Right now postfix uses the policy "smtp_tls_security_level = may" when sending mail. My aim was to switch to "smtp_tls_security_level = secure". I'm sending all mail to a smarthost which offers good encryption, but I wanted to force the encryption. When I added that level "secure" to /etc/postfix/main.cf, mail was stuck in the queue because amavis and wallace won't do TLS. There is possibly more than one solution, one might be around smtp_tls_policy_maps, but I decided to go another route.

In /etc/postfix/master.cf we can follow the mail flow through postfix, amavis, and wallace. First the mail gets handed over to amavis due to:

content_filter = smtp-amavis:[127.0.0.1]:10024

Amavis is only listening on 127.0.0.1, so all communication is local. Amavis is also not offering TLS, and with the default policy "smtp_tls_security_level = may" it is perfectly valid and secure to not use TLS. With a level "secure" mail gets stuck in the postfix queue due to no working encryption. To work around that let's add "-o smtp_tls_security_level=none" to smtp-amavis in master.cf.

Now the mail flows to amavis, is processed there and delivered back to postfix via "127.0.0.1:10025" (also unencrypted). Again the port is only listening on localhost and it is fine to have no encryption. Once we want to enforce TLS for the smtpd part in postfix we would fail here. So let's add "-o smtpd_tls_security_level=none". It might be advisable to use "may" here to be prepared for amavis learning encryption in the future. I don't think that this will happen and use "none" here.

Once we've got the mail back from amavis it is sent to the next "-o content_filter=smtp-wallace:[127.0.0.1]:10026", i.e. wallace. Again only listening on localhost, so we again configure no encryption with "-o smtp_tls_security_level=none". Wallace injects the mail back into postfix via port 10027, which is also listening on localhost only. So also switch to "-o smtpd_tls_security_level=none" as I also don't think wallace will do encryption.

Now the mail flows through amavis and wallace unencrypted as before (policy "may" fell back to no TLS). We now don't even try that any longer, but can now switch to "smtp_tls_security_level = secure" in /etc/postfix/main.cf and still have mail getting through. We are now also prepared to maybe enforce TLS on the smtpd part of postfix, but that's something for another day.
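An added check, not part of this commit or of the Kolab templates, that models the stall described above: it parses the "-o" overrides from master.cf, follows the content_filter hops from main.cf and from each smtpd listener, and reports any loopback hop whose effective smtp_tls_security_level would still demand TLS, plus smtp_* overrides placed on an smtpd listener, where they have no effect. The master.cf text and main.cf values in it are constructed samples.

```python
import re

OPT = re.compile(r"-o\s+(\w+)=(\S*)")                       # "-o key=value"
FILTER = re.compile(r"([^:]+):\[?([^\]:]+)\]?(?::\d+)?$")    # transport:[host]:port
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}  # levels that require TLS
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_master(text):
    """Map service name -> {"cmd": daemon, "opts": {-o overrides}} from master.cf text."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():              # continuation line carrying -o overrides
            current["opts"].update(OPT.findall(line))
        else:                              # name type private unpriv chroot wakeup maxproc cmd
            fields = line.split()
            current = services.setdefault(fields[0], {"cmd": fields[7], "opts": {}})
    return services

def check_filters(master, main):
    """Findings: smtp_* overrides on smtpd listeners (no effect there) and content_filter
    hops to loopback whose effective smtp_tls_security_level would demand TLS."""
    findings, hops = [], [main.get("content_filter", "")]
    for name, svc in master.items():
        if svc["cmd"] == "smtpd":
            hops.append(svc["opts"].get("content_filter", ""))
            findings += [f"{name}: {k} is an smtp(8) setting, smtpd(8) ignores it"
                         for k in svc["opts"] if k.startswith("smtp_")]
    for m in filter(None, map(FILTER.match, hops)):
        transport, host = m.groups()
        svc = master.get(transport, {"opts": {}})   # unknown transport: main.cf values apply
        level = svc["opts"].get("smtp_tls_security_level") or main.get("smtp_tls_security_level", "may")
        if host in LOOPBACK and level in MANDATORY:
            findings.append(f"{transport}: level '{level}' towards {host} will strand mail in the queue")
    return findings

# Constructed sample: the amavis hop has the override, the wallace hop does not.
MASTER_CF = """\
smtp-amavis     unix  -  -  n  -  3    smtp
  -o smtp_bind_address=127.0.0.1
  -o smtp_tls_security_level=none
127.0.0.1:10025 inet  n  -  n  -  100  smtpd
  -o content_filter=smtp-wallace:[127.0.0.1]:10026
  -o smtp_tls_security_level=none
smtp-wallace    unix  -  -  n  -  3    smtp
"""
MAIN_CF = {"smtp_tls_security_level": "secure", "content_filter": "smtp-amavis:[127.0.0.1]:10024"}
```

On a real host, feed it the contents of /etc/postfix/master.cf and a dict built from "postconf smtp_tls_security_level content_filter"; the sample above yields one ignored-override finding for the 10025 listener and one stranded-mail finding for smtp-wallace.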
diff --git a/share/templates/master.cf.tpl b/share/templates/master.cf.tpl index 498d6b6..2f3b5af 100644 --- a/share/templates/master.cf.tpl +++ b/share/templates/master.cf.tpl @@ -68,6 +68,7 @@ smtp-amavis unix - - n - 3 smtp -o smtp_send_xforward_command=yes -o max_use=20 -o smtp_bind_address=127.0.0.1 + -o smtp_tls_security_level=none # Listener to re-inject email from Amavisd into Postfix 127.0.0.1:10025 inet n - n - 100 smtpd @@ -82,6 +83,8 @@ smtp-amavis unix - - n - 3 smtp -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o smtpd_tls_security_level=none + -o smtp_tls_security_level=none # Filter email through Wallace smtp-wallace unix - - n - 3 smtp @@ -90,6 +93,7 @@ smtp-wallace unix - - n - 3 smtp -o disable_dns_lookups=yes -o smtp_send_xforward_command=yes -o max_use=20 + -o smtp_tls_security_level=none # Listener to re-inject email from Wallace into Postfix 127.0.0.1:10027 inet n - n - 100 smtpd @@ -104,6 +108,7 @@ smtp-wallace unix - - n - 3 smtp -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o smtpd_tls_security_level=none recipient_policy unix - n n - - spawn user=kolab-n argv=$kolab_sap_executable_path --verify-recipient
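Review bot: in the smtp-amavis stanza (first hunk) "-o smtp_tls_security_level=none" is stricter than the stall requires; the commit message itself notes that "may" would keep working if amavis ever offered STARTTLS, and on a client bound to 127.0.0.1 ("smtp_bind_address=127.0.0.1" two lines above) opportunistic TLS that is not offered costs nothing. Suggest "may" here and in the smtp-wallace hunk, or at least a comment next to the line recording why "none" was chosen; "postconf -P smtp-amavis/unix/smtp_tls_security_level" confirms the override is read after the template is rendered.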
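Review bot: in the 127.0.0.1:10025 listener (second hunk) the added "-o smtp_tls_security_level=none" has no effect: that stanza runs smtpd, which does not read smtp_* client parameters, and the Wallace hop it feeds through "content_filter=smtp-wallace:[127.0.0.1]:10026" takes its client TLS level from the smtp-wallace stanza, which the third hunk already sets. Drop the line so the template does not suggest that overrides on a listener reach the next transport; "-o smtpd_tls_security_level=none" is the one that matters on this listener.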
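Review bot: the 127.0.0.1:10027 listener (last hunk) gets "-o smtpd_tls_security_level=none" without a comment saying why, and the stated plan is to raise smtpd_tls_security_level in main.cf later; extend "# Listener to re-inject email from Wallace into Postfix" with a note that the loopback re-injection listeners deliberately stay plaintext, so the next editor does not "fix" it back and strand the queue again. The "mynetworks=127.0.0.0/8" and "permit_mynetworks,reject" restrictions already in the stanza keep the listener reachable from localhost only, so the change does not widen exposure.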