As for programmer-level documentation, this will have to be --- 68,74 ---- while qmgr(8) uses simple FIFO, except for some preemptive magic. The postconf(5) manual documents all the knobs the user can use to control this preemptive magic - there is nothing else ! to the preemption than the quite simple conditions described in there.
As for programmer-level documentation, this will have to be diff -cr /var/tmp/postfix-2.2.8/html/TLS_README.html ./html/TLS_README.html *** /var/tmp/postfix-2.2.8/html/TLS_README.html Sat Oct 29 18:34:25 2005 --- ./html/TLS_README.html Fri Feb 17 15:11:48 2006 *************** *** 129,134 **** --- 129,139 ---- done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next.
+NOTE: Do not use Gnu TLS. It will spontaneously terminate + a Postfix daemon process with exit status code 2, instead of allowing + Postfix to 1) report the error to the maillog file, and to 2) provide + plaintext service where this is appropriate.
+If the OpenSSL include files (such as ssl.h) are *************** *** 553,559 **** kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with ! concurrent access.
Example:
--- 558,565 ---- kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with ! concurrent access. Session caching is highly recommended, because ! the cost of repeatedly negotiating TLS session keys is high.Example:
*************** *** 632,638 ****The Postfix list manipulation routines give special treatment to whitespace and some other characters, making the use of certificate ! names unpractical. Instead we use the certificate fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of --- 638,644 ----
The Postfix list manipulation routines give special treatment to whitespace and some other characters, making the use of certificate ! names impractical. Instead we use the certificate fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of *************** *** 725,733 ****
Example:
--- 924,933 ---- kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with ! concurrent access. Session caching is highly recommended, because ! the cost of repeatedly negotiating TLS session keys is high. Future ! Postfix SMTP servers may limit the number of sessions that a client ! is allowed to negotiate per unit time.Example:
*************** *** 930,953 **** !By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is announced by the remote SMTP server.
!WARNING: MS Exchange servers will announce STARTTLS support ! even when the service is not configured, so that the TLS handshake ! will fail. It may be wise to not use this option on your central ! mail hub, as you don't know in advance whether you are going to ! connect to such a host. Instead, use the smtp_tls_per_site ! recipient/site specific options that are described below.
! !When the TLS handshake fails and no other server is available, ! the Postfix SMTP client defers the delivery attempt, and the mail ! stays in the queue.
Example:
--- 953,971 ---- !By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is announced by the remote SMTP server.
!When the server accepts the STARTTLS command, but the subsequent ! TLS handshake fails, and no other server is available, the Postfix SMTP ! client defers the delivery attempt, and the mail stays in the queue. After ! a handshake failure, the communications channel is in an indeterminate ! state and cannot be used for non-TLS deliveries.
Example:
*************** *** 958,963 **** --- 976,984 ---- +You can ENFORCE the use of TLS, so that the Postfix SMTP client will not deliver mail over unencrypted connections. In this mode, the remote SMTP server hostname must match the information in the *************** *** 967,980 **** doesn't match, and no other server is available, the delivery attempt is deferred and the mail stays in the queue.
!The remote SMTP server hostname used in the check is beyond ! question, as it must be the principal hostname (no CNAME allowed ! here). Checks are performed against all names provided as dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the ! CommonName is checked. The behavior may be changed with the smtp_tls_enforce_peername option which is discussed below.
!This option is useful only if you know that you will only connect to servers that support RFC 2487 _and_ that present server certificates that meet the above requirements. An example would be a client only sends email to one specific mailhub that offers --- 988,1001 ---- doesn't match, and no other server is available, the delivery attempt is deferred and the mail stays in the queue.
!The remote SMTP server hostname is verified against all names ! provided as dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the ! CommonName is checked. Verification may be turned off with the smtp_tls_enforce_peername option which is discussed below.
!Enforcing the use of TLS is useful if you know that you will ! only connect to servers that support RFC 2487 _and_ that present server certificates that meet the above requirements. An example would be a client only sends email to one specific mailhub that offers *************** *** 985,994 ****
/etc/postfix/main.cf: ! smtp_enforce_tls = no
As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option smtp_tls_enforce_peername can be set to "no" to disable --- 1006,1018 ----
+/etc/postfix/main.cf: ! smtp_enforce_tls = yes
As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option smtp_tls_enforce_peername can be set to "no" to disable *************** *** 996,1101 **** delivery will proceed regardless of the CommonName etc. listed in the certificate.
!Note: the smtp_tls_enforce_peername setting has no effect on ! sessions that are controlled via the smtp_tls_per_site table.
! !Disabling the remote SMTP server hostname verification can ! make sense in closed environment where special CAs are created. ! If not used carefully, this option opens the danger of a ! "man-in-the-middle" attack (the CommonName of this possible attacker ! is logged).
