Majic Projects ~ [CLOSED] MAR-54 - Separate SMTP submission for servers and clients and harden TLS

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Majic Ansible Roles / Closed Feature request MAR-54 Separate SMTP submission for servers and clients and harden TLS

Votes

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Feature request Unknown issue type
Issue label

No label set
Category

Security Not determined
Targetted for

1.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Normal Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Jan 24, 2016
Last updated

Mar 08, 2016
Estimated time

3 hours Not estimated
Time spent

No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

In order to be able to harden the TLS configuration of Postfix (TLSv1.2 + PFS ciphers), it is necessary to separate the SMTP traffic for inter-server and client communication.

The main issue is that a lot of mail servers out there may not support TLS 1.2, or might not be able to use a narrow set of PFS ciphers.

Separation seems to be possible, and client communication could be shifted towards port 587. Options to look into would be:

-o smtpd_tls_security_level=encrypt
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_mandatory_protocols=TLSv1.2
-o smtpd_tls_mandatory_ciphers=high
-o tls_high_cipherlist=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA\
384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT

This would require update to master.cf to include the above options, changes to main.cf, or some change in-between.

For smtp server comms, it would be necessary to set smtpd_sasl_auth_enable=no

Useful link - https://blog.tinned-software.net/harden-the-ssl-configuration-of-your-mailserver/

Docs would need updating too (both usage instructions and role reference). Don't forget the swaks commands.

Todos (0 / 0)

Options

Issue created

Welcome to The Bug Genie

Log in with your username and password