Dear Viktor, dear readers
Thank you very much for your quick reply and insight. I went ahead and
disabled wrapper mode in master.cf (and there's no wrapper mode in
main.cf), and I still can't telnet to port 465, even though it's in use
in the container. When I try to do that, the connection is closed
immediately (44465 forwards to docker's 465):
telnet localhost 44465
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
This is what smtps looks like in master.cf
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=no
Are there other things to be enabled to allow this? How can I debug
this? postfix still doesn't print anything except when I do wrong
config, even though I attempted to enable debug printing at level 3 for
address 0.0.0.0/0.
On the other topic:
You've provided advice on security and I'd really appreciate it
expanding on that a little bit. First, no, haproxy doesn't provide
STARTTLS support, so it will be supporting only raw encryption for tcp
packets, which seems to be equivalent to "wrapper mode". So all network
packets will be encrypted. This is also extremely tempting for me
because I can centrally control encryption properties without touching
anything from the inside (like allowing specific ciphers, disabling
specific encryption protocols, etc), which I may need to do once every
few years without digging back into every different application.
Management is not error-prone like when handling many different
encryption configurations on the server.
With that in mind (and given also that I don't fully understand SASL, so
I may be missing something), why should postfix know about the security
properties of the connection? Why should it care? What kind of problem
are we trying to solve here? Because if all network packets going in and
out of the server are encrypted with haproxy, I guess, mission
accomplished, right? My plan is to pass port 465 straight to haproxy,
then haproxy does the encryption in and out. Ports 587 and 25 won't even
be exposed. I only need one port. What kind of scenario are we trying to
prevent?
Can you please also elaborate on the fragile security boundaries on
docker? Typically my bare-metals are fully firewalled (and even docker
port bindings are only on localhost). So the only access to postfix will
be through the port we allow (which seems to be 465). The user from the
outside won't notice the difference, but my hope is that this will make
migrations much easier, because I don't have time to keep doing this
again and again every time there's a potential security threat or some
kind of machine failure (which require me to migrate with minimal
effort, which happened recently, and I'm a software engineer running my
own little infrastructure with limited resources). What am I missing in
this plan?
Thank you again.
Best regards,
Sam
On 08/12/2022 1:30 AM, Viktor Dukhovni wrote:
On Wed, Dec 07, 2022 at 11:51:32PM +0400, Sam wrote:
I would like to run postfix in a docker container, and receive emails
through HaProxy with SSL termination. So the setup I would like to
achieve is:
It is generally preferrable to let Postfix do TLS-termination, so that
Postfix can be aware of the connection security properties, and e.g.
not offer SASL for cleartext connections.
Also, does "haproxy" support doing STARTTLS? On port 587 TLS does not
start at the beginning of the connection, but instead negotiated after
EHLO. I am not sure how haproxy handles that.
Is that even possible?
Yes. Postfix supports cleartext SMTP. You'd have disable wrapper-mode
TLS on port 465, disable STARTTLS on port 587, and not require TLS for
submission or SASL.
But why TLS termination at HaProxy specifically? Because the plan is to
only keep HaProxy with root access on bare-metal (and access to
certificates as root), while it wires all connections to internal ports.
I think you're optimising for the wrong security properties.
Containerised Postfix relies on much more fragile security boundaries
than Postfix running in a full VM.
I would not recommend this design.