From 44100bab38d32596392a3bc7199b4daa202b4032 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 26 Jan 2021 12:39:10 +0100
Subject: Postfix: pin key material to our MX:es for fripost.org and its
 subdomains.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing.  With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:

    postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

This applies to the smarthost as well as for verification probes on the
Mail Submission Agent.  Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.

This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain.  Other domains, even those using mx[12].fripost.org as MX, are
not covered.  A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461].  Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration.  It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.
---
 roles/MSA/tasks/main.yml                           | 13 +++++++++++++
 roles/MSA/templates/etc/postfix/smtp_tls_policy.j2 |  1 +
 2 files changed, 14 insertions(+)
 create mode 120000 roles/MSA/templates/etc/postfix/smtp_tls_policy.j2

(limited to 'roles/MSA')

diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 4b38974..bf17702 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -40,6 +40,19 @@
   notify:
     - systemctl daemon-reload
 
+- name: Copy the SMTP TLS policy maps
+  template: src=etc/postfix/smtp_tls_policy.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy
+            owner=root group=root
+            mode=0644
+
+- name: Compile the SMTP TLS policy maps
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy db=lmdb
+           owner=root group=root
+           mode=0644
+  notify:
+    - Reload Postfix
+
 - meta: flush_handlers
 
 - name: Enable Postfix sender login socketmap
diff --git a/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2 b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
new file mode 120000
index 0000000..b40876f
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/smtp_tls_policy.j2
\ No newline at end of file
-- 
cgit v1.2.3