
TLS Parameter Confusion


Carlos Mennens

Mar 23, 2010, 2:23:30 PM3/23/10
I am confused by the following Postfix definition of
'smtpd_tls_auth_only' & 'smtpd_tls_security_level' & would appreciate
if someone could please help me understand this. TLS configuration is
new to me, so I apologise for my ignorance, and I did bother to review:

http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

In my Postfix main.cf, I have the following TLS parameters:

smtpd_use_tls = yes #announce STARTTLS support to SMTP clients, but do
not require that clients use TLS encryption.
smtpd_tls_loglevel = 1 #loglevel
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt # Cert file
smtpd_tls_key_file = /etc/ssl/private/mail.key # Key file
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_security_level = may # ?
smtpd_tls_auth_only = yes # ?

My confusion is the bottom two parameters. I know that if I change
'may' to 'encrypt' in 'smtpd_tls_security_level', I then am forcing
all clients to require TLS connection to Postfix. This is understood
but then I see 'smtpd_tls_auth_only', I get confused because it seems
redundant to me with 'smtpd_use_tls'.

According to the definition below of 'smtpd_tls_auth_only = yes', I
thought 'smtpd_use_tls' announces STARTTLS to SMTP clients... and I
have 'smtpd_tls_auth_only = yes' and clients can still send SMTP email
without mandatory TLS. I don't understand why unless I am confused
about its function.

"Mandatory TLS: announce STARTTLS support to SMTP clients, and require
that clients use TLS encryption. According to RFC 2487 this MUST NOT
be applied in case of a publicly-referenced SMTP server. This option
is off by default and should be used only on dedicated servers."

So when I have 'smtpd_tls_auth_only = yes', I am still able to send
SMTP mail w/o TLS configured on my client. Is this expected behavior
or am I missing something here? Does anyone mind please clarifying
this for me?

Victor Duchovni

Mar 23, 2010, 2:32:19 PM3/23/10
On Tue, Mar 23, 2010 at 02:23:30PM -0400, Carlos Mennens wrote:

> In my Postfix main.cf, I have the following TLS parameters:
>
> smtpd_use_tls = yes #announce STARTTLS support to SMTP clients, but do

This is the Postfix 2.2 syntax. With 2.3 and later, use:

smtpd_tls_security_level = may

Note, Postfix does not support comments and configuration settings on
the same line.

Good:

    # Comment
    param = value
    param =
    # comment
        value1
    # comment
        value2

Bad:

    param = value # comment

> smtpd_tls_loglevel = 1 #loglevel
> smtpd_tls_cert_file = /etc/ssl/certs/mail.crt # Cert file
> smtpd_tls_key_file = /etc/ssl/private/mail.key # Key file

See above

> smtpd_tls_security_level = may # ?

Use this instead of "smtpd_use_tls".

> smtpd_tls_auth_only = yes # ?

Disable SASL authentication for un-encrypted connections.

> My confusion is the bottom two parameters. I know that if I change
> 'may' to 'encrypt' in 'smtpd_tls_security_level', I then am forcing
> all clients to require TLS connection to Postfix. This is understood
> but then I see 'smtpd_tls_auth_only', I get confused because it seems
> redundant to me with 'smtpd_use_tls'.

Don't confuse SASL authentication (username/password, typically to verify
submission access rights) with session encryption (prevent passive
wiretap of the session).

SASL and SSL are not the same thing.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
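To see the distinction Viktor draws in practice, here is an added example (my own code, not from the thread or from Postfix) that reads a server's EHLO replies before and after STARTTLS and reports whether AUTH is offered over plaintext, i.e. whether "smtpd_tls_auth_only = yes" or a mandatory TLS level is actually in effect. The EHLO replies embedded in it are constructed in Postfix's style, not captured from a real server; check_live() is the only function that opens a network connection and applies the same classification to a real host.

```python
"""Does the server offer AUTH before STARTTLS?

Added example, not code from the thread or from Postfix. It parses EHLO
replies and classifies whether SASL authentication is reachable over a
plaintext session, which is what "smtpd_tls_auth_only = yes" (or a
mandatory TLS level) is meant to rule out.
"""
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
# 1) security_level=may, auth_only=no: AUTH is advertised before STARTTLS.
WEAK_PLAINTEXT_EHLO = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# 2) security_level=may, auth_only=yes: STARTTLS offered, AUTH withheld.
HARDENED_PLAINTEXT_EHLO = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# What the same server says in the second EHLO, after STARTTLS succeeded.
TLS_EHLO = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""


def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to their parameters ('AUTH' -> 'PLAIN LOGIN').

    Only 250 lines count; the first one carries the server's name, not a
    keyword, so it is skipped.
    """
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    caps = {}
    for body in (l[4:].strip() for l in lines[1:]):
        keyword, _, params = body.partition(" ")
        if keyword:
            caps[keyword.upper()] = params.strip()
    return caps


def classify(pre_tls: set, post_tls: set) -> str:
    """Classify from the keyword sets seen before and after STARTTLS."""
    if "STARTTLS" not in pre_tls:
        return "no-starttls"          # any AUTH here can only ever be plaintext
    if "AUTH" in pre_tls:
        return "auth-before-tls"      # a password can be sent in the clear
    if "AUTH" in post_tls:
        return "auth-after-tls-only"  # the auth_only=yes / encrypt behaviour
    return "no-auth"


def classify_samples() -> dict:
    """Run the classification over the constructed replies."""
    return {
        "weak": classify(set(parse_ehlo(WEAK_PLAINTEXT_EHLO)), set(parse_ehlo(TLS_EHLO))),
        "hardened": classify(set(parse_ehlo(HARDENED_PLAINTEXT_EHLO)), set(parse_ehlo(TLS_EHLO))),
    }


def check_live(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Same check against a real server (opens a network connection).

    smtplib keeps the parsed EHLO keywords, lower-cased, in esmtp_features,
    and clears them when STARTTLS succeeds, so EHLO must be repeated.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper() for k in s.esmtp_features}
        post = set()
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            post = {k.upper() for k in s.esmtp_features}
    return classify(pre, post)


if __name__ == "__main__":
    print(classify_samples())
```

A result of "auth-before-tls" on port 25 or 587 means a client that never issues STARTTLS can still send its password in the clear; "auth-after-tls-only" is what you get with "smtpd_tls_auth_only = yes" at level "may", or with level "encrypt".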

Carlos Mennens

Mar 23, 2010, 3:17:05 PM3/23/10
On Tue, Mar 23, 2010 at 2:32 PM, Victor Duchovni
<Victor....@morganstanley.com> wrote:
> On Tue, Mar 23, 2010 at 02:23:30PM -0400, Carlos Mennens wrote:
>
>> In my Postfix main.cf, I have the following TLS parameters:
>>
>> smtpd_use_tls = yes #announce STARTTLS support to SMTP clients, but do
>
> This is the Postfix 2.2 syntax. With 2.3 and later, use:
>
>    smtpd_tls_security_level = may

I updated my main.cf. Thanks!

> Note, Postfix does not support comments and configuration settings on
> the same line.

I only did the comments as I did to show my understanding of the
parameters (right or wrong) but I didn't have my main.cf actually
commented so. I did however learn the proper syntax by your example!
Thanks!

>> smtpd_tls_loglevel = 1 #loglevel
>> smtpd_tls_cert_file = /etc/ssl/certs/mail.crt # Cert file
>> smtpd_tls_key_file = /etc/ssl/private/mail.key # Key file

>> smtpd_tls_security_level = may # ?
>
> Use this instead of "smtpd_use_tls".

Noted.

>> smtpd_tls_auth_only = yes # ?
>
> Disable SASL authentication for un-encrypted connections.

I am guessing I only have the above since 'smtpd_tls_security_level =
may' is set and not mandatory, correct? If I configured that 'may' to
'encrypt', then there is no reason to 'disable SASL authentication for
un-encrypted connections' as you noted, right?

So would this look correct to you in main.cf:

# SASL settings
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

# TLS settings
smtpd_tls_security_level = encrypt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
#?? smtpd_tls_auth_only = yes ??

Do I enable the last parameter for SASL authentication if I changed
'may' to 'encrypt'? Do you see me missing anything?

Victor Duchovni

Mar 23, 2010, 3:31:34 PM3/23/10
On Tue, Mar 23, 2010 at 03:17:05PM -0400, Carlos Mennens wrote:

> > > smtpd_tls_security_level = may
> >
> > Use this instead of "smtpd_use_tls".
>
> Noted.
>
> >> smtpd_tls_auth_only = yes # ?
> >
> > Disable SASL authentication for un-encrypted connections.
>
> I am guessing I only have the above since 'smtpd_tls_security_level =
> may' is set and not mandatory, correct? If I configured that 'may' to
> 'encrypt', then there is no reason to 'disable SASL authentication for
> un-encrypted connections' as you noted, right?

Sure, if your host is a submission-only host (not an MX host for an
internet-connected domain) and requiring TLS outright is an option,
then indeed you don't need to explicitly restrict SASL to encrypted
connections, because Postfix automatically does that when encryption
is mandatory.

> So would this look correct to you in main.cf:
>
> # SASL settings
> smtpd_sasl_auth_enable = yes
> broken_sasl_auth_clients = yes
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
>
> # TLS settings
> smtpd_tls_security_level = encrypt
> smtpd_tls_key_file = /etc/ssl/mail.key
> smtpd_tls_cert_file = /etc/ssl/mail.crt
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> tls_random_source = dev:/dev/urandom

> # smtpd_tls_auth_only = yes

If "encrypt" is a viable TLS policy (because this is not a public MX host),
then yes, this is fine.

> Do I enable the last parameter for SASL authentication if I changed
> 'may' to 'enrypt'? Do you see me missing anything?

There is no harm in the "redundant" setting: if you don't want plaintext
SASL regardless of the TLS security level, then say so, even if the
security level for now happens to make this a no-op.

Voytek Eymont

Mar 23, 2010, 5:14:53 PM3/23/10

On Wed, March 24, 2010 5:32 am, Victor Duchovni wrote:

> Disable SASL authentication for un-encrypted connections.

> Don't confuse SASL authentication (username/password typicall to verify
> submission access rights) with session encryption (prevent passive wiretap
> of session).
> SASL and SSL are not the same thing.

Viktor,

I'm trying to review my own SMTP AUTH setup that I've been using for a
while now; could you please have a look and tell me if I'm missing
something important:

postfix 2.4.5

# postconf -n | grep sasl

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access hash:/etc/postfix/pop-before-smtp,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_no_checks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unlisted_recipient,
    check_sender_access hash:/etc/postfix/freemail_access,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_rbl_client psbl.surriel.com,
    check_policy_service inet:127.0.0.1:10031,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous


# postconf -n | grep tls

smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 36000s
tls_random_source = dev:/dev/urandom

in master.cf

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

thanks


--
Voytek
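Viktor's answer above (mandatory TLS is fine on a submission-only host, but a public MX has to stay at "may" on port 25 and then relies on smtpd_tls_auth_only to keep passwords off plaintext) and Voytek's per-service master.cf overrides come down to the same question: for each smtpd service, what is the effective TLS level, is SASL enabled, and is AUTH reachable without TLS? The following added example (my own code, not from the thread or from Postfix) answers it by parsing main.cf the way Viktor describes (comment lines stand alone, continuation lines are indented, there are no inline comments), merging the -o overrides per master.cf service, and flagging an -o parameter whose name is a near-miss of a real one, since Postfix does not enforce a setting it does not recognise. The parameter names are real Postfix parameters; the sample files are constructed, including one deliberately misspelled override.

```python
"""Lint Postfix SASL/TLS settings per smtpd service (added example, not
code from the thread or from Postfix). Implements the main.cf line rules
Viktor describes, merges master.cf "-o" overrides, and reports where a
password could still be accepted over plaintext."""
import difflib

# Parameters the lint reasons about; also used to flag near-miss spellings
# in "-o" overrides, which Postfix does not enforce.
KNOWN_PARAMS = {"smtpd_sasl_auth_enable", "smtpd_tls_security_level",
                "smtpd_tls_auth_only", "smtpd_use_tls", "smtpd_enforce_tls"}

def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"

def parse_main_cf(text: str) -> dict:
    """Comment/blank lines are skipped, a line starting with whitespace
    continues the previous logical line, '#' after a value is part of it."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if name is not None:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params

def _overrides(tokens: list) -> dict:
    """Collect '-o name=value' pairs from master.cf tokens."""
    pairs = [tokens[i + 1].partition("=") for i, t in enumerate(tokens[:-1]) if t == "-o"]
    return {name: value for name, _, value in pairs}

def parse_master_cf(text: str) -> dict:
    """{'name/type': {'command': ..., 'overrides': {...}}}; an entry has 8
    fields and indented lines (usually -o name=value) continue it."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if raw[0] in " \t":
            if current is not None:
                services[current]["overrides"].update(_overrides(fields))
        elif len(fields) >= 8:
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {"command": fields[7], "overrides": _overrides(fields[8:])}
    return services

def smtpd_policy(main: dict, overrides: dict) -> dict:
    """Effective level / auth_only / SASL for one smtpd service; the 2.2-era
    smtpd_use_tls / smtpd_enforce_tls only count when the level is unset."""
    eff = {**main, **overrides}
    level = eff.get("smtpd_tls_security_level", "").strip().lower()
    if not level:
        level = ("encrypt" if _yes(eff.get("smtpd_enforce_tls", "no")) else
                 "may" if _yes(eff.get("smtpd_use_tls", "no")) else "none")
    return {"level": level, "sasl": _yes(eff.get("smtpd_sasl_auth_enable", "no")),
            "auth_only": _yes(eff.get("smtpd_tls_auth_only", "no"))}

def lint(main_text: str, master_text: str, public_mx: bool = True) -> list:
    main, findings = parse_main_cf(main_text), []
    for name, value in main.items():
        if "#" in value:
            findings.append(f"main.cf: {name} = {value!r}: Postfix has no inline "
                            "comments, the text after '#' is part of the value")
    for key, svc in parse_master_cf(master_text).items():
        if svc["command"] != "smtpd":
            continue
        for name in svc["overrides"]:
            close = difflib.get_close_matches(name, KNOWN_PARAMS, n=1, cutoff=0.85)
            if name not in KNOWN_PARAMS and close:
                findings.append(f"master.cf {key}: unknown parameter '{name}' "
                                f"(did you mean '{close[0]}'?); it is not enforced")
        pol = smtpd_policy(main, svc["overrides"])
        if pol["sasl"] and pol["level"] != "encrypt" and not pol["auth_only"]:
            findings.append(f"master.cf {key}: SASL AUTH offered on plaintext "
                            f"connections (level={pol['level']}, smtpd_tls_auth_only=no)")
        if public_mx and key == "smtp/inet" and pol["level"] == "encrypt":
            findings.append("master.cf smtp/inet: mandatory TLS on a public MX "
                            "(RFC 2487: MUST NOT); use 'may' here, 'encrypt' on submission")
    return findings

# Constructed samples modelled on the thread, not anyone's real files; the
# misspelled 'smtpd_tls_security_levels' is deliberate.
WEAK_MAIN_CF = ("smtpd_sasl_auth_enable = yes\nsmtpd_use_tls = yes #announce STARTTLS\n"
                "smtpd_tls_security_level = may\nsmtpd_tls_auth_only = no\n")
WEAK_MASTER_CF = ("smtp       inet n - n - - smtpd\n"
                  "submission inet n - n - - smtpd\n"
                  "  -o smtpd_tls_security_levels=encrypt\n"
                  "  -o smtpd_sasl_auth_enable=yes\n")
HARDENED_MAIN_CF = ("smtpd_sasl_auth_enable = yes\nsmtpd_tls_security_level = may\n"
                    "# never take a password over plaintext, whatever the level\n"
                    "smtpd_tls_auth_only = yes\n")
HARDENED_MASTER_CF = ("smtp       inet n - n - - smtpd\n"
                      "submission inet n - n - - smtpd\n"
                      "  -o smtpd_tls_security_level=encrypt\n")

if __name__ == "__main__":
    print("\n".join(lint(WEAK_MAIN_CF, WEAK_MASTER_CF)) or "clean")
    print("\n".join(lint(HARDENED_MAIN_CF, HARDENED_MASTER_CF)) or "clean")
```

On the weak sample the lint reports the inline comment, plaintext AUTH on both smtpd services (the misspelled override never took effect, so submission stays at "may" with auth_only off), and the near-miss parameter name; the hardened sample is clean. Pass public_mx=False for a submission-only host where "encrypt" on port 25 is acceptable.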
