| Commit message (Collapse) | Author | Age | Files |
This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing. With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:
postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)
This applies to the smarthost as well as to verification probes on the
Mail Submission Agent. Placing messages into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.
This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain. Other domains, even those using mx[12].fripost.org as MX, are
not covered. A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration. It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.
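A defender-side companion to the pinning policy above, added here as an example and not part of the repository: it parses smtp(8) log lines in the format the commit quotes and counts, per next hop, the deferrals that the failed certificate check produces (dsn=4.7.5), which is the signal to alert on. The log lines, host names and addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtp(8) log format (not real log data).
# The dsn=4.7.5 entries are what a failed key-material pinning check produces.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix-out/smtp[2101]: 1A2B3C: to=<alice@fripost.org>, relay=mx1.fripost.org[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.3/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Mar  1 10:00:02 mx postfix-out/smtp[2101]: 4D5E6F: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=1.2, delays=0.2/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  1 10:00:05 mx postfix-out/smtp[2102]: 7A8B9C: to=<carol@lists.fripost.org>, relay=mx1.fripost.org[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.2/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Mar  1 10:00:09 mx postfix-out/smtp[2103]: D0E1F2: to=<dave@fripost.org>, relay=mx2.fripost.org[192.0.2.11]:25, delay=0.5, delays=0.1/0/0.4/0, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# queue id, then the comma-separated key=value fields, then the parenthesised reason
LINE_RE = re.compile(
    r"postfix-out/smtp\[\d+\]: (?P<qid>[0-9A-F]+): (?P<fields>.*?) "
    r"\((?P<reason>[^)]*)\)$"
)

def parse_smtp_line(line):
    """Return a dict of the key=value fields plus queue id and reason, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split(", "))
    fields["qid"] = m.group("qid")
    fields["reason"] = m.group("reason")
    return fields

def tls_verification_failures(log_text):
    """Count deferrals caused by a failed server certificate check, per next hop.

    dsn=4.7.5 together with "Server certificate not verified" is the outcome the
    pinning policy forces when the presented key does not match (or STARTTLS is
    missing); a burst of these against one relay deserves an alert.
    """
    per_relay = Counter()
    for line in log_text.splitlines():
        rec = parse_smtp_line(line)
        if rec and rec.get("dsn") == "4.7.5" and "not verified" in rec["reason"]:
            per_relay[rec["relay"]] += 1
    return per_relay

if __name__ == "__main__":
    for relay, n in tls_verification_failures(SAMPLE_LOG).items():
        print(f"{relay}: {n} message(s) deferred, certificate not verified")
```

A legitimate key rotation on the relay produces the same log signature, so the count should be read together with the change log of the pinned fingerprints.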
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
Our internal IPs don't have a reverse PTR record, and skipping the
resolution speeds up mail delivery.
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
Cf. http://www.openspf.org/Best_Practices/Outbound .
And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some
downstream SMTP servers, not all of which are under our control.
Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers
yields undeliverable messages, and the bounces make us a potential
backscatter source. So it's better to disable SMTPUTF8 at this point.
Cf. also http://www.postfix.org/SMTPUTF8_README.html and
https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 .
See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 :
“Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the
envelope is definitely problematic for a receiver that does not
support SMTPUTF8, while UTF8 in a message header is less so.”
Cf. lmdb_table(5).
The following policy is now implemented:
* users can use their SASL login name as sender address;
* alias and/or list owners can use the address as envelope sender;
* domain postmasters can use arbitrary sender addresses under their
domains;
* domain owners can use arbitrary sender addresses under their domains,
unless it is also an existing account name;
* for known domains without owner or postmasters, other sender addresses
are not allowed; and
* arbitrary sender addresses under unknown domains are allowed.
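A reference model of the six rules above, added here as an example: it is plain Python with a constructed in-memory directory, not the project's Postfix/LDAP lookup tables, and the account, alias and domain names are hypothetical.

```python
# Constructed sample directory data (hypothetical; not Fripost's LDAP tree).
ACCOUNTS = {"alice@fripost.org", "bob@fripost.org",
            "carol@example.org", "dave@example.org"}
# alias or list address -> set of owners (SASL login names)
ALIAS_OWNERS = {"info@fripost.org": {"alice@fripost.org"},
                "list@example.org": {"carol@example.org"}}
DOMAIN_OWNERS = {"example.org": {"carol@example.org"}}
DOMAIN_POSTMASTERS = {"fripost.org": {"bob@fripost.org"}}
# orphan.example is hosted but has neither owner nor postmaster
KNOWN_DOMAINS = {"fripost.org", "example.org", "orphan.example"}

def sender_allowed(login, sender):
    """Decide whether SASL user `login` may use `sender` as envelope sender.

    The rules are checked in the order the policy lists them; the first
    matching rule decides.
    """
    login, sender = login.lower(), sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    # 1. Users can use their own SASL login name.
    if sender == login:
        return True
    # 2. Alias and/or list owners can use that address.
    if login in ALIAS_OWNERS.get(sender, ()):
        return True
    # 3. Domain postmasters can use arbitrary addresses under their domains.
    if login in DOMAIN_POSTMASTERS.get(domain, ()):
        return True
    # 4. Domain owners likewise, unless the address is an existing account name.
    if login in DOMAIN_OWNERS.get(domain, ()) and sender not in ACCOUNTS:
        return True
    # 5. Known domain, but no rule above matched (including domains without
    #    owner or postmaster): reject.
    if domain in KNOWN_DOMAINS:
        return False
    # 6. Arbitrary sender addresses under unknown domains are allowed.
    return True
```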
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
That is, on the MSA and in our local infrastructure.
cert itself.
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
In fact we want to only rewrite the envelope sender:
:/etc/postfix/main.cf
# Overwrite local FQDN envelope sender addresses
sender_canonical_classes = envelope_sender
propagate_unmatched_extensions =
sender_canonical_maps = cdb:$config_directory/sender_canonical
:/etc/postfix/sender_canonical
@elefant.fripost.org admin@fripost.org
However, when canonical(5) processes a mail sent via sendmail(1), it
rewrites the envelope sender which seems to *later* be used as From:
header.
E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone
would be provisioned by ansible, too.) It's a bit unclear how to index
the subdomains (mx{1,2,3}, etc), though.
And use main.cf's 'master_service_disable' setting to deactivate each
service that's useless for a given instance. (Hence solving conflicts when
trying to listen twice on the same port, for instance.)
It's unfortunate that samhain cannot use the sendmail binary, and wants
to use an inet socket instead. We use a custom port to avoid
conflicts with the usual SMTP port the MXes need to listen on.
See also: /usr/share/doc/samhain/TODO.Debian
We use a dedicated instance for each role: MDA, MTA out, MX, etc.