postfix 2.2.9
parent c9ec09a52e
commit b540f1d62f
@ -10794,3 +10794,81 @@ Apologies for any names omitted.

Portability: FreeBSD 6 is a supported platform. Files:
util/sys_defs.h, makedefs.

20010604

Safety: new "smtp_cname_overrides_servername" parameter.
The default value ("yes") is backwards compatible.

With a value of "no", the Postfix SMTP client no longer
allows CNAME expansion to override the hostname that is
used for logging, SASL password lookup, TLS policy decisions,
or TLS certificate verification. Instead it uses the name
of the recipient domain, the host or domain name specified
in Postfix configuration files, or the hostnames obtained
with MX lookups. To prevent cheating with hostnames in MX
lookup results, you will have to suppress MX lookups with
explicit [hostname] entries in transport maps. Files:
dns/dns_lookup.c, dns/dns_rr.c, proto/postconf.proto.

20060108

Bugfix: mailbox_command_maps was not subject to $name
expansion. File: local/local.c.

20060115

Bugfix: don't ignore the per-site policy when SSL library
initialization fails. Introduced after adopting the TLS
patch. File: smtp/smtp_session.c.

20060121

Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
override a stronger main.cf policy, while a per-site NONE
policy could. Fixed with a clean re-implementation from
Postfix 2.3. File: smtp/smtp_session.c.

Bugfix: a combined TLS per-site (host, recipient) policy
of (NONE, MAY) changed a global MUST policy into NONE, and
a global MUST_NOPEERMATCH into MAY. The result is now NONE.
Problem found by exhaustive simulation. Fixed with a clean
re-implementation from Postfix 2.3. File: smtp/smtp_session.c.

20060130

Bugfix: an empty remote_header_rewrite_domain value caused
trivial-rewrite to dereference a null pointer, but only in
regression tests, not in production. Postfix rewrites
addresses in the remote rewriting context only when the
remote_header_rewrite_domain parameter value is non-empty.
File: trivial-rewrite/rewrite.c.

20060202

Workaround: a malformed domain name lookup result (such as
null MX record) is now treated as a hard error, so that
Postfix will no longer repeatedly try to deliver mail until
the message expires in the queue. However, this will not
reject mail with reject_unknown_sender/recipient_domain.
That would require too much change for a stable release.
File: dns/dns_lookup.c.

20060203

Bugfix: smtpd core dump when SASL is compiled in, turned
off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
is specified in local_header_rewrite_clients. Victor Duchovni.
File: smtpd/smtpd_check.c.

20060204

Bugfix: disable the content_filter feature for user-requested
"sendmail -bv" probes, just like it is disabled for probes
generated by Postfix itself. File: *qmgr/qmgr_message.c.

20060212

Workaround: don't consume in_flow tokens when incoming mail
is placed on hold. Back-ported from Postfix 2.3. File:
cleanup/cleanup_api.c.

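Review bot: the date line above the "smtp_cname_overrides_servername" entry reads 20010604, which is out of sequence between the FreeBSD 6 entry and 20060108 and cannot belong to a 2.2.9 change (the TLS_README hunk in this same commit says the feature "requires Postfix 2.2.9 or later"); it looks like a typo for a January 2006 date and should be corrected so HISTORY stays chronological. It would also help to say in the entry that the backwards-compatible default ("yes") leaves the CNAME override in place, so a site gains nothing for TLS policy lookup or certificate verification until it sets the parameter to "no" and, as the entry already says, replaces MX lookups with explicit [hostname] transport entries.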
@ -43,7 +43,7 @@ how next message is chosen when delivery agent becomes available. You already
know that oqmgr(8) uses round-robin by destination while qmgr(8) uses simple
FIFO, except for some preemptive magic. The postconf(5) manual documents all
the knobs the user can use to control this preemptive magic - there is nothing
else to the preemption than the quite simple conditions described below.
else to the preemption than the quite simple conditions described in there.

As for programmer-level documentation, this will have to be extracted from all
those emails we have exchanged with Wietse [rats! I hoped that Patrik would do

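Review bot: "described in there" on the replaced line is awkward English; "described there" or "described in that manual" reads naturally and makes the same point, namely that postconf(5) rather than this document holds the conditions. The same wording change appears in the SCHEDULER_README.html hunk further down and should be kept identical in both files.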
@ -68,6 +68,11 @@ To build Postfix with TLS support, first we need to generate the make(1) files
with the necessary definitions. This is done by invoking the command "make
makefiles" in the Postfix top-level directory and with arguments as shown next.

NNOOTTEE:: DDoo nnoott uussee GGnnuu TTLLSS.. IItt wwiillll ssppoonnttaanneeoouussllyy tteerrmmiinnaattee aa PPoossttffiixx ddaaeemmoonn
pprroocceessss wwiitthh eexxiitt ssttaattuuss ccooddee 22,, iinnsstteeaadd ooff aalllloowwiinngg PPoossttffiixx ttoo 11)) rreeppoorrtt tthhee
eerrrroorr ttoo tthhee mmaaiilllloogg ffiillee,, aanndd ttoo 22)) pprroovviiddee ppllaaiinntteexxtt sseerrvviiccee wwhheerree tthhiiss iiss
aapppprroopprriiaattee..

* If the OpenSSL include files (such as ssl.h) are in directory /usr/include/
openssl, and the OpenSSL libraries (such as libssl.so and libcrypto.so) are
in directory /usr/lib:

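Review bot: the new NOTE is an absolute prohibition ("Do not use Gnu TLS") with no version or reference, so a reader cannot tell whether it describes a particular GnuTLS release or its OpenSSL compatibility layer, nor when it can be retired. Name the version that was tested and what triggers the exit (the text only says it happens "instead of" logging the error and falling back to plaintext), so the warning can be checked and removed once the library behaves. The doubled characters are the nroff bold rendering of the generated text README and need no change.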
@ -364,7 +369,9 @@ between multiple smtpd(8) processes, a persistent session cache can be used.
You can specify any database type that can store objects of several kbytes and
that supports the sequence operator. DBM databases are not suitable because
they can only store small objects. The cache is maintained by the tlsmgr(8)
process, so there is no problem with concurrent access.
process, so there is no problem with concurrent access. Session caching is
highly recommended, because the cost of repeatedly negotiating TLS session keys
is high.

Example:

@ -420,7 +427,7 @@ Example:
...

The Postfix list manipulation routines give special treatment to whitespace and
some other characters, making the use of certificate names unpractical. Instead
some other characters, making the use of certificate names impractical. Instead
we use the certificate fingerprints as they are difficult to fake but easy to
use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
Since we only need the key, the value can be chosen freely, e.g. the name of

@ -485,7 +492,12 @@ Topics covered in this section:
* Client-side TLS activity logging
* Client-side TLS session cache
* Enabling TLS in the Postfix SMTP client
* Server certificate verification
* Requiring TLS encryption
* Disabling server certificate verification
* Per-site TLS policies
* Closing a DNS loophole with per-site TLS policies
* Discovering servers that support TLS
* Server certificate verification depth
* Client-side cipher controls
* Miscellaneous client controls

@ -530,12 +542,12 @@ If you want the Postfix SMTP client to accept remote SMTP server certificates
issued by these CAs, append the root certificate to $smtp_tls_CAfile or install
it in the $smtp_tls_CApath directory. When you configure trust in a root CA, it
is not necessary to explicitly trust intermediary CAs signed by the root CA,
unless $smtp_tls_verify_depth is less than the number of CAs in the certificate
chain for the servers of interest. With a verify depth of 1 you can only verify
certificates directly signed by a trusted CA, and all trusted intermediary CAs
need to be configured explicitly. With a verify depth of 2 you can verify
servers signed by a root CA or a direct intermediary CA (so long as the server
is correctly configured to supply its intermediate CA certificate).
unless $smtp_tls_scert_verifydepth is less than the number of CAs in the
certificate chain for the servers of interest. With a verify depth of 1 you can
only verify certificates directly signed by a trusted CA, and all trusted
intermediary CAs need to be configured explicitly. With a verify depth of 2 you
can verify servers signed by a root CA or a direct intermediary CA (so long as
the server is correctly configured to supply its intermediate CA certificate).

RSA key and certificate examples:

@ -608,7 +620,10 @@ between multiple smtp(8) processes, a persistent session cache can be used. You
can specify any database type that can store objects of several kbytes and that
supports the sequence operator. DBM databases are not suitable because they can
only store small objects. The cache is maintained by the tlsmgr(8) process, so
there is no problem with concurrent access.
there is no problem with concurrent access. Session caching is highly
recommended, because the cost of repeatedly negotiating TLS session keys is
high. Future Postfix SMTP servers may limit the number of sessions that a
client is allowed to negotiate per unit time.

Example:

@ -630,20 +645,19 @@ By default, TLS is disabled in the Postfix SMTP client, so no difference to
plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
STARTTLS when TLS support is announced by the remote SMTP server.

WARNING: MS Exchange servers will announce STARTTLS support even when the
service is not configured, so that the TLS handshake will fail. It may be wise
to not use this option on your central mail hub, as you don't know in advance
whether you are going to connect to such a host. Instead, use the
smtp_tls_per_site recipient/site specific options that are described below.

When the TLS handshake fails and no other server is available, the Postfix SMTP
client defers the delivery attempt, and the mail stays in the queue.
When the server accepts the STARTTLS command, but the subsequent TLS handshake
fails, and no other server is available, the Postfix SMTP client defers the
delivery attempt, and the mail stays in the queue. After a handshake failure,
the communications channel is in an indeterminate state and cannot be used for
non-TLS deliveries.

Example:

/etc/postfix/main.cf:
smtp_use_tls = yes

RReeqquuiirriinngg TTLLSS eennccrryyppttiioonn

You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
deliver mail over unencrypted connections. In this mode, the remote SMTP server
hostname must match the information in the remote server certificate, and the

@ -652,21 +666,22 @@ client. If the remote server certificate doesn't verify or the remote SMTP
server hostname doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue.

The remote SMTP server hostname used in the check is beyond question, as it
must be the principal hostname (no CNAME allowed here). Checks are performed
against all names provided as dNSNames in the SubjectAlternativeName. If no
dNSNames are specified, the CommonName is checked. The behavior may be changed
with the smtp_tls_enforce_peername option which is discussed below.
The remote SMTP server hostname is verified against all names provided as
dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. Verification may be turned off with the
smtp_tls_enforce_peername option which is discussed below.

This option is useful only if you know that you will only connect to servers
that support RFC 2487 _and_ that present server certificates that meet the
above requirements. An example would be a client only sends email to one
Enforcing the use of TLS is useful if you know that you will only connect to
servers that support RFC 2487 _and_ that present server certificates that meet
the above requirements. An example would be a client only sends email to one
specific mailhub that offers the necessary STARTTLS support.

Example:

/etc/postfix/main.cf:
smtp_enforce_tls = no
smtp_enforce_tls = yes

DDiissaabblliinngg sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn

As of RFC 2487 the requirements for hostname checking for MTA clients are not
set. When TLS is required (smtp_enforce_tls = yes), the option

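Review bot: dropping the claim that the checked hostname is "beyond question, as it must be the principal hostname (no CNAME allowed here)" is correct, since with the default "smtp_cname_overrides_servername = yes" introduced in this commit the verified name can still come from a CNAME expansion; but the replacement paragraph no longer says where the hostname comes from at all, so a reader of "Requiring TLS encryption" gets no hint that MX or CNAME data can redirect both the policy lookup and the certificate check. Add a cross-reference here to the "Closing a DNS loophole with per-site TLS policies" section. Changing the example from "smtp_enforce_tls = no" to "= yes" under a heading that says "Requiring TLS encryption" is a clear fix.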
@ -674,79 +689,140 @@ smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP
server hostname checking. In this case, the mail delivery will proceed
regardless of the CommonName etc. listed in the certificate.

Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
controlled via the smtp_tls_per_site table.

Disabling the remote SMTP server hostname verification can make sense in closed
environment where special CAs are created. If not used carefully, this option
opens the danger of a "man-in-the-middle" attack (the CommonName of this
possible attacker is logged).
Despite the potential for eliminating "man-in-the-middle" and other attacks,
mandatory certificate/peername verification is not viable as a default Internet
mail delivery policy at this time. A significant fraction of TLS enabled MTAs
uses self-signed certificates, or certificates that are signed by a private
certificate authority. On a machine that delivers mail to the Internet, if you
set smtp_enforce_tls = yes, you should probably also set
smtp_tls_enforce_peername = no. You can use the per-site TLS policies (see
below) to enable full peer verification for specific destinations that are
known to have verifiable TLS server certificates.

Example:

/etc/postfix/main.cf:
smtp_tls_enforce_peername = yes
smtp_enforce_tls = yes
smtp_tls_enforce_peername = no

Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
negotiation will fail leading to unexplainable failures. Instead, it may be a
good idea to choose the TLS usage policy based on the recipient or the mailhub
to which you are connecting.
PPeerr--ssiittee TTLLSS ppoolliicciieess

Deciding the TLS usage policy per recipient may be difficult, since a single
email delivery attempt can involve several recipients. Instead, use of TLS is
controlled by the Postfix next-hop destination domain name and by the remote
SMTP server hostname. If either of these matches an entry in the
smtp_tls_per_site table, appropriate action is taken.
A small fraction of servers offer STARTTLS but the negotiation consistently
fails, leading to mail aging out of the queue and bouncing back to the sender.
In such cases, you can use the per-site policies to disable TLS for the problem
sites. Alternatively, you can enable TLS for just a few specific sites and not
enable it for all sites.

The remote SMTP server hostname is simply the DNS name of the server that the
Postfix SMTP client connects to. The next-hop destination is Postfix specific.
By default, this is the domain name in the recipient address, but this
information can be overruled by the transport(5) table or by the relayhost
parameter setting. In these cases the relayhost etc. must be listed in the
smtp_tls_per_site table, instead of the recipient domain name.
The smtp_tls_per_site table is searched for a policy that matches the following
information:

Format of the table: domain or host names are specified on the left-hand side;
no wildcards are allowed. On the right hand side specify one of the following
keywords:
remote SMTP server hostname
This is simply the DNS name of the server that the Postfix SMTP client
connects to; this name may be obtained from other DNS lookups, such as
MX lookups or CNAME lookups.
next-hop destination
This is normally the domain portion of the recipient address, but it
may be overruled by information from the transport(5) table, from the
relayhost parameter setting, or from the relay_transport setting. When
it's not the recipient domain, the next-hop destination can have the
Postfix-specific form "[name]", [name]:port", "name" or "name:port".

When both the hostname lookup and the next-hop lookup succeed, the host policy
does not automatically override the next-hop policy. Instead, precedence is
given to either the more specific or the more secure per-site policy as
described below.

The smtp_tls_per_site table uses a simple "name whitespace value" format.
Specify host names or next-hop destinations on the left-hand side; no wildcards
are allowed. On the right hand side specify one of the following keywords:

NONE
Don't use TLS at all.
Don't use TLS at all. This overrides a less specific MMAAYY lookup result
from the alternate host or next-hop lookup key, and overrides the
global smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername
settings.
MAY
Try to use STARTTLS if offered, otherwise use the unencrypted
connection.
Try to use TLS if the server announces support, otherwise use the
unencrypted connection. This has less precedence than a more specific
result (including NNOONNEE) from the alternate host or next-hop lookup key,
and has less precedence than the more specific global "smtp_enforce_tls
= yes" or "smtp_tls_enforce_peername = yes".
MUST_NOPEERMATCH
Require TLS encryption, but do not require that the remote SMTP server
hostname matches the information in the remote SMTP server certificate,
or that the server certificate was issued by a trusted CA. This
overrides a less secure NNOONNEE or a less specific MMAAYY lookup result from
the alternate host or next-hop lookup key, and overrides the global
smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings.
MUST
Require usage of STARTTLS, require that the remote SMTP server hostname
Require TLS encryption, require that the remote SMTP server hostname
matches the information in the remote SMTP server certificate, and
require that the remote SMTP server certificate was issued by a trusted
CA.
MUST_NOPEERMATCH
Require usage of STARTTLS, but do not require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate, or that the server certificate was issued by a trusted CA.
CA. This overrides a less secure NNOONNEE and MMUUSSTT__NNOOPPEEEERRMMAATTCCHH or a less
specific MMAAYY lookup result from the alternate host or next-hop lookup
key, and overrides the global smtp_use_tls, smtp_enforce_tls and
smtp_tls_enforce_peername settings.

The actual TLS usage policy depends not only on whether the next-hop
destination or remote SMTP server hostname are found in the smtp_tls_per_site
table, but also on the smtp_enforce_tls setting:
The precedences between global (main.cf) and per-site TLS policies can be
summarized as follows:

* If no match was found, the policy is applied as specified with
smtp_enforce_tls.
* When neither the remote SMTP server hostname nor the next-hop destination
are found in the smtp_tls_per_site table, the policy is based on
smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername. Note:
"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes" imply
"smtp_use_tls = yes".

* If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
explicitly switches it off; otherwise the "enforce" mode is used even for
entries that specify MAY.
* When both hostname and next-hop destination lookups produce a result, the
more specific per-site policy (NONE, MUST, etc) overrides the less specific
one (MAY), and the more secure per-site policy (MUST, etc) overrides the
less secure one (NONE).

Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
available, mail can be delivered to the wrong remote SMTP server. This is not
prevented by specifying MUST for the next-hop domain name. The recommended
setup is: specify local transport(5) table entries for sensitive domains with
explicit smtp:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the
smtp_tls_per_site table.
* After the per-site policy lookups are combined, the result generally
overrides the global policy. The exception is the less specific MMAAYY per-
site policy, which is overruled by the more specific global
"smtp_enforce_tls = yes" with server certificate verification as specified
with the smtp_tls_enforce_peername parameter.

CClloossiinngg aa DDNNSS lloooopphhoollee wwiitthh ppeerr--ssiittee TTLLSS ppoolliicciieess

As long as no secure DNS lookup mechanism is available, false hostnames in MX
or CNAME responses can change the server hostname that Postfix uses for TLS
policy lookup and server certificate verification. Even with a perfect match
between the server hostname and the server certificate, there is no guarantee
that Postfix is connected to the right server. To avoid this loophole take the
following steps:

* Eliminate MX lookups. Specify local transport(5) table entries for
sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
destinations (you can assure security of this table unlike DNS); in the
smtp_tls_per_site table specify the value MMUUSSTT for the key [mailhost] or
smtp:[mailhost]:port. This prevents false hostname information in DNS MX
records from changing the server hostname that Postfix uses for TLS policy
lookup and server certificate verification.

* Disallow CNAME hostname overrides. In main.cf specify
"smtp_cname_overrides_servername = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname that
Postfix uses for TLS policy lookup and server certificate verification.
This feature requires Postfix 2.2.9 or later.

Example:

/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
relayhost = [msa.example.net]:587

/etc/postfix/tls_per_site:
# relayhost exact nexthop match
[msa.example.net]:587 MUST

# TLS should not be used with the example.org MX hosts.
example.org NONE

# TLS should not be used with the host smtp.example.com.
smtp.example.com NONE

DDiissccoovveerriinngg sseerrvveerrss tthhaatt ssuuppppoorrtt TTLLSS

As we decide on a "per site" basis whether or not to use TLS, it would be good
to have a list of sites that offered "STARTTLS". We can collect it ourselves

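Review bot: the lookup key given in the "Eliminate MX lookups" bullet is inconsistent with the rest of the hunk: it tells the reader to put MUST under the key "[mailhost] or smtp:[mailhost]:port", but the next-hop forms listed under "next-hop destination" are "[name]", "[name]:port", "name" and "name:port" with no transport prefix, and the example pairs "relayhost = [msa.example.net]:587" with the key "[msa.example.net]:587 MUST"; the bullet should read "[mailhost] or [mailhost]:port", since the "smtp:" part belongs to the transport(5) entry, not to the smtp_tls_per_site key. In the same "next-hop destination" paragraph an opening quote is missing: '"[name]", [name]:port", "name"' should be '"[name]", "[name]:port", "name"'. Lastly, the hunk says twice that a per-site NONE overrides the global smtp_enforce_tls setting, so the "example.org NONE" line in the example silently turns off TLS for that destination even on a host whose main.cf demands it; a one-line warning next to that example would save administrators who copy it.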
@ -763,7 +839,7 @@ Example:
/etc/postfix/main.cf:
smtp_tls_note_starttls_offer = yes

SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn ddeepptthh

When verifying a remote SMTP server certificate, a verification depth of 1 is
sufficient if the certificate is directly issued by a CA specified with

@ -1012,10 +1088,25 @@ J
and in order to access the TLS session cache databases. Such a protocol
cannot be run across fifos.

* smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the
global "smtp_tls_enforce_peername = yes" setting.

* smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and
next-hop destination) produces counter-intuitive results for different
main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but
it is disabled when both "smtp_enforce_tls = yes" and
"smtp_tls_enforce_peername = yes".

The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2
support cycle.

CCrreeddiittss

* TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
Technical University.
* Wietse Venema adopted the code, did some restructuring, and compiled this
part of the documentation from Lutz's documents.
* Victor Duchovni was instrumental with the re-implementation of the
smtp_tls_per_site code in terms of enforcement levels, which simplified the
implementation greatly.

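Review bot: this hunk adds two smtp_tls_per_site limitations to the list and then, two lines later, says "The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2 support cycle", which leaves a reader unsure whether the items apply to the release in hand. The HISTORY hunk in this same commit (20060121) records both fixes, so say it directly: these two limitations were removed in Postfix 2.2.9 and are listed only for readers of earlier 2.2 releases. Make clear as well that the sentence covers only the two smtp_tls_per_site items and not the fifo limitation above them.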
@ -68,7 +68,7 @@ available. You already know that <a href="qmgr.8.html">oqmgr(8)</a> uses round-
while <a href="qmgr.8.html">qmgr(8)</a> uses simple FIFO, except for some preemptive magic.
The <a href="postconf.5.html">postconf(5)</a> manual documents all the knobs the user
can use to control this preemptive magic - there is nothing else
to the preemption than the quite simple conditions described below.
to the preemption than the quite simple conditions described in there.
</p>

<p> As for programmer-level documentation, this will have to be

@ -129,6 +129,11 @@ the <tt>make(1)</tt> files with the necessary definitions. This is
done by invoking the command "<tt>make makefiles</tt>" in the Postfix
top-level directory and with arguments as shown next. </p>

<p> <b> NOTE: Do not use Gnu TLS. It will spontaneously terminate
a Postfix daemon process with exit status code 2, instead of allowing
Postfix to 1) report the error to the maillog file, and to 2) provide
plaintext service where this is appropriate. </b> </p>

<ul>

<li> <p> If the OpenSSL include files (such as <tt>ssl.h</tt>) are

@ -553,7 +558,8 @@ can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
concurrent access. </p>
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high.</p>

<p> Example: </p>

@ -632,7 +638,7 @@ certificate must no longer be used (e.g. an employee leaving). </p>

<p> The Postfix list manipulation routines give special treatment
to whitespace and some other characters, making the use of certificate
names unpractical. Instead we use the certificate fingerprints as
names impractical. Instead we use the certificate fingerprints as
they are difficult to fake but easy to use for lookup. Postfix
lookup tables are in the form of (key, value) pairs. Since we only
need the key, the value can be chosen freely, e.g. the name of

@ -725,9 +731,23 @@ key configuration </a>

<li><a href="#client_tls_cache">Client-side TLS session cache</a>

<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
<li><a href="#client_tls_enable"> Enabling TLS in the Postfix SMTP client </a>

<li><a href="#client_vrfy_server">Server certificate verification</a>
<li><a href="#client_tls_require"> Requiring TLS encryption </a>

<li><a href="#client_tls_nopeer"> Disabling server certificate verification </a>

<li><a href="#client_tls_per_site"> Per-site TLS policies </a>

<!--
<li><a href="#client_tls_obs"> Obsolete per-site TLS policy support </a>
-->

<li><a href="#client_tls_harden"> Closing a DNS loophole with <!-- legacy --> per-site TLS policies </a>

<li><a href="#client_tls_discover"> Discovering servers that support TLS </a>

<li><a href="#client_vrfy_server">Server certificate verification depth</a>

<li> <a href="#client_cipher">Client-side cipher controls </a>

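Review bot: the new table of contents carries leftover markup: a commented-out entry for "#client_tls_obs" ("Obsolete per-site TLS policy support") and an inline "<!-- legacy -->" inside the link text of the "#client_tls_harden" entry. Either finish those sections or drop the comments before release; browsers ignore them, but they will puzzle the next editor and the "legacy" remark contradicts the visible heading, which presents per-site policies as the current mechanism. Note also that "#client_vrfy_server" is now reused for "Server certificate verification depth" after the old "Server certificate verification" entry was removed; the text README hunk renames the matching heading, but no hunk here renames the HTML <h3><a name="client_vrfy_server"> heading, so confirm that its title was updated too.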
@ -787,7 +807,7 @@ the overhead of the TLS exchange. </p>
certificates issued by these CAs, append the root certificate to
$<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or install it in the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. When
you configure trust in a root CA, it is not necessary to explicitly trust
intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth
intermediary CAs signed by the root CA, unless $<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>
is less than the number of CAs in the certificate chain for the servers
of interest. With a verify depth of 1 you can only verify certificates
directly signed by a trusted CA, and all trusted intermediary CAs need to

@ -904,7 +924,10 @@ can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
concurrent access. </p>
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high. Future
Postfix SMTP servers may limit the number of sessions that a client
is allowed to negotiate per unit time.</p>


<p> Example: </p>

@ -930,24 +953,19 @@ recommends a maximum of 24 hours. </p>
|
|||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
|
||||
</h3>
|
||||
<h3><a name="client_tls_enable"> Enabling TLS in the Postfix SMTP
|
||||
client </a> </h3>
|
||||
|
||||
<p> By default, TLS is disabled in the Postfix SMTP client, so no
|
||||
difference to plain Postfix is visible. If you enable TLS, the
|
||||
Postfix SMTP client will send STARTTLS when TLS support is announced
|
||||
by the remote SMTP server. </p>
|
||||
|
||||
<p> WARNING: MS Exchange servers will announce STARTTLS support
|
||||
even when the service is not configured, so that the TLS handshake
|
||||
will fail. It may be wise to not use this option on your central
|
||||
mail hub, as you don't know in advance whether you are going to
|
||||
connect to such a host. Instead, use the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
|
||||
recipient/site specific options that are described below. </p>
|
||||
|
||||
<p> When the TLS handshake fails and no other server is available,
|
||||
the Postfix SMTP client defers the delivery attempt, and the mail
|
||||
stays in the queue. </p>
|
||||
<p> When the server accepts the STARTTLS command, but the subsequent
|
||||
TLS handshake fails, and no other server is available, the Postfix SMTP
|
||||
client defers the delivery attempt, and the mail stays in the queue. After
|
||||
a handshake failure, the communications channel is in an indeterminate
|
||||
state and cannot be used for non-TLS deliveries. </p>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
|
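Review bot: the anchor rename from "client_tls" to "client_tls_enable" in the "Enabling TLS in the Postfix SMTP client" heading drops the old fragment id, so any existing link to TLS_README.html#client_tls silently lands at the top of the page; keep a `<a name="client_tls">` next to the new anchor unless every reference has been updated. The new paragraph on handshake failure is a good addition: saying that the channel is in an indeterminate state after a failed handshake explains why the client cannot fall back to a plaintext delivery on the same connection, which the old "defers the delivery attempt" sentence left implicit.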
@ -958,6 +976,9 @@ stays in the queue. </p>
|
|||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="client_tls_require"> Requiring TLS encryption </a>
|
||||
</h3>
|
||||
|
||||
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
|
||||
will not deliver mail over unencrypted connections. In this mode,
|
||||
the remote SMTP server hostname must match the information in the
|
||||
|
@ -967,14 +988,14 @@ server certificate doesn't verify or the remote SMTP server hostname
|
|||
doesn't match, and no other server is available, the delivery
|
||||
attempt is deferred and the mail stays in the queue. </p>
|
||||
|
||||
<p> The remote SMTP server hostname used in the check is beyond
|
||||
question, as it must be the principal hostname (no CNAME allowed
|
||||
here). Checks are performed against all names provided as dNSNames
|
||||
<p> The remote SMTP server hostname is verified against all names
|
||||
provided as dNSNames
|
||||
in the SubjectAlternativeName. If no dNSNames are specified, the
|
||||
CommonName is checked. The behavior may be changed with the
|
||||
CommonName is checked. Verification may be turned off with the
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> option which is discussed below. </p>
|
||||
|
||||
<p> This option is useful only if you know that you will only
|
||||
<p> Enforcing the use of TLS is useful if you know that you will
|
||||
only
|
||||
connect to servers that support <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> _and_ that present server
|
||||
certificates that meet the above requirements. An example would
|
||||
be a client only sends email to one specific mailhub that offers
|
||||
|
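Review bot: dropping the claim that the checked hostname "is beyond question" and that there is "no CNAME allowed here" is correct, because with the default "smtp_cname_overrides_servername = yes" a CNAME target can become the name that is compared with the certificate; the replacement paragraph should then say which name is compared (the next-hop destination, the MX hostname, or the CNAME target) and link to smtp_cname_overrides_servername, otherwise a reader of this section cannot tell how the steps in the "Closing a DNS loophole" section relate to certificate verification.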
@ -985,10 +1006,13 @@ the necessary STARTTLS support. </p>
|
|||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3> <a name="client_tls_nopeer"> Disabling server certificate
|
||||
verification </a> </h3>
|
||||
|
||||
<p> As of <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> the requirements for hostname checking for MTA
|
||||
clients are not set. When TLS is required (<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes),
|
||||
the option <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> can be set to "no" to disable
|
||||
|
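Review bot: changing the example from "smtp_enforce_tls = no" to "smtp_enforce_tls = yes" fixes an example that contradicted its own section ("Requiring TLS encryption"); since the precedence list later in the same file states that "smtp_enforce_tls = yes" implies "smtp_use_tls = yes", it would help to repeat that here so readers do not add a redundant smtp_use_tls line.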
@ -996,106 +1020,200 @@ strict remote SMTP server hostname checking. In this case, the mail
|
|||
delivery will proceed regardless of the CommonName etc. listed in
|
||||
the certificate. </p>
|
||||
|
||||
<p> Note: the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> setting has no effect on
|
||||
sessions that are controlled via the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
|
||||
|
||||
<p> Disabling the remote SMTP server hostname verification can
|
||||
make sense in closed environment where special CAs are created.
|
||||
If not used carefully, this option opens the danger of a
|
||||
"man-in-the-middle" attack (the CommonName of this possible attacker
|
||||
is logged). </p>
|
||||
<p> Despite the potential for eliminating "man-in-the-middle" and
|
||||
other attacks, mandatory certificate/peername verification is not
|
||||
viable as a default Internet mail delivery policy at this time. A
|
||||
significant fraction of TLS enabled MTAs uses self-signed certificates,
|
||||
or certificates that are signed by a private certificate authority.
|
||||
On a machine that delivers mail to the Internet, if you set
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes, you should probably also set
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no. You can use the per-site TLS
|
||||
policies (see below) to enable full peer verification for specific
|
||||
destinations that are known to have verifiable TLS server certificates.
|
||||
</p>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Generally, trying TLS can be a bad idea, as some servers offer
|
||||
STARTTLS but the negotiation will fail leading to unexplainable
|
||||
failures. Instead, it may be a good idea to choose the TLS usage
|
||||
policy based on the recipient or the mailhub to which you are
|
||||
connecting. </p>
|
||||
<h3> <a name="client_tls_per_site"> Per-site TLS policies </a> </h3>
|
||||
|
||||
<p> Deciding the TLS usage policy per recipient may be difficult,
|
||||
since a single email delivery attempt can involve several recipients.
|
||||
Instead, use of TLS is controlled by the Postfix next-hop destination
|
||||
domain name and by the remote SMTP server hostname. If either of these
|
||||
matches an entry in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, appropriate action
|
||||
is taken. </p>
|
||||
<p> A small fraction of servers offer STARTTLS but the negotiation
|
||||
consistently fails, leading to mail aging out of the queue and
|
||||
bouncing back to the sender. In such cases, you can use the per-site
|
||||
policies to disable TLS for the problem sites. Alternatively, you
|
||||
can enable TLS for just a few specific sites and not enable it for
|
||||
all sites. </p>
|
||||
|
||||
<p> The remote SMTP server hostname is simply the DNS name of the
|
||||
server that the Postfix SMTP client connects to. The next-hop
|
||||
destination is Postfix specific. By default, this is the domain
|
||||
name in the recipient address, but this information can be overruled
|
||||
by the <a href="transport.5.html">transport(5)</a> table or by the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting.
|
||||
In these cases the <a href="postconf.5.html#relayhost">relayhost</a> etc. must be listed in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
|
||||
table, instead of the recipient domain name. </p>
|
||||
<!-- insert new-style TLS policy mechanism here
|
||||
|
||||
<p> Format of the table: domain or host names are specified on the
|
||||
left-hand side; no wildcards are allowed. On the right hand side
|
||||
specify one of the following keywords: </p>
|
||||
<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
|
||||
</a> </h3>
|
||||
|
||||
<p> This section describes an obsolete per-site TLS policy mechanism.
|
||||
Unlike the newer mechanism it supports TLS policy lookup by server
|
||||
hostname, and lacks control over what names can appear in server
|
||||
certificates. Because of this, the obsolete mechanism is vulnerable
|
||||
to false DNS hostname information in MX or CNAME records. These
|
||||
attacks can be eliminated only with great difficulty. </p>
|
||||
|
||||
-->
|
||||
|
||||
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table is searched for a policy that matches
|
||||
the following information: </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
|
||||
<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
|
||||
name of the server that the Postfix SMTP client connects to; this
|
||||
name may be obtained from other DNS lookups, such as MX lookups or
|
||||
CNAME lookups. </dd>
|
||||
|
||||
<dt> MAY </dt> <dd> Try to use STARTTLS if offered, otherwise use
|
||||
the unencrypted connection. </dd>
|
||||
|
||||
<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
|
||||
remote SMTP server hostname matches the information in the remote
|
||||
SMTP server certificate, and require that the remote SMTP server
|
||||
certificate was issued by a trusted CA. </dd>
|
||||
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
|
||||
not require that the remote SMTP server hostname matches the
|
||||
information in the remote SMTP server certificate, or that the
|
||||
server certificate was issued by a trusted CA. </dd>
|
||||
<dt> next-hop destination </dt> <dd> This is normally the domain
|
||||
portion of the recipient address, but it may be overruled by
|
||||
information from the <a href="transport.5.html">transport(5)</a> table, from the <a href="postconf.5.html#relayhost">relayhost</a> parameter
|
||||
setting, or from the <a href="postconf.5.html#relay_transport">relay_transport</a> setting. When it's not the
|
||||
recipient domain, the next-hop destination can have the Postfix-specific
|
||||
form "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or
|
||||
"<tt>name:port</tt>". </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> The actual TLS usage policy depends not only on whether the
|
||||
next-hop destination or remote SMTP server hostname are found in
|
||||
the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, but also on the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>
|
||||
setting: </p>
|
||||
<p> When both the hostname lookup and the next-hop lookup succeed,
|
||||
the host policy does not automatically override the next-hop policy.
|
||||
Instead, precedence is given to either the more specific or the
|
||||
more secure per-site policy as described below. </p>
|
||||
|
||||
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table uses a simple "<i>name whitespace
|
||||
value</i>" format. Specify host names or next-hop destinations on
|
||||
the left-hand side; no wildcards are allowed. On the right hand
|
||||
side specify one of the following keywords: </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
|
||||
specific <b>MAY</b> lookup result from the alternate host or next-hop
|
||||
lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
|
||||
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
|
||||
|
||||
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
|
||||
otherwise use the unencrypted connection. This has less precedence
|
||||
than a more specific result (including <b>NONE</b>) from the alternate
|
||||
host or next-hop lookup key, and has less precedence than the more
|
||||
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
|
||||
= yes". </dd>
|
||||
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
|
||||
require that the remote SMTP server hostname matches the information
|
||||
in the remote SMTP server certificate, or that the server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
or a less specific <b>MAY</b> lookup result from the alternate host
|
||||
or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
|
||||
|
||||
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
|
||||
SMTP server hostname matches the information in the remote SMTP
|
||||
server certificate, and require that the remote SMTP server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
|
||||
result from the alternate host or next-hop lookup key, and overrides
|
||||
the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
|
||||
settings. </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> The precedences between global (main.cf) and per-site TLS
|
||||
policies can be summarized as follows: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> If no match was found, the policy is applied as specified
|
||||
with <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>. </p>
|
||||
<li> <p> When neither the remote SMTP server hostname nor the
|
||||
next-hop destination are found in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, the
|
||||
policy is based on <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
|
||||
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
|
||||
|
||||
<li> <p> If a match was found, and the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> policy is
|
||||
"enforce", NONE explicitly switches it off; otherwise the "enforce"
|
||||
mode is used even for entries that specify MAY. </p>
|
||||
<li> <p> When both hostname and next-hop destination lookups produce
|
||||
a result, the more specific per-site policy (NONE, MUST, etc)
|
||||
overrides the less specific one (MAY), and the more secure per-site
|
||||
policy (MUST, etc) overrides the less secure one (NONE). </p>
|
||||
|
||||
<li> <p> After the per-site policy lookups are combined, the result
|
||||
generally overrides the global policy. The exception is the less
|
||||
specific <b>MAY</b> per-site policy, which is overruled by the more
|
||||
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
|
||||
verification as specified with the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
|
||||
parameter. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Special hint for TLS enforcement mode: since no secure DNS
|
||||
lookup mechanism is available, mail can be delivered to the wrong
|
||||
remote SMTP server. This is not prevented by specifying MUST for
|
||||
the next-hop domain name. The recommended setup is: specify local
|
||||
<a href="transport.5.html">transport(5)</a> table entries for sensitive domains with explicit
|
||||
<a href="smtp.8.html">smtp</a>:[mailhost] destinations (since you can assure security of this
|
||||
table unlike DNS), then specify MUST for these mail hosts in the
|
||||
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
|
||||
<h3> <a name="client_tls_harden"> Closing a DNS loophole with
|
||||
<!-- legacy --> per-site TLS policies </a> </h3>
|
||||
|
||||
<p> As long as no secure DNS lookup mechanism is available, false
|
||||
hostnames in MX or CNAME responses can change the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. Even with a perfect match between the server hostname
|
||||
and the server certificate, there is no guarantee that Postfix is
|
||||
connected to the right server. To avoid this loophole take the
|
||||
following steps: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table
|
||||
entries for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]
|
||||
or <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
|
||||
security of this table unlike DNS); in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table
|
||||
specify the value <b>MUST</b> for the key [<i>mailhost</i>] or
|
||||
<a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
|
||||
information in DNS MX records from changing the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. </p>
|
||||
|
||||
<li> <p> Disallow CNAME hostname overrides. In main.cf specify
|
||||
"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
|
||||
information in DNS CNAME records from changing the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. This feature requires Postfix 2.2.9 or later. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
|
||||
<blockquote> <pre>
|
||||
/etc/postfix/main.cf:
|
||||
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> = hash:/etc/postfix/tls_per_site
|
||||
<a href="postconf.5.html#relayhost">relayhost</a> = [msa.example.net]:587
|
||||
|
||||
/etc/postfix/tls_per_site:
|
||||
# <a href="postconf.5.html#relayhost">relayhost</a> exact nexthop match
|
||||
[msa.example.net]:587 MUST
|
||||
|
||||
# TLS should not be used with the <i>example.org</i> MX hosts.
|
||||
example.org NONE
|
||||
|
||||
# TLS should not be used with the host <i>smtp.example.com</i>.
|
||||
smtp.example.com NONE
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3> <a name="client_tls_discover"> Discovering servers that support
|
||||
TLS </a> </h3>
|
||||
|
||||
<p> As we decide on a "per site" basis whether or not to use TLS,
|
||||
it would be good to have a list of sites that offered "STARTTLS".
|
||||
We can collect it ourselves with this option. </p>
|
||||
|
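Review bot: the "Closing a DNS loophole" example sets "relayhost = [msa.example.net]:587" and the matching "[msa.example.net]:587 MUST" entry, but the main.cf excerpt omits "smtp_cname_overrides_servername = no" even though the bullet directly above makes that setting part of the recommended steps; add it to the example so that copying the example yields the hardened configuration. Three smaller points in the same hunk: the `<!-- insert new-style TLS policy mechanism here ... -->` comment ships a placeholder and a drafted "Obsolete per-site TLS policy support" heading inside released documentation, and the `<!-- legacy -->` inside the "Closing a DNS loophole" heading looks like the same leftover; the list of next-hop destination forms is missing an opening quote before `<tt>[name]:port</tt>`; and the "Special hint for TLS enforcement mode" paragraph now duplicates the "Closing a DNS loophole" section that follows it, so one of the two should be cut.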
@ -1119,7 +1237,7 @@ postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
|
|||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
|
||||
<h3><a name="client_vrfy_server">Server certificate verification depth</a> </h3>
|
||||
|
||||
<p> When verifying a remote SMTP server certificate, a verification
|
||||
depth of 1 is sufficient if the certificate is directly issued by
|
||||
|
@ -1376,7 +1494,7 @@ super-user privileges. </p>
|
|||
</blockquote>
|
||||
|
||||
<li> <p> Configure Postfix, by adding the following to
|
||||
<tt>/etc/postfix/main.cf</tt>. </p>
|
||||
<tt>/etc/postfix/main.cf </tt>. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
|
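Review bot: the only change to this line is a space inserted before `</tt>` in `<tt>/etc/postfix/main.cf </tt>.`, which renders as a stray space between the path and the period; unless this works around a specific renderer, drop the space.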
@ -1443,8 +1561,22 @@ protocol in order to access the <a href="tlsmgr.8.html">tlsmgr(8)</a> pseudo-ran
|
|||
generation (PRNG) pool, and in order to access the TLS session
|
||||
cache databases. Such a protocol cannot be run across fifos. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: the MUST_NOPEERMATCH per-site policy
|
||||
cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
|
||||
</p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: a combined (NONE + MAY) lookup result
|
||||
for (hostname and next-hop destination) produces counter-intuitive
|
||||
results for different main.cf settings. TLS is enabled with
|
||||
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
|
||||
"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
|
||||
</p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> limitations were removed by the end of
|
||||
the Postfix 2.2 support cycle. </p>
|
||||
|
||||
<h2><a name="credits">Credits </a> </h2>
|
||||
|
||||
<ul>
|
||||
|
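Review bot: the two new smtp_tls_per_site limitations (MUST_NOPEERMATCH cannot override the global "smtp_tls_enforce_peername = yes", and a combined NONE + MAY result enables or disables TLS depending on the main.cf settings) are immediately followed by "The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2 support cycle", which leaves the reader unsure whether the list applies to the version they run; name the release in which they were fixed instead of "the end of the support cycle", so that the list and the closing sentence agree.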
@ -1455,6 +1587,10 @@ Jänicke at Cottbus Technical University.
|
|||
<li> Wietse Venema adopted the code, did some restructuring, and
|
||||
compiled this part of the documentation from Lutz's documents.
|
||||
|
||||
<li> Victor Duchovni was instrumental with the re-implementation
|
||||
of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> code in terms of enforcement levels, which
|
||||
simplified the implementation greatly.
|
||||
|
||||
</ul>
|
||||
|
||||
</body>
|
||||
@ -3352,7 +3352,7 @@ is suitable for, e.g., pop-before-smtp lookup tables. </dd>
|
|||
|
||||
<p> Examples: </p>
|
||||
|
||||
<p> The Postfix < 2.2 backwards compatible setting: always rewrite
|
||||
<p> The Postfix < 2.2 backwards compatible setting: always rewrite
|
||||
message headers, and always append my own domain to incomplete
|
||||
header addresses. </p>
|
||||
|
||||
|
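Review bot: the old and new lines are identical in this rendering, so the change is presumably in the HTML source (a bare "<" replaced by the "&lt;" entity, or the reverse); the entity form is the one to keep, since a bare "<" in text is not valid HTML even though browsers tolerate it when it is followed by a space.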
@ -5765,6 +5765,21 @@ IP hosting, but can be a problem on multi-homed firewalls. See the
|
|||
but this form is not recommended here. </p>
|
||||
|
||||
|
||||
</DD>
|
||||
|
||||
<DT><b><a name="smtp_cname_overrides_servername">smtp_cname_overrides_servername</a>
|
||||
(default: yes)</b></DT><DD>
|
||||
|
||||
<p> Allow DNS CNAME records to override the servername that the
|
||||
Postfix SMTP client uses for logging, SASL password lookup, TLS
|
||||
policy decisions, or TLS certificate verification. The default value
|
||||
(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
|
||||
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> hostname-based policies against false hostname
|
||||
information in DNS CNAME records. </p>
|
||||
|
||||
<p> This feature is available in Postfix 2.2.9 and later. </p>
|
||||
|
||||
|
||||
</DD>
|
||||
|
||||
<DT><b><a name="smtp_connect_timeout">smtp_connect_timeout</a>
|
||||
|
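Review bot: the new smtp_cname_overrides_servername parameter defaults to "yes", so the behaviour that this commit describes as needing hardening stays on; the text explains the default as backwards compatibility, but it should also say that "no" is the recommended value wherever smtp_tls_per_site policies are keyed by hostname. Because the same name is used for SASL password lookup, switching to "no" can change which smtp_sasl_password_maps key matches (the MX or configured hostname instead of the CNAME target), so a sentence warning operators to check their password maps belongs here, not only the TLS caveat.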
@ -6736,38 +6751,79 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
|
|||
(default: empty)</b></DT><DD>
|
||||
|
||||
<p> Optional lookup tables with the Postfix SMTP client TLS usage
|
||||
policy by next-hop domain name and by remote SMTP server hostname.
|
||||
</p>
|
||||
policy by next-hop destination and by remote SMTP server hostname.
|
||||
When both lookups succeed, the more specific per-site policy (NONE,
|
||||
MUST, etc) overrides the less specific one (MAY), and the more
|
||||
secure per-site policy (MUST, etc) overrides the less secure one
|
||||
(NONE). </p>
|
||||
|
||||
<p> Table format: domain names or server hostnames are specified
|
||||
on the left-hand side; no wildcards are allowed. On the right hand
|
||||
side specify one of the following keywords: </p>
|
||||
<p> Specify a next-hop destination or server hostname on the left-hand
|
||||
side; no wildcards are allowed. The next-hop destination is either
|
||||
the recipient domain, or the destination specified with a <a href="transport.5.html">transport(5)</a>
|
||||
table, the <a href="postconf.5.html#relayhost">relayhost</a> parameter, or the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter.
|
||||
On the right hand side specify one of the following keywords: </p>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
|
||||
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
|
||||
specific <b>MAY</b> lookup result from the alternate host or next-hop
|
||||
lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
|
||||
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
|
||||
|
||||
<dt> MAY </dt> <dd>Try to use STARTTLS if offered, otherwise use
|
||||
the unencrypted connection. </dd>
|
||||
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
|
||||
otherwise use the unencrypted connection. This has less precedence
|
||||
than a more specific result (including <b>NONE</b>) from the alternate
|
||||
host or next-hop lookup key, and has less precedence than the more
|
||||
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
|
||||
= yes". </dd>
|
||||
|
||||
<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
|
||||
remote SMTP server hostname matches the information in the remote
|
||||
SMTP server certificate, and require that the remote SMTP server
|
||||
certificate was issued by a trusted CA. </dd>
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
|
||||
require that the remote SMTP server hostname matches the information
|
||||
in the remote SMTP server certificate, or that the server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
or a less specific <b>MAY</b> lookup result from the alternate host
|
||||
or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
|
||||
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
|
||||
not require that the remote SMTP server hostname matches the
|
||||
information in the remote SMTP server certificate, or that the
|
||||
server certificate was issued by a trusted CA. </dd>
|
||||
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
|
||||
SMTP server hostname matches the information in the remote SMTP
|
||||
server certificate, and require that the remote SMTP server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
|
||||
result from the alternate host or next-hop lookup key, and overrides
|
||||
the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
|
||||
settings. </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
<p> Special hint for enforcement mode: since no secure DNS lookup
|
||||
mechanism is available, the recommended setup is: specify local
|
||||
<a href="transport.5.html">transport(5)</a> table entries for sensitive domains with explicit
|
||||
<a href="smtp.8.html">smtp</a>:[mailhost] destinations (since you can assure security of this
|
||||
table unlike DNS), then specify MUST for these mail hosts in the
|
||||
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
|
||||
<p> As long as no secure DNS lookup mechanism is available, false
|
||||
hostnames in MX or CNAME responses can change the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. Even with a perfect match between the server hostname
|
||||
and the server certificate, there is no guarantee that Postfix is
|
||||
connected to the right server. To avoid this loophole take the
|
||||
following steps: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> Disallow CNAME hostname overrides. In main.cf specify
|
||||
"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
|
||||
information in DNS CNAME records from changing the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. This feature requires Postfix 2.2.9 or later.
|
||||
|
||||
<li> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table entries
|
||||
for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[mailhost] or <a href="smtp.8.html">smtp</a>:[mailhost]:port
|
||||
destinations. This prevents false hostname information in DNS MX
|
||||
records from changing the server hostname that Postfix uses for TLS
|
||||
policy lookup and server certificate verification.
|
||||
|
||||
<li> Specify MUST for these mail hosts (including [ ] and port) in
|
||||
the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table.
|
||||
|
||||
</ul>
|
||||
|
||||
<p> </p>
|
||||
|
||||
|
||||
</DD>
|
||||
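Review bot: the three hardening steps are listed in a different order from TLS_README.html (here CNAME first, then MX, then MUST; there MX first, then CNAME), and the third step, "Specify MUST for these mail hosts (including [ ] and port)", is the clearer version because it spells out that the lookup key must carry the brackets and the port; align both documents on this three-step list. Also remove the empty `<p> </p>` left at the end of the entry.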
@ -99,8 +99,14 @@ SMTP(8) SMTP(8)
|
|||
<b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
|
||||
Never send EHLO at the start of an SMTP session.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (yes)</b>
|
||||
Allow DNS CNAME records to override the servername
|
||||
that the Postfix SMTP client uses for logging, SASL
|
||||
password lookup, TLS policy decisions, or TLS cer-
|
||||
tificate verification.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
|
||||
Defer mail delivery when no MX record resolves to
|
||||
Defer mail delivery when no MX record resolves to
|
||||
an IP address.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
|
||||
|
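Review bot: the smtp_cname_overrides_servername summary added to smtp(8) only describes what "yes" does, without saying that "no" is the hardened choice; the summary should end with the "Specify no to harden ..." sentence from postconf(5) so the man page does not read as if CNAME overrides were recommended. The remaining smtp.8.html hunks below are whitespace-only re-wraps of unchanged text (old and new lines are identical).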
@ -108,17 +114,17 @@ SMTP(8) SMTP(8)
|
|||
that Postfix will send via SMTP.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
|
||||
How long the Postfix SMTP client pauses before
|
||||
How long the Postfix SMTP client pauses before
|
||||
sending ".<CR><LF>" in order to work around the PIX
|
||||
firewall "<CR><LF>.<CR><LF>" bug.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
|
||||
How long a message must be queued before the PIX
|
||||
firewall "<CR><LF>.<CR><LF>" bug workaround is
|
||||
How long a message must be queued before the PIX
|
||||
firewall "<CR><LF>.<CR><LF>" bug workaround is
|
||||
turned on.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
|
||||
Quote addresses in SMTP MAIL FROM and RCPT TO com-
|
||||
Quote addresses in SMTP MAIL FROM and RCPT TO com-
|
||||
mands as required by <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a>.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
|
||||
|
@ -126,7 +132,7 @@ SMTP(8) SMTP(8)
|
|||
(go away, do not try again later).
|
||||
|
||||
<b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
|
||||
Do not wait for the response to the SMTP QUIT com-
|
||||
Do not wait for the response to the SMTP QUIT com-
|
||||
mand.
|
||||
|
||||
Available in Postfix version 2.0 and earlier:
|
||||
|
@ -138,21 +144,21 @@ SMTP(8) SMTP(8)
|
|||
Available in Postfix version 2.2 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
|
||||
Lookup tables, indexed by the remote SMTP server
|
||||
address, with case insensitive lists of EHLO key-
|
||||
words (pipelining, starttls, auth, etc.) that the
|
||||
Lookup tables, indexed by the remote SMTP server
|
||||
address, with case insensitive lists of EHLO key-
|
||||
words (pipelining, starttls, auth, etc.) that the
|
||||
SMTP client will ignore in the EHLO response from a
|
||||
remote SMTP server.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
|
||||
A case insensitive list of EHLO keywords (pipelin-
|
||||
ing, starttls, auth, etc.) that the SMTP client
|
||||
A case insensitive list of EHLO keywords (pipelin-
|
||||
ing, starttls, auth, etc.) that the SMTP client
|
||||
will ignore in the EHLO response from a remote SMTP
|
||||
server.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
|
||||
Optional lookup tables that perform address rewrit-
|
||||
ing in the SMTP client, typically to transform a
|
||||
ing in the SMTP client, typically to transform a
|
||||
locally valid address into a globally valid address
|
||||
when sending mail across the Internet.
|
||||
|
||||
|
@ -160,7 +166,7 @@ SMTP(8) SMTP(8)
|
|||
Available in Postfix version 2.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
|
||||
Disable the conversion of 8BITMIME format to 7BIT
|
||||
Disable the conversion of 8BITMIME format to 7BIT
|
||||
format.
|
||||
|
||||
<b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
|
||||
|
@ -175,110 +181,110 @@ SMTP(8) SMTP(8)
|
|||
Available in Postfix version 2.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
|
||||
Send the non-standard XFORWARD command when the
|
||||
Postfix SMTP server EHLO response announces XFOR-
|
||||
Send the non-standard XFORWARD command when the
|
||||
Postfix SMTP server EHLO response announces XFOR-
|
||||
WARD support.
|
||||
|
||||
<b>SASL AUTHENTICATION CONTROLS</b>
|
||||
<b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
|
||||
Enable SASL authentication in the Postfix SMTP
|
||||
Enable SASL authentication in the Postfix SMTP
|
||||
client.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
|
||||
Optional SMTP client lookup tables with one user-
|
||||
name:password entry per remote hostname or domain.
|
||||
Optional SMTP client lookup tables with one user-
|
||||
name:password entry per remote hostname or domain.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
|
||||
What authentication mechanisms the Postfix SMTP
|
||||
What authentication mechanisms the Postfix SMTP
|
||||
client is allowed to use.
|
||||
|
||||
Available in Postfix version 2.2 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
|
||||
If non-empty, a Postfix SMTP client filter for the
|
||||
remote SMTP server's list of offered SASL mecha-
|
||||
If non-empty, a Postfix SMTP client filter for the
|
||||
remote SMTP server's list of offered SASL mecha-
|
||||
nisms.
|
||||
|
||||
<b>STARTTLS SUPPORT CONTROLS</b>
|
||||
Detailed information about STARTTLS configuration may be
|
||||
Detailed information about STARTTLS configuration may be
|
||||
found in the <a href="TLS_README.html">TLS_README</a> document.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
|
||||
Opportunistic mode: use TLS when a remote SMTP
|
||||
server announces STARTTLS support, otherwise send
|
||||
Opportunistic mode: use TLS when a remote SMTP
|
||||
server announces STARTTLS support, otherwise send
|
||||
the mail in the clear.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
|
||||
Enforcement mode: require that remote SMTP servers
|
||||
use TLS encryption, and never send mail in the
|
||||
Enforcement mode: require that remote SMTP servers
|
||||
use TLS encryption, and never send mail in the
|
||||
clear.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
|
||||
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
|
||||
The SASL authentication security options that the
|
||||
Postfix SMTP client uses for TLS encrypted SMTP
|
||||
The SASL authentication security options that the
|
||||
Postfix SMTP client uses for TLS encrypted SMTP
|
||||
sessions.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
|
||||
Time limit for Postfix SMTP client write and read
|
||||
operations during TLS startup and shutdown hand-
|
||||
Time limit for Postfix SMTP client write and read
|
||||
operations during TLS startup and shutdown hand-
|
||||
shake procedures.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
|
||||
The file with the certificate of the certification
|
||||
authority (CA) that issued the Postfix SMTP client
|
||||
The file with the certificate of the certification
|
||||
authority (CA) that issued the Postfix SMTP client
|
||||
certificate.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
|
||||
Directory with PEM format certificate authority
|
||||
certificates that the Postfix SMTP client uses to
|
||||
Directory with PEM format certificate authority
|
||||
certificates that the Postfix SMTP client uses to
|
||||
verify a remote SMTP server certificate.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
|
||||
File with the Postfix SMTP client RSA certificate
|
||||
File with the Postfix SMTP client RSA certificate
|
||||
in PEM format.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
|
||||
Controls the Postfix SMTP client TLS cipher selec-
|
||||
Controls the Postfix SMTP client TLS cipher selec-
|
||||
tion scheme.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
|
||||
File with the Postfix SMTP client DSA certificate
|
||||
File with the Postfix SMTP client DSA certificate
|
||||
in PEM format.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
|
||||
File with the Postfix SMTP client DSA private key
|
||||
File with the Postfix SMTP client DSA private key
|
||||
in PEM format.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
|
||||
When TLS encryption is enforced, require that the
|
||||
When TLS encryption is enforced, require that the
|
||||
remote SMTP server hostname matches the information
|
||||
in the remote SMTP server certificate.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
|
||||
File with the Postfix SMTP client RSA private key
|
||||
File with the Postfix SMTP client RSA private key
|
||||
in PEM format.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
|
||||
Enable additional Postfix SMTP client logging of
|
||||
Enable additional Postfix SMTP client logging of
|
||||
TLS activity.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
|
||||
Log the hostname of a remote SMTP server that
|
||||
offers STARTTLS, when TLS is not already enabled
|
||||
Log the hostname of a remote SMTP server that
|
||||
offers STARTTLS, when TLS is not already enabled
|
||||
for that server.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
|
||||
Optional lookup tables with the Postfix SMTP client
|
||||
TLS usage policy by next-hop domain name and by
|
||||
TLS usage policy by next-hop domain name and by
|
||||
remote SMTP server hostname.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
|
||||
The verification depth for remote SMTP server cer-
|
||||
The verification depth for remote SMTP server cer-
|
||||
tificates.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
|
||||
Name of the file containing the optional Postfix
|
||||
Name of the file containing the optional Postfix
|
||||
SMTP client TLS session cache.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
|
||||
|
@ -286,31 +292,31 @@ SMTP(8) SMTP(8)
|
|||
sion cache information.
|
||||
|
||||
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
|
||||
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
|
||||
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
|
||||
server in order to seed its internal pseudo random
|
||||
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
|
||||
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
|
||||
server in order to seed its internal pseudo random
|
||||
number generator (PRNG).
|
||||
|
||||
<b>RESOURCE AND RATE CONTROLS</b>
|
||||
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
|
||||
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
|
||||
The maximal number of parallel deliveries to the
|
||||
same destination via the smtp message delivery
|
||||
The maximal number of parallel deliveries to the
|
||||
same destination via the smtp message delivery
|
||||
transport.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
|
||||
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
|
||||
The maximal number of recipients per delivery via
|
||||
The maximal number of recipients per delivery via
|
||||
the smtp message delivery transport.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
|
||||
The SMTP client time limit for completing a TCP
|
||||
The SMTP client time limit for completing a TCP
|
||||
connection, or zero (use the operating system
|
||||
built-in time limit).
|
||||
|
||||
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
|
||||
The SMTP client time limit for sending the HELO or
|
||||
EHLO command, and for receiving the initial server
|
||||
The SMTP client time limit for sending the HELO or
|
||||
EHLO command, and for receiving the initial server
|
||||
response.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
|
||||
|
@ -318,30 +324,30 @@ SMTP(8) SMTP(8)
|
|||
command, and for receiving the server response.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
|
||||
The SMTP client time limit for sending the MAIL
|
||||
FROM command, and for receiving the server
|
||||
The SMTP client time limit for sending the MAIL
|
||||
FROM command, and for receiving the server
|
||||
response.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
|
||||
The SMTP client time limit for sending the SMTP
|
||||
RCPT TO command, and for receiving the server
|
||||
The SMTP client time limit for sending the SMTP
|
||||
RCPT TO command, and for receiving the server
|
||||
response.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
|
||||
The SMTP client time limit for sending the SMTP
|
||||
DATA command, and for receiving the server
|
||||
The SMTP client time limit for sending the SMTP
|
||||
DATA command, and for receiving the server
|
||||
response.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
|
||||
The SMTP client time limit for sending the SMTP
|
||||
The SMTP client time limit for sending the SMTP
|
||||
message content.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
|
||||
The SMTP client time limit for sending the SMTP
|
||||
The SMTP client time limit for sending the SMTP
|
||||
".", and for receiving the server response.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
|
||||
The SMTP client time limit for sending the QUIT
|
||||
The SMTP client time limit for sending the QUIT
|
||||
command, and for receiving the server response.
|
||||
|
||||
Available in Postfix version 2.1 and later:
|
||||
|
@ -352,77 +358,77 @@ SMTP(8) SMTP(8)
|
|||
lookups, or zero (no limit).
|
||||
|
||||
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
|
||||
The maximal number of SMTP sessions per delivery
|
||||
request before giving up or delivering to a fall-
|
||||
The maximal number of SMTP sessions per delivery
|
||||
request before giving up or delivering to a fall-
|
||||
back relay host, or zero (no limit).
|
||||
|
||||
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
|
||||
The SMTP client time limit for sending the RSET
|
||||
The SMTP client time limit for sending the RSET
|
||||
command, and for receiving the server response.
|
||||
|
||||
Available in Postfix version 2.2 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
|
||||
Permanently enable SMTP connection caching for the
|
||||
Permanently enable SMTP connection caching for the
|
||||
specified destinations.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
|
||||
Temporarily enable SMTP connection caching while a
|
||||
Temporarily enable SMTP connection caching while a
|
||||
destination has a high volume of mail in the active
|
||||
queue.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_connection_cache_reuse_limit">smtp_connection_cache_reuse_limit</a> (10)</b>
|
||||
When SMTP connection caching is enabled, the number
|
||||
of times that an SMTP session is reused before it
|
||||
of times that an SMTP session is reused before it
|
||||
is closed.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
|
||||
When SMTP connection caching is enabled, the amount
|
||||
of time that an unused SMTP client socket is kept
|
||||
of time that an unused SMTP client socket is kept
|
||||
open before it is closed.
|
||||
|
||||
<b>TROUBLE SHOOTING CONTROLS</b>
|
||||
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
|
||||
The increment in verbose logging level when a
|
||||
remote client or server matches a pattern in the
|
||||
The increment in verbose logging level when a
|
||||
remote client or server matches a pattern in the
|
||||
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
|
||||
|
||||
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
|
||||
Optional list of remote client or server hostname
|
||||
or network address patterns that cause the verbose
|
||||
logging level to increase by the amount specified
|
||||
Optional list of remote client or server hostname
|
||||
or network address patterns that cause the verbose
|
||||
logging level to increase by the amount specified
|
||||
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
|
||||
|
||||
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
|
||||
The recipient of postmaster notifications about
|
||||
mail delivery problems that are caused by policy,
|
||||
The recipient of postmaster notifications about
|
||||
mail delivery problems that are caused by policy,
|
||||
resource, software or protocol errors.
|
||||
|
||||
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
|
||||
The list of error classes that are reported to the
|
||||
The list of error classes that are reported to the
|
||||
postmaster.
|
||||
|
||||
<b>MISCELLANEOUS CONTROLS</b>
|
||||
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
|
||||
Where the Postfix SMTP client should deliver mail
|
||||
Where the Postfix SMTP client should deliver mail
|
||||
when it detects a "mail loops back to myself" error
|
||||
condition.
|
||||
|
||||
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
|
||||
The default location of the Postfix main.cf and
|
||||
The default location of the Postfix main.cf and
|
||||
master.cf configuration files.
|
||||
|
||||
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
|
||||
How much time a Postfix daemon process may take to
|
||||
handle a request before it is terminated by a
|
||||
How much time a Postfix daemon process may take to
|
||||
handle a request before it is terminated by a
|
||||
built-in watchdog timer.
|
||||
|
||||
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
|
||||
Disable DNS lookups in the Postfix SMTP and LMTP
|
||||
Disable DNS lookups in the Postfix SMTP and LMTP
|
||||
clients.
|
||||
|
||||
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
|
||||
Optional list of relay hosts for SMTP destinations
|
||||
Optional list of relay hosts for SMTP destinations
|
||||
that can't be found or that are unreachable.
|
||||
|
||||
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
|
||||
|
@ -430,7 +436,7 @@ SMTP(8) SMTP(8)
|
|||
tem receives mail on.
|
||||
|
||||
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
|
||||
The Internet protocols Postfix will attempt to use
|
||||
The Internet protocols Postfix will attempt to use
|
||||
when making or accepting connections.
|
||||
|
||||
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
|
||||
|
@ -438,55 +444,55 @@ SMTP(8) SMTP(8)
|
|||
over an internal communication channel.
|
||||
|
||||
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
|
||||
The maximum amount of time that an idle Postfix
|
||||
daemon process waits for the next service request
|
||||
The maximum amount of time that an idle Postfix
|
||||
daemon process waits for the next service request
|
||||
before exiting.
|
||||
|
||||
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
|
||||
The maximal number of connection requests before a
|
||||
The maximal number of connection requests before a
|
||||
Postfix daemon process terminates.
|
||||
|
||||
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
|
||||
The process ID of a Postfix command or daemon
|
||||
The process ID of a Postfix command or daemon
|
||||
process.
|
||||
|
||||
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
|
||||
The process name of a Postfix command or daemon
|
||||
The process name of a Postfix command or daemon
|
||||
process.
|
||||
|
||||
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
|
||||
The network interface addresses that this mail sys-
|
||||
tem receives mail on by way of a proxy or network
|
||||
tem receives mail on by way of a proxy or network
|
||||
address translation unit.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
|
||||
An optional numerical network address that the SMTP
|
||||
client should bind to when making an IPv4 connec-
|
||||
client should bind to when making an IPv4 connec-
|
||||
tion.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
|
||||
An optional numerical network address that the SMTP
|
||||
client should bind to when making an IPv6 connec-
|
||||
client should bind to when making an IPv6 connec-
|
||||
tion.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
|
||||
The hostname to send in the SMTP EHLO or HELO com-
|
||||
The hostname to send in the SMTP EHLO or HELO com-
|
||||
mand.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
|
||||
What mechanisms when the SMTP client uses to look
|
||||
What mechanisms when the SMTP client uses to look
|
||||
up a host's IP address.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
|
||||
Randomize the order of equal-preference MX host
|
||||
Randomize the order of equal-preference MX host
|
||||
addresses.
|
||||
|
||||
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
|
||||
The syslog facility of Postfix logging.
|
||||
|
||||
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
|
||||
The mail system name that is prepended to the
|
||||
process name in syslog records, so that "smtpd"
|
||||
The mail system name that is prepended to the
|
||||
process name in syslog records, so that "smtpd"
|
||||
becomes, for example, "postfix/smtpd".
|
||||
|
||||
<b>SEE ALSO</b>
|
||||
|
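Review bot: the smtp_host_lookup summary in this hunk, "What mechanisms when the SMTP client uses to look up a host's IP address", is ungrammatical in both the old and the new line, so the regeneration carried a pre-existing typo forward. If this HTML is produced from the postconf parameter description, fix the sentence at its source (e.g. "What mechanisms the Postfix SMTP client uses to look up a host's IP address") rather than in the generated page, so the next regeneration does not reintroduce it.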
@ -504,7 +510,7 @@ SMTP(8) SMTP(8)
|
|||
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
|
||||
|
||||
<b>LICENSE</b>
|
||||
The Secure Mailer license must be distributed with this
|
||||
The Secure Mailer license must be distributed with this
|
||||
software.
|
||||
|
||||
<b>AUTHOR(S)</b>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: smtp.8,v 1.1.1.9 2005/08/18 21:04:23 rpaulo Exp $
|
||||
.\" $NetBSD: smtp.8,v 1.1.1.10 2006/02/25 22:06:48 rpaulo Exp $
|
||||
.\"
|
||||
.TH SMTP 8
|
||||
.ad
|
||||
|
@ -105,6 +105,10 @@ Ignore DNS MX lookups that produce no response.
|
|||
Always send EHLO at the start of an SMTP session.
|
||||
.IP "\fBsmtp_never_send_ehlo (no)\fR"
|
||||
Never send EHLO at the start of an SMTP session.
|
||||
.IP "\fBsmtp_cname_overrides_servername (yes)\fR"
|
||||
Allow DNS CNAME records to override the servername that the
|
||||
Postfix SMTP client uses for logging, SASL password lookup, TLS
|
||||
policy decisions, or TLS certificate verification.
|
||||
.IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
|
||||
Defer mail delivery when no MX record resolves to an IP address.
|
||||
.IP "\fBsmtp_line_length_limit (990)\fR"
|
||||
|
|
|
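Review bot: the new .IP entry for smtp_cname_overrides_servername (yes) names the mechanism but not which setting is the safe one. Since every use it lists (logging, SASL password lookup, TLS policy decisions, TLS certificate verification) is security relevant, the summary should say that the default "yes" keeps the old behaviour and that "no" stops a DNS CNAME from redirecting those decisions to a different name, and it should point at the TLS_README section "Closing a DNS loophole" that this commit adds to the table of contents.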
@ -313,6 +313,7 @@ while (<>) {
|
|||
s;\bsmtp_always_send_ehlo\b;<a href="postconf.5.html#smtp_always_send_ehlo">$&</a>;g;
|
||||
s;\bsmtp_bind_address\b;<a href="postconf.5.html#smtp_bind_address">$&</a>;g;
|
||||
s;\bsmtp_bind_address6\b;<a href="postconf.5.html#smtp_bind_address6">$&</a>;g;
|
||||
s;\bsmtp_cname_overrides_servername\b;<a href="postconf.5.html#smtp_cname_overrides_servername">$&</a>;g;
|
||||
s;\bsmtp_connect_timeout\b;<a href="postconf.5.html#smtp_connect_timeout">$&</a>;g;
|
||||
|
||||
s;\bsmtp_connection_cache_on_demand\b;<a href="postconf.5.html#smtp_connection_cache_on_demand">$&</a>;g;
|
||||
|
|
|
@ -68,7 +68,7 @@ available. You already know that oqmgr(8) uses round-robin by destination
|
|||
while qmgr(8) uses simple FIFO, except for some preemptive magic.
|
||||
The postconf(5) manual documents all the knobs the user
|
||||
can use to control this preemptive magic - there is nothing else
|
||||
to the preemption than the quite simple conditions described below.
|
||||
to the preemption than the quite simple conditions described in there.
|
||||
</p>
|
||||
|
||||
<p> As for programmer-level documentation, this will have to be
|
||||
|
|
|
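Review bot: "described in there" in the replacement line is awkward English; "described there" or "described in postconf(5)" reads naturally and keeps the reference to the manual that the preceding sentence names.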
@ -129,6 +129,11 @@ the <tt>make(1)</tt> files with the necessary definitions. This is
|
|||
done by invoking the command "<tt>make makefiles</tt>" in the Postfix
|
||||
top-level directory and with arguments as shown next. </p>
|
||||
|
||||
<p> <b> NOTE: Do not use Gnu TLS. It will spontaneously terminate
|
||||
a Postfix daemon process with exit status code 2, instead of allowing
|
||||
Postfix to 1) report the error to the maillog file, and to 2) provide
|
||||
plaintext service where this is appropriate. </b> </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> If the OpenSSL include files (such as <tt>ssl.h</tt>) are
|
||||
|
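Review bot: the project's name in the new NOTE paragraph is spelled "GnuTLS", not "Gnu TLS". The NOTE also states a failure mode (spontaneous termination with exit status 2, bypassing maillog reporting and plaintext fallback) without saying which GnuTLS or Postfix version it was observed with; add that, otherwise readers cannot tell whether a later release is affected.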
@ -553,7 +558,8 @@ can specify any database type that can store objects of several
|
|||
kbytes and that supports the sequence operator. DBM databases are
|
||||
not suitable because they can only store small objects. The cache
|
||||
is maintained by the tlsmgr(8) process, so there is no problem with
|
||||
concurrent access. </p>
|
||||
concurrent access. Session caching is highly recommended, because
|
||||
the cost of repeatedly negotiating TLS session keys is high.</p>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
|
@ -632,7 +638,7 @@ certificate must no longer be used (e.g. an employee leaving). </p>
|
|||
|
||||
<p> The Postfix list manipulation routines give special treatment
|
||||
to whitespace and some other characters, making the use of certificate
|
||||
names unpractical. Instead we use the certificate fingerprints as
|
||||
names impractical. Instead we use the certificate fingerprints as
|
||||
they are difficult to fake but easy to use for lookup. Postfix
|
||||
lookup tables are in the form of (key, value) pairs. Since we only
|
||||
need the key, the value can be chosen freely, e.g. the name of
|
||||
|
@ -725,9 +731,23 @@ key configuration </a>
|
|||
|
||||
<li><a href="#client_tls_cache">Client-side TLS session cache</a>
|
||||
|
||||
<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
|
||||
<li><a href="#client_tls_enable"> Enabling TLS in the Postfix SMTP client </a>
|
||||
|
||||
<li><a href="#client_vrfy_server">Server certificate verification</a>
|
||||
<li><a href="#client_tls_require"> Requiring TLS encryption </a>
|
||||
|
||||
<li><a href="#client_tls_nopeer"> Disabling server certificate verification </a>
|
||||
|
||||
<li><a href="#client_tls_per_site"> Per-site TLS policies </a>
|
||||
|
||||
<!--
|
||||
<li><a href="#client_tls_obs"> Obsolete per-site TLS policy support </a>
|
||||
-->
|
||||
|
||||
<li><a href="#client_tls_harden"> Closing a DNS loophole with <!-- legacy --> per-site TLS policies </a>
|
||||
|
||||
<li><a href="#client_tls_discover"> Discovering servers that support TLS </a>
|
||||
|
||||
<li><a href="#client_vrfy_server">Server certificate verification depth</a>
|
||||
|
||||
<li> <a href="#client_cipher">Client-side cipher controls </a>
|
||||
|
||||
|
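Review bot: renaming the anchor from client_tls to client_tls_enable breaks every existing external link and bookmark to TLS_README.html#client_tls; keep an empty <a name="client_tls"></a> at the old location as an alias. The commented-out client_tls_obs entry and the "<!-- legacy -->" marker inside the client_tls_harden link text look like editing residue; either finish them or drop them. Also confirm that matching <a name=...> targets exist in the body for client_tls_harden and client_tls_discover, since only client_tls_require, client_tls_nopeer and client_tls_per_site are visible as headings in this diff.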
@ -787,7 +807,7 @@ the overhead of the TLS exchange. </p>
|
|||
certificates issued by these CAs, append the root certificate to
|
||||
$smtp_tls_CAfile or install it in the $smtp_tls_CApath directory. When
|
||||
you configure trust in a root CA, it is not necessary to explicitly trust
|
||||
intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth
|
||||
intermediary CAs signed by the root CA, unless $smtp_tls_scert_verifydepth
|
||||
is less than the number of CAs in the certificate chain for the servers
|
||||
of interest. With a verify depth of 1 you can only verify certificates
|
||||
directly signed by a trusted CA, and all trusted intermediary CAs need to
|
||||
|
@ -904,7 +924,10 @@ can specify any database type that can store objects of several
|
|||
kbytes and that supports the sequence operator. DBM databases are
|
||||
not suitable because they can only store small objects. The cache
|
||||
is maintained by the tlsmgr(8) process, so there is no problem with
|
||||
concurrent access. </p>
|
||||
concurrent access. Session caching is highly recommended, because
|
||||
the cost of repeatedly negotiating TLS session keys is high. Future
|
||||
Postfix SMTP servers may limit the number of sessions that a client
|
||||
is allowed to negotiate per unit time.</p>
|
||||
|
||||
|
||||
<p> Example: </p>
|
||||
|
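Review bot: the added sentence "Future Postfix SMTP servers may limit the number of sessions that a client is allowed to negotiate per unit time" is a forward-looking promise that will go stale in a README; drop it or state the rate-limiting concern as a reason without committing a future version. The same "Session caching is highly recommended" sentence is added to the server-side section in the earlier hunk with different wording; make both identical so one does not drift from the other on the next edit.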
@ -930,24 +953,19 @@ recommends a maximum of 24 hours. </p>
|
|||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
|
||||
</h3>
|
||||
<h3><a name="client_tls_enable"> Enabling TLS in the Postfix SMTP
|
||||
client </a> </h3>
|
||||
|
||||
<p> By default, TLS is disabled in the Postfix SMTP client, so no
|
||||
difference to plain Postfix is visible. If you enable TLS, the
|
||||
Postfix SMTP client will send STARTTLS when TLS support is announced
|
||||
by the remote SMTP server. </p>
|
||||
|
||||
<p> WARNING: MS Exchange servers will announce STARTTLS support
|
||||
even when the service is not configured, so that the TLS handshake
|
||||
will fail. It may be wise to not use this option on your central
|
||||
mail hub, as you don't know in advance whether you are going to
|
||||
connect to such a host. Instead, use the smtp_tls_per_site
|
||||
recipient/site specific options that are described below. </p>
|
||||
|
||||
<p> When the TLS handshake fails and no other server is available,
|
||||
the Postfix SMTP client defers the delivery attempt, and the mail
|
||||
stays in the queue. </p>
|
||||
<p> When the server accepts the STARTTLS command, but the subsequent
|
||||
TLS handshake fails, and no other server is available, the Postfix SMTP
|
||||
client defers the delivery attempt, and the mail stays in the queue. After
|
||||
a handshake failure, the communications channel is in an indeterminate
|
||||
state and cannot be used for non-TLS deliveries. </p>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
|
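Review bot: this hunk removes the WARNING paragraph about servers (MS Exchange is named) that announce STARTTLS although TLS is not configured, so the handshake fails. The replacement paragraph correctly explains that delivery is deferred and that the channel cannot be reused for a plaintext delivery, but it no longer tells the operator of a central mail hub how to avoid the problem; keep a pointer to the per-site TLS policy section, which was the original advice, so that operational guidance is not lost with the warning.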
@ -958,6 +976,9 @@ stays in the queue. </p>
|
|||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="client_tls_require"> Requiring TLS encryption </a>
|
||||
</h3>
|
||||
|
||||
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
|
||||
will not deliver mail over unencrypted connections. In this mode,
|
||||
the remote SMTP server hostname must match the information in the
|
||||
|
@ -967,14 +988,14 @@ server certificate doesn't verify or the remote SMTP server hostname
|
|||
doesn't match, and no other server is available, the delivery
|
||||
attempt is deferred and the mail stays in the queue. </p>
|
||||
|
||||
<p> The remote SMTP server hostname used in the check is beyond
|
||||
question, as it must be the principal hostname (no CNAME allowed
|
||||
here). Checks are performed against all names provided as dNSNames
|
||||
<p> The remote SMTP server hostname is verified against all names
|
||||
provided as dNSNames
|
||||
in the SubjectAlternativeName. If no dNSNames are specified, the
|
||||
CommonName is checked. The behavior may be changed with the
|
||||
CommonName is checked. Verification may be turned off with the
|
||||
smtp_tls_enforce_peername option which is discussed below. </p>
|
||||
|
||||
<p> This option is useful only if you know that you will only
|
||||
<p> Enforcing the use of TLS is useful if you know that you will
|
||||
only
|
||||
connect to servers that support RFC 2487 _and_ that present server
|
||||
certificates that meet the above requirements. An example would
|
||||
be a client only sends email to one specific mailhub that offers
|
||||
|
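Review bot: the removed sentence stated that the verified hostname is the principal hostname with no CNAME allowed; the replacement says nothing about where the verified name comes from, even though the smtp_cname_overrides_servername parameter added to smtp.8 in this same commit lets a DNS CNAME change it and defaults to "yes". Add one sentence saying that the name checked against the dNSNames or CommonName depends on that parameter, otherwise a reader will assume certificate verification is immune to a CNAME substitution that the default still permits. Minor: the reflow left the word "only" on a line by itself; harmless in HTML but worth tidying.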
@ -985,10 +1006,13 @@ the necessary STARTTLS support. </p>
|
|||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
smtp_enforce_tls = no
|
||||
smtp_enforce_tls = yes
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3> <a name="client_tls_nopeer"> Disabling server certificate
|
||||
verification </a> </h3>
|
||||
|
||||
<p> As of RFC 2487 the requirements for hostname checking for MTA
|
||||
clients are not set. When TLS is required (smtp_enforce_tls = yes),
|
||||
the option smtp_tls_enforce_peername can be set to "no" to disable
|
||||
|
@ -996,106 +1020,200 @@ strict remote SMTP server hostname checking. In this case, the mail
|
|||
delivery will proceed regardless of the CommonName etc. listed in
|
||||
the certificate. </p>
|
||||
|
||||
<p> Note: the smtp_tls_enforce_peername setting has no effect on
|
||||
sessions that are controlled via the smtp_tls_per_site table. </p>
|
||||
|
||||
<p> Disabling the remote SMTP server hostname verification can
|
||||
make sense in closed environment where special CAs are created.
|
||||
If not used carefully, this option opens the danger of a
|
||||
"man-in-the-middle" attack (the CommonName of this possible attacker
|
||||
is logged). </p>
|
||||
<p> Despite the potential for eliminating "man-in-the-middle" and
|
||||
other attacks, mandatory certificate/peername verification is not
|
||||
viable as a default Internet mail delivery policy at this time. A
|
||||
significant fraction of TLS enabled MTAs uses self-signed certificates,
|
||||
or certificates that are signed by a private certificate authority.
|
||||
On a machine that delivers mail to the Internet, if you set
|
||||
smtp_enforce_tls = yes, you should probably also set
|
||||
smtp_tls_enforce_peername = no. You can use the per-site TLS
|
||||
policies (see below) to enable full peer verification for specific
|
||||
destinations that are known to have verifiable TLS server certificates.
|
||||
</p>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
smtp_tls_enforce_peername = yes
|
||||
smtp_enforce_tls = yes
|
||||
smtp_tls_enforce_peername = no
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Generally, trying TLS can be a bad idea, as some servers offer
|
||||
STARTTLS but the negotiation will fail leading to unexplainable
|
||||
failures. Instead, it may be a good idea to choose the TLS usage
|
||||
policy based on the recipient or the mailhub to which you are
|
||||
connecting. </p>
|
||||
<h3> <a name="client_tls_per_site"> Per-site TLS policies </a> </h3>
|
||||
|
||||
<p> Deciding the TLS usage policy per recipient may be difficult,
|
||||
since a single email delivery attempt can involve several recipients.
|
||||
Instead, use of TLS is controlled by the Postfix next-hop destination
|
||||
domain name and by the remote SMTP server hostname. If either of these
|
||||
matches an entry in the smtp_tls_per_site table, appropriate action
|
||||
is taken. </p>
|
||||
<p> A small fraction of servers offer STARTTLS but the negotiation
|
||||
consistently fails, leading to mail aging out of the queue and
|
||||
bouncing back to the sender. In such cases, you can use the per-site
|
||||
policies to disable TLS for the problem sites. Alternatively, you
|
||||
can enable TLS for just a few specific sites and not enable it for
|
||||
all sites. </p>
|
||||
|
||||
<p> The remote SMTP server hostname is simply the DNS name of the
|
||||
server that the Postfix SMTP client connects to. The next-hop
|
||||
destination is Postfix specific. By default, this is the domain
|
||||
name in the recipient address, but this information can be overruled
|
||||
by the transport(5) table or by the relayhost parameter setting.
|
||||
In these cases the relayhost etc. must be listed in the smtp_tls_per_site
|
||||
table, instead of the recipient domain name. </p>
|
||||
<!-- insert new-style TLS policy mechanism here
|
||||
|
||||
<p> Format of the table: domain or host names are specified on the
|
||||
left-hand side; no wildcards are allowed. On the right hand side
|
||||
specify one of the following keywords: </p>
|
||||
<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
|
||||
</a> </h3>
|
||||
|
||||
<p> This section describes an obsolete per-site TLS policy mechanism.
|
||||
Unlike the newer mechanism it supports TLS policy lookup by server
|
||||
hostname, and lacks control over what names can appear in server
|
||||
certificates. Because of this, the obsolete mechanism is vulnerable
|
||||
to false DNS hostname information in MX or CNAME records. These
|
||||
attacks can be eliminated only with great difficulty. </p>
|
||||
|
||||
-->
|
||||
|
||||
<p> The smtp_tls_per_site table is searched for a policy that matches
|
||||
the following information: </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
|
||||
<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
|
||||
name of the server that the Postfix SMTP client connects to; this
|
||||
name may be obtained from other DNS lookups, such as MX lookups or
|
||||
CNAME lookups. </dd>
|
||||
|
||||
<dt> MAY </dt> <dd> Try to use STARTTLS if offered, otherwise use
|
||||
the unencrypted connection. </dd>
|
||||
|
||||
<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
|
||||
remote SMTP server hostname matches the information in the remote
|
||||
SMTP server certificate, and require that the remote SMTP server
|
||||
certificate was issued by a trusted CA. </dd>
|
||||
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
|
||||
not require that the remote SMTP server hostname matches the
|
||||
information in the remote SMTP server certificate, or that the
|
||||
server certificate was issued by a trusted CA. </dd>
|
||||
<dt> next-hop destination </dt> <dd> This is normally the domain
|
||||
portion of the recipient address, but it may be overruled by
|
||||
information from the transport(5) table, from the relayhost parameter
|
||||
setting, or from the relay_transport setting. When it's not the
|
||||
recipient domain, the next-hop destination can have the Postfix-specific
|
||||
form "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or
|
||||
"<tt>name:port</tt>". </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> The actual TLS usage policy depends not only on whether the
|
||||
next-hop destination or remote SMTP server hostname are found in
|
||||
the smtp_tls_per_site table, but also on the smtp_enforce_tls
|
||||
setting: </p>
|
||||
<p> When both the hostname lookup and the next-hop lookup succeed,
|
||||
the host policy does not automatically override the next-hop policy.
|
||||
Instead, precedence is given to either the more specific or the
|
||||
more secure per-site policy as described below. </p>
|
||||
|
||||
<p> The smtp_tls_per_site table uses a simple "<i>name whitespace
|
||||
value</i>" format. Specify host names or next-hop destinations on
|
||||
the left-hand side; no wildcards are allowed. On the right hand
|
||||
side specify one of the following keywords: </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
|
||||
specific <b>MAY</b> lookup result from the alternate host or next-hop
|
||||
lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
|
||||
and smtp_tls_enforce_peername settings. </dd>
|
||||
|
||||
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
|
||||
otherwise use the unencrypted connection. This has less precedence
|
||||
than a more specific result (including <b>NONE</b>) from the alternate
|
||||
host or next-hop lookup key, and has less precedence than the more
|
||||
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
|
||||
= yes". </dd>
|
||||
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
|
||||
require that the remote SMTP server hostname matches the information
|
||||
in the remote SMTP server certificate, or that the server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
or a less specific <b>MAY</b> lookup result from the alternate host
|
||||
or next-hop lookup key, and overrides the global smtp_use_tls,
|
||||
smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>
|
||||
|
||||
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
|
||||
SMTP server hostname matches the information in the remote SMTP
|
||||
server certificate, and require that the remote SMTP server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
|
||||
result from the alternate host or next-hop lookup key, and overrides
|
||||
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
|
||||
settings. </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> The precedences between global (main.cf) and per-site TLS
|
||||
policies can be summarized as follows: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> If no match was found, the policy is applied as specified
|
||||
with smtp_enforce_tls. </p>
|
||||
<li> <p> When neither the remote SMTP server hostname nor the
|
||||
next-hop destination are found in the smtp_tls_per_site table, the
|
||||
policy is based on smtp_use_tls, smtp_enforce_tls and
|
||||
smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and
|
||||
"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
|
||||
|
||||
<li> <p> If a match was found, and the smtp_enforce_tls policy is
|
||||
"enforce", NONE explicitly switches it off; otherwise the "enforce"
|
||||
mode is used even for entries that specify MAY. </p>
|
||||
<li> <p> When both hostname and next-hop destination lookups produce
|
||||
a result, the more specific per-site policy (NONE, MUST, etc)
|
||||
overrides the less specific one (MAY), and the more secure per-site
|
||||
policy (MUST, etc) overrides the less secure one (NONE). </p>
|
||||
|
||||
<li> <p> After the per-site policy lookups are combined, the result
|
||||
generally overrides the global policy. The exception is the less
|
||||
specific <b>MAY</b> per-site policy, which is overruled by the more
|
||||
specific global "smtp_enforce_tls = yes" with server certificate
|
||||
verification as specified with the smtp_tls_enforce_peername
|
||||
parameter. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Special hint for TLS enforcement mode: since no secure DNS
|
||||
lookup mechanism is available, mail can be delivered to the wrong
|
||||
remote SMTP server. This is not prevented by specifying MUST for
|
||||
the next-hop domain name. The recommended setup is: specify local
|
||||
transport(5) table entries for sensitive domains with explicit
|
||||
smtp:[mailhost] destinations (since you can assure security of this
|
||||
table unlike DNS), then specify MUST for these mail hosts in the
|
||||
smtp_tls_per_site table. </p>
|
||||
<h3> <a name="client_tls_harden"> Closing a DNS loophole with
|
||||
<!-- legacy --> per-site TLS policies </a> </h3>
|
||||
|
||||
<p> As long as no secure DNS lookup mechanism is available, false
|
||||
hostnames in MX or CNAME responses can change the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. Even with a perfect match between the server hostname
|
||||
and the server certificate, there is no guarantee that Postfix is
|
||||
connected to the right server. To avoid this loophole take the
|
||||
following steps: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Eliminate MX lookups. Specify local transport(5) table
|
||||
entries for sensitive domains with explicit smtp:[<i>mailhost</i>]
|
||||
or smtp:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
|
||||
security of this table unlike DNS); in the smtp_tls_per_site table
|
||||
specify the value <b>MUST</b> for the key [<i>mailhost</i>] or
|
||||
smtp:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
|
||||
information in DNS MX records from changing the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. </p>
|
||||
|
||||
<li> <p> Disallow CNAME hostname overrides. In main.cf specify
|
||||
"smtp_cname_overrides_servername = no". This prevents false hostname
|
||||
information in DNS CNAME records from changing the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. This feature requires Postfix 2.2.9 or later. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Example: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
|
||||
<blockquote> <pre>
|
||||
/etc/postfix/main.cf:
|
||||
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
|
||||
relayhost = [msa.example.net]:587
|
||||
|
||||
/etc/postfix/tls_per_site:
|
||||
# relayhost exact nexthop match
|
||||
[msa.example.net]:587 MUST
|
||||
|
||||
# TLS should not be used with the <i>example.org</i> MX hosts.
|
||||
example.org NONE
|
||||
|
||||
# TLS should not be used with the host <i>smtp.example.com</i>.
|
||||
smtp.example.com NONE
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3> <a name="client_tls_discover"> Discovering servers that support
|
||||
TLS </a> </h3>
|
||||
|
||||
<p> As we decide on a "per site" basis whether or not to use TLS,
|
||||
it would be good to have a list of sites that offered "STARTTLS".
|
||||
We can collect it ourselves with this option. </p>
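Review bot: in the "Eliminate MX lookups" item the smtp_tls_per_site key is given as "[mailhost] or smtp:[mailhost]:port", but the table is keyed by the next-hop destination, which carries no "smtp:" transport prefix; the example further down in this hunk uses "[msa.example.net]:587 MUST" for "relayhost = [msa.example.net]:587", so the second key form should read "[mailhost]:port" (the postconf.proto text in this change gets it right with "including [ ] and port"). Also, the next-hop destination forms in the "<dd>" read "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or "<tt>name:port</tt>", with the opening quote missing before the second form.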
|
||||
|
@ -1119,7 +1237,7 @@ postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
|
|||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
|
||||
<h3><a name="client_vrfy_server">Server certificate verification depth</a> </h3>
|
||||
|
||||
<p> When verifying a remote SMTP server certificate, a verification
|
||||
depth of 1 is sufficient if the certificate is directly issued by
|
||||
|
@ -1376,7 +1494,7 @@ super-user privileges. </p>
|
|||
</blockquote>
|
||||
|
||||
<li> <p> Configure Postfix, by adding the following to
|
||||
<tt>/etc/postfix/main.cf</tt>. </p>
|
||||
<tt>/etc/postfix/main.cf </tt>. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
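Review bot: "<tt>/etc/postfix/main.cf </tt>." introduces a space inside the <tt> element, which renders as a visible gap between the filename and the period ("main.cf ."); the previous "<tt>/etc/postfix/main.cf</tt>." already keeps the period outside the literal path, so the added space should be dropped.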
|
||||
|
@ -1443,8 +1561,22 @@ protocol in order to access the tlsmgr(8) pseudo-random number
|
|||
generation (PRNG) pool, and in order to access the TLS session
|
||||
cache databases. Such a protocol cannot be run across fifos. </p>
|
||||
|
||||
<li> <p> smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy
|
||||
cannot override the global "smtp_tls_enforce_peername = yes" setting.
|
||||
</p>
|
||||
|
||||
<li> <p> smtp_tls_per_site: a combined (NONE + MAY) lookup result
|
||||
for (hostname and next-hop destination) produces counter-intuitive
|
||||
results for different main.cf settings. TLS is enabled with
|
||||
"smtp_tls_enforce_peername = no", but it is disabled when both
|
||||
"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
|
||||
</p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> The smtp_tls_per_site limitations were removed by the end of
|
||||
the Postfix 2.2 support cycle. </p>
|
||||
|
||||
<h2><a name="credits">Credits </a> </h2>
|
||||
|
||||
<ul>
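Review bot: all fourteen lines of this hunk are additions, so the same edit adds two smtp_tls_per_site items to the known-limitations list (MUST_NOPEERMATCH unable to override "smtp_tls_enforce_peername = yes", and the NONE + MAY combination giving different results depending on main.cf) and then states that "the smtp_tls_per_site limitations were removed by the end of the Postfix 2.2 support cycle". Listing limitations that the next sentence declares removed is confusing, and the sentence names no version; since this is the 2.2.9 release, reword the two items as "Before Postfix 2.2.9, ..." and close with "These limitations were removed in Postfix 2.2.9", so readers of earlier 2.2 point releases know which version carries the fix.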
|
||||
|
@ -1455,6 +1587,10 @@ Jänicke at Cottbus Technical University.
|
|||
<li> Wietse Venema adopted the code, did some restructuring, and
|
||||
compiled this part of the documentation from Lutz's documents.
|
||||
|
||||
<li> Victor Duchovni was instrumental with the re-implementation
|
||||
of the smtp_tls_per_site code in terms of enforcement levels, which
|
||||
simplified the implementation greatly.
|
||||
|
||||
</ul>
|
||||
|
||||
</body>
|
||||
|
|
|
@ -7750,7 +7750,7 @@ is suitable for, e.g., pop-before-smtp lookup tables. </dd>
|
|||
|
||||
<p> Examples: </p>
|
||||
|
||||
<p> The Postfix < 2.2 backwards compatible setting: always rewrite
|
||||
<p> The Postfix < 2.2 backwards compatible setting: always rewrite
|
||||
message headers, and always append my own domain to incomplete
|
||||
header addresses. </p>
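Review bot: the removed and added lines of this hunk read identically here ("The Postfix < 2.2 backwards compatible setting: always rewrite"), so the rendered view has collapsed whatever changed; if the edit is the escaping of the bare "<" as an entity in the HTML source, that is the right fix, but it can only be confirmed from the raw diff.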
|
||||
|
||||
|
@ -8251,38 +8251,79 @@ CommonName of this attacker will be logged). </p>
|
|||
%PARAM smtp_tls_per_site
|
||||
|
||||
<p> Optional lookup tables with the Postfix SMTP client TLS usage
|
||||
policy by next-hop domain name and by remote SMTP server hostname.
|
||||
</p>
|
||||
policy by next-hop destination and by remote SMTP server hostname.
|
||||
When both lookups succeed, the more specific per-site policy (NONE,
|
||||
MUST, etc) overrides the less specific one (MAY), and the more
|
||||
secure per-site policy (MUST, etc) overrides the less secure one
|
||||
(NONE). </p>
|
||||
|
||||
<p> Table format: domain names or server hostnames are specified
|
||||
on the left-hand side; no wildcards are allowed. On the right hand
|
||||
side specify one of the following keywords: </p>
|
||||
<p> Specify a next-hop destination or server hostname on the left-hand
|
||||
side; no wildcards are allowed. The next-hop destination is either
|
||||
the recipient domain, or the destination specified with a transport(5)
|
||||
table, the relayhost parameter, or the relay_transport parameter.
|
||||
On the right hand side specify one of the following keywords: </p>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
|
||||
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
|
||||
specific <b>MAY</b> lookup result from the alternate host or next-hop
|
||||
lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
|
||||
and smtp_tls_enforce_peername settings. </dd>
|
||||
|
||||
<dt> MAY </dt> <dd>Try to use STARTTLS if offered, otherwise use
|
||||
the unencrypted connection. </dd>
|
||||
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
|
||||
otherwise use the unencrypted connection. This has less precedence
|
||||
than a more specific result (including <b>NONE</b>) from the alternate
|
||||
host or next-hop lookup key, and has less precedence than the more
|
||||
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
|
||||
= yes". </dd>
|
||||
|
||||
<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
|
||||
remote SMTP server hostname matches the information in the remote
|
||||
SMTP server certificate, and require that the remote SMTP server
|
||||
certificate was issued by a trusted CA. </dd>
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
|
||||
require that the remote SMTP server hostname matches the information
|
||||
in the remote SMTP server certificate, or that the server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
or a less specific <b>MAY</b> lookup result from the alternate host
|
||||
or next-hop lookup key, and overrides the global smtp_use_tls,
|
||||
smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>
|
||||
|
||||
<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
|
||||
not require that the remote SMTP server hostname matches the
|
||||
information in the remote SMTP server certificate, or that the
|
||||
server certificate was issued by a trusted CA. </dd>
|
||||
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
|
||||
SMTP server hostname matches the information in the remote SMTP
|
||||
server certificate, and require that the remote SMTP server certificate
|
||||
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
|
||||
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
|
||||
result from the alternate host or next-hop lookup key, and overrides
|
||||
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
|
||||
settings. </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
<p> Special hint for enforcement mode: since no secure DNS lookup
|
||||
mechanism is available, the recommended setup is: specify local
|
||||
transport(5) table entries for sensitive domains with explicit
|
||||
smtp:[mailhost] destinations (since you can assure security of this
|
||||
table unlike DNS), then specify MUST for these mail hosts in the
|
||||
smtp_tls_per_site table. </p>
|
||||
<p> As long as no secure DNS lookup mechanism is available, false
|
||||
hostnames in MX or CNAME responses can change the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. Even with a perfect match between the server hostname
|
||||
and the server certificate, there is no guarantee that Postfix is
|
||||
connected to the right server. To avoid this loophole take the
|
||||
following steps: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> Disallow CNAME hostname overrides. In main.cf specify
|
||||
"smtp_cname_overrides_servername = no". This prevents false hostname
|
||||
information in DNS CNAME records from changing the server hostname
|
||||
that Postfix uses for TLS policy lookup and server certificate
|
||||
verification. This feature requires Postfix 2.2.9 or later.
|
||||
|
||||
<li> Eliminate MX lookups. Specify local transport(5) table entries
|
||||
for sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
|
||||
destinations. This prevents false hostname information in DNS MX
|
||||
records from changing the server hostname that Postfix uses for TLS
|
||||
policy lookup and server certificate verification.
|
||||
|
||||
<li> Specify MUST for these mail hosts (including [ ] and port) in
|
||||
the smtp_tls_per_site table.
|
||||
|
||||
</ul>
|
||||
|
||||
<p> </p>
|
||||
|
||||
%PARAM smtp_tls_scert_verifydepth 5
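Review bot: the new bullet list orders the steps "Disallow CNAME hostname overrides", "Eliminate MX lookups", "Specify MUST for these mail hosts (including [ ] and port)", while the TLS_README text in this same change lists MX elimination first and folds the MUST step into it; the order is a detail, but the third bullet's key form "(including [ ] and port)" is the correct one and the README should say the same instead of "smtp:[mailhost]:port". The stray empty "<p> </p>" just before "%PARAM smtp_tls_scert_verifydepth" should also go.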
|
||||
|
||||
|
@ -8412,3 +8453,14 @@ examples are shown in the ADDRESS_REWRITING_README and
|
|||
STANDARD_CONFIGURATION_README documents. </p>
|
||||
|
||||
<p> This feature is available in Postfix 2.2 and later. </p>
|
||||
|
||||
%PARAM smtp_cname_overrides_servername yes
|
||||
|
||||
<p> Allow DNS CNAME records to override the servername that the
|
||||
Postfix SMTP client uses for logging, SASL password lookup, TLS
|
||||
policy decisions, or TLS certificate verification. The default value
|
||||
(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
|
||||
smtp_tls_per_site hostname-based policies against false hostname
|
||||
information in DNS CNAME records. </p>
|
||||
|
||||
<p> This feature is available in Postfix 2.2.9 and later. </p>
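Review bot: the description says that "no" hardens hostname-based smtp_tls_per_site policies against false CNAME records, but on its own it closes only half of the loophole: MX lookup results can still substitute the server hostname, and the TLS_README text in this change requires explicit "smtp:[mailhost]" transport(5) entries to suppress MX lookups. Add that caveat, or a pointer to the "Closing a DNS loophole" steps, here, since postconf(5) is where administrators will read about the parameter.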
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: cleanup_api.c,v 1.1.1.6 2004/05/31 00:24:27 heas Exp $ */
|
||||
/* $NetBSD: cleanup_api.c,v 1.1.1.7 2006/02/25 22:08:15 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -226,6 +226,14 @@ int cleanup_flush(CLEANUP_STATE *state)
|
|||
vstream_control(state->handle->stream,
|
||||
VSTREAM_CTL_PATH, cleanup_path,
|
||||
VSTREAM_CTL_END);
|
||||
|
||||
/*
|
||||
* XXX: When delivering to a non-incoming queue, do not consume
|
||||
* in_flow tokens. Unfortunately we can't move the code that
|
||||
* consumes tokens until after the mail is received, because that
|
||||
* would increase the risk of duplicate deliveries (RFC 1047).
|
||||
*/
|
||||
(void) mail_flow_put(1);
|
||||
}
|
||||
state->errs = mail_stream_finish(state->handle, (VSTRING *) 0);
|
||||
} else {
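Review bot: the new comment says "do not consume in_flow tokens", but the code that follows, "(void) mail_flow_put(1);", gives a token back; since the comment itself explains that the consuming code cannot be moved, reword it to "give back the in_flow token that was already consumed" so that a reader does not take mail_flow_put() for the consuming call. The "XXX" marker also signals something unresolved, while the text describes a settled design choice; say what, if anything, is still open.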
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: dns.h,v 1.1.1.5 2005/12/01 21:42:42 rpaulo Exp $ */
|
||||
/* $NetBSD: dns.h,v 1.1.1.6 2006/02/25 22:08:22 rpaulo Exp $ */
|
||||
|
||||
#ifndef _DNS_H_INCLUDED_
|
||||
#define _DNS_H_INCLUDED_
|
||||
|
@ -82,7 +82,8 @@ typedef struct DNS_FIXED {
|
|||
* named after the things one can expect to find in a DNS resource record.
|
||||
*/
|
||||
typedef struct DNS_RR {
|
||||
char *name; /* name, mystrdup()ed */
|
||||
char *qname; /* query name, mystrdup()ed */
|
||||
char *rname; /* reply name, mystrdup()ed */
|
||||
unsigned short type; /* T_A, T_CNAME, etc. */
|
||||
unsigned short class; /* C_IN, etc. */
|
||||
unsigned int ttl; /* always */
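Review bot: replacing "name" with the pair "qname"/"rname" is the right shape: every remaining "rr->name" use now fails to compile instead of silently binding to one of the two meanings, so nothing can be missed in the conversion. The field comments ("query name", "reply name") should add when the two differ, namely that rname is the owner name from the answer and only departs from qname after CNAME expansion, so that each call site picks the one it needs deliberately.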
|
||||
|
@ -106,7 +107,8 @@ extern unsigned dns_type(const char *);
|
|||
/*
|
||||
* dns_rr.c
|
||||
*/
|
||||
extern DNS_RR *dns_rr_create(const char *, ushort, ushort,
|
||||
extern DNS_RR *dns_rr_create(const char *, const char *,
|
||||
ushort, ushort,
|
||||
unsigned, unsigned,
|
||||
const char *, unsigned);
|
||||
extern void dns_rr_free(DNS_RR *);
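Review bot: the prototype "dns_rr_create(const char *, const char *, ushort, ushort, ...)" now opens with two unnamed parameters of the same type; the compiler cannot catch a caller that passes them in the wrong order, so name them in the declaration ("const char *qname, const char *rname") as the dns_rr.c definition in this change does.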
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: dns_rr.c,v 1.1.1.4 2005/08/18 21:05:58 rpaulo Exp $ */
|
||||
/* $NetBSD: dns_rr.c,v 1.1.1.5 2006/02/25 22:08:23 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -8,9 +8,10 @@
|
|||
/* SYNOPSIS
|
||||
/* #include <dns.h>
|
||||
/*
|
||||
/* DNS_RR *dns_rr_create(name, type, class, ttl, preference,
|
||||
/* DNS_RR *dns_rr_create(qname, rname, type, class, ttl, preference,
|
||||
/* data, data_len)
|
||||
/* const char *name;
|
||||
/* const char *qname;
|
||||
/* const char *rname;
|
||||
/* unsigned short type;
|
||||
/* unsigned short class;
|
||||
/* unsigned int ttl;
|
||||
|
@ -43,7 +44,8 @@
|
|||
/* information, and maintain lists of DNS resource records.
|
||||
/*
|
||||
/* dns_rr_create() creates and initializes one resource record.
|
||||
/* The \fIname\fR record specifies the record name.
|
||||
/* The \fIqname\fR field specifies the query name.
|
||||
/* The \fIrname\fR field specifies the reply name.
|
||||
/* \fIpreference\fR is used for MX records; \fIdata\fR is a null
|
||||
/* pointer or specifies optional resource-specific data;
|
||||
/* \fIdata_len\fR is the amount of resource-specific data.
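Review bot: the manual text "The \fIqname\fR field specifies the query name." and "The \fIrname\fR field specifies the reply name." does not tell callers which name to use for what; a sentence noting that the reply name differs from the query name only after CNAME expansion, and is the one to use for logging and certificate matching when CNAME overrides are allowed, would document the point of the change.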
|
||||
|
@ -93,14 +95,16 @@
|
|||
|
||||
/* dns_rr_create - fill in resource record structure */
|
||||
|
||||
DNS_RR *dns_rr_create(const char *name, ushort type, ushort class,
|
||||
DNS_RR *dns_rr_create(const char *qname, const char *rname,
|
||||
ushort type, ushort class,
|
||||
unsigned int ttl, unsigned pref,
|
||||
const char *data, unsigned data_len)
|
||||
{
|
||||
DNS_RR *rr;
|
||||
|
||||
rr = (DNS_RR *) mymalloc(sizeof(*rr) + data_len - 1);
|
||||
rr->name = mystrdup(name);
|
||||
rr->qname = mystrdup(qname);
|
||||
rr->rname = mystrdup(rname);
|
||||
rr->type = type;
|
||||
rr->class = class;
|
||||
rr->ttl = ttl;
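Review bot: "rr->qname = mystrdup(qname);" and "rr->rname = mystrdup(rname);" both dereference their argument unconditionally, so a caller that has only one name must pass it twice (as dns_sa_to_rr() does in this change); either state in the manual text that a null rname is not accepted, or default rname to qname when it is null, so that future callers cannot trip over it.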
|
||||
|
@ -119,7 +123,8 @@ void dns_rr_free(DNS_RR *rr)
|
|||
if (rr) {
|
||||
if (rr->next)
|
||||
dns_rr_free(rr->next);
|
||||
myfree(rr->name);
|
||||
myfree(rr->qname);
|
||||
myfree(rr->rname);
|
||||
myfree((char *) rr);
|
||||
}
|
||||
}
|
||||
|
@ -136,7 +141,8 @@ DNS_RR *dns_rr_copy(DNS_RR *src)
|
|||
*/
|
||||
dst = (DNS_RR *) mymalloc(len);
|
||||
memcpy((char *) dst, (char *) src, len);
|
||||
dst->name = mystrdup(src->name);
|
||||
dst->qname = mystrdup(src->qname);
|
||||
dst->rname = mystrdup(src->rname);
|
||||
dst->next = 0;
|
||||
return (dst);
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: dns_sa_to_rr.c,v 1.1.1.1 2005/08/18 21:05:59 rpaulo Exp $ */
|
||||
/* $NetBSD: dns_sa_to_rr.c,v 1.1.1.2 2006/02/25 22:08:24 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -56,12 +56,12 @@ DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr * sa)
|
|||
#define DUMMY_TTL 0
|
||||
|
||||
if (sa->sa_family == AF_INET) {
|
||||
return (dns_rr_create(hostname, T_A, C_IN, DUMMY_TTL, pref,
|
||||
return (dns_rr_create(hostname, hostname, T_A, C_IN, DUMMY_TTL, pref,
|
||||
(char *) &SOCK_ADDR_IN_ADDR(sa),
|
||||
sizeof(SOCK_ADDR_IN_ADDR(sa))));
|
||||
#ifdef HAS_IPV6
|
||||
} else if (sa->sa_family == AF_INET6) {
|
||||
return (dns_rr_create(hostname, T_AAAA, C_IN, DUMMY_TTL, pref,
|
||||
return (dns_rr_create(hostname, hostname, T_AAAA, C_IN, DUMMY_TTL, pref,
|
||||
(char *) &SOCK_ADDR_IN6_ADDR(sa),
|
||||
sizeof(SOCK_ADDR_IN6_ADDR(sa))));
|
||||
#endif
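Review bot: "dns_rr_create(hostname, hostname, ...)" passes the same string as query name and reply name; that is correct because this function synthesizes records from a sockaddr without any DNS lookup, but a one-line comment saying so would stop a reader from concluding that CNAME handling was overlooked here.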
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: test_dns_lookup.c,v 1.1.1.3 2005/08/18 21:05:59 rpaulo Exp $ */
|
||||
/* $NetBSD: test_dns_lookup.c,v 1.1.1.4 2006/02/25 22:08:24 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -47,7 +47,7 @@ static void print_rr(DNS_RR *rr)
|
|||
MAI_HOSTADDR_STR host;
|
||||
|
||||
while (rr) {
|
||||
printf("%s: ttl: %9d ", rr->name, rr->ttl);
|
||||
printf("%s: ttl: %9d ", rr->rname, rr->ttl);
|
||||
switch (rr->type) {
|
||||
case T_A:
|
||||
#ifdef T_AAAA
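Review bot: "printf("%s: ttl: %9d ", rr->rname, rr->ttl);" prints only the reply name, so this test program can no longer show whether a CNAME changed the name; printing rr->qname next to rr->rname would make the new distinction observable in the output, which is what the tool exists for.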
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
starttls, 8bitmime, verp, etrn, etrn -> 0x51 -> 8BITMIME ETRN VERP
|
||||
starttls, 8bitmime, verp, etrn, etrn -> 0xd1 -> 8BITMIME ETRN VERP STARTTLS
|
||||
foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY
|
||||
xclient, xforward -> 0x180 -> XCLIENT XFORWARD
|
||||
xclient, xforward -> 0x300 -> XCLIENT XFORWARD
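Review bot: the reference values change consistently: "0x51" to "0xd1" adds the 0x80 bit and STARTTLS now appears in the decoded list, and "0x180" to "0x300" is the same two bits shifted up by one, so XCLIENT and XFORWARD moved to make room; the unchanged "0x2e" line confirms that bits below 0x80 are untouched. Anything outside this test that hard-codes the numeric mask values needs the same renumbering.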
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: input_transp.c,v 1.1.1.3 2005/08/18 21:06:20 rpaulo Exp $ */
|
||||
/* $NetBSD: input_transp.c,v 1.1.1.4 2006/02/25 22:08:49 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -28,7 +28,7 @@
|
|||
/* given in parentheses:
|
||||
/* .IP "no_unknown_recipient_checks (INPUT_TRANSP_UNKNOWN_RCPT)"
|
||||
/* Do not try to reject unknown recipients.
|
||||
/* .IP "no_address_mapping (INPUT_TRANSP_ADDRESS_MAPPING)
|
||||
/* .IP "no_address_mappings (INPUT_TRANSP_ADDRESS_MAPPING)
|
||||
/* Disable canonical address mapping, virtual alias map expansion,
|
||||
/* address masquerading, and automatic BCC recipients.
|
||||
/* .IP "no_header_body_checkss (INPUT_TRANSP_HEADER_BODY)
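Review bot: while correcting "no_address_mapping" to "no_address_mappings", note that the context line two below, ".IP "no_header_body_checkss (INPUT_TRANSP_HEADER_BODY)", has a doubled "s", and that both it and the corrected line lack the closing double quote that ".IP "no_unknown_recipient_checks (INPUT_TRANSP_UNKNOWN_RCPT)"" has; fix all three in this hunk.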
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: mail_addr_find.c,v 1.1.1.4 2004/05/31 00:24:31 heas Exp $ */
|
||||
/* $NetBSD: mail_addr_find.c,v 1.1.1.5 2006/02/25 22:08:49 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -109,7 +109,10 @@ const char *mail_addr_find(MAPS *path, const char *address, char **extp)
|
|||
if (*var_rcpt_delim == 0) {
|
||||
bare_key = saved_ext = 0;
|
||||
} else {
|
||||
bare_key = strip_addr(full_key, &saved_ext, *var_rcpt_delim);
|
||||
/* Preserve case of extension. */
|
||||
bare_key = strip_addr(address, &saved_ext, *var_rcpt_delim);
|
||||
if (bare_key != 0)
|
||||
lowercase(bare_key);
|
||||
}
|
||||
|
||||
/*
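Review bot: the comment "/* Preserve case of extension. */" says what but not why: deriving bare_key from "address" instead of the lowercased "full_key" changes only what strip_addr() stores in saved_ext, because bare_key is lowercased again two lines later. State that the extension is handed back to the caller (presumably through "extp") and must keep the user's case; as written, a reader could think the lowercase() call below undoes the fix.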
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: mail_version.h,v 1.1.1.20 2006/01/05 02:11:43 rpaulo Exp $ */
|
||||
/* $NetBSD: mail_version.h,v 1.1.1.21 2006/02/25 22:08:59 rpaulo Exp $ */
|
||||
|
||||
#ifndef _MAIL_VERSION_H_INCLUDED_
|
||||
#define _MAIL_VERSION_H_INCLUDED_
|
||||
|
@ -22,8 +22,8 @@
|
|||
* Patches change the patchlevel and the release date. Snapshots change the
|
||||
* release date only.
|
||||
*/
|
||||
#define MAIL_RELEASE_DATE "20060103"
|
||||
#define MAIL_VERSION_NUMBER "2.2.8"
|
||||
#define MAIL_RELEASE_DATE "20060221"
|
||||
#define MAIL_VERSION_NUMBER "2.2.9"
|
||||
|
||||
#define VAR_MAIL_VERSION "mail_version"
|
||||
#ifdef SNAPSHOT
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: lmtp_addr.c,v 1.1.1.3 2005/08/18 21:07:17 rpaulo Exp $ */
|
||||
/* $NetBSD: lmtp_addr.c,v 1.1.1.4 2006/02/25 22:09:20 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -107,7 +107,7 @@ static void lmtp_print_addr(char *what, DNS_RR *addr_list)
|
|||
msg_warn("skipping record type %s: %m", dns_strtype(addr->type));
|
||||
} else {
|
||||
msg_info("pref %4d host %s/%s",
|
||||
addr->pref, addr->name,
|
||||
addr->pref, addr->rname,
|
||||
hostaddr.buf);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: lmtp_connect.c,v 1.1.1.6 2005/08/18 21:07:18 rpaulo Exp $ */
|
||||
/* $NetBSD: lmtp_connect.c,v 1.1.1.7 2006/02/25 22:09:21 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -202,10 +202,10 @@ static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port,
|
|||
SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0);
|
||||
if (msg_verbose)
|
||||
msg_info("%s: trying: %s[%s] port %d...",
|
||||
myname, addr->name, hostaddr.buf, ntohs(port));
|
||||
myname, addr->rname, hostaddr.buf, ntohs(port));
|
||||
|
||||
return (lmtp_connect_sock(sock, sa, salen,
|
||||
addr->name, hostaddr.buf, destination, why));
|
||||
addr->rname, hostaddr.buf, destination, why));
|
||||
}
|
||||
|
||||
/* lmtp_connect_sock - connect a socket over some transport */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: local.c,v 1.1.1.7 2005/08/18 21:07:29 rpaulo Exp $ */
|
||||
/* $NetBSD: local.c,v 1.1.1.8 2006/02/25 22:09:27 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -831,6 +831,7 @@ int main(int argc, char **argv)
|
|||
VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
|
||||
VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0,
|
||||
VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0,
|
||||
VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
|
||||
0,
|
||||
};
|
||||
static CONFIG_BOOL_TABLE bool_table[] = {
|
||||
|
@ -846,7 +847,6 @@ int main(int argc, char **argv)
|
|||
VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0,
|
||||
VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0,
|
||||
VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0,
|
||||
VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
|
||||
VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0,
|
||||
0,
|
||||
};
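Review bot: this removal completes the move started in the previous hunk; the two must be applied together, otherwise the parameter is either registered twice or not at all. Note that VAR_MAILBOX_COMMAND deliberately stays in this table, because its $name references are expanded per delivery rather than at startup, so only the maps entry should move.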
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: qmgr_message.c,v 1.1.1.4 2005/08/18 21:07:58 rpaulo Exp $ */
|
||||
/* $NetBSD: qmgr_message.c,v 1.1.1.5 2006/02/25 22:09:39 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -843,8 +843,14 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message)
|
|||
|
||||
/*
|
||||
* Content filtering overrides the address resolver.
|
||||
*
|
||||
* XXX Bypass content_filter inspection for user-generated probes
|
||||
* (sendmail -bv). MTA-generated probes never have the "please filter
|
||||
* me" bits turned on, but we handle them here anyway for the sake of
|
||||
* future proofing.
|
||||
*/
|
||||
else if (message->filter_xport) {
|
||||
else if (message->filter_xport
|
||||
&& (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
|
||||
vstring_strcpy(reply.transport, message->filter_xport);
|
||||
if ((nexthop = split_at(STR(reply.transport), ':')) == 0
|
||||
|| *nexthop == 0)
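Review bot: the new condition bypasses content_filter only when (message->tflags & DEL_REQ_TRACE_ONLY_MASK) is non-zero, and the comment explains this for sendmail -bv. It would be worth spelling out in the same comment that trace-only requests never deliver message content, so skipping the filter here cannot let real mail escape inspection; that is the property a reader auditing the filter path will want confirmed. Also consider wrapping the two-line condition in parentheses for readability, matching the style of the split_at() test below it.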
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: smtp.c,v 1.1.1.8 2005/08/18 21:08:49 rpaulo Exp $ */
|
||||
/* $NetBSD: smtp.c,v 1.1.1.9 2006/02/25 22:10:02 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -87,6 +87,10 @@
|
|||
/* Always send EHLO at the start of an SMTP session.
|
||||
/* .IP "\fBsmtp_never_send_ehlo (no)\fR"
|
||||
/* Never send EHLO at the start of an SMTP session.
|
||||
/* .IP "\fBsmtp_cname_overrides_servername (yes)\fR"
|
||||
/* Allow DNS CNAME records to override the servername that the
|
||||
/* Postfix SMTP client uses for logging, SASL password lookup, TLS
|
||||
/* policy decisions, or TLS certificate verification.
|
||||
/* .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
|
||||
/* Defer mail delivery when no MX record resolves to an IP address.
|
||||
/* .IP "\fBsmtp_line_length_limit (990)\fR"
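Review bot: the new manual text says what the parameter allows when set to "yes" but not which name the client falls back to when it is "no" (the next-hop or recipient domain, a host name given explicitly in configuration, or the name returned by an MX lookup). Since the setting affects SASL password lookup and TLS certificate verification, the documentation should state that, and should mention that names obtained from MX lookups still come from DNS, so the parameter alone does not pin the server name unless the MX lookup is bypassed with an explicit [hostname] next-hop.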
|
||||
|
@ -499,6 +503,7 @@ bool var_smtp_tls_note_starttls_offer;
|
|||
|
||||
char *var_smtp_generic_maps;
|
||||
char *var_prop_extension;
|
||||
bool var_smtp_cname_overr;
|
||||
|
||||
/*
|
||||
* Global variables. smtp_errno is set by the address lookup routines and by
|
||||
|
@ -792,6 +797,7 @@ int main(int argc, char **argv)
|
|||
VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
|
||||
VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
|
||||
#endif
|
||||
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
|
||||
|
||||
0,
|
||||
};
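Review bot: placing VAR_SMTP_CNAME_OVERR after the #endif is correct, since the parameter also governs logging and SASL password lookup and must be registered in builds without USE_TLS. A comment noting that this entry is intentionally outside the TLS-only block would keep a future cleanup from moving it inside.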
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: smtp.h,v 1.1.1.6 2005/08/18 21:08:50 rpaulo Exp $ */
|
||||
/* $NetBSD: smtp.h,v 1.1.1.7 2006/02/25 22:10:03 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -166,6 +166,12 @@ extern SSL_CTX *smtp_tls_ctx; /* client-side TLS engine */
|
|||
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* What's in a name?
|
||||
*/
|
||||
#define SMTP_HNAME(rr) (var_smtp_cname_overr ? (rr)->rname : (rr)->qname)
|
||||
|
||||
/*
|
||||
* smtp_session.c
|
||||
*/
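Review bot: the "What's in a name?" comment does not document the macro's semantics. Please state that (rr)->qname is the name that was queried and (rr)->rname is the name after CNAME expansion, and that with var_smtp_cname_overr set (the compatible default) the expanded name is used for logging, SASL lookup and TLS policy. This macro is also placed outside the USE_TLS block, which is correct for the same reason as the parameter registration in smtp.c.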
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: smtp_session.c,v 1.1.1.3 2005/08/18 21:08:58 rpaulo Exp $ */
|
||||
/* $NetBSD: smtp_session.c,v 1.1.1.4 2006/02/25 22:10:08 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -130,14 +130,20 @@
|
|||
#ifdef USE_TLS
|
||||
|
||||
/*
|
||||
* Per-site policies can override main.cf settings.
|
||||
* TLS enforcement level. Actual TLS policies will be NONE or higher.
|
||||
*
|
||||
* There are two pseudo levels: NOTFOUND is a sentinel value for the ease of
|
||||
* implementation; MAY is a wild-card that indicates "anything goes".
|
||||
*
|
||||
* Non pseudo levels can also be used to indicate the actual security level of
|
||||
* a session.
|
||||
*/
|
||||
typedef struct {
|
||||
int dont_use; /* don't use TLS */
|
||||
int use; /* useless, see above */
|
||||
int enforce; /* must always use TLS */
|
||||
int enforce_peername; /* must verify certificate name */
|
||||
} SMTP_TLS_SITE_POLICY;
|
||||
#define SMTP_TLS_LEV_NOTFOUND (-1) /* sentinel */
|
||||
#define SMTP_TLS_LEV_NONE 0 /* plain-text only */
|
||||
#define SMTP_TLS_LEV_MAY 1 /* wildcard */
|
||||
#define SMTP_TLS_LEV_ENCRYPT 2 /* encrypted connection */
|
||||
#define SMTP_TLS_LEV_VERIFY 3 /* certificate verified */
|
||||
#define SMTP_TLS_LEV_STRICT 4 /* "secure" verification */
|
||||
|
||||
static MAPS *tls_per_site; /* lookup table(s) */
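Review bot: SMTP_TLS_LEV_STRICT is defined here but nothing in this patch assigns, compares or prints it; smtp_tls_policy_print() in the next hunk reports it as "unknown". Either drop the constant until the "secure" verification level is implemented, or add it to the print routine so a verbose log never labels a defined level as unknown. The comment on SMTP_TLS_LEV_NONE could also say explicitly that NONE overrides MAY but never lowers ENCRYPT or VERIFY, since that ordering drives the lookup logic later in the file.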
|
||||
|
||||
|
@ -149,9 +155,21 @@ void smtp_tls_list_init(void)
|
|||
DICT_FLAG_LOCK);
|
||||
}
|
||||
|
||||
/* smtp_tls_policy_print - print policy level */
|
||||
|
||||
static void smtp_tls_policy_print(const char *name, int level)
|
||||
{
|
||||
msg_info("%s TLS level: %s", name,
|
||||
level == SMTP_TLS_LEV_VERIFY ? "verify" :
|
||||
level == SMTP_TLS_LEV_ENCRYPT ? "encrypt" :
|
||||
level == SMTP_TLS_LEV_MAY ? "may" :
|
||||
level == SMTP_TLS_LEV_NONE ? "none" :
|
||||
"unknown");
|
||||
}
|
||||
|
||||
/* smtp_tls_site_policy - look up per-site TLS policy */
|
||||
|
||||
static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
|
||||
static void smtp_tls_site_policy(int *site_level,
|
||||
const char *site_name,
|
||||
const char *site_class)
|
||||
{
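Review bot: smtp_tls_policy_print() has no case for SMTP_TLS_LEV_NOTFOUND, yet smtp_tls_level_init() later calls it with "site" while site_level may still be NOTFOUND (no per-site entry matched), so verbose logs will read "site TLS level: unknown" for the most common case. Add a "notfound" (or "not found") branch so that the sentinel is distinguishable from a genuinely unexpected value.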
|
||||
|
@ -159,33 +177,101 @@ static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
|
|||
char *lookup_key;
|
||||
|
||||
/*
|
||||
* Initialize the default policy.
|
||||
*/
|
||||
policy->dont_use = 0;
|
||||
policy->use = 0;
|
||||
policy->enforce = 0;
|
||||
policy->enforce_peername = 0;
|
||||
|
||||
/*
|
||||
* Look up a non-default policy.
|
||||
* Look up a non-default policy. In case of multiple lookup results, the
|
||||
* precedence order is a permutation of the TLS enforcement level order:
|
||||
* VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more
|
||||
* specific policy including NONE, otherwise we choose the stronger
|
||||
* enforcement level.
|
||||
*/
|
||||
lookup_key = lowercase(mystrdup(site_name));
|
||||
if ((lookup = maps_find(tls_per_site, lookup_key, 0)) != 0) {
|
||||
if (!strcasecmp(lookup, "NONE"))
|
||||
policy->dont_use = 1;
|
||||
else if (!strcasecmp(lookup, "MAY"))
|
||||
policy->use = 1;
|
||||
else if (!strcasecmp(lookup, "MUST"))
|
||||
policy->enforce = policy->enforce_peername = 1;
|
||||
else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
|
||||
policy->enforce = 1;
|
||||
else
|
||||
if (!strcasecmp(lookup, "NONE")) {
|
||||
/* NONE overrides MAY or NOTFOUND. */
|
||||
if (*site_level <= SMTP_TLS_LEV_MAY)
|
||||
*site_level = SMTP_TLS_LEV_NONE;
|
||||
} else if (!strcasecmp(lookup, "MAY")) {
|
||||
/* MAY overrides NOTFOUND but not NONE. */
|
||||
if (*site_level < SMTP_TLS_LEV_NONE)
|
||||
*site_level = SMTP_TLS_LEV_MAY;
|
||||
} else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) {
|
||||
if (*site_level < SMTP_TLS_LEV_ENCRYPT)
|
||||
*site_level = SMTP_TLS_LEV_ENCRYPT;
|
||||
} else if (!strcasecmp(lookup, "MUST")) {
|
||||
if (*site_level < SMTP_TLS_LEV_VERIFY)
|
||||
*site_level = SMTP_TLS_LEV_VERIFY;
|
||||
} else {
|
||||
msg_warn("Table %s: ignoring unknown TLS policy '%s' for %s %s",
|
||||
var_smtp_tls_per_site, lookup, site_class, site_name);
|
||||
}
|
||||
}
|
||||
myfree(lookup_key);
|
||||
}
|
||||
|
||||
/* smtp_tls_level_init - configure session TLS enforcement level */
|
||||
|
||||
static int smtp_tls_level_init(const char *dest, const char *host)
|
||||
{
|
||||
int global_level;
|
||||
int site_level;
|
||||
int tls_level;
|
||||
|
||||
/*
|
||||
* Compute the global TLS policy. This is the default policy level when
|
||||
* no per-site policy exists. It also is used to override a wild-card
|
||||
* per-site policy.
|
||||
*/
|
||||
if (var_smtp_enforce_tls)
|
||||
global_level = var_smtp_tls_enforce_peername ?
|
||||
SMTP_TLS_LEV_VERIFY : SMTP_TLS_LEV_ENCRYPT;
|
||||
else
|
||||
global_level = var_smtp_use_tls ?
|
||||
SMTP_TLS_LEV_MAY : SMTP_TLS_LEV_NONE;
|
||||
if (msg_verbose)
|
||||
smtp_tls_policy_print("global", global_level);
|
||||
|
||||
/*
|
||||
* Compute the per-site TLS enforcement level. For compatibility with the
|
||||
* original TLS patch, this algorithm is gives equal precedence to host
|
||||
* and next-hop policies.
|
||||
*/
|
||||
site_level = SMTP_TLS_LEV_NOTFOUND;
|
||||
|
||||
if (tls_per_site) {
|
||||
smtp_tls_site_policy(&site_level, dest, "next-hop destination");
|
||||
if (strcasecmp(dest, host) != 0)
|
||||
smtp_tls_site_policy(&site_level, host, "server hostname");
|
||||
if (msg_verbose)
|
||||
smtp_tls_policy_print("site", site_level);
|
||||
}
|
||||
|
||||
/*
|
||||
* Override a wild-card per-site policy with a more specific global
|
||||
* policy.
|
||||
*
|
||||
* With the original TLS patch, 1) a per-site ENCRYPT could not override a
|
||||
* global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced
|
||||
* inconsistent results: it changed a global VERIFY into NONE, while
|
||||
* producing MAY with all weaker global policy settings.
|
||||
*
|
||||
* With the current implementation, a combined per-site (NONE+MAY)
|
||||
* consistently overrides global policy with NONE, and global policy can
|
||||
* override only a per-site MAY wildcard. That is, specific policies
|
||||
* consistently override wildcard policies, and (non-wildcard) per-site
|
||||
* policies consistently override global policies.
|
||||
*/
|
||||
if (site_level == SMTP_TLS_LEV_NOTFOUND
|
||||
|| (site_level == SMTP_TLS_LEV_MAY
|
||||
&& global_level > SMTP_TLS_LEV_MAY))
|
||||
tls_level = global_level;
|
||||
else
|
||||
tls_level = site_level;
|
||||
|
||||
if (msg_verbose && tls_per_site)
|
||||
smtp_tls_policy_print("effective", tls_level);
|
||||
|
||||
return (tls_level);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
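Review bot: the level logic in smtp_tls_site_policy() matches the comment: NONE and MAY only ever raise a NOTFOUND/MAY level, MUST_NOPEERMATCH and MUST only raise, so for combined (host, next-hop) lookups the result is the stronger explicit policy, with NONE beating MAY. Two remarks. First, the comment in smtp_tls_level_init() reads "this algorithm is gives equal precedence"; drop "is". Second, the "server hostname" lookup key passed to smtp_tls_site_policy() is whatever name the caller resolved for the server, which with the default smtp_cname_overrides_servername=yes is the CNAME-expanded name from DNS; a per-site entry keyed on a host name is therefore matched on a DNS-derived string, and the comment block describing the precedence rules should say which name is meant so that operators writing per-site policies are not surprised. The verbose "effective" log line is a good place to also print the lookup key that was used.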
|
||||
|
@ -196,12 +282,6 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest,
|
|||
{
|
||||
SMTP_SESSION *session;
|
||||
|
||||
#ifdef USE_TLS
|
||||
SMTP_TLS_SITE_POLICY host_policy;
|
||||
SMTP_TLS_SITE_POLICY rcpt_policy;
|
||||
|
||||
#endif
|
||||
|
||||
session = (SMTP_SESSION *) mymalloc(sizeof(*session));
|
||||
session->stream = stream;
|
||||
session->dest = mystrdup(dest);
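Review bot: with host_policy and rcpt_policy gone, the remaining context shows an #ifdef USE_TLS that now encloses only a blank line before its #endif. Remove the empty conditional block along with the declarations rather than leaving it behind.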
|
||||
|
@ -238,39 +318,14 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest,
|
|||
session->tls_enforce_peername = 0;
|
||||
session->tls_context = 0;
|
||||
session->tls_info = tls_info_zero;
|
||||
|
||||
/*
|
||||
* Override the main.cf TLS policy with an optional per-site policy.
|
||||
*/
|
||||
if (smtp_tls_ctx != 0) {
|
||||
smtp_tls_site_policy(&host_policy, host, "receiving host");
|
||||
smtp_tls_site_policy(&rcpt_policy, dest, "recipient domain");
|
||||
|
||||
/*
|
||||
* Set up TLS enforcement for this session.
|
||||
*/
|
||||
if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use)
|
||||
|| host_policy.enforce || rcpt_policy.enforce)
|
||||
session->tls_enforce_tls = session->tls_use_tls = 1;
|
||||
|
||||
/*
|
||||
* Set up peername checking for this session.
|
||||
*
|
||||
* We want to make sure that a MUST* entry in the tls_per_site table
|
||||
* always has precedence. MUST always must lead to a peername check,
|
||||
* MUST_NOPEERMATCH must always disable it. Only when no explicit
|
||||
* setting has been found, the default will be used. There is the
|
||||
* case left, that both "host" and "recipient" settings conflict. In
|
||||
* this case, the "host" setting wins.
|
||||
*/
|
||||
if (host_policy.enforce && host_policy.enforce_peername)
|
||||
session->tls_enforce_peername = 1;
|
||||
else if (rcpt_policy.enforce && rcpt_policy.enforce_peername)
|
||||
session->tls_enforce_peername = 1;
|
||||
else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
|
||||
session->tls_enforce_peername = 1;
|
||||
else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use)
|
||||
session->tls_use_tls = 1;
|
||||
switch (smtp_tls_level_init(dest, host)) {
|
||||
case SMTP_TLS_LEV_VERIFY:
|
||||
session->tls_enforce_peername = 1;
|
||||
case SMTP_TLS_LEV_ENCRYPT:
|
||||
session->tls_enforce_tls = 1;
|
||||
case SMTP_TLS_LEV_MAY:
|
||||
session->tls_use_tls = 1;
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
debug_peer_check(host, addr);
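Review bot: the switch relies on fall-through from SMTP_TLS_LEV_VERIFY through ENCRYPT to MAY to set the cumulative flags; add explicit /* FALLTHROUGH */ comments on the VERIFY and ENCRYPT cases, and a comment on the absent NONE/default case noting that all three flags stay at their zero initialization. More importantly, the removed code only consulted the per-site table inside `if (smtp_tls_ctx != 0)`, whereas the new call to smtp_tls_level_init() is unconditional, so a MUST or MUST_NOPEERMATCH policy now sets tls_enforce_tls even when the TLS library failed to initialize instead of being silently dropped; that is the desired fail-closed behaviour, and a one-line comment stating that the call is intentionally not guarded by smtp_tls_ctx would keep someone from "restoring" the guard.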
|
||||
|
|
|
@ -107,8 +107,8 @@ OK
|
|||
>>> mail sname@sdomain
|
||||
OK
|
||||
>>> rcpt rname@rdomain
|
||||
./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
|
||||
554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain
|
||||
./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
|
||||
554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld
|
||||
>>> #
|
||||
>>> # Check MX access
|
||||
>>> #
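Review bot: the expected reject text changes from the literal "abuse@domain" to "abuse@example.tld", i.e. the HELO parameter is now substituted into the RBL reply template. The test only covers the HELO case; if the same template substitution applies to sender or client lookups, the reference file should gain an expectation for those too so a regression in the substitution is caught for all lookup types.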
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: rewrite.c,v 1.1.1.7 2005/08/18 21:09:45 rpaulo Exp $ */
|
||||
/* $NetBSD: rewrite.c,v 1.1.1.8 2006/02/25 22:10:35 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
@ -175,7 +175,8 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree)
|
|||
/*
|
||||
* Append missing @origin
|
||||
*/
|
||||
else if (var_append_at_myorigin != 0) {
|
||||
else if (var_append_at_myorigin != 0
|
||||
&& context->origin[0][0] != 0) {
|
||||
domain = tok822_sub_append(tree, tok822_alloc('@', (char *) 0));
|
||||
tok822_sub_append(tree, tok822_scan(REW_PARAM_VALUE(context->origin),
|
||||
(TOK822 **) 0));
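Review bot: the added `context->origin[0][0] != 0` test stops rewrite_tree() from appending a bare "@" followed by nothing when the origin resolves to an empty string, which would otherwise produce a malformed address. The check reads the first character of the first element of a two-level array; a short comment saying that an empty origin means "leave the address alone" would make that indexing self-explanatory.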
|
||||
|
@ -188,6 +189,7 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree)
|
|||
* alone.
|
||||
*/
|
||||
if (var_append_dot_mydomain != 0
|
||||
&& context->domain[0][0] != 0
|
||||
&& (domain = tok822_rfind_type(tree->tail, '@')) != 0
|
||||
&& domain != tree->tail
|
||||
&& tok822_find_type(domain, TOK822_DOMLIT) == 0
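Review bot: this mirrors the origin check in the previous hunk for the domain case, so an empty mydomain no longer causes a trailing "." to be appended. Since the two checks are the same idiom, consider a small macro or inline helper (for example an is-empty test on the parameter value) rather than repeating the `[0][0] != 0` indexing in two places.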
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: inet_util.c,v 1.1.1.5 2006/01/05 02:17:36 rpaulo Exp $ */
|
||||
/* $NetBSD: inet_util.c,v 1.1.1.6 2006/02/25 22:10:55 rpaulo Exp $ */
|
||||
|
||||
/*++
|
||||
/* NAME
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: inet_util.h,v 1.1.1.5 2006/01/05 02:17:39 rpaulo Exp $ */
|
||||
/* $NetBSD: inet_util.h,v 1.1.1.6 2006/02/25 22:10:55 rpaulo Exp $ */
|
||||
|
||||
#ifndef _INET_UTIL_H_INCLUDED_
|
||||
#define _INET_UTIL_H_INCLUDED_
|
||||
|
|