Postfix configure to use TLSv1.2

Question

I start build my first cloud server: Ubuntu 16.04 with postfix.

Question is how can i configure postfix to use TLSv1.2 when i send mail from my webshop?

When my webshop sending mail to my postfix server it uses TLSv1 Here is log:

postfix/submission/smtpd[19111]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)

in my webshop i set in config: use: TLS port: 587

Thanks J

My server info:
Ubuntu 16.04
postfix:
  Installed: 3.1.0-3

openssl:
  Installed: 1.0.2h-1+deb.sury.org~xenial+1

Here is log from postfix: can see mail come in with TLSv1 ... :(

Sep 19 19:10:56 ubuntu postfix/master[6992]: daemon started -- version 3.1.0, configuration /etc/postfix
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: connect from domainname.com[xxx.xxx.xxx.xxx]
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: 803AB41C0A: client=domainname.com[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=raitis
Sep 19 19:11:04 ubuntu postfix/cleanup[7131]: 803AB41C0A: message-id=<d140ddbbdfc3d0b9d1da2231e6c2af6d@www.domainname.com>
Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: from=<info@domainname.com>, size=694, nrcpt=1 (queue active)
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: disconnect from domainname.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: Trusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: 803AB41C0A: to=<webshopmail@gmail.com>, relay=gmail-smtp-in.l.google.com[66.102.1.26]:25, delay=0.43, delays=0.06/0.04/0.2/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1474305064 14si1756669wmn.119 - gsmtp)
Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: removed

master.cf

smtp        inet  n       -       -       -       -       smtpd
smtpd       pass  n       -       -       -       -       smtpd
submission  inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtp_tls_mandatory_protocols=TLSv1

#628        inet  n       -       y       -       -       qmqpd
pickup      unix  n       -       y       60      1       pickup
cleanup     unix  n       -       y       -       0       cleanup
qmgr        unix  n       -       n       300     1       qmgr
#qmgr       unix  n       -       n       300     1       oqmgr
tlsmgr      unix  -       -       y       1000?   1       tlsmgr
rewrite     unix  -       -       y       -       -       trivial-rewrite
bounce      unix  -       -       y       -       0       bounce
defer       unix  -       -       y       -       0       bounce
trace       unix  -       -       y       -       0       bounce
verify      unix  -       -       y       -       1       verify
flush       unix  n       -       y       1000?   0       flush
proxymap    unix  -       -       n       -       -       proxymap
proxywrite  unix -       -       n       -       1       proxymap
smtp        unix  -       -       y       -       -       smtp
relay       unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq       unix  n       -       y       -       -       showq
error       unix  -       -       y       -       -       error
retry       unix  -       -       y       -       -       error
discard     unix  -       -       y       -       -       discard
local       unix  -       n       n       -       -       local
virtual     unix  -       n       n       -       -       virtual
lmtp        unix  -       -       y       -       -       lmtp
anvil       unix  -       -       y       -       1       anvil
scache      unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Alexis Wilke · Answer 1 · 2018-08-14T03:49:53.527

TLS version 1.0 is often considered unsecure, which is why you are asked to turn it off. There are two potential bugs that affected TLS v1.0: BEAST and POODLE. The problems with TLS 1.0 were discovered a little later and are somewhat different than SSL v3 (see this discussion) but they are often viewed as the same.

What I've done on my end to make postfix compliant, though, is prevent the use of SSL v2/3 and TLS v1.0 with the following in main.cf:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1

I did not change anything in master.cf.

I also prevent basic encryption protocols with:

smtpd_tls_exclude_ciphers = RC4, aNULL

As per comment below, the complete list of exclusion should be updated to a longer list as follow:

smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
                            DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
                            RSA+AES, eNULL

As a side note, you also need to force some form of encryption with the following two lines:

smtpd_tls_security_level = encrypt
smtp_tls_security_level  = encrypt

This may have all sorts of side effects, so you may want to test any such changes before making the changes permanent. For example, mailman does not seem to support encryption at all.

I was doing a PCI compliance test and was wondering why the most recent round of updates fixed this bug for IMAP, but not SMTP/S. This answer is *exactly* what I needed. Thanks! — Kaji, Sep 09 '17 at 02:28
here is the current suggested values smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL — Scott Stensland, Aug 13 '18 at 17:50
this is legacy syntax. after Postfix >= 3.6 use `smtpd_tls_mandatory_protocols = >=TLSv1.2` (see [postfix manual](http://www.postfix.org/TLS_README.html)) — mcantsin, Jan 03 '21 at 17:01
@mcantsin, we still have Postfix 3.1 in Ubuntu 18.04. But it's good to know that there is an easier to use syntax available in newer versions. — Alexis Wilke, Jan 04 '21 at 16:13

score 1 · Answer 2 · answered Sep 19 '16 at 10:20

man 5 postconf:

smtp_tls_mandatory_protocols (default: !SSLv2)
   List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.  In main.cf the values are separated by whitespace, commas or colons. In the policy table "protocols" attribute (see smtp_tls_policy_maps) the only  valid
   separator is colon. An empty value means allow all protocols. The valid protocol names, (see \fBfBSSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

   Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1 or later, these, or any other new protocol versions, are unconditionally enabled.

   With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2,
   !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely matches the behaviour when the OpenSSL library is newer than Postfix.

   Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2".  This means that by default, SSL version 2 will not be used at the "encrypt" security level and higher.

   See the documentation of the smtp_tls_policy_maps parameter and TLS_README for more information about security levels.

   Example:

   # Preferred form with Postfix >= 2.5:
   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
   # Alternative form.
   smtp_tls_mandatory_protocols = TLSv1

   This feature is available in Postfix 2.3 and later.

score 0 · Answer 3 · edited Mar 07 '17 at 00:15

First, make sure you have OpenSSL 1.0.1 or newer and at least Postfix 2.3 or newer (because only this combination can support TLSv1.1 and TLSv1.2). Older OpenSSL will not support TLSv1.2, older Postfix versions have very basic or no SSL/TLS support at all.

If you have Postfix older than 2.5 and OpenSSL 1.0.1 or newer then the TLSv1.1 and TLSv1.2 protocols are unconditionally enabled, as @rudimeier mentioned. In this case, you have nothing to do, Postfix will automagically detect for you which is the best for your connection. If this does not meet your expectations then you should consider to upgrade your Postfix to a newer version (not just because of this problem but because Postfix is at 2.11 now, and 2.5 is pretty old).

If you have Postfix 2.5.0 or newer, the following modification will be required in /etc/postfix/master.cf:

submission inet n - - - - smtpd
  -o smtp_tls_mandatory_protocols=TLSv1

Please keep in mind: if you have other options defined below the submission line, then you should not delete them, just add this new option below them. If the smtp_tls_mandatory_protocols option is already present in the options list, do not add it again, instead modify the value to the mentioned TLSv1. And never ever duplicate your submission line, this can lead to Postfix refusing to start.

Postfix configure to use TLSv1.2

3 Answers3