I just set up a new server with the latest ASSP, Postfix, Dovecot on Ubuntu 18.04 Bionic.  It's been a while since I had to adjust parameters, since things have Just Worked for quite a while.  But now...

TLS really gave me a headache - I believe some default behaviors changed in Postfix that may have caught me.  But now that I'm functional I'll ask about optimizing.  Some key config items:

listenPort=25
SMTPDestination=127.0.0.1:125
listenPort2=587
smtpAuthServer=SSL:127.0.0.1:126
noAuthListenPorts=25
AuthrequireTLS=ALL
EnforceAuth=yes
DoTLS=do TLS
SSL_version=SSLv23:!SSLv3:!SSLv2
NoTLSlistenPorts=25

And the Postfix key items + listeners:

smtpd_tls_security_level=may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

127.0.0.1:125 inet n    -       y       -       -       smtpd
  -o syslog_name=assp
  -o smtpd_proxy_filter=

127.0.0.1:126 inet n    -       y       -       -       smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=

So the above works - my internal and authorized external clients can send as needed and I now seem to be receiving properly. However, a couple of things bother me.  First, some remote senders (primarily anything hosted via Microsoft's outlook.com) seem to have a problem sending to me until I set "NoTLSlistenPorts=25". So...I'm assuming Microsoft, and some others, are either using old SSL/TLS versions or requiring newer versions.  So...is there a better way to handle this than simply "giving up" on allowing TLS for non-authenticated senders to my server?  Do I need to list pairings of special sender domains with TLS protocols somewhere?

Second, the "forced" nature of the submission path with Postfix set with "smtpd_tls_wrappermode=yes" and ASSP set with "smtpAuthServer=SSL:127.0.0.1:126" seems like a workaround.  Or is this in fact a correct method if indeed I want SSL-only authentication?  I feel like I should simply be able to leave ASSP configured with "AuthrequireTLS=ALL" and "EnforceAuth=yes" - while leaving "smtpAuthServer=" so ASSP enforces the TLS usage and Postfix, given the global "smtpd_tls_security_level=may", would adjust accordingly.  I believe that was the way my prior server operated - but it's not functioning that way for me now.

--
Daniel
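As an added check, not part of the post above and not code from the ASSP or Postfix projects: a small POSIX shell script that uses `openssl s_client` to report which TLS protocol version each listener from the posted configuration actually negotiates, and whether AUTH is advertised inside the TLS session. The port layout (25 = STARTTLS through ASSP, 587 = submission, 126 = Postfix wrappermode) is taken from the post; `HOST`, the function names and the sample output used to test the parsers are my own assumptions. It needs only `openssl` and `awk`.

```shell
#!/bin/sh
# Added example (not from the post, not ASSP/Postfix code): probe each SMTP
# listener with `openssl s_client` and report the TLS version it negotiates.
# Assumes: openssl and awk on PATH; port layout from the post
# (25 = STARTTLS via ASSP, 587 = submission, 126 = Postfix wrappermode).
# HOST and the function names are this example's own choices.

# Parse `openssl s_client` output on stdin. Prints the negotiated protocol
# (e.g. "TLSv1.2") or "none" when no handshake completed. A failed handshake
# still prints an SSL-Session block, so "Cipher is (NONE)" is the reliable tell.
tls_version_from_output() {
    awk '
        /Cipher is \(NONE\)/ { failed = 1 }
        /^ *Protocol *:/     { proto = $3 }
        END {
            if (failed || proto == "") print "none"; else print proto
        }'
}

# Does the EHLO reply read from stdin advertise AUTH? Exit status 0 = yes.
# With AuthrequireTLS=ALL this should hold on 587 only inside the TLS
# session, and never on a noAuth/NoTLS port such as 25.
auth_advertised() {
    grep -q '^250[- ]AUTH'
}

# probe MODE PORT [VERSION_FLAG]
#   MODE is "starttls" (EHLO/STARTTLS upgrade) or "wrapper" (implicit TLS,
#   as with Postfix smtpd_tls_wrappermode=yes on 126).
#   VERSION_FLAG is an s_client flag such as -tls1, -tls1_1, -tls1_2 or
#   -tls1_3; empty means "let the client pick".
probe() {
    mode=$1; port=$2; flag=${3:-}
    case "$mode" in
        starttls) extra="-starttls smtp" ;;
        wrapper)  extra="" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    # Send a second EHLO inside the TLS session so the AUTH advertisement is
    # visible, then QUIT. -ign_eof keeps s_client reading until the server
    # closes after 221. Connection/handshake errors are reported as "none".
    out=$(printf 'EHLO probe.example\r\nQUIT\r\n' |
          openssl s_client -connect "$HOST:$port" $extra $flag -ign_eof 2>/dev/null || true)
    proto=$(printf '%s\n' "$out" | tls_version_from_output)
    if printf '%s\n' "$out" | auth_advertised; then auth=yes; else auth=no; fi
    printf '%-8s port %-4s %-8s -> %-8s AUTH offered: %s\n' \
        "$mode" "$port" "${flag:-default}" "$proto" "$auth"
}

# The matrix that matters for the questions in the post: which versions does
# port 25 still accept from an unauthenticated sender, and does the 587/126
# submission path only offer AUTH once TLS is up?
run_all() {
    for v in "" -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe starttls 25  "$v"
        probe starttls 587 "$v"
    done
    probe wrapper 126
}

# Only probe when a host is given, e.g. `sh tlsprobe.sh mail.example.net`
# (run on the server itself for the localhost-only 126 listener); without
# arguments the file just defines the functions.
if [ -n "${1:-}" ]; then
    HOST=$1
    run_all
fi
```

Read the output per port: a "none" for `-tls1_2` on port 25 while `default` succeeds would mean a modern sender that insists on TLS 1.2 cannot talk to that listener, which is the symptom described; "none" for `-tls1` or `-tls1_1` may also mean the local OpenSSL build refuses those versions (check `openssl s_client -help`), so confirm with a second client before drawing conclusions about the server side. For the submission path, AUTH should show as `no` on port 25 and `yes` on 587 and 126 only after the handshake.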



_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test