policy server, TLS only exceptions and restrictions


policy server, TLS only exceptions and restrictions

Stefan Bauer-2
Hi,

we have enforced TLS to all remote sites and have an appropriate TLS policy server that checks if TLS is available before accepting mails. That works as expected. We also only accept users with auth.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_recipient_restrictions = check_policy_service unix:private/policy

policy server returns dunno or defer...

Now the problem:

for some destinations, we are aware that TLS fails, so we skip checking and set a "may" policy for specific users/destinations. However, this setting seems to have no effect anymore when we enable check_policy_service.

master.cf (snippet):
finance  unix -       -       n       -       -       smtp
smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

tls/finance:
remote-site.de may
The policy server responds with defer... and the custom smtp_tls_policy_maps are ignored.

How to work around this?

thank you.

Stefan


Re: policy server, TLS only exceptions and restrictions

Matus UHLAR - fantomas
On 04.01.19 14:44, Stefan Bauer wrote:

>we have enforced TLS to all remote sites and have an appropriate TLS policy
>server that checks if TLS is available before accepting mails. That works as
>expected. We also only accept users with auth.
>
>smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>reject_unauth_destination
>
>smtpd_recipient_restrictions = check_policy_service unix:private/policy
>
>policy server returns dunno or defer...
>
>Now the problem:
>
>for some destinations, we are aware that TLS fails, so we skip checking
>and set a "may" policy for specific users/destinations. However, this setting
>seems to have no effect anymore when we enable check_policy_service.
>
>master.cf (snippet):
>finance  unix -       -       n       -       -       smtp
>smtp_tls_policy_maps=hash:/etc/postfix/tls/finance
>
>tls/finance:
>remote-site.de may
>
>The policy server responds with defer... and the custom smtp_tls_policy_maps are
>ignored.
>
>How to work around this?

It looks to me that you are searching for a connection between smtpd_recipient_restrictions
and smtp_tls_policy_maps, and there is none.

The "check_policy_service private/policy" communicates via the unix socket
private/policy (apparently in the Postfix directory) with an external program that
tells smtpd what to do.

If you want your policy server to return dunno for the sending domain
"remote-site.de", your policy server must look in the /etc/postfix/tls/finance
table for the remote-site.de domain.

The policy server doesn't look at your "smtp_tls_policy_maps" settings;
usually it does not read the Postfix configuration at all.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
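The separation Matus describes is the whole problem: check_policy_service runs inside smtpd at RCPT time, smtp_tls_policy_maps is read by the smtp(8) client at delivery time, and nothing joins the two. The exemption therefore has to be duplicated in the policy server. The following is an added example, not code from the thread or from Postfix: a minimal policy delegation server that parses the same table source that sits behind hash:/etc/postfix/tls/finance and returns dunno for any destination whose entry is "may" or "none", deferring only when no exemption exists and a STARTTLS probe fails. Assumptions not taken from the thread: the table file format is the plain-text source of the hash map, the probe is injected as a callable (so the decision logic can be exercised offline), and the socket and table paths under `__main__` are placeholders. A real deployment with several per-user transports would pick the table from the request's `sasl_username` attribute, the same key a sender-dependent transport selection uses; this example keeps a single table.

```python
# Added example (not from the thread or Postfix): a policy delegation server
# that honours the per-transport smtp_tls_policy_maps exemptions at RCPT time.
import smtplib
import socketserver
from typing import Callable, Dict, Optional

PolicyTable = Dict[str, str]


def parse_policy_request(raw: str) -> Dict[str, str]:
    """One request in the Postfix policy delegation protocol: 'name=value'
    lines terminated by an empty line (values may themselves contain '=')."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    return attrs


def load_tls_policy_table(text: str) -> PolicyTable:
    """Parse smtp_tls_policy_maps source text: 'key policy [attr=value ...]'
    per line; '#' comments and blank lines are skipped, keys lower-cased."""
    table: PolicyTable = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"table line without a policy: {line!r}")
        table[fields[0].lower()] = fields[1].lower()
    return table


def lookup_tls_policy(domain: str, table: PolicyTable) -> Optional[str]:
    """Models the smtp(8) client's lookup order for a next-hop domain: the
    domain itself first, then parent domains written with a leading dot."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def decide(request: Dict[str, str], table: PolicyTable,
           starttls_offered: Callable[[str], bool]) -> str:
    """Return the 'action=' value for one smtpd_access_policy request."""
    domain = request.get("recipient", "").rpartition("@")[2]
    if not domain:
        return "dunno"  # no recipient yet (earlier protocol stage); not our call
    policy = lookup_tls_policy(domain, table)
    if policy in ("none", "may"):
        return "dunno"  # explicit exemption, mirroring what the smtp client does
    if starttls_offered(domain):
        return "dunno"
    # defer_if_permit lets a later reject (e.g. unknown recipient) take precedence
    return f"defer_if_permit 4.7.4 No STARTTLS offered by {domain}"


def starttls_offered(domain: str, timeout: float = 10.0) -> bool:
    """Live probe: does the host's EHLO reply advertise STARTTLS?  Assumed
    simplification: connects to the domain's own address record; a production
    probe must resolve the MX records first (the stdlib cannot)."""
    try:
        with smtplib.SMTP(domain, 25, timeout=timeout) as conn:
            conn.ehlo("policy-probe.invalid")
            return conn.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return False


def serve(socket_path: str, table: PolicyTable) -> None:
    """Answer requests on a unix socket; reference it from check_policy_service
    with an absolute unix: path (private/<name> is for master.cf services)."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self) -> None:
            while True:  # Postfix may send several requests per connection
                raw = ""
                while True:
                    line = self.rfile.readline()
                    if not line:
                        return
                    raw += line.decode("utf-8", "replace")
                    if line == b"\n":
                        break
                action = decide(parse_policy_request(raw), table, starttls_offered)
                self.wfile.write(f"action={action}\n\n".encode())
                self.wfile.flush()

    with socketserver.UnixStreamServer(socket_path, Handler) as server:
        server.serve_forever()


if __name__ == "__main__":  # placeholder paths, adjust to the installation
    with open("/etc/postfix/tls/finance") as fh:
        serve("/var/spool/postfix/private/tlspolicy", load_tls_policy_table(fh.read()))
```

Because the server reads the same source file the smtp client's hash map is built from, a "may" entry added for a failing destination exempts it in both places at once; the two still drift if the .db is rebuilt with postmap and the daemon is not restarted, so reload both together.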

Re: policy server, TLS only exceptions and restrictions

Stefan Bauer-2
Understood. Thank you.


Re: policy server, TLS only exceptions and restrictions

Viktor Dukhovni
In reply to this post by Matus UHLAR - fantomas
> On Jan 4, 2019, at 9:10 AM, Matus UHLAR - fantomas <[hidden email]> wrote:
>
> It looks to me that you are searching for a connection between smtpd_recipient_restrictions
> and smtp_tls_policy_maps, and there is none.
>
> The "check_policy_service private/policy" communicates via the unix socket
> private/policy (apparently in the Postfix directory) with an external program that
> tells smtpd what to do.
>
> If you want your policy server to return dunno for the sending domain
> "remote-site.de", your policy server must look in the /etc/postfix/tls/finance
> table for the remote-site.de domain.
>
> The policy server doesn't look at your "smtp_tls_policy_maps" settings;
> usually it does not read the Postfix configuration at all.

This is where recipient verification has an advantage over a policy
service.  For SASL authenticated users, who can relay outbound, the
OP could replace the policy service with a recipient verification
callout:

   smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

   smtpd_recipient_restrictions =
        permit_auth_destination,
        reject_unverified_recipient

This *is* sensitive to outbound TLS policy, because recipient
verification uses outbound SMTP connections to probe for TLS
support, and will fail where TLS is mandated and not available.

Of course, static configurations that are reflected in both the
policy service and the SMTP TLS policy yield more predictable,
if not always up-to-date, behaviour.

--
        Viktor.


Re: policy server, TLS only exceptions and restrictions

Stefan Bauer-2
Great idea, but recipient verification is not something remote servers really like.


Re: policy server, TLS only exceptions and restrictions

Benny Pedersen-2
In reply to this post by Stefan Bauer-2
Stefan Bauer skrev den 2019-01-04 14:44:

> master.cf (snippet):
> finance  unix -       -       n       -       -       smtp
>
> smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

add -o before smtp_tls....
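Putting Benny's fix next to the snippet from the original post, as an added example rather than configuration taken from the thread: a per-service parameter override in master.cf is an indented continuation line of the service entry that starts with -o; a bare name=value line is not an option override for the finance service, so the per-transport table was never in effect. The thread does not show how mail is steered into the finance transport, so the sender_dependent_default_transport_maps entry and the finance@corp.example address below are assumptions.

```conf
# master.cf as posted: without -o this line is not an override for the
# "finance" service, so its smtp_tls_policy_maps is never consulted
finance  unix -       -       n       -       -       smtp
smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

# master.cf corrected: the override is an indented continuation line that
# starts with -o; the mandatory smtp_tls_security_level stays global in main.cf
finance  unix -       -       n       -       -       smtp
  -o smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

# /etc/postfix/tls/finance (source text; rebuild the .db with
# "postmap hash:/etc/postfix/tls/finance" after every change)
remote-site.de  may

# main.cf, assumption: route the finance users' mail through that transport
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# /etc/postfix/sender_transport (source text; assumed address, postmap it too)
finance@corp.example  finance:
```

Confirm that Postfix sees the override with `postconf -P finance/unix/smtp_tls_policy_maps` and that the table resolves with `postmap -q remote-site.de hash:/etc/postfix/tls/finance`. Note that this only changes what the smtp client does at delivery time; a policy server queried from smtpd_recipient_restrictions still has to apply the same exemption itself, or the message is deferred at RCPT before the finance transport is ever used.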