Modernize postfix template #259

Open
wants to merge 2 commits into base: main
Conversation

@lelutin (Contributor) commented Jun 16, 2018

The postfix templates for default configuration of main.cf are still using some old options. It's also configuring smtp client certs, which is not desirable at all, and some options need some changes.

I've taken a stab at modernizing those templates a bit and also at making both files look as much alike as possible, so that it's easier to compare what's different between the "primary" and "relay" mail servers.

I haven't touched the cipher lists since this subject is way more difficult to evaluate, especially in the context of mail servers.

I'm open to discussing the changes. Maybe I've missed some intentions that were not specified in comments, or maybe some people might disagree with some changes.

For detailed explanations about changes, see the commit message on the second commit, b414125

The organization of the options in the postfix templates is confusing.
there are some titles for some options, but not others that are
unrelated.

We can just reorder the options and add some titles to make it easier to
read the files.
Options that are related to TLS are currently split into two groups in
the template, and this makes it hard to understand what is happening.

Some changes to configuration are necessary since a lot of time has
passed since the latest changes to this template. Some configuration is
actually plain wrong, and some other is doing what the documentation
recommends against. Following are some details about why options were
changed:

 * smtpd_use_tls and smtp_use_tls are deprecated. We should use instead
smtp(d)_tls_security_level.
   * smtpd_tls_security_level should be set to "may" in order to use
encryption opportunistically when delivering emails to other MTAs
whenever they advertise that they can do it.

 * smtpd_tls_dcert_file and smtpd_tls_dkey_file exist specifically for
certificates that use DSA key pairs. This is not the norm anymore and
RSA has been the default for many years now. We should use the more
generic option smtpd_tls_cert_file.
   * Since alternc generates a single file apache.pem that contains the
certificate and the private key, we don't actually need to specify
smtpd_tls_key_file.

 * smtpd_tls_CApath restricts postfix to using *only* the
system-provided CAs. This might not be what some folks want to do and
the restriction that the template imposes is useless.

 * we should *not* set smtp_tls_{dcert,dkey,cert,key}_file! This is
setting up postfix to use a *client* certificate when contacting other
servers for delivery to other MTAs. This is very probably not what most
people want to be doing, and if some users actually want to do this because
for example the MTA configured by alternc needs to authenticate to a
remailer to get mail out to the world, then they will *not* want to use
the same certificate/private key pair as the one that's used on the
mail submission side (smtpd_*).

 * smtpd_tls_auth_only, when set to "no", permits clients to send their
credentials unencrypted! This is not a good default if we expect to be
using TLS.

 * smtp(d)_tls_protocols should exclude deprecated cipher "families"
instead of including some of them, as is recommended in
http://www.postfix.org/postconf.5.html#smtpd_tls_protocols

 * smtpd_sasl_auth_enable is there twice
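To make the commit message's points concrete, here is an added example (my own code, not AlternC's template or part of this PR) that parses a main.cf fragment and flags each of the problems listed above: the deprecated *_use_tls and DSA-only parameters, an outbound client certificate, smtpd_tls_auth_only = no, inclusion-style protocol lists, and a duplicated parameter. Both main.cf fragments are constructed for the example, and the certificate paths in them are assumptions, not the project's real values.

```python
"""Audit a Postfix main.cf for the legacy and unsafe TLS settings the commit
message above describes.  Added example, not AlternC's code or template."""
import re
from typing import Dict, List, Tuple

# Constructed "before" fragment modelled on the problems listed above.
# Paths are assumptions, not the project's real values.
OLD_MAIN_CF = """\
# TLS settings (legacy style)
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_dcert_file = /etc/ssl/certs/apache.pem
smtpd_tls_dkey_file = /etc/ssl/certs/apache.pem
smtp_tls_cert_file = /etc/ssl/certs/apache.pem
smtp_tls_key_file = /etc/ssl/certs/apache.pem
smtpd_tls_auth_only = no
smtpd_tls_protocols = SSLv3, TLSv1
smtp_tls_protocols = SSLv3, TLSv1
smtpd_sasl_auth_enable = yes

# SASL
smtpd_sasl_auth_enable = yes
"""

# Constructed "after" fragment following the commit message's recommendations.
# smtpd_tls_key_file is omitted on purpose: it defaults to $smtpd_tls_cert_file,
# which is fine when the PEM file holds both certificate and private key.
NEW_MAIN_CF = """\
# TLS, server side (clients submitting mail to us)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/apache.pem
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3

# TLS, client side (delivery to other MTAs): opportunistic, no client cert
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2,
    !SSLv3

# SASL
smtpd_sasl_auth_enable = yes
"""

# Parameters Postfix has superseded, and what replaces them.
DEPRECATED = {
    "smtpd_use_tls": "smtpd_tls_security_level",
    "smtp_use_tls": "smtp_tls_security_level",
    "smtpd_tls_dcert_file": "smtpd_tls_cert_file",
    "smtpd_tls_dkey_file": "smtpd_tls_key_file",
}
# Setting any of these makes the SMTP *client* present a certificate outbound.
CLIENT_CERT_PARAMS = {"smtp_tls_cert_file", "smtp_tls_key_file",
                      "smtp_tls_dcert_file", "smtp_tls_dkey_file"}
PROTOCOL_PARAMS = {"smtpd_tls_protocols", "smtp_tls_protocols"}


def parse_main_cf(text: str) -> List[Tuple[str, str, int]]:
    """Return (name, value, line_no) triples in file order.

    Postfix syntax: 'name = value'; a line starting with '#' is a comment;
    a line starting with whitespace continues the previous parameter's value.
    """
    entries: List[Tuple[str, str, int]] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and entries:  # continuation of the previous value
            name, value, start = entries[-1]
            entries[-1] = (name, f"{value} {raw.strip()}".strip(), start)
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            raise ValueError(f"line {line_no}: not a 'name = value' line: {raw!r}")
        entries.append((m.group(1), m.group(2).strip(), line_no))
    return entries


def audit_main_cf(text: str) -> List[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    findings: List[str] = []
    seen: Dict[str, int] = {}
    for name, value, line_no in parse_main_cf(text):
        if name in seen:
            findings.append(f"line {line_no}: {name} already set on line {seen[name]}; "
                            "the later definition overrides the earlier one")
        seen[name] = line_no
        if name in DEPRECATED:
            findings.append(f"line {line_no}: {name} is deprecated, use {DEPRECATED[name]}")
        if name in CLIENT_CERT_PARAMS and value:
            findings.append(f"line {line_no}: {name} configures a TLS client certificate "
                            "for outbound delivery")
        if name == "smtpd_tls_auth_only" and value.lower() in ("no", "false", "0"):
            findings.append(f"line {line_no}: smtpd_tls_auth_only = {value} lets clients "
                            "send SASL credentials without TLS")
        if name in PROTOCOL_PARAMS:
            # Inclusion lists silently drop newer protocol versions; exclusions do not.
            included = [t for t in re.split(r"[\s,:]+", value) if t and not t.startswith("!")]
            if included:
                findings.append(f"line {line_no}: {name} lists protocols to include "
                                f"({', '.join(included)}); prefer exclusions such as !SSLv2, !SSLv3")
    return findings


if __name__ == "__main__":
    for label, cfg in (("old", OLD_MAIN_CF), ("new", NEW_MAIN_CF)):
        problems = audit_main_cf(cfg)
        print(f"{label} main.cf: {len(problems)} finding(s)")
        for p in problems:
            print("  " + p)
```

Run against a real file with `audit_main_cf(open("/etc/postfix/main.cf").read())`; the parser follows Postfix's own rules for comments and continuation lines, so the "!SSLv3" continuation in the new fragment is joined back onto smtp_tls_protocols before the checks run. Cipher lists are deliberately not examined, matching the scope of the PR.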

@sebas891 (Contributor) commented:

What more can I say than a big thank you for this work 👍

@vincib vincib added this to the 3.5.0rc2 milestone Jun 21, 2018
@camlafit (Contributor) commented:

Should wait for the ssl-feature branch to be merged first.

@lelutin (Contributor, Author) commented Nov 23, 2018

@camlafit hi! I think I see that the feature-ssl branch has been merged into master, great! So normally we can merge this?

@camlafit (Contributor) commented:

Hi

We are going to finalize the current release first. We are having a hard time getting a stable stretch-compatible version out. So we will finish that point before any further merge. :)

But yes, we will integrate it.

@lelutin lelutin added this to To do in release 3.5.0 Sep 19, 2019
@kienanstewart kienanstewart moved this from To do to In progress in release 3.5.0 Dec 16, 2019
@camlafit camlafit removed this from the 3.5.0rc2 milestone Jun 17, 2021
@camlafit camlafit changed the base branch from stable-3.1 to main January 25, 2024 19:15
Labels: None yet
Projects: release 3.5.0 (In progress)

5 participants