smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Stefan Bauer-2
Hi,

i noticed the following today. Is this part of the standard?

For recipient domain:

MX 5 mx1.recipient.com - does not support TLS and refused delivery with temp error
MX 10 mx2.recipient.com - does support TLS and took the mail

Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host mx1.recipient.com[1.2.3.4]
Sep 18 10:36:29 Untrusted TLS connection established to mx2.recipient.com[5.4.3.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

smtp_delivery_status_filter was in place for above temp error, but it was not mapped to permanent error (which makes sense to me.
Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Wietse Venema
Stefan Bauer:
> Hi,
>
> i noticed the following today. Is this part of the standard?

There is no standard that requires TLS for MTA-to-MTA deliveries.

> For recipient domain:
>
> MX 5 mx1.recipient.com - does not support TLS and refused delivery with
> temp error
> MX 10 mx2.recipient.com - does support TLS and took the mail
>
> Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host
> mx1.recipient.com[1.2.3.4]
> Sep 18 10:36:29 Untrusted TLS connection established to
> mx2.recipient.com[5.4.3.2]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> smtp_delivery_status_filter was in place for above temp error, but it was
> not mapped to permanent error (which makes sense to me.

What is the problem?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Stefan Bauer-2
I was expecting that the mail would bounce as the first MX refuses to talk TLS and i mapped that to a perm error. But postfix skips the one with temporary/temp error and delivered to the second that offered TLS.


Am Di., 18. Sep. 2018 um 14:36 Uhr schrieb Wietse Venema <[hidden email]>:
Stefan Bauer:
> Hi,
>
> i noticed the following today. Is this part of the standard?

There is no standard that requires TLS for MTA-to-MTA deliveries.

> For recipient domain:
>
> MX 5 mx1.recipient.com - does not support TLS and refused delivery with
> temp error
> MX 10 mx2.recipient.com - does support TLS and took the mail
>
> Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host
> mx1.recipient.com[1.2.3.4]
> Sep 18 10:36:29 Untrusted TLS connection established to
> mx2.recipient.com[5.4.3.2]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> smtp_delivery_status_filter was in place for above temp error, but it was
> not mapped to permanent error (which makes sense to me.

What is the problem?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Matus UHLAR - fantomas
On 18.09.18 14:43, Stefan Bauer wrote:
>I was expecting that the mail would bounce as the first MX refuses to talk
>TLS and i mapped that to a perm error. But postfix skips the one with
>temporary/temp error and delivered to the second that offered TLS.

I think your logic is flawed. the SSL handshake can fail because of many
(temporary) reasons. If you just want to generate problems, you can try to
make that error permanent.

But the fact that secondary MX does allow TLS should mean that you were able
to pass the message to recipient server via TLS, so what's the point of
generating permanent error in this case? This is exactly what backup MX
servers are for...

>Am Di., 18. Sep. 2018 um 14:36 Uhr schrieb Wietse Venema <
>[hidden email]>:
>
>> Stefan Bauer:
>> > Hi,
>> >
>> > i noticed the following today. Is this part of the standard?
>>
>> There is no standard that requires TLS for MTA-to-MTA deliveries.
>>
>> > For recipient domain:
>> >
>> > MX 5 mx1.recipient.com - does not support TLS and refused delivery with
>> > temp error
>> > MX 10 mx2.recipient.com - does support TLS and took the mail
>> >
>> > Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host
>> > mx1.recipient.com[1.2.3.4]
>> > Sep 18 10:36:29 Untrusted TLS connection established to
>> > mx2.recipient.com[5.4.3.2]:25:
>> > TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> >
>> > smtp_delivery_status_filter was in place for above temp error, but it was
>> > not mapped to permanent error (which makes sense to me.
>>
>> What is the problem?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Stefan Bauer-2
my point is that i already map this error to a perm one but in this case a backup mx was avail that was tls aware and was used in a second attempt. i like the noticed behavior but asked, why it is like that. expected perm error and bounce like when no backup mx avail.