Example:
!/etc/postfix/main.cf: ! smtp_tls_enforce_peername = yes
Generally, trying TLS can be a bad idea, as some servers offer ! STARTTLS but the negotiation will fail leading to unexplainable ! failures. Instead, it may be a good idea to choose the TLS usage ! policy based on the recipient or the mailhub to which you are ! connecting.
!Deciding the TLS usage policy per recipient may be difficult, ! since a single email delivery attempt can involve several recipients. ! Instead, use of TLS is controlled by the Postfix next-hop destination ! domain name and by the remote SMTP server hostname. If either of these ! matches an entry in the smtp_tls_per_site table, appropriate action ! is taken.
!The remote SMTP server hostname is simply the DNS name of the ! server that the Postfix SMTP client connects to. The next-hop ! destination is Postfix specific. By default, this is the domain ! name in the recipient address, but this information can be overruled ! by the transport(5) table or by the relayhost parameter setting. ! In these cases the relayhost etc. must be listed in the smtp_tls_per_site ! table, instead of the recipient domain name.
!Format of the table: domain or host names are specified on the ! left-hand side; no wildcards are allowed. On the right hand side ! specify one of the following keywords:
!!
- NONE
- Don't use TLS at all.
!- MAY
- Try to use STARTTLS if offered, otherwise use ! the unencrypted connection.
!- MUST
- Require usage of STARTTLS, require that the ! remote SMTP server hostname matches the information in the remote ! SMTP server certificate, and require that the remote SMTP server ! certificate was issued by a trusted CA.
! !- MUST_NOPEERMATCH
- Require usage of STARTTLS, but do ! not require that the remote SMTP server hostname matches the ! information in the remote SMTP server certificate, or that the ! server certificate was issued by a trusted CA.
The actual TLS usage policy depends not only on whether the ! next-hop destination or remote SMTP server hostname are found in ! the smtp_tls_per_site table, but also on the smtp_enforce_tls ! setting:
If no match was found, the policy is applied as specified ! with smtp_enforce_tls.
! !If a match was found, and the smtp_enforce_tls policy is ! "enforce", NONE explicitly switches it off; otherwise the "enforce" ! mode is used even for entries that specify MAY.
Special hint for TLS enforcement mode: since no secure DNS ! lookup mechanism is available, mail can be delivered to the wrong ! remote SMTP server. This is not prevented by specifying MUST for ! the next-hop domain name. The recommended setup is: specify local ! transport(5) table entries for sensitive domains with explicit ! smtp:[mailhost] destinations (since you can assure security of this ! table unlike DNS), then specify MUST for these mail hosts in the ! smtp_tls_per_site table.
Example:
! !
!
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of sites that offered "STARTTLS". We can collect it ourselves with this option.
--- 1020,1219 ---- delivery will proceed regardless of the CommonName etc. listed in the certificate. !Despite the potential for eliminating "man-in-the-middle" and ! other attacks, mandatory certificate/peername verification is not ! viable as a default Internet mail delivery policy at this time. A ! significant fraction of TLS enabled MTAs uses self-signed certificates, ! or certificates that are signed by a private certificate authority. ! On a machine that delivers mail to the Internet, if you set ! smtp_enforce_tls = yes, you should probably also set ! smtp_tls_enforce_peername = no. You can use the per-site TLS ! policies (see below) to enable full peer verification for specific ! destinations that are known to have verifiable TLS server certificates. !
Example:
!/etc/postfix/main.cf: ! smtp_enforce_tls = yes ! smtp_tls_enforce_peername = no
A small fraction of servers offer STARTTLS but the negotiation ! consistently fails, leading to mail aging out of the queue and ! bouncing back to the sender. In such cases, you can use the per-site ! policies to disable TLS for the problem sites. Alternatively, you ! can enable TLS for just a few specific sites and not enable it for ! all sites.
! ! ! !The smtp_tls_per_site table is searched for a policy that matches ! the following information:
! !!
!- remote SMTP server hostname
- This is simply the DNS ! name of the server that the Postfix SMTP client connects to; this ! name may be obtained from other DNS lookups, such as MX lookups or ! CNAME lookups.
! !- next-hop destination
- This is normally the domain ! portion of the recipient address, but it may be overruled by ! information from the transport(5) table, from the relayhost parameter ! setting, or from the relay_transport setting. When it's not the ! recipient domain, the next-hop destination can have the Postfix-specific ! form "[name]", [name]:port", "name" or ! "name:port".
!
When both the hostname lookup and the next-hop lookup succeed, ! the host policy does not automatically override the next-hop policy. ! Instead, precedence is given to either the more specific or the ! more secure per-site policy as described below.
! !The smtp_tls_per_site table uses a simple "name whitespace ! value" format. Specify host names or next-hop destinations on ! the left-hand side; no wildcards are allowed. On the right hand ! side specify one of the following keywords:
! !! !!! !
- NONE
- Don't use TLS at all. This overrides a less ! specific MAY lookup result from the alternate host or next-hop ! lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, ! and smtp_tls_enforce_peername settings.
