
Update postfix master.cf template for possibly better TLS
Open, Low, Public

Description

Right now postfix uses the policy "smtp_tls_security_level = may" when
sending mail. My aim was to switch to "smtp_tls_security_level = secure".
I'm sending all mail to a smarthost which offers good encryption,
but I wanted to force the encryption.
When I added that level "secure" to /etc/postfix/main.cf, mail
was stuck in the queue because amavis and wallace won't do TLS.

There is possibly more than one solution, one might be around
smtp_tls_policy_maps, but I decided to go another route.
In /etc/postfix/master.cf we can follow the mail flow through
postfix, amavis, and wallace. First the mail gets handed
over to amavis due to:

content_filter = smtp-amavis:[127.0.0.1]:10024

Amavis is only listening on 127.0.0.1, so all communication is local.
Amavis is also not offering TLS and with the default policy
"smtp_tls_security_level = may" it is perfectly valid and secure
to not use TLS. With a level "secure", mail gets stuck in the
postfix queue due to no working encryption. To work around that
let's add "-o smtp_tls_security_level=none" to smtp-amavis in master.cf.

Now the mail flows to amavis, is processed there and delivered
back to postfix via "127.0.0.1:10025" (also unencrypted). Again
the port is only listening on localhost and it is fine to have
no encryption. Once we want to enforce TLS for the smtpd part in
postfix we would fail here. So let's add "-o smtpd_tls_security_level=none".

It might be advisable to use "may" here to be prepared for
amavis in the future learning encryption. I don't think
that this will happen and use "none" here.

Once we've got the mail back from amavis it is sent to the next
"-o content_filter=smtp-wallace:[127.0.0.1]:10026", i.e. wallace.
Again only listening on localhost, so we again configure
no encryption with "-o smtp_tls_security_level=none".

Wallace injects the mail back into postfix via port 10027,
which is also listening on localhost only. So
switch also to "-o smtpd_tls_security_level=none" as I
also don't think wallace will do encryption.

Now the mail flows through amavis and wallace unencrypted
as before (policy "may" fell back to no TLS).
We now don't even try that any longer, but can now switch
to "smtp_tls_security_level = secure" in /etc/postfix/main.cf
and still have mail getting through.

We are now also prepared to maybe enforce TLS on the smtpd
part of postfix, but that's something for another day.

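The rule the description relies on, that a TLS level of `none` is only acceptable on a hop that never leaves the loopback interface, can be checked mechanically. The script below is an added example, not part of this task or of the Kolab templates: it parses master.cf service entries with their `-o` overrides (assuming the standard eight-column service line layout), follows `content_filter` targets to see where a TLS-less smtp transport actually delivers, and also flags `smtp_*` overrides placed on an smtpd service, where Postfix ignores them. The sample master.cf fragment is constructed, with a deliberately non-loopback listener as a negative case.

```python
import re
# Constructed master.cf fragment (not the task's template); the last
# listener is a deliberately bad case that the audit should catch.
SAMPLE_MASTER_CF = """\
127.0.0.1:10025     inet  n  -  n  -  100 smtpd
    -o content_filter=smtp-wallace:[127.0.0.1]:10026
    -o smtpd_tls_security_level=none
    -o smtp_tls_security_level=none
smtp-wallace        unix  -  -  n  -  3   smtp
    -o smtp_tls_security_level=none
0.0.0.0:10029       inet  n  -  n  -  -   smtpd
    -o smtpd_tls_security_level=none
"""
# service line: name type private unpriv chroot wakeup maxproc command [args]
SERVICE_RE = re.compile(r"^(\S+)\s+(inet|unix|fifo|pass)\s+(?:\S+\s+){5}(\S+)")
OPTION_RE = re.compile(r"^\s+-o\s+([^=\s]+)=(\S+)")
FILTER_RE = re.compile(r"^([^:]+):(?:\[([^\]]+)\]|([^:]+)):\d+$")  # transport:[host]:port

def is_loopback(host):
    host = host.strip("[]")
    return host in ("localhost", "::1") or host.startswith("127.")

def parse_master_cf(text):
    """Return [(name, type, command, {param: value})], one tuple per service."""
    services = []
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            services.append((m.group(1), m.group(2), m.group(3), {}))
        elif (m := OPTION_RE.match(line)) and services:
            services[-1][3][m.group(1)] = m.group(2)  # -o lines belong to the last service
    return services

def audit_tls_overrides(text):
    """Flag 'none' TLS overrides that are misplaced or not confined to loopback."""
    services = parse_master_cf(text)
    next_hops = {}  # smtp transport name -> hosts a content_filter routes it to
    for _, _, _, opts in services:
        if m := FILTER_RE.match(opts.get("content_filter", "")):
            next_hops.setdefault(m.group(1), set()).add(m.group(2) or m.group(3))
    findings = []
    for name, stype, cmd, opts in services:
        smtp_none = opts.get("smtp_tls_security_level") == "none"
        smtpd_none = opts.get("smtpd_tls_security_level") == "none"
        if smtp_none and cmd != "smtp":  # smtp_* params are read by smtp(8) only
            findings.append(f"{name}: smtp_* override on a {cmd} service is a no-op")
        if smtp_none and not all(is_loopback(h) for h in next_hops.get(name, ())):
            findings.append(f"{name}: TLS disabled but a content_filter routes it off loopback")
        if smtpd_none and stype == "inet" and not is_loopback(name.rsplit(":", 1)[0]):
            findings.append(f"{name}: cleartext-only listener is not bound to loopback")
    return findings
```

Run `audit_tls_overrides(open("/etc/postfix/master.cf").read())` against a real file; an empty list means every `none` override sits on a loopback-only hop.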
diff --git a/share/templates/master.cf.tpl b/share/templates/master.cf.tpl
index 498d6b6..2f3b5af 100644
--- a/share/templates/master.cf.tpl
+++ b/share/templates/master.cf.tpl
@@ -68,6 +68,7 @@ smtp-amavis         unix        -       -       n       -       3       smtp
     -o smtp_send_xforward_command=yes
     -o max_use=20
     -o smtp_bind_address=127.0.0.1
+    -o smtp_tls_security_level=none

 # Listener to re-inject email from Amavisd into Postfix
 127.0.0.1:10025     inet        n       -       n       -       100     smtpd
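Review bot: the added `-o smtp_tls_security_level=none` on smtp-amavis needs a one-line comment in the template saying why it overrides the `secure` level the task wants in main.cf (amavis offers no TLS and the hop is loopback-only, see `smtp_bind_address=127.0.0.1` right above it); without that, a later reader will take it for an oversight and "fix" it. The task description itself weighs `may` for this line, which costs nothing on loopback and would pick up TLS if amavis ever offers it, so record the chosen value and the reason here.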
@@ -82,6 +83,8 @@ smtp-amavis         unix        -       -       n       -       3       smtp
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+    -o smtpd_tls_security_level=none
+    -o smtp_tls_security_level=none

 # Filter email through Wallace
 smtp-wallace        unix        -       -       n       -       3       smtp
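Review bot: the second added line, `-o smtp_tls_security_level=none`, is a no-op on this `127.0.0.1:10025 ... smtpd` service: a `-o` override only affects the service it is listed under, and `smtp_*` parameters are read by the smtp(8) client, not by smtpd(8). The wallace hop it is meant for gets the setting on the `smtp-wallace` transport in the next hunk, so drop it here rather than leave a line that suggests it does something. `-o smtpd_tls_security_level=none` is the effective addition and is fine for a loopback-bound listener restricted to `permit_mynetworks` with `mynetworks=127.0.0.0/8`.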
@@ -90,6 +93,7 @@ smtp-wallace        unix        -       -       n       -       3       smtp
     -o disable_dns_lookups=yes
     -o smtp_send_xforward_command=yes
     -o max_use=20
+    -o smtp_tls_security_level=none

 # Listener to re-inject email from Wallace into Postfix
 127.0.0.1:10027     inet        n       -       n       -       100     smtpd
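Review bot: unlike the smtp-amavis entry, the visible context of this smtp-wallace service shows no `smtp_bind_address=127.0.0.1`, so the only thing keeping this now TLS-less transport on the host is the `[127.0.0.1]:10026` target of the `content_filter` on the 10025 listener. Add a comment on the new line stating that the level is `none` only because the next hop is loopback, so that someone later pointing the filter at a remote wallace does not end up sending cleartext without noticing.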
@@ -104,6 +108,7 @@ smtp-wallace        unix        -       -       n       -       3       smtp
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+    -o smtpd_tls_security_level=none

 recipient_policy    unix        -       n       n       -       -       spawn
     user=kolab-n argv=$kolab_sap_executable_path --verify-recipient
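Review bot: consistent with the 10025 listener, but `smtpd_tls_security_level=none` means this listener stops offering STARTTLS altogether, so the guard that keeps the cleartext path local is the `permit_mynetworks,reject` and `mynetworks=127.0.0.0/8` pair two lines above together with the 127.0.0.1 bind; a comment tying the three together would help. The commit message should also state the point of the change, that main.cf can now move to `smtp_tls_security_level = secure` without affecting these loopback services, and that a future stricter global `smtpd_tls_security_level` leaves the re-injection listeners working.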

Details

Ticket Type
Task