
I want to deny non TLS incoming mails on my postfix server.

Here is what I've done:

smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes

I do not really understand the difference between these 2 lines, but it seems to work.

Now, what I want to do is to check if the TLS certificate is correct. Is there a way to do that, because I do not understand the value add of TLS if we cannot be sure of the source server.

Thanks

* EDIT *

I got this information in destination mailbox message headers:

(No client certificate requested)

In fact my question is how can I set up client certificate authentication?

Bob5421
  • *"... because i do not understand value add of TLS if we cannot be sure of the source server"* - your question makes no sense for me. For incoming mail the server is your own mail server and the server certificate is your own certificate. While it might be possible to authenticate the sender using client certificates this is rarely used and most senders don't support it. TLS is about protecting the communication, not about being *"sure of the source server"* - whatever you exactly mean with this. – Steffen Ullrich May 15 '20 at 20:41
  • I am sorry, I made a mistake. What I want to do is to authenticate the sender using a client certificate – Bob5421 May 15 '20 at 20:54
  • *"What i want to do is to authenticate the sender using client certificate"* - Everything you need to know for this is pretty well documented - http://www.postfix.org/TLS_README.html#server_vrfy_client – Steffen Ullrich May 15 '20 at 21:07
  • I have read it. The only thing which is strange is the header message: no client certificate requested – Bob5421 May 16 '20 at 06:41
  • *"I have read it."* - then why didn't you use any of the options explicitly documented for requesting client certificates, like `smtpd_tls_req_ccert`? – Steffen Ullrich May 16 '20 at 07:03
  • Note that `smtpd_tls_auth_only` has nothing to do with client certificates but is about using SMTP AUTH only within a TLS connection in order to protect the authentication credentials. Given that all the options are well documented it might be better that you explain what you understood so far so that one can point out the problems in your understanding. Just citing the relevant parts of the documentation will not help since you likely understand it wrong again. – Steffen Ullrich May 16 '20 at 07:09

1 Answer


Although, according to the Google Transparency Report for email encryption in transit, most servers support TLS, there are still many that don't, and mandatory TLS will break your email delivery. Also, unlike HTTPS, SMTP doesn't have a strong PKI widely in use. As valid certificates haven't generally been required either for sending or for accepting mail, many are using self-signed certificates for their mail servers.

Therefore, opportunistic TLS is still the best choice. That's even said in the documentation for smtpd_tls_security_level:

may

  • Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.

encrypt

  • Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.

Ok, RFC 2487 has been obsoleted by RFC 3207, but this part hasn't changed. From section 4:

A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure. A publicly-referenced SMTP server is an SMTP server which runs on port 25 of an Internet host listed in the MX record (or A record if an MX record is not present) for the domain name on the right hand side of an Internet mail address.

If you want to take a step forward in enforcing TLS on your mail exchange, it's not mandatory TLS encryption. Instead, you could implement DNS-Based Authentication of Named Entities (DANE) lookup for your outbound SMTP: namely RFC 7672 on SMTP Security via Opportunistic DANE TLS. This ensures you won't deliver emails to wrong servers if the recipient has decided to publish information on their accepted certificates. That's configured through smtp_tls_security_level and requires DNSSEC:

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

If you wish to implement DANE for both outbound and inbound mail, you could read my more comprehensive answer from another question: Enabling TLS/SSL on Postfix.

Esa Jokinen
  • Thanks for this explanation but I want to experiment with something and I need to configure postfix in order to check if the sender has a valid certificate. So I have to set smtpd_tls_security_level to encrypt but this will accept self-signed certificates. Is there an option to force postfix to check if the certificate is good and valid? Thanks – Bob5421 May 29 '20 at 08:08
  • You must understand that although the MTA sending email to your server is a mail server, too, technically it **acts as a client** to your server (`smtpd`). Your server does send a certificate by default, and the sender could verify that, but in order to validate the certificate of the sender, you need to explicitly ask for it (`smtpd_tls_ask_ccert`) and the sending server must be configured to give client certificates. Generally they aren't configured like that, so while you could test this on your lab environment, such server simply can't work as a public MX for any domain. – Esa Jokinen May 29 '20 at 08:33
  • I have added this to my postfix /etc/postfix/main.cf: smtpd_tls_ask_ccert = yes and smtpd_tls_ccert_verifydepth = 5. I have tried to send an email from a mail server which sends mails with TLS, but which does not have a valid certificate. And the mails get in the box... How can I check that the certificate is not valid? Thanks – Bob5421 May 29 '20 at 13:39
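The following main.cf fragment is an added lab example, not configuration from the question, the answer or the Postfix project; it shows the difference between merely asking for a client certificate (which is what the last comment above configured, and which never rejects mail by itself) and requiring a trusted one, which is what the question's edit is after. All file paths, the lab CA and the fingerprint table are placeholders assumed for the example; the parameter names are the documented Postfix ones (smtpd_tls_ask_ccert, smtpd_tls_req_ccert, smtpd_tls_CAfile, relay_clientcerts, permit_tls_clientcerts). Postfix does not allow a comment after a value on the same line, so every comment is on its own line.

```ini
# Added lab example for the receiving Postfix server (smtpd side).
# Placeholder paths: replace with your own certificate, key and CA file.

# Mandatory TLS, as already set in the question. Per RFC 3207 this is only
# acceptable on a dedicated server, not on a publicly referenced MX.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/certs/mx.lab.example.crt
smtpd_tls_key_file = /etc/postfix/certs/mx.lab.example.key

# Ask the remote client for a certificate. Without this line Postfix writes
# "(No client certificate requested)" into the Received: header.
smtpd_tls_ask_ccert = yes

# Trust anchor(s) that client certificates must chain to. A presented
# certificate that does not chain to one of these is logged as
# "(not verified)"; one that does is logged as "(verified OK)".
smtpd_tls_CAfile = /etc/postfix/certs/lab-ca.pem
smtpd_tls_ccert_verifydepth = 5

# Asking alone only records the result; mail is still accepted. To refuse
# clients that present no certificate or an untrusted one, require a trusted
# certificate (this implies smtpd_tls_ask_ccert = yes).
smtpd_tls_req_ccert = yes

# Optional: allow relaying only for specific known client certificates,
# keyed by certificate fingerprint in a lookup table built with postmap.
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# On the *sending* lab server (smtp side), so that it actually presents a
# client certificate; a default Postfix client sends none.
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/certs/client.lab.example.crt
smtp_tls_key_file = /etc/postfix/certs/client.lab.example.key
```

With only smtpd_tls_ask_ccert set, the way to "check that the certificate is not valid" is to read the verification result that Postfix records in the mail log and in the Received: header of the delivered message; the message itself is still accepted. Adding smtpd_tls_req_ccert turns that recorded result into an accept/reject decision at the TLS handshake, and permit_tls_clientcerts additionally lets you grant relay rights to individual certificates by fingerprint rather than to any certificate the CA has issued. Both settings break delivery from ordinary Internet senders, which do not present client certificates, so they belong on a dedicated or lab server as the answer and comments above explain.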