! !- MAY
- Try to use TLS if the server announces support, ! otherwise use the unencrypted connection. This has less precedence ! than a more specific result (including NONE) from the alternate ! host or next-hop lookup key, and has less precedence than the more ! specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername ! = yes".
! !- MUST_NOPEERMATCH
- Require TLS encryption, but do not ! require that the remote SMTP server hostname matches the information ! in the remote SMTP server certificate, or that the server certificate ! was issued by a trusted CA. This overrides a less secure NONE ! or a less specific MAY lookup result from the alternate host ! or next-hop lookup key, and overrides the global smtp_use_tls, ! smtp_enforce_tls and smtp_tls_enforce_peername settings.
! !- MUST
- Require TLS encryption, require that the remote ! SMTP server hostname matches the information in the remote SMTP ! server certificate, and require that the remote SMTP server certificate ! was issued by a trusted CA. This overrides a less secure NONE ! and MUST_NOPEERMATCH or a less specific MAY lookup ! result from the alternate host or next-hop lookup key, and overrides ! the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername ! settings.
The precedences between global (main.cf) and per-site TLS ! policies can be summarized as follows:
When neither the remote SMTP server hostname nor the ! next-hop destination are found in the smtp_tls_per_site table, the ! policy is based on smtp_use_tls, smtp_enforce_tls and ! smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and ! "smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes".
! !When both hostname and next-hop destination lookups produce ! a result, the more specific per-site policy (NONE, MUST, etc) ! overrides the less specific one (MAY), and the more secure per-site ! policy (MUST, etc) overrides the less secure one (NONE).
! !After the per-site policy lookups are combined, the result ! generally overrides the global policy. The exception is the less ! specific MAY per-site policy, which is overruled by the more ! specific global "smtp_enforce_tls = yes" with server certificate ! verification as specified with the smtp_tls_enforce_peername ! parameter.
As long as no secure DNS lookup mechanism is available, false ! hostnames in MX or CNAME responses can change the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification. Even with a perfect match between the server hostname ! and the server certificate, there is no guarantee that Postfix is ! connected to the right server. To avoid this loophole take the ! following steps:
! !Eliminate MX lookups. Specify local transport(5) table ! entries for sensitive domains with explicit smtp:[mailhost] ! or smtp:[mailhost]:port destinations (you can assure ! security of this table unlike DNS); in the smtp_tls_per_site table ! specify the value MUST for the key [mailhost] or ! smtp:[mailhost]:port. This prevents false hostname ! information in DNS MX records from changing the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification.
! !Disallow CNAME hostname overrides. In main.cf specify ! "smtp_cname_overrides_servername = no". This prevents false hostname ! information in DNS CNAME records from changing the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification. This feature requires Postfix 2.2.9 or later.
! !Example:
! !
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+ relayhost = [msa.example.net]:587
+
+ /etc/postfix/tls_per_site:
+ # relayhost exact nexthop match
+ [msa.example.net]:587 MUST
+
+ # TLS should not be used with the example.org MX hosts.
+ example.org NONE
+
+ # TLS should not be used with the host smtp.example.com.
+ smtp.example.com NONE
+ As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of sites that offered "STARTTLS". We can collect it ourselves with this option.
*************** *** 1119,1125 **** !When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the certificate is directly issued by --- 1237,1243 ---- !
When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the certificate is directly issued by *************** *** 1376,1382 ****
Configure Postfix, by adding the following to ! /etc/postfix/main.cf.
--- 1494,1500 ----
Configure Postfix, by adding the following to ! /etc/postfix/main.cf .
*************** *** 1443,1450 **** --- 1561,1582 ---- generation (PRNG) pool, and in order to access the TLS session cache databases. Such a protocol cannot be run across fifos. +smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy + cannot override the global "smtp_tls_enforce_peername = yes" setting. +
+ +smtp_tls_per_site: a combined (NONE + MAY) lookup result + for (hostname and next-hop destination) produces counter-intuitive + results for different main.cf settings. TLS is enabled with + "smtp_tls_enforce_peername = no", but it is disabled when both + "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes". +
+
The smtp_tls_per_site limitations were removed by the end of + the Postfix 2.2 support cycle.
+Examples:
!The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.
--- 3352,3358 ----Examples:
!The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.
*************** *** 5767,5772 **** --- 5767,5787 ---- +Allow DNS CNAME records to override the servername that the + Postfix SMTP client uses for logging, SASL password lookup, TLS + policy decisions, or TLS certificate verification. The default value + (yes) is backwards compatible. Specify "no" to harden Postfix 2.2 + smtp_tls_per_site hostname-based policies against false hostname + information in DNS CNAME records.
+ +This feature is available in Postfix 2.2.9 and later.
+ + +Optional lookup tables with the Postfix SMTP client TLS usage ! policy by next-hop domain name and by remote SMTP server hostname. !
