Re: smtp_tls_security_level = may combined wit smtp_tls_policy_maps


JL Hill

Mar 15, 2013, 10:09:17 AM

I have a very similar issue, although my goal is not to negotiate TLS with specific domains. I have:

main.cf

smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy

example.com          none
.example.com          none

From the documentation I read, I thought postfix would not try negotiating TLS with the example.com mail server, but it does.

(I posted this question Mar. 5, but received no response).

Best regards,

J.L. Hill


Am 15.03.2013 13:11, schrieb Wietse Venema:
> Robert Schetterer:
>> Hi,
>>
>> if i use
>>
>> smtp_tls_security_level = may
>>
>> is
>>
>> smtp_tls_policy_maps honored ?

> As a general rule, per-destination SMTP/TLS policy lookup results
> override main.cf (and master.cf) settings.

> You enable smtp_tls_policy_maps lookups by specifying a non-empty
> value (there appears to be no other way to turn this off).

> Wietse


Hi Wietse, i set

smtp_tls_security_level = may

and

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

with

/etc/postfix/tls_policy

example.com encrypt

so the goal should be

encrypt, if possible, with fallback to plain, for all destinations

but for example.com encrypt only ( no plain fallback )



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstra

Viktor Dukhovni

Mar 15, 2013, 11:28:05 AM
On Fri, Mar 15, 2013 at 10:09:17AM -0400, JL Hill wrote:

> /etc/postfix/tls_policy
>
> example.com none
> .example.com none
>
> From the documentation I read, I thought postfix would not try negotiating
> TLS with the example.com mail server, but it does.
>
> (I posted this question Mar. 5, but received no response).
>
> Best regards,

The policy table applies policy to destination domains, not MX
hosts. So what do you mean when you say "with the example.com"
mailserver? If it has a stable IP address, you can use

smtp_discard_ehlo_keyword_address_maps

to suppress a given host's "STARTTLS" announcement.

--
Viktor.

JL Hill

Mar 15, 2013, 4:09:47 PM
Thank you for your response. I assume I have something wrong, or I misunderstood the documentation. 

I have tested sending mail to example.com. A "dig example.com MX" gives:


I had assumed that having
    .example.com none

in my tls_policy would keep postfix from negotiating TLS with these servers.

I will try with smtp_discard_ehlo_keyword_address_maps.

Thank you again,

JL Hill

p.s. in case it is of value, my tls config:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
smtp_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/host.mydom.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/host.mydom.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle.crt
smtp_tls_CAfile = /etc/postfix/ssl/gd_bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2

Viktor Dukhovni

Mar 15, 2013, 4:42:01 PM
On Fri, Mar 15, 2013 at 04:09:47PM -0400, JL Hill wrote:

> Thank you for your response. I assume I have something wrong, or I
> misunderstood the documentation.
>
> I have tested sending mail to example.com. A "dig example.com MX" gives:
>
> example.com. 2546 IN MX 10 smtp1.example.com.
> example.com. 2546 IN MX 20 smtp2.example.com.
> example.com. 2546 IN MX 30 smtp3.example.com.
>
> I had assumed that having
>
> .example.com none
>
> in my tls_policy would keep postfix from negotiating TLS with these servers.

No, when sending mail to example.com you set TLS policy for "example.com"

example.com none.

TLS policy is by destination (domain), not by MX host. The setting you
have disables TLS for email addressed to "mumble.example.com", assuming
there is a valid "mumble.example.com" email domain.

--
Viktor.

JL Hill

Mar 15, 2013, 5:19:30 PM
I feel more confused. I had originally tested

    example.com   none

and it failed. I searched the documentation, and found .example.com to use for subdomains, so I thought that would fit my case as the negotiation is with smtp2.example.com, even though I am emailing john...@example.com

When I tested without the dot, sending to john...@example.com my log shows "Host offered STARTTLS: [smtp2.example.com]" 

I will test carefully again using just "example.com none" -- I guess I could have made a typo or other error; I thought not.

Thank you again,

JL Hill

Viktor Dukhovni

Mar 15, 2013, 6:33:41 PM
On Fri, Mar 15, 2013 at 05:19:30PM -0400, JL Hill wrote:

> I feel more confused. I had originally tested
>
> example.com none
>
> and it failed. I searched the documentation, and found .example.com to use
> for subdomains, so I thought that would fit my case as the negotiation is
> with smtp2.example.com, even though I am emailing john...@example.com
>
> When I tested without the dot, sending to john...@example.com my log shows
> "Host offered STARTTLS: [smtp2.example.com]"

This means that TLS was NOT used. This is a helpful log message that
tells you that you could use TLS, but you're not. Your configuration turns
on this non-default helpful log message.

# default:
smtp_tls_note_starttls_offer = no

--
Viktor.

JL Hill

Mar 15, 2013, 7:20:24 PM
My apologies, I grabbed the wrong snippet of log file (same host, different server). Here is the entire connection log (I changed only the domain name and xxx'd the ip address):

Mar  3 06:36:10 host postfix/smtp[22224]: initializing the client-side TLS engine
Mar  3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:before/connect initialization
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:unknown state
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server hello A
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=1 verify=1 subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=0 verify=1 subject=/O=smtp1.example.com/OU=Domain Control Validated/CN=smtp1.example.com
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server certificate A
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server done A
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write client key exchange A
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write change cipher spec A
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write finished A
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 flush data
Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read finished A
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: subject_CN=smtp1.example.com, issuer_CN=Go Daddy Secure Certification Authority, fingerprint 93:28:E6:D5:F1:6F:FD:34:09:8B:BF:52:35:BB:94:6C, pkey_fingerprint=E4:A4:55:48:AF:85:C5:A0:51:25:94:B8:57:54:D5:50
Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Mar  3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version
Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<br...@example.com>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)

As I said, I was trying to understand what was supposed to work in turning off TLS for a specific domain. I understand that I should be able to do it by specifying "example.com none" in tls_policy. I will test using smtp_tls_policy_maps, as well as testing using smtpd_discard_ehlo_keyword_address_maps

Thank you again, and again my apologies for grabbing the wrong snippet of log file.

JL Hill

Viktor Dukhovni

Mar 15, 2013, 11:13:47 PM
On Fri, Mar 15, 2013 at 07:20:24PM -0400, JL Hill wrote:

> My apologies, I grabbed the wrong snippet of log file (same host, different
> server). Here is the entire connection log (I changed only the domain name
> and xxx'd the ip address):

No, don't apologize, in fact you grabbed exactly the right logs then,
and the wrong logs now. With TLS for "example.com" disabled the logs
with the "STARTTLS offer" are exactly how Postfix behaves with TLS
disabled and:

smtp_tls_note_starttls_offer = yes

For peace of mind, set that parameter to no, and if you for some
reason want TLS off for some domain, place:

example.com none

in the policy table, you've already seen it work.

--
Viktor.
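The two points Viktor makes in this thread, that the policy table is keyed by the recipient's destination domain rather than the MX host, and that a "Host offered STARTTLS" line means TLS was available but not used, as an added illustration that is not code from the thread or from Postfix. The lookup order (exact domain first, then parent domains with a leading dot) is a model of the behaviour described above, and the policy table and log lines are constructed.

```python
import re
# Constructed policy table, same shape as the /etc/postfix/tls_policy in the thread
TLS_POLICY = {
    "example.com": "none",      # exact next-hop domain: no TLS
    ".example.com": "encrypt",  # subdomains of example.com (not example.com itself)
}

def policy_for_destination(domain, table=TLS_POLICY, default="may"):
    """Policy for a next-hop destination domain (the recipient's domain, never
    the MX host): exact key first, then parent domains with a leading dot."""
    domain = domain.lower().rstrip(".")
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return default  # no entry: smtp_tls_security_level applies

def policy_for_recipient(address):
    """The lookup key is the recipient's domain, e.g. 'example.com' for
    john@example.com, regardless of which MX host answers the connection."""
    return policy_for_destination(address.rsplit("@", 1)[1])

OFFERED = re.compile(r"Host offered STARTTLS: \[([^\]]+)\]")
ESTABLISHED = re.compile(
    r"(Anonymous|Untrusted|Trusted|Verified) TLS connection established to ([^\[]+)\[")

def classify_tls_sessions(log_lines):
    """Map MX host -> 'plaintext' when the log only records a STARTTLS offer
    (TLS was available but not used), or the TLS trust level when it was used."""
    status = {}
    for line in log_lines:
        m = OFFERED.search(line)
        if m:
            status.setdefault(m.group(1), "plaintext")
            continue
        m = ESTABLISHED.search(line)
        if m:
            status[m.group(2)] = m.group(1)
    return status

# Constructed sample log lines in the format shown in the thread
SAMPLE_LOG = [
    "Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established "
    "to smtp1.example.com[192.0.2.10]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "Mar  3 06:40:02 host postfix/smtp[22301]: Host offered STARTTLS: [smtp2.example.com]",
]
```

Feeding an MX host name such as smtp2.example.com into the lookup instead of the recipient domain gives a different answer, which is the mistake discussed above.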
