Re: Using TLS for certain domains

2013-06-13 Thread polloxx
We wanted to test TLS and we've found this one: http://www.checktls.com/

Thanks to the list for all the help.


On Wed, Jun 12, 2013 at 8:05 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 On 6/12/2013 10:53 AM, polloxx wrote:
  Thanks Wietse.
  Can we test this setup?
 

 If you're asking how to test your TLS, use the openssl s_client.

 openssl s_client -connect se.rv.er.ip:port -starttls smtp


 If it's working, you'll get several screens full of connection info
 and certificate exchange, probably including some unable to verify
 messages you should ignore.  The last thing displayed should be:

 250 DSN

 which tells that TLS is working.  Type
 quit
 to exit back to your shell.



   -- Noel Jones



Re: Using TLS for certain domains

2013-06-12 Thread polloxx
I use vim to edit the Postfix config. What should I use?


On Tue, Jun 11, 2013 at 10:28 PM, Viktor Dukhovni 
postfix-us...@dukhovni.org wrote:

 On Tue, Jun 11, 2013 at 09:34:38PM +0200, polloxx wrote:

  no luck yet.
 
  local_header_rewrite_clients = static:all  smtp_tls_CAfile =
  /etc/postfix/cacert.pemsmtp_tls_session_cache_database =
   btree:/mailout/var/spool/postfix/smtp_tls_session_cache
   smtp_tls_security_level = maysmtp_use_tls = yessmtpd_tls_CAfile
 =
  /etc/postfix/cacert.pemsmtpd_tls_cert_file =
  /etc/postfix/company-cert.pemsmtpd_tls_key_file =
  /etc/postfix/company-key.pemsmtpd_tls_received_header = yes
   smtpd_tls_session_cache_database =
   btree:/mailin/var/spool/postfix/smtpd_tls_session_cache
   smtpd_tls_security_level = maysmtpd_use_tls = yes

 There's your problem, this is all just one big single setting.  Don't
 edit Postfix configuration files with editors that display CR as
 a new line.

 --
 Viktor.



Re: Using TLS for certain domains

2013-06-12 Thread Wietse Venema
polloxx:
 local_header_rewrite_clients = static:all  smtp_tls_CAfile =
 /etc/postfix/cacert.pemsmtp_tls_session_cache_database =
  btree:/mailout/var/spool/postfix/smtp_tls_session_cache
  smtp_tls_security_level = maysmtp_use_tls = yessmtpd_tls_CAfile
 =
 /etc/postfix/cacert.pemsmtpd_tls_cert_file =
 /etc/postfix/company-cert.pemsmtpd_tls_key_file =
 /etc/postfix/company-key.pemsmtpd_tls_received_header = yes
  smtpd_tls_session_cache_database =
  btree:/mailin/var/spool/postfix/smtpd_tls_session_cache
  smtpd_tls_security_level = maysmtpd_use_tls = yes

Victor:
 There's your problem, this is all just one big single setting.  Don't
 edit Postfix configuration files with editors that display CR as
 a new line.

polloxx:
 I use vim to edit the Postfix config. What should I use?

The above text was word-wrapped. vim does that only when
you tell it to.

The above should be formatted as:

local_header_rewrite_clients = static:all  
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_session_cache_database = 
btree:/mailout/var/spool/postfix/smtp_tls_session_cache 
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/company-cert.pem
smtpd_tls_key_file = /etc/postfix/company-key.pem
smtpd_tls_received_header = yes 
smtpd_tls_session_cache_database = 
btree:/mailin/var/spool/postfix/smtpd_tls_session_cache 
smtpd_tls_security_level = may
smtpd_use_tls = yes

Wietse
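
As an added example (not code from the thread or from Postfix), a small checker for the failure mode diagnosed above: a main.cf saved with bare CR line separators, which Postfix reads as one logical line, so every setting after the first becomes part of the first setting's value. The sample file below is constructed from the parameters posted in the thread; the parser is a simplified model of the postconf(5) rules (a logical line starts with non-whitespace, a line starting with whitespace continues the previous one, "#" lines are comments, and only LF ends a physical line). It also emits the `postconf -e` commands that write main.cf without going through an editor at all, which is the route that eventually worked for the original poster.

```python
"""Lint a Postfix main.cf for the failure in the thread: a file saved with
bare CR line separators, which Postfix reads as a single logical line, so
twelve settings collapse into one value of local_header_rewrite_clients.

Added example, not code from the thread or from Postfix. The sample file
below is constructed from the parameters posted in the thread; the parser
is a simplified model of Postfix's rules (a logical line starts with
non-whitespace, a line starting with whitespace continues the previous one,
'#' lines are comments, and only LF ends a physical line).
"""
import re
import shlex
from typing import Dict, List

# Constructed: the settings from the thread, joined with bare CR instead of LF,
# which is what an editor that displays CR as a line break would have written.
THREAD_SETTINGS = [
    "local_header_rewrite_clients = static:all",
    "smtp_tls_CAfile = /etc/postfix/cacert.pem",
    "smtp_tls_session_cache_database = btree:/mailout/var/spool/postfix/smtp_tls_session_cache",
    "smtp_tls_security_level = may",
    "smtp_use_tls = yes",
    "smtpd_tls_CAfile = /etc/postfix/cacert.pem",
    "smtpd_tls_cert_file = /etc/postfix/company-cert.pem",
    "smtpd_tls_key_file = /etc/postfix/company-key.pem",
    "smtpd_tls_received_header = yes",
    "smtpd_tls_session_cache_database = btree:/mailin/var/spool/postfix/smtpd_tls_session_cache",
    "smtpd_tls_security_level = may",
    "smtpd_use_tls = yes",
]
GARBLED_MAIN_CF = ("\r".join(THREAD_SETTINGS) + "\r").encode()

_ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", re.S)
# Heuristic: 'name =' appearing *inside* a value almost always means several
# settings were fused into one, as in the thread.
_EMBEDDED = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*=")


def logical_lines(data: bytes) -> List[str]:
    """Split on LF only (a CR is ordinary data) and join continuation lines."""
    text = data.decode("utf-8", errors="replace")
    out: List[str] = []
    for phys in text.split("\n"):
        if not phys.strip() or phys.lstrip().startswith("#"):
            continue
        if phys[0] in " \t" and out:       # continuation of the previous logical line
            out[-1] += " " + phys.strip()
        else:
            out.append(phys.rstrip(" \t"))
    return out


def lint_main_cf(data: bytes) -> Dict[str, object]:
    """Report CR bytes, fused assignments, duplicates and unparseable lines."""
    params: Dict[str, str] = {}
    duplicates: List[str] = []
    embedded: Dict[str, List[str]] = {}
    unparseable: List[str] = []
    for line in logical_lines(data):
        m = _ASSIGNMENT.match(line)
        if not m:
            unparseable.append(line[:60])
            continue
        name, value = m.group(1), m.group(2)
        if name in params:
            duplicates.append(name)       # Postfix keeps the last definition
        params[name] = value
        fused = _EMBEDDED.findall(value)
        if fused:
            embedded[name] = fused
    return {
        "cr_bytes": data.count(b"\r"),
        "params": params,
        "duplicates": duplicates,
        "embedded": embedded,
        "unparseable": unparseable,
    }


def normalize_line_endings(data: bytes) -> bytes:
    """CRLF and bare CR -> LF, the repair to apply before re-running the lint."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def as_postconf_commands(params: Dict[str, str]) -> List[str]:
    """postconf -e rewrites main.cf itself, so no editor can re-introduce CRs."""
    return [f"postconf -e {shlex.quote(f'{name} = {value}')}"
            for name, value in params.items()]


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GARBLED_MAIN_CF
    report = lint_main_cf(raw)
    print(f"{report['cr_bytes']} CR byte(s); {len(report['params'])} parameter(s) parsed")
    for name, fused in report["embedded"].items():
        print(f"{name}: value contains {len(fused)} other assignment(s): {fused}")
    for cmd in as_postconf_commands(lint_main_cf(normalize_line_endings(raw))["params"]):
        print(cmd)
```

Run against a real file with `python3 lint_main_cf.py /etc/postfix/main.cf`; with no argument it lints the constructed sample, which parses as a single parameter whose value carries eleven other assignments, and then prints the twelve `postconf -e` commands recovered after normalizing the line endings.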


Re: Using TLS for certain domains

2013-06-12 Thread polloxx
Thanks to all of you.
Now it works, although set nowrap in vim did not solve the issue. I had
to add the parameters using postconf -e.
Is this normal?

Now I see 250-STARTTLS when I telnet to the server on port 25.
Is there another way to test if the setup works?


On Wed, Jun 12, 2013 at 2:46 PM, Wietse Venema wie...@porcupine.org wrote:

 polloxx:
  local_header_rewrite_clients = static:all  smtp_tls_CAfile =
  /etc/postfix/cacert.pemsmtp_tls_session_cache_database =
   btree:/mailout/var/spool/postfix/smtp_tls_session_cache
   smtp_tls_security_level = maysmtp_use_tls = yessmtpd_tls_CAfile
  =
  /etc/postfix/cacert.pemsmtpd_tls_cert_file =
  /etc/postfix/company-cert.pemsmtpd_tls_key_file =
  /etc/postfix/company-key.pemsmtpd_tls_received_header = yes
   smtpd_tls_session_cache_database =
   btree:/mailin/var/spool/postfix/smtpd_tls_session_cache
   smtpd_tls_security_level = maysmtpd_use_tls = yes

 Victor:
  There's your problem, this is all just one big single setting.  Don't
  edit Postfix configuration files with editors that display CR as
  a new line.

 polloxx:
  I use vim to edit the Postfix config. What should I use?

 The above text was word-wrapped. vim does that only when
 you tell it to.

 The above should be formatted as:

 local_header_rewrite_clients = static:all
 smtp_tls_CAfile = /etc/postfix/cacert.pem
 smtp_tls_session_cache_database =
 btree:/mailout/var/spool/postfix/smtp_tls_session_cache
 smtp_tls_security_level = may
 smtp_use_tls = yes
 smtpd_tls_CAfile = /etc/postfix/cacert.pem
 smtpd_tls_cert_file = /etc/postfix/company-cert.pem
 smtpd_tls_key_file = /etc/postfix/company-key.pem
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_database =
 btree:/mailin/var/spool/postfix/smtpd_tls_session_cache
 smtpd_tls_security_level = may
 smtpd_use_tls = yes

 Wietse



Re: Using TLS for certain domains

2013-06-12 Thread Wietse Venema
polloxx:
 Thanks to all of you.
 Now it works, although set nowrap in vim did not solve the issue. I had
 to add the parameters using postconf -e.
 Is this normal?

set nowrap has no effect after the text is already wrapped.

Wietse


Re: Using TLS for certain domains

2013-06-12 Thread polloxx
Thanks Wietse.
Can we test this setup?


On Wed, Jun 12, 2013 at 5:29 PM, Wietse Venema wie...@porcupine.org wrote:

 polloxx:
  Thanks to all of you.
  Now it works, although set nowrap in vim did not solve the issue. I had
  to add the parameters using postconf -e.
  Is this normal?

 set nowrap has no effect after the text is already wrapped.

 Wietse



Re: Using TLS for certain domains

2013-06-12 Thread Wietse Venema
polloxx:
 Thanks to all of you.
 Now it works, although set nowrap in vim did not solve the issue. I had
 to add the parameters using postconf -e.
 Is this normal?

Wietse:
 set nowrap has no effect after the text is already wrapped.

polloxx:
 Thanks Wietse.
 Can we test this setup?

If you mean that set nowrap in vim did not put the line breaks
back, then that is to be expected.

If you mean that set nowrap in vim removes line breaks, then that
is a question for vim users/faqs/maintainers.

Wietse


Re: Using TLS for certain domains

2013-06-12 Thread Ansgar Wiechers
On 2013-06-12 Wietse Venema wrote:
 If you mean that set nowrap in vim did not put the line breaks
 back, then that is to be expected.
 
 If you mean that set nowrap in vim removes line breaks, then that
 is a question for vim users/faqs/maintainers.

FTR: set wrap or set nowrap don't add or remove any linebreaks. They
just modify how the text is displayed.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Using TLS for certain domains

2013-06-12 Thread Noel Jones
On 6/12/2013 10:53 AM, polloxx wrote:
 Thanks Wietse.
 Can we test this setup?
 

If you're asking how to test your TLS, use the openssl s_client.

openssl s_client -connect se.rv.er.ip:port -starttls smtp


If it's working, you'll get several screens full of connection info
and certificate exchange, probably including some unable to verify
messages you should ignore.  The last thing displayed should be:

250 DSN

which tells that TLS is working.  Type
quit
to exit back to your shell.



  -- Noel Jones


Re: Using TLS for certain domains

2013-06-11 Thread polloxx
Thanks for the answers. Till now with no success.
One of the things: In http://www.postfix.org/TLS_README.html#quick-start there
is
smtp_tls_session_cache_database =
btree:/mailin/var/spool/postfix/smtp_tls_session_cache
(/mailin/var/spool/postfix/ is my inbound queue directory)

When I try to send a mail I get the following error in the log:
Jun 11 16:53:45 smtp6 postfix-in/smtpd[25014]: fatal: open database
/mailin/var/spool/postfix/smtp_tls_session_cache.db: No such file or
directory

what do I miss here?



On Sat, Jun 8, 2013 at 8:56 AM, LuKreme krem...@kreme.com wrote:

 On 07 Jun 2013, at 21:17 , Nikolas Kallis n...@nikolaskallis.com wrote:
  It's not true that there is no benefit to using an SSL certificate from a CA.
  Some MTAs will reject connecting to a remote host if it cannot validate
  its security credentials from a CA.

 Are you sure about that? I've *never* seen a TLS session abort because of a
 self-signed cert, and I checked the logs rather closely when I enabled TLS.
 Certainly none of the big mailers do.


 --
 These are my rules, I make 'em up. ~George Carlin




Re: Using TLS for certain domains

2013-06-11 Thread Viktor Dukhovni
On Tue, Jun 11, 2013 at 05:01:42PM +0200, polloxx wrote:

 Thanks for the answers. Till now with no success.
 One of the things: In http://www.postfix.org/TLS_README.html#quick-start there
 is
 smtp_tls_session_cache_database =
 btree:/mailin/var/spool/postfix/smtp_tls_session_cache
 (/mailin/var/spool/postfix/ is my inbound queue directory)

Firstly this setting is for outgoing mail, for incoming mail:

smtpd_tls_session_cache_database =
btree:/mailin/var/spool/postfix/smtpd_tls_session_cache

make sure the database files for smtp and smtpd are distinct.

 When I try to send a mail I get the following error in the log:
 Jun 11 16:53:45 smtp6 postfix-in/smtpd[25014]: fatal: open database
 /mailin/var/spool/postfix/smtp_tls_session_cache.db: No such file or
 directory
 
 what do I miss here?

Your version of Postfix must be ancient.  The session cache database
is opened by the tlsmgr not smtpd.

Post postconf -n output and the output of:

postconf mail_version mail_release_date

-- 
Viktor.


Re: Using TLS for certain domains

2013-06-11 Thread polloxx
no luck yet.

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

alternate_config_directories = /etc/postfix-out

append_dot_mydomain = no

biff = no

body_checks = regexp:/etc/postfix/body_checks

bounce_queue_lifetime = 1d

config_directory = /etc/postfix

disable_vrfy_command = yes

header_checks = regexp:/etc/postfix/header_checks

inet_interfaces = $myhostname

local_header_rewrite_clients = static:all  smtp_tls_CAfile =
/etc/postfix/cacert.pemsmtp_tls_session_cache_database =
 btree:/mailout/var/spool/postfix/smtp_tls_session_cache
 smtp_tls_security_level = maysmtp_use_tls = yessmtpd_tls_CAfile =
/etc/postfix/cacert.pemsmtpd_tls_cert_file =
/etc/postfix/company-cert.pemsmtpd_tls_key_file =
/etc/postfix/company-key.pemsmtpd_tls_received_header = yes
 smtpd_tls_session_cache_database =
 btree:/mailin/var/spool/postfix/smtpd_tls_session_cache
 smtpd_tls_security_level = maysmtpd_use_tls = yes

mailbox_command =

mailbox_size_limit = 0

masquerade_domains = company.be

max_use = 75

maximal_queue_lifetime = 2d

message_size_limit = 2524

mydestination = hex-alfa-06, localhost.localdomain, localhost.localdomain,
localhost

mydomain = smtp6.company.be

myhostname = smtp6.company.be

mynetworks = 192.168.0.0/16 127.0.0.0/8, 10.0.0.0/8, 62.213.207.0/26,
62.213.195.208/28, 193.105.36.0/24

myorigin = company.be

queue_directory = /mailin/var/spool/postfix

recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

recipient_delimiter = +

relay_domains = mysql:/etc/postfix/mysql-relay_domains.cf

relayhost =

sender_canonical_maps = mysql:/etc/postfix/mysql-sender_canonical.cf

smtpd_banner = $myhostname ESMTP $mail_name

smtpd_data_restrictions = reject_unauth_pipelining,permit

smtpd_helo_required = yes

smtpd_recipient_restrictions = reject_unauth_destination,
 check_recipient_access mysql:/etc/postfix/mysql-recipient-access.cf

smtpd_restriction_classes = strong, moderate, weak, no, restrictsenders,
strong_restrictrecip, moderate_restrictrecip, weak_restrictrecip

smtpd_sender_restrictions =

syslog_facility = local1

syslog_name = postfix-in

transport_maps = mysql:/etc/postfix/mysql-transport.cf




smtp6:/etc/postfix# postconf mail_release_date

mail_release_date = 20100608

smtp6:/etc/postfix# postconf mail_version

mail_version = 2.7.1

smtp6:/etc/postfix#


On Tue, Jun 11, 2013 at 5:14 PM, Viktor Dukhovni postfix-us...@dukhovni.org
 wrote:

 On Tue, Jun 11, 2013 at 05:01:42PM +0200, polloxx wrote:

  Thanks for the answers. Till now with no success.
  One of the things: In 
  http://www.postfix.org/TLS_README.html#quick-startthere
  is
  smtp_tls_session_cache_database =
  btree:/mailin/var/spool/postfix/smtp_tls_session_cache
  (/mailin/var/spool/postfix/ is my inbound queue directory)

 Firstly this setting is for outgoing mail, for incoming mail:

 smtpd_tls_session_cache_database =
 btree:/mailin/var/spool/postfix/smtpd_tls_session_cache

 make sure the database files for smtp and smtpd are distinct.

  When I try to send a mail I get the following error in the log:
  Jun 11 16:53:45 smtp6 postfix-in/smtpd[25014]: fatal: open database
  /mailin/var/spool/postfix/smtp_tls_session_cache.db: No such file or
  directory
 
  what do I miss here?

 Your version of Postfix must be ancient.  The session cache database
 is opened by the tlsmgr not smtpd.

 Post postconf -n output and the output of:

 postconf mail_version mail_release_date

 --
 Viktor.



Re: Using TLS for certain domains

2013-06-11 Thread Viktor Dukhovni
On Tue, Jun 11, 2013 at 09:34:38PM +0200, polloxx wrote:

 no luck yet.
 
 local_header_rewrite_clients = static:all  smtp_tls_CAfile =
 /etc/postfix/cacert.pemsmtp_tls_session_cache_database =
  btree:/mailout/var/spool/postfix/smtp_tls_session_cache
  smtp_tls_security_level = maysmtp_use_tls = yessmtpd_tls_CAfile =
 /etc/postfix/cacert.pemsmtpd_tls_cert_file =
 /etc/postfix/company-cert.pemsmtpd_tls_key_file =
 /etc/postfix/company-key.pemsmtpd_tls_received_header = yes
  smtpd_tls_session_cache_database =
  btree:/mailin/var/spool/postfix/smtpd_tls_session_cache
  smtpd_tls_security_level = maysmtpd_use_tls = yes

There's your problem, this is all just one big single setting.  Don't
edit Postfix configuration files with editors that display CR as
a new line.

-- 
Viktor.


Re: Using TLS for certain domains

2013-06-08 Thread LuKreme
On 07 Jun 2013, at 21:17 , Nikolas Kallis n...@nikolaskallis.com wrote:
 It's not true that there is no benefit to using an SSL certificate from a CA. Some
 MTAs will reject connecting to a remote host if it cannot validate its
 security credentials from a CA.

Are you sure about that? I've *never* seen a TLS session abort because of a
self-signed cert, and I checked the logs rather closely when I enabled TLS.
Certainly none of the big mailers do.


-- 
These are my rules, I make 'em up. ~George Carlin



Re: Using TLS for certain domains

2013-06-07 Thread Noel Jones
On 6/7/2013 1:40 PM, polloxx wrote:
 Dear list,
 
 We need to implement TLS for one of our customers using our Postfix
 infrastructure (serving multiple domains) for inbound mail. The
 final delivery for that domain is an Exchange server, but we have an
 anti-virus server in front of that Exchange:  internet ->
 postfix-relay -> AV-filter -> Exchange.
 
 So we need to enable TLS at our postfix-relay. Let's say our server
 is called server.ourdomain.tld, and the customer domain is
 customerdomain.tld.
 Do we need a cert for server.ourdomain.tld, or for customerdomain.tld?

First read http://www.postfix.org/TLS_README.html
http://www.postfix.org/TLS_README.html#server_vrfy_client

As a general rule, MTAs do opportunistic anonymous TLS, meaning that
TLS is automatically used if both sides support it, but the identity
of neither the sender nor receiver is checked. This is sufficient to
prevent casual eavesdropping or packet snooping, and works fine with
a self-signed certificate. A purchased certificate provides no
additional security in this situation.

If you have end-users connecting directly to your postfix box,
either to submit mail (postfix as an MSA), or to retrieve mail (via
IMAP or POP server software on the same box), a purchased
certificate is helpful so the end-users don't get various untrusted
server errors in their desktop mail software.  For this use, a
low-cost certificate (godaddy, rapidssl, etc.) provides the same
level of encryption as a high-dollar certificate (verisign, etc.).

If you need to verify who you're talking to (secure channel), please
see:
http://www.postfix.org/TLS_README.html#server_vrfy_client
http://www.postfix.org/TLS_README.html#client_tls_secure
This does have some limitations, described in the referenced docs.


 Can we add multiple domains using TLS in the future?

For opportunistic TLS, there is nothing more to do; all servers and
clients that support TLS will automatically use TLS. For
secure-channel TLS, there is some manual configuration for each
domain you wish to support.



 
 Is this possible?
 Can you point me to some good how-to? 

For the general use case, just enable TLS as described in
http://www.postfix.org/TLS_README.html#quick-start
then set both smtp_tls_security_level and smtpd_tls_security_level
to may and TLS will just start working.



  -- Noel Jones
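
The distinction drawn above (opportunistic TLS encrypts but authenticates nobody, so the "unable to verify" output of `openssl s_client -starttls smtp` is expected at level `may`) is what the probe below makes visible. It is an added example, not code from the thread or from Postfix: a Python client that does what `openssl s_client -connect host:port -starttls smtp` does (EHLO, STARTTLS, EHLO again) and can be run either opportunistically, accepting any certificate the way an MTA at `smtp_tls_security_level = may` would, or with full chain and hostname verification, the behaviour a `secure` policy would demand. The hostname and the captured EHLO reply in the block are constructed; the parser for the multi-line 250 reply is what the offline test exercises.

```python
"""STARTTLS probe for an SMTP server, the programmatic equivalent of
`openssl s_client -connect host:25 -starttls smtp`.

Added example, not code from the thread or from Postfix. The hostname and
the captured EHLO reply below are constructed for illustration.
"""
import json
import re
import smtplib
import ssl
import sys
from typing import Dict, Optional

# Constructed: what a telnet session to a Postfix server might show after EHLO.
SAMPLE_EHLO_REPLY = (
    "250-smtp6.company.be\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 2524\r\n"
    "250-STARTTLS\r\n"
    "250 DSN\r\n"
)

_EHLO_LINE = re.compile(r"^250[- ](\S+)\s*(.*)$")


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Turn a multi-line 250 reply into {EXTENSION: parameters}.

    Every line but the last reads '250-<ext>'; the last reads '250 <ext>'
    (space), so the final line of a successful probe is simply whichever
    extension the server lists last ('250 DSN' on the server in the thread).
    """
    lines = reply.replace("\r\n", "\n").strip().split("\n")
    extensions: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the server's greeting/hostname
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        extensions[m.group(1).upper()] = m.group(2)
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply carries a '250-STARTTLS' line."""
    return "STARTTLS" in parse_ehlo_reply(reply)


def tls_context(verify: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """verify=False mirrors opportunistic TLS (smtp_tls_security_level = may):
    encrypt, but accept any certificate. verify=True requires a chain to a
    trusted CA plus a hostname match, what a 'secure' policy demands."""
    if verify:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_starttls(host: str, port: int = 25, verify: bool = False,
                   cafile: Optional[str] = None, timeout: float = 15.0) -> Dict[str, object]:
    """EHLO, STARTTLS, then EHLO again on the encrypted channel (RFC 3207:
    everything learned before STARTTLS must be discarded)."""
    ctx = tls_context(verify, cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:   # quit() on exit
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed with {code}")
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        # With verify=True this raises ssl.SSLCertVerificationError for a
        # self-signed certificate or a hostname mismatch.
        smtp.starttls(context=ctx)
        code, _ = smtp.ehlo()
        sock = smtp.sock  # now an ssl.SSLSocket
        return {
            "starttls": True,
            "protocol": sock.version(),
            "cipher": sock.cipher()[0],
            "post_tls_ehlo_code": code,
            "post_tls_extensions": sorted(k.upper() for k in smtp.esmtp_features),
            # Unverified peers yield an empty dict: nothing was authenticated.
            "peer_cert": sock.getpeercert() if verify else None,
        }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp6.company.be"  # constructed
    print(json.dumps(probe_starttls(target, verify="--verify" in sys.argv),
                     indent=2, default=str))
```

`python3 starttls_probe.py mail.example.invalid` reports the negotiated protocol and cipher and the extension list seen after STARTTLS; adding `--verify` makes the handshake fail for exactly the self-signed or mismatched certificates that opportunistic MTAs accept silently, which is the quickest way to see what a `secure` policy for a given destination would reject.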


Re: Using TLS for certain domains

2013-06-07 Thread Nikolas Kallis

On 08/06/13 05:29, Noel Jones wrote:
 On 6/7/2013 1:40 PM, polloxx wrote:
  Dear list,

  We need to implement TLS for one of our customers using our Postfix
  infrastructure (serving multiple domains) for inbound mail. The
  final delivery for that domain is an Exchange server, but we have an
  anti-virus server in front of that Exchange:  internet ->
  postfix-relay -> AV-filter -> Exchange.

  So we need to enable TLS at our postfix-relay. Let's say our server
  is called server.ourdomain.tld, and the customer domain is
  customerdomain.tld.
  Do we need a cert for server.ourdomain.tld, or for customerdomain.tld?

 First read http://www.postfix.org/TLS_README.html
 http://www.postfix.org/TLS_README.html#server_vrfy_client

 As a general rule, MTAs do opportunistic anonymous TLS, meaning that
 TLS is automatically used if both sides support it, but the identity
 of neither the sender nor receiver is checked. This is sufficient to
 prevent casual eavesdropping or packet snooping, and works fine with
 a self-signed certificate. A purchased certificate provides no
 additional security in this situation.

 If you have end-users connecting directly to your postfix box,
 either to submit mail (postfix as an MSA), or to retrieve mail (via
 IMAP or POP server software on the same box), a purchased
 certificate is helpful so the end-users don't get various untrusted
 server errors in their desktop mail software.  For this use, a
 low-cost certificate (godaddy, rapidssl, etc.) provides the same
 level of encryption as a high-dollar certificate (verisign, etc.).

 If you need to verify who you're talking to (secure channel), please
 see:
 http://www.postfix.org/TLS_README.html#server_vrfy_client
 http://www.postfix.org/TLS_README.html#client_tls_secure
 This does have some limitations, described in the referenced docs.

  Can we add multiple domains using TLS in the future?

 For opportunistic TLS, there is nothing more to do; all servers and
 clients that support TLS will automatically use TLS. For
 secure-channel TLS, there is some manual configuration for each
 domain you wish to support.

  Is this possible?
  Can you point me to some good how-to?

 For the general use case, just enable TLS as described in
 http://www.postfix.org/TLS_README.html#quick-start
 then set both smtp_tls_security_level and smtpd_tls_security_level
 to may and TLS will just start working.

   -- Noel Jones

It's not true that there is no benefit to using an SSL certificate from a CA.
Some MTAs will reject connecting to a remote host if it cannot validate
its security credentials from a CA.


Re: Using TLS for certain domains

2013-06-07 Thread Viktor Dukhovni
On Sat, Jun 08, 2013 at 01:17:22PM +1000, Nikolas Kallis wrote:

 For the general use case, just enable TLS as described in
 http://www.postfix.org/TLS_README.html#quick-start
 then set both smtp_tls_security_level and smtpd_tls_security_level
 to may and TLS will just start working.

 It's not true that there is no benefit to using an SSL certificate from a
 CA. Some MTAs will reject connecting to a remote host if it cannot
 validate its security credentials from a CA.

You might think so, but that does not make it a fact.

https://tools.ietf.org/html/draft-dukhovni-smtp-opportunistic-tls-00#section-1.2

-- 
Viktor.