! !Table format: domain names or server hostnames are specified ! on the left-hand side; no wildcards are allowed. On the right hand ! side specify one of the following keywords:
Special hint for enforcement mode: since no secure DNS lookup ! mechanism is available, the recommended setup is: specify local ! transport(5) table entries for sensitive domains with explicit ! smtp:[mailhost] destinations (since you can assure security of this ! table unlike DNS), then specify MUST for these mail hosts in the ! smtp_tls_per_site table.
Optional lookup tables with the Postfix SMTP client TLS usage ! policy by next-hop destination and by remote SMTP server hostname. ! When both lookups succeed, the more specific per-site policy (NONE, ! MUST, etc) overrides the less specific one (MAY), and the more ! secure per-site policy (MUST, etc) overrides the less secure one ! (NONE).
! !Specify a next-hop destination or server hostname on the left-hand ! side; no wildcards are allowed. The next-hop destination is either ! the recipient domain, or the destination specified with a transport(5) ! table, the relayhost parameter, or the relay_transport parameter. ! On the right hand side specify one of the following keywords:
As long as no secure DNS lookup mechanism is available, false ! hostnames in MX or CNAME responses can change the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification. Even with a perfect match between the server hostname ! and the server certificate, there is no guarantee that Postfix is ! connected to the right server. To avoid this loophole take the ! following steps:
!
As for programmer-level documentation, this will have to be --- 68,74 ---- while qmgr(8) uses simple FIFO, except for some preemptive magic. The postconf(5) manual documents all the knobs the user can use to control this preemptive magic - there is nothing else ! to the preemption than the quite simple conditions described in there.
As for programmer-level documentation, this will have to be diff -cr /var/tmp/postfix-2.2.8/proto/TLS_README.html ./proto/TLS_README.html *** /var/tmp/postfix-2.2.8/proto/TLS_README.html Sat Oct 29 18:34:16 2005 --- ./proto/TLS_README.html Fri Feb 17 14:55:04 2006 *************** *** 129,134 **** --- 129,139 ---- done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next.
+NOTE: Do not use Gnu TLS. It will spontaneously terminate + a Postfix daemon process with exit status code 2, instead of allowing + Postfix to 1) report the error to the maillog file, and to 2) provide + plaintext service where this is appropriate.
+If the OpenSSL include files (such as ssl.h) are *************** *** 553,559 **** kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with ! concurrent access.
Example:
--- 558,565 ---- kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with ! concurrent access. Session caching is highly recommended, because ! the cost of repeatedly negotiating TLS session keys is high.Example:
*************** *** 632,638 ****The Postfix list manipulation routines give special treatment to whitespace and some other characters, making the use of certificate ! names unpractical. Instead we use the certificate fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of --- 638,644 ----
The Postfix list manipulation routines give special treatment to whitespace and some other characters, making the use of certificate ! names impractical. Instead we use the certificate fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of *************** *** 725,733 ****
Example:
--- 924,933 ---- kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with ! concurrent access. Session caching is highly recommended, because ! the cost of repeatedly negotiating TLS session keys is high. Future ! Postfix SMTP servers may limit the number of sessions that a client ! is allowed to negotiate per unit time.Example:
*************** *** 930,953 **** !By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is announced by the remote SMTP server.
!WARNING: MS Exchange servers will announce STARTTLS support ! even when the service is not configured, so that the TLS handshake ! will fail. It may be wise to not use this option on your central ! mail hub, as you don't know in advance whether you are going to ! connect to such a host. Instead, use the smtp_tls_per_site ! recipient/site specific options that are described below.
! !When the TLS handshake fails and no other server is available, ! the Postfix SMTP client defers the delivery attempt, and the mail ! stays in the queue.
Example:
--- 953,971 ---- !By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is announced by the remote SMTP server.
!When the server accepts the STARTTLS command, but the subsequent ! TLS handshake fails, and no other server is available, the Postfix SMTP ! client defers the delivery attempt, and the mail stays in the queue. After ! a handshake failure, the communications channel is in an indeterminate ! state and cannot be used for non-TLS deliveries.
Example:
*************** *** 958,963 **** --- 976,984 ---- +You can ENFORCE the use of TLS, so that the Postfix SMTP client will not deliver mail over unencrypted connections. In this mode, the remote SMTP server hostname must match the information in the *************** *** 967,980 **** doesn't match, and no other server is available, the delivery attempt is deferred and the mail stays in the queue.
!The remote SMTP server hostname used in the check is beyond ! question, as it must be the principal hostname (no CNAME allowed ! here). Checks are performed against all names provided as dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the ! CommonName is checked. The behavior may be changed with the smtp_tls_enforce_peername option which is discussed below.
!This option is useful only if you know that you will only connect to servers that support RFC 2487 _and_ that present server certificates that meet the above requirements. An example would be a client only sends email to one specific mailhub that offers --- 988,1001 ---- doesn't match, and no other server is available, the delivery attempt is deferred and the mail stays in the queue.
