'd like to prevent
> it on the "private" interface (intra-cluster only), as "cluster" nodes do
> communicate over the Internet.

Just force authentication for this connection by setting
smtp_tls_security_level to an appropriate level:

- dane, with appropriate DNS entries
- dane-only
- fingerprint
- verify
- secure

You can also override this setting via smtp_tls_policy_maps.

Regards,
Bastian

--
Is truth not truth for all?
                -- Natira, "For the World is Hollow and I have Touched
                   the Sky", stardate 5476.4.

Re: don't use ADH in server-to-server

Viktor Dukhovni
In reply to this post by Bastien Durel

> On Jul 6, 2017, at 7:03 AM, Bastien Durel <[hidden email]> wrote:
>
> I have a setup where an MTA will forward mail to another node, based on LDAP configuration.
> It works well, but it uses ADH:
>
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
> (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
> for <[hidden email]>; Thu,  6 Jul 2017 01:52:53 +0200 (CEST)
>
> I know I should not disable ADH on the public interface, but I'd like to prevent it on the "private" interface (intra-cluster only), as "cluster" nodes do communicate over the Internet.

SMTP transport security policy is largely up to the client, not the
server.  See

        http://www.postfix.org/TLS_README.html#client_tls_limits
        http://www.postfix.org/TLS_README.html#client_tls_levels

The reason ADH is used is that the client is not bothering to authenticate
the server, and so does not bother to ask for a certificate it will anyhow
ignore.  If you want secure transport, you need to set the client TLS
security level to "secure", "fingerprint", "dane" or "dane-only".

        http://www.postfix.org/TLS_README.html#client_tls_secure
        http://www.postfix.org/TLS_README.html#client_tls_fprint
        http://www.postfix.org/TLS_README.html#client_tls_dane

--
        Viktor.
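As an added illustration of the advice in the two replies above (this is not code from the thread or from Postfix), a small Python check that reads Postfix smtp(8) client TLS log lines and flags sessions to a destination whose intended smtp_tls_security_level is an authenticating one (dane, dane-only, fingerprint, verify, secure) but which were logged as Anonymous or Untrusted or negotiated an ADH/AECDH suite; that is the condition the Received header in the first post reveals. The log lines, hostnames, IP addresses and policy-map content are constructed, and keying the policy by the logged server hostname is a simplification, since Postfix looks up smtp_tls_policy_maps by next-hop destination.

```python
import re

# Constructed smtp_tls_policy_maps content (destination  level), modelled on the
# thread: the intra-cluster peer must be authenticated via DANE, everyone else "may".
POLICY_MAP = """
# destination            level
arrakeen.geekwu.org      dane-only
"""
DEFAULT_LEVEL = "may"   # assumed global smtp_tls_security_level

# Levels at which smtp(8) authenticates the server; at these levels an Anonymous or
# Untrusted session, or an anonymous-DH suite, means the policy is not in force.
AUTHENTICATING = {"dane", "dane-only", "fingerprint", "verify", "secure"}

# Constructed log lines in the format Postfix smtp(8) uses for TLS sessions.
SAMPLE_LOG = """\
Jul  6 01:52:52 corrin postfix/smtp[2201]: Anonymous TLS connection established to arrakeen.geekwu.org[87.98.180.14]:26: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Jul  6 01:53:10 corrin postfix/smtp[2202]: Verified TLS connection established to arrakeen.geekwu.org[87.98.180.14]:26: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  6 01:54:00 corrin postfix/smtp[2203]: Untrusted TLS connection established to mx.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def is_anonymous_cipher(cipher):
    """OpenSSL names anonymous DH suites ADH-* and anonymous ECDH suites AECDH-*."""
    return cipher.startswith(("ADH-", "AECDH-"))

def parse_policy(text):
    """Return {destination: level} from policy-map text, skipping comments and blanks."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            dest, level = line.split()[:2]
            policy[dest] = level
    return policy

def audit(log_text, policy_text=POLICY_MAP, default_level=DEFAULT_LEVEL):
    """Flag sessions to destinations that should have been authenticated but were not."""
    policy = parse_policy(policy_text)
    findings = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        level = policy.get(m["host"], default_level)
        if level in AUTHENTICATING and (m["trust"] != "Verified" or is_anonymous_cipher(m["cipher"])):
            findings.append({"host": m["host"], "level": level, "trust": m["trust"], "cipher": m["cipher"]})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['host']}: policy {f['level']} but session was {f['trust']} with {f['cipher']}")
```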

Re: don't use ADH in server-to-server

Bastien Durel
On 06/07/2017 at 15:59, Viktor Dukhovni wrote:
> The reason ADH is used, is that the client is not bothering to authenticate
> the server, and so does not bother to ask for a certificate it will anyhow
> ignore.  If you want secure transport, you need to set the client TLS
> security level to "secure", "fingerprint", "dane" or "dane-only".
>
> http://www.postfix.org/TLS_README.html#client_tls_secure
> http://www.postfix.org/TLS_README.html#client_tls_fprint
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
dane-only in client config is what I needed, thanks :)

--
Bastien Durel