Am Dienstag, 18. September 2018 schrieb Matus UHLAR - fantomas :

> On 18.09.18 14:43, Stefan Bauer wrote:
>>
>> I was expecting that the mail would bounce as the first MX refuses to talk
>> TLS and i mapped that to a perm error. But postfix skips the one with
>> temporary/temp error and delivered to the second that offered TLS.
>
> I think your logic is flawed. the SSL handshake can fail because of many
> (temporary) reasons. If you just want to generate problems, you can try to
> make that error permanent.
>
> But the fact that secondary MX does allow TLS should mean that you were able
> to pass the message to recipient server via TLS, so what's the point of
> generating permanent error in this case? This is exactly what backup MX
> servers are for...
>
>> Am Di., 18. Sep. 2018 um 14:36 Uhr schrieb Wietse Venema <
>> [hidden email]>:
>>
>>> Stefan Bauer:
>>> > Hi,
>>> >
>>> > i noticed the following today. Is this part of the standard?
>>>
>>> There is no standard that requires TLS for MTA-to-MTA deliveries.
>>>
>>> > For recipient domain:
>>> >
>>> > MX 5 mx1.recipient.com - does not support TLS and refused delivery with
>>> > temp error
>>> > MX 10 mx2.recipient.com - does support TLS and took the mail
>>> >
>>> > Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host
>>> > mx1.recipient.com[1.2.3.4]
>>> > Sep 18 10:36:29 Untrusted TLS connection established to
>>> > mx2.recipient.com[5.4.3.2]:25:
>>> > TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>> >
>>> > smtp_delivery_status_filter was in place for above temp error, but it was
>>> > not mapped to permanent error (which makes sense to me.
>>>
>>> What is the problem?
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
>
Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Viktor Dukhovni
In reply to this post by Stefan Bauer-2
> On Sep 18, 2018, at 5:58 AM, Stefan Bauer <[hidden email]> wrote:
>
> I noticed the following today. Is this part of the standard?

You should have asked "is this expected behaviour in Postfix"?  And the
answer is "yes".

> For recipient domain:
>
> MX 5 mx1.recipient.com - does not support TLS and refused delivery with temp error
> MX 10 mx2.recipient.com - does support TLS and took the mail
>
> Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host mx1.recipient.com[1.2.3.4]
> Sep 18 10:36:29 Untrusted TLS connection established to mx2.recipient.com[5.4.3.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> smtp_delivery_status_filter was in place for above temp error, but it
> was not mapped to permanent error (which makes sense to me.

This is because "smtp_delivery_status_filter" applies to the *final* status
of a recipient once all the applicable MX hosts have been tried:

   http://www.postfix.org/postconf.5.html#default_delivery_status_filter

   Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
   recipient: when delivery is successful, when delivery is rejected with
   5XX, or when there are no more alternate MX or A destinations. Use
   smtp_reply_filter or lmtp_reply_filter to inspect responses for all
   delivery attempts.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Stefan Bauer-2
thank you. this is awesome!

Am Dienstag, 18. September 2018 schrieb Viktor Dukhovni :

>> On Sep 18, 2018, at 5:58 AM, Stefan Bauer <[hidden email]> wrote:
>>
>> I noticed the following today. Is this part of the standard?
>
> You should have asked "is this expected behaviour in Postfix"?  And the
> answer is "yes".
>
>> For recipient domain:
>>
>> MX 5 mx1.recipient.com - does not support TLS and refused delivery with temp error
>> MX 10 mx2.recipient.com - does support TLS and took the mail
>>
>> Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host mx1.recipient.com[1.2.3.4]
>> Sep 18 10:36:29 Untrusted TLS connection established to mx2.recipient.com[5.4.3.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> smtp_delivery_status_filter was in place for above temp error, but it
>> was not mapped to permanent error (which makes sense to me.
>
> This is because "smtp_delivery_status_filter" applies to the *final* status
> of a recipient once all the applicable MX hosts have been tried:
>
>    http://www.postfix.org/postconf.5.html#default_delivery_status_filter
>
>    Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
>    recipient: when delivery is successful, when delivery is rejected with
>    5XX, or when there are no more alternate MX or A destinations. Use
>    smtp_reply_filter or lmtp_reply_filter to inspect responses for all
>    delivery attempts.
>
> --
>         Viktor.
>
>
Reply | Threaded
Open this post in threaded view
|

Re: smtp_tls_security_level = encrypt and MX-serves with mixed support for encryption

Viktor Dukhovni
On Tue, Sep 18, 2018 at 08:43:16PM +0200, Stefan Bauer wrote:

> thank you. this is awesome!

Yes, it is.  Credit to Wietse for consistently taking the time to
think Postfix features through, and designing their semantics and
interface with care.

The choice to apply the delivery just filter once per-recipient is
one result of care in the Postfix design.

Postfix gives you high-level controls that are implemented securely,
do the right thing, are not fragile, offer good performance, and
have a human-readable user-interface.

--
        Viktor.