!The remote SMTP server hostname is verified against all names ! provided as dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the ! CommonName is checked. Verification may be turned off with the smtp_tls_enforce_peername option which is discussed below.
!Enforcing the use of TLS is useful if you know that you will ! only connect to servers that support RFC 2487 _and_ that present server certificates that meet the above requirements. An example would be a client only sends email to one specific mailhub that offers *************** *** 985,994 ****
/etc/postfix/main.cf: ! smtp_enforce_tls = no
As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option smtp_tls_enforce_peername can be set to "no" to disable --- 1006,1018 ----
+/etc/postfix/main.cf: ! smtp_enforce_tls = yes
As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option smtp_tls_enforce_peername can be set to "no" to disable *************** *** 996,1101 **** delivery will proceed regardless of the CommonName etc. listed in the certificate.
!Note: the smtp_tls_enforce_peername setting has no effect on ! sessions that are controlled via the smtp_tls_per_site table.
! !Disabling the remote SMTP server hostname verification can ! make sense in closed environment where special CAs are created. ! If not used carefully, this option opens the danger of a ! "man-in-the-middle" attack (the CommonName of this possible attacker ! is logged).
Example:
!/etc/postfix/main.cf: ! smtp_tls_enforce_peername = yes
Generally, trying TLS can be a bad idea, as some servers offer ! STARTTLS but the negotiation will fail leading to unexplainable ! failures. Instead, it may be a good idea to choose the TLS usage ! policy based on the recipient or the mailhub to which you are ! connecting.
!Deciding the TLS usage policy per recipient may be difficult, ! since a single email delivery attempt can involve several recipients. ! Instead, use of TLS is controlled by the Postfix next-hop destination ! domain name and by the remote SMTP server hostname. If either of these ! matches an entry in the smtp_tls_per_site table, appropriate action ! is taken.
!The remote SMTP server hostname is simply the DNS name of the ! server that the Postfix SMTP client connects to. The next-hop ! destination is Postfix specific. By default, this is the domain ! name in the recipient address, but this information can be overruled ! by the transport(5) table or by the relayhost parameter setting. ! In these cases the relayhost etc. must be listed in the smtp_tls_per_site ! table, instead of the recipient domain name.
!Format of the table: domain or host names are specified on the ! left-hand side; no wildcards are allowed. On the right hand side ! specify one of the following keywords:
!!
- NONE
- Don't use TLS at all.
!- MAY
- Try to use STARTTLS if offered, otherwise use ! the unencrypted connection.
!- MUST
- Require usage of STARTTLS, require that the ! remote SMTP server hostname matches the information in the remote ! SMTP server certificate, and require that the remote SMTP server ! certificate was issued by a trusted CA.
! !- MUST_NOPEERMATCH
- Require usage of STARTTLS, but do ! not require that the remote SMTP server hostname matches the ! information in the remote SMTP server certificate, or that the ! server certificate was issued by a trusted CA.
The actual TLS usage policy depends not only on whether the ! next-hop destination or remote SMTP server hostname are found in ! the smtp_tls_per_site table, but also on the smtp_enforce_tls ! setting:
If no match was found, the policy is applied as specified ! with smtp_enforce_tls.
! !If a match was found, and the smtp_enforce_tls policy is ! "enforce", NONE explicitly switches it off; otherwise the "enforce" ! mode is used even for entries that specify MAY.
Special hint for TLS enforcement mode: since no secure DNS ! lookup mechanism is available, mail can be delivered to the wrong ! remote SMTP server. This is not prevented by specifying MUST for ! the next-hop domain name. The recommended setup is: specify local ! transport(5) table entries for sensitive domains with explicit ! smtp:[mailhost] destinations (since you can assure security of this ! table unlike DNS), then specify MUST for these mail hosts in the ! smtp_tls_per_site table.
Example:
! !
!
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of sites that offered "STARTTLS". We can collect it ourselves with this option.
--- 1020,1219 ---- delivery will proceed regardless of the CommonName etc. listed in the certificate. !Despite the potential for eliminating "man-in-the-middle" and ! other attacks, mandatory certificate/peername verification is not ! viable as a default Internet mail delivery policy at this time. A ! significant fraction of TLS enabled MTAs uses self-signed certificates, ! or certificates that are signed by a private certificate authority. ! On a machine that delivers mail to the Internet, if you set ! smtp_enforce_tls = yes, you should probably also set ! smtp_tls_enforce_peername = no. You can use the per-site TLS ! policies (see below) to enable full peer verification for specific ! destinations that are known to have verifiable TLS server certificates. !
Example:
!/etc/postfix/main.cf: ! smtp_enforce_tls = yes ! smtp_tls_enforce_peername = no
A small fraction of servers offer STARTTLS but the negotiation ! consistently fails, leading to mail aging out of the queue and ! bouncing back to the sender. In such cases, you can use the per-site ! policies to disable TLS for the problem sites. Alternatively, you ! can enable TLS for just a few specific sites and not enable it for ! all sites.
! ! ! !The smtp_tls_per_site table is searched for a policy that matches ! the following information:
! !!
!- remote SMTP server hostname
- This is simply the DNS ! name of the server that the Postfix SMTP client connects to; this ! name may be obtained from other DNS lookups, such as MX lookups or ! CNAME lookups.
! !- next-hop destination
- This is normally the domain ! portion of the recipient address, but it may be overruled by ! information from the transport(5) table, from the relayhost parameter ! setting, or from the relay_transport setting. When it's not the ! recipient domain, the next-hop destination can have the Postfix-specific ! form "[name]", [name]:port", "name" or ! "name:port".
!
When both the hostname lookup and the next-hop lookup succeed, ! the host policy does not automatically override the next-hop policy. ! Instead, precedence is given to either the more specific or the ! more secure per-site policy as described below.
! !The smtp_tls_per_site table uses a simple "name whitespace ! value" format. Specify host names or next-hop destinations on ! the left-hand side; no wildcards are allowed. On the right hand ! side specify one of the following keywords:
! !! !!! !
- NONE
- Don't use TLS at all. This overrides a less ! specific MAY lookup result from the alternate host or next-hop ! lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, ! and smtp_tls_enforce_peername settings.
! !- MAY
- Try to use TLS if the server announces support, ! otherwise use the unencrypted connection. This has less precedence ! than a more specific result (including NONE) from the alternate ! host or next-hop lookup key, and has less precedence than the more ! specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername ! = yes".
! !- MUST_NOPEERMATCH
- Require TLS encryption, but do not ! require that the remote SMTP server hostname matches the information ! in the remote SMTP server certificate, or that the server certificate ! was issued by a trusted CA. This overrides a less secure NONE ! or a less specific MAY lookup result from the alternate host ! or next-hop lookup key, and overrides the global smtp_use_tls, ! smtp_enforce_tls and smtp_tls_enforce_peername settings.
! !- MUST
- Require TLS encryption, require that the remote ! SMTP server hostname matches the information in the remote SMTP ! server certificate, and require that the remote SMTP server certificate ! was issued by a trusted CA. This overrides a less secure NONE ! and MUST_NOPEERMATCH or a less specific MAY lookup ! result from the alternate host or next-hop lookup key, and overrides ! the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername ! settings.
The precedences between global (main.cf) and per-site TLS ! policies can be summarized as follows:
When neither the remote SMTP server hostname nor the ! next-hop destination are found in the smtp_tls_per_site table, the ! policy is based on smtp_use_tls, smtp_enforce_tls and ! smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and ! "smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes".
! !When both hostname and next-hop destination lookups produce ! a result, the more specific per-site policy (NONE, MUST, etc) ! overrides the less specific one (MAY), and the more secure per-site ! policy (MUST, etc) overrides the less secure one (NONE).
! !After the per-site policy lookups are combined, the result ! generally overrides the global policy. The exception is the less ! specific MAY per-site policy, which is overruled by the more ! specific global "smtp_enforce_tls = yes" with server certificate ! verification as specified with the smtp_tls_enforce_peername ! parameter.
As long as no secure DNS lookup mechanism is available, false ! hostnames in MX or CNAME responses can change the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification. Even with a perfect match between the server hostname ! and the server certificate, there is no guarantee that Postfix is ! connected to the right server. To avoid this loophole take the ! following steps:
! !Eliminate MX lookups. Specify local transport(5) table ! entries for sensitive domains with explicit smtp:[mailhost] ! or smtp:[mailhost]:port destinations (you can assure ! security of this table unlike DNS); in the smtp_tls_per_site table ! specify the value MUST for the key [mailhost] or ! smtp:[mailhost]:port. This prevents false hostname ! information in DNS MX records from changing the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification.
! !Disallow CNAME hostname overrides. In main.cf specify ! "smtp_cname_overrides_servername = no". This prevents false hostname ! information in DNS CNAME records from changing the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification. This feature requires Postfix 2.2.9 or later.
! !Example:
! !
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+ relayhost = [msa.example.net]:587
+
+ /etc/postfix/tls_per_site:
+ # relayhost exact nexthop match
+ [msa.example.net]:587 MUST
+
+ # TLS should not be used with the example.org MX hosts.
+ example.org NONE
+
+ # TLS should not be used with the host smtp.example.com.
+ smtp.example.com NONE
+ As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of sites that offered "STARTTLS". We can collect it ourselves with this option.
*************** *** 1119,1125 **** !When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the certificate is directly issued by --- 1237,1243 ---- !
When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the certificate is directly issued by *************** *** 1376,1382 ****
Configure Postfix, by adding the following to ! /etc/postfix/main.cf.
--- 1494,1500 ----
Configure Postfix, by adding the following to ! /etc/postfix/main.cf .
*************** *** 1443,1450 **** --- 1561,1582 ---- generation (PRNG) pool, and in order to access the TLS session cache databases. Such a protocol cannot be run across fifos. +smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy + cannot override the global "smtp_tls_enforce_peername = yes" setting. +
+ +smtp_tls_per_site: a combined (NONE + MAY) lookup result + for (hostname and next-hop destination) produces counter-intuitive + results for different main.cf settings. TLS is enabled with + "smtp_tls_enforce_peername = no", but it is disabled when both + "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes". +
+
The smtp_tls_per_site limitations were removed by the end of + the Postfix 2.2 support cycle.
+Examples:
!The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.
--- 7750,7756 ----Examples:
!The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.
*************** *** 8251,8288 **** %PARAM smtp_tls_per_siteOptional lookup tables with the Postfix SMTP client TLS usage ! policy by next-hop domain name and by remote SMTP server hostname. !
! !Table format: domain names or server hostnames are specified ! on the left-hand side; no wildcards are allowed. On the right hand ! side specify one of the following keywords:
Special hint for enforcement mode: since no secure DNS lookup ! mechanism is available, the recommended setup is: specify local ! transport(5) table entries for sensitive domains with explicit ! smtp:[mailhost] destinations (since you can assure security of this ! table unlike DNS), then specify MUST for these mail hosts in the ! smtp_tls_per_site table.
%PARAM smtp_tls_scert_verifydepth 5 --- 8251,8329 ---- %PARAM smtp_tls_per_siteOptional lookup tables with the Postfix SMTP client TLS usage ! policy by next-hop destination and by remote SMTP server hostname. ! When both lookups succeed, the more specific per-site policy (NONE, ! MUST, etc) overrides the less specific one (MAY), and the more ! secure per-site policy (MUST, etc) overrides the less secure one ! (NONE).
! !Specify a next-hop destination or server hostname on the left-hand ! side; no wildcards are allowed. The next-hop destination is either ! the recipient domain, or the destination specified with a transport(5) ! table, the relayhost parameter, or the relay_transport parameter. ! On the right hand side specify one of the following keywords:
As long as no secure DNS lookup mechanism is available, false ! hostnames in MX or CNAME responses can change the server hostname ! that Postfix uses for TLS policy lookup and server certificate ! verification. Even with a perfect match between the server hostname ! and the server certificate, there is no guarantee that Postfix is ! connected to the right server. To avoid this loophole take the ! following steps:
! !%PARAM smtp_tls_scert_verifydepth 5 *************** *** 8412,8414 **** --- 8453,8466 ---- STANDARD_CONFIGURATION_README documents.
This feature is available in Postfix 2.2 and later.
+ + %PARAM smtp_cname_overrides_servername yes + +Allow DNS CNAME records to override the servername that the + Postfix SMTP client uses for logging, SASL password lookup, TLS + policy decisions, or TLS certificate verification. The default value + (yes) is backwards compatible. Specify "no" to harden Postfix 2.2 + smtp_tls_per_site hostname-based policies against false hostname + information in DNS CNAME records.
+ +This feature is available in Postfix 2.2.9 and later.
diff -cr /var/tmp/postfix-2.2.8/src/cleanup/cleanup_api.c ./src/cleanup/cleanup_api.c *** /var/tmp/postfix-2.2.8/src/cleanup/cleanup_api.c Tue Dec 2 20:38:57 2003 --- ./src/cleanup/cleanup_api.c Sun Feb 12 09:42:35 2006 *************** *** 224,229 **** --- 224,237 ---- vstream_control(state->handle->stream, VSTREAM_CTL_PATH, cleanup_path, VSTREAM_CTL_END); + + /* + * XXX: When delivering to a non-incoming queue, do not consume + * in_flow tokens. Unfortunately we can't move the code that + * consumes tokens until after the mail is received, because that + * would increase the risk of duplicate deliveries (RFC 1047). + */ + (void) mail_flow_put(1); } state->errs = mail_stream_finish(state->handle, (VSTRING *) 0); } else { diff -cr /var/tmp/postfix-2.2.8/src/dns/dns.h ./src/dns/dns.h *** /var/tmp/postfix-2.2.8/src/dns/dns.h Tue Nov 15 09:46:27 2005 --- ./src/dns/dns.h Wed Jan 4 14:52:05 2006 *************** *** 80,86 **** * named after the things one can expect to find in a DNS resource record. */ typedef struct DNS_RR { ! char *name; /* name, mystrdup()ed */ unsigned short type; /* T_A, T_CNAME, etc. */ unsigned short class; /* C_IN, etc. */ unsigned int ttl; /* always */ --- 80,87 ---- * named after the things one can expect to find in a DNS resource record. */ typedef struct DNS_RR { ! char *qname; /* query name, mystrdup()ed */ ! char *rname; /* reply name, mystrdup()ed */ unsigned short type; /* T_A, T_CNAME, etc. */ unsigned short class; /* C_IN, etc. */ unsigned int ttl; /* always */ *************** *** 104,110 **** /* * dns_rr.c */ ! extern DNS_RR *dns_rr_create(const char *, ushort, ushort, unsigned, unsigned, const char *, unsigned); extern void dns_rr_free(DNS_RR *); --- 105,112 ---- /* * dns_rr.c */ ! extern DNS_RR *dns_rr_create(const char *, const char *, ! ushort, ushort, unsigned, unsigned, const char *, unsigned); extern void dns_rr_free(DNS_RR *); diff -cr /var/tmp/postfix-2.2.8/src/dns/dns_lookup.c ./src/dns/dns_lookup.c *** /var/tmp/postfix-2.2.8/src/dns/dns_lookup.c Tue Jan 18 20:22:01 2005 --- ./src/dns/dns_lookup.c Thu Feb 2 14:59:23 2006 *************** *** 97,102 **** --- 97,107 ---- /* The query failed; the problem is transient. /* .IP DNS_FAIL /* The query failed. + /* + /* As a workaround, this result value is also returned when + /* the DNS query succeeded, but the result could not be parsed, + /* or the result domain name did not pass the valid_hostname() + /* syntax test (e.g., a null MX hostname). /* BUGS /* dns_lookup() implements a subset of all possible resource types: /* CNAME, MX, A, and some records with similar formatting requirements. *************** *** 324,330 **** /* dns_get_rr - extract resource record from name server reply */ ! static DNS_RR *dns_get_rr(DNS_REPLY *reply, unsigned char *pos, char *rr_name, DNS_FIXED *fixed) { char temp[DNS_NAME_LEN]; --- 329,335 ---- /* dns_get_rr - extract resource record from name server reply */ ! static DNS_RR *dns_get_rr(const char *name, DNS_REPLY *reply, unsigned char *pos, char *rr_name, DNS_FIXED *fixed) { char temp[DNS_NAME_LEN]; *************** *** 397,403 **** *dst = 0; break; } ! return (dns_rr_create(rr_name, fixed->type, fixed->class, fixed->ttl, pref, temp, data_len)); } --- 402,408 ---- *dst = 0; break; } ! return (dns_rr_create(name, rr_name, fixed->type, fixed->class, fixed->ttl, pref, temp, data_len)); } *************** *** 417,423 **** /* dns_get_answer - extract answers from name server reply */ ! static int dns_get_answer(DNS_REPLY *reply, int type, DNS_RR **rrlist, VSTRING *fqdn, char *cname, int c_len) { char rr_name[DNS_NAME_LEN]; --- 422,428 ---- /* dns_get_answer - extract answers from name server reply */ ! static int dns_get_answer(const char *name, DNS_REPLY *reply, int type, DNS_RR **rrlist, VSTRING *fqdn, char *cname, int c_len) { char rr_name[DNS_NAME_LEN]; *************** *** 490,500 **** CORRUPT; if (type == fixed.type || type == T_ANY) { /* requested type */ if (rrlist) { ! if ((rr = dns_get_rr(reply, pos, rr_name, &fixed)) != 0) { resource_found++; *rrlist = dns_rr_append(*rrlist, rr); ! } else ! not_found_status = DNS_RETRY; } else resource_found++; } else if (fixed.type == T_CNAME) { /* cname resource */ --- 495,505 ---- CORRUPT; if (type == fixed.type || type == T_ANY) { /* requested type */ if (rrlist) { ! if ((rr = dns_get_rr(name, reply, pos, rr_name, &fixed)) != 0) { resource_found++; *rrlist = dns_rr_append(*rrlist, rr); ! } else if (not_found_status != DNS_RETRY) ! not_found_status = DNS_FAIL; /* XXX */ } else resource_found++; } else if (fixed.type == T_CNAME) { /* cname resource */ *************** *** 528,533 **** --- 533,539 ---- DNS_REPLY reply; int count; int status; + const char *saved_name = name; /* * DJBDNS produces a bogus A record when given a numerical hostname. *************** *** 569,575 **** * Extract resource records of the requested type. Pick up CNAME * information just in case the requested data is not found. */ ! status = dns_get_answer(&reply, type, rrlist, fqdn, cname, c_len); switch (status) { default: if (why) --- 575,582 ---- * Extract resource records of the requested type. Pick up CNAME * information just in case the requested data is not found. */ ! status = dns_get_answer(saved_name, &reply, type, rrlist, fqdn, ! cname, c_len); switch (status) { default: if (why) diff -cr /var/tmp/postfix-2.2.8/src/dns/dns_rr.c ./src/dns/dns_rr.c *** /var/tmp/postfix-2.2.8/src/dns/dns_rr.c Tue Jan 18 20:22:01 2005 --- ./src/dns/dns_rr.c Wed Jan 4 15:20:56 2006 *************** *** 6,14 **** /* SYNOPSIS /* #include