Postfix and “eMail made in Germany”

If you use Postfix as your MTA, you can (and should) enable opportunistic transport encryption for outgoing connections with “smtp_tls_security_level=may” (or “smtp_use_tls=yes”, which has been deprecated since Postfix 2.3). However, this does not enforce that…

  • encryption is always used for every site that supports it. Enforcing this with “smtp_tls_security_level=encrypt” is not an option either, because there are lots of sites which do not support transport encryption. That is, if someone can perform a MitM attack, the attacker can “hide” the STARTTLS announcement of the server, and the mail then goes over the wire unencrypted.
  • the remote server that supports encryption is the “right” one (e.g., in case of DNS hijacking or a MitM attack). The problem is that one cannot set “smtp_tls_security_level=verify”, because there are lots of sites which have self-signed certificates, or certificates whose domain name matches neither the MX server hostname nor the mail-address domain.

In order to enforce transport encryption for specific sites and avoid the problems described above, one can use “smtp_tls_policy_maps” to specify per destination that encryption is mandatory and that the “right” server is used. Insert “smtp_tls_policy_maps = hash:/etc/postfix/tls_policy” into /etc/postfix/, use the example content from below (or the latest version), then run “postmap /etc/postfix/tls_policy” and reload Postfix. It is also required that “smtp_tls_CApath” is set correctly so that the certificates can be checked against “trusted” root certificates; on Debian it can be set to “smtp_tls_CApath = /etc/ssl/certs/”, which requires the package “ca-certificates”.

The main problem with this solution is that you need to create the list of servers manually. I checked my logs and created this list for the most-used destination domains (I created a repository on GitHub in case someone wants to contribute):

# members of email made in germany secure secure secure secure secure secure secure
# other mail providers secure secure secure secure
#hotmail,outlook: not all mx-servers support starttls secure secure secure does not support starttls at all secure secure secure secure
# universities secure secure
# states of germany mx has selfsigned cert encrypt secure secure secure
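The list above was derived by hand from the mail log. As an added example (not code from the original post), the script below does that step over a few constructed Postfix smtp log lines: it correlates each delivery with the TLS verification state logged by the same smtp process for the same relay, then suggests the strictest policy level (“secure”, “encrypt”, or the default “may”) each destination domain would have satisfied. Hostnames, domains and IPs in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtp log lines (placeholder hosts, domains, IPs).
SAMPLE_LOG = """\
May 24 10:00:01 mail postfix/smtp[1001]: Verified TLS connection established to mx1.example-provider.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 24 10:00:02 mail postfix/smtp[1001]: A1B2C3D4E5: to=<alice@example-provider.de>, relay=mx1.example-provider.net[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.3/0.1, dsn=2.0.0, status=sent (250 ok)
May 24 10:05:10 mail postfix/smtp[1002]: Untrusted TLS connection established to mail.selfsigned.example[198.51.100.7]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
May 24 10:05:11 mail postfix/smtp[1002]: F6E5D4C3B2: to=<bob@selfsigned.example>, relay=mail.selfsigned.example[198.51.100.7]:25, delay=0.7, delays=0.2/0/0.4/0.1, dsn=2.0.0, status=sent (250 ok)
May 24 10:09:00 mail postfix/smtp[1003]: 0011223344: to=<carol@plaintext.example>, relay=mx.plaintext.example[203.0.113.5]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 ok)
"""

# Verified/Trusted: chain checked against smtp_tls_CApath (Trusted at level "may"
# skips the name check). Untrusted/Anonymous: encrypted but not authenticated.
TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (Verified|Trusted|Untrusted|Anonymous) "
                    r"TLS connection established to (\S+?)\[")
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+: to=<[^@>]+@([^>]+)>, relay=(\S+?)\[")

def suggest_policies(log_text):
    """Return {domain: level}, the strictest level observed deliveries satisfied."""
    tls_by_conn = {}              # (pid, relay host) -> last TLS state logged
    observed = defaultdict(set)   # domain -> TLS states seen on deliveries
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, state, host = m.groups()
            tls_by_conn[(pid, host.lower())] = state
            continue
        m = SENT_RE.search(line)
        if m:
            pid, domain, host = m.groups()
            # No TLS line for this process/relay pair: assume plaintext. Caveat:
            # with smtp_connection_cache a reused connection may have been logged
            # by another process, so confirm before trusting a "may" verdict.
            state = tls_by_conn.get((pid, host.lower()), "Plaintext")
            observed[domain.lower()].add(state)
    policies = {}
    for domain, states in sorted(observed.items()):
        if states <= {"Verified", "Trusted"}:
            policies[domain] = "secure"    # every delivery was authenticated
        elif "Plaintext" not in states:
            policies[domain] = "encrypt"   # always encrypted, not always verified
        else:
            policies[domain] = "may"       # seen in the clear; stay opportunistic
    return policies

def render_policy_map(policies):
    """Format entries in the hash:/etc/postfix/tls_policy layout ("may" is the
    global default and needs no entry)."""
    return "\n".join(f"{domain}\t{level}" for domain, level in policies.items()
                     if level != "may")
```

A “secure” entry additionally requires the certificate name to match the policy’s match list (by default the next-hop domain), so confirm each candidate with `posttls-finger -l secure <domain>` (Postfix 2.11 or later) before running postmap.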

Update 2014-05-24: I’m running Postfix > 2.11.0 (and I have a DNSSEC-capable DNS server), so I’ve set “smtp_tls_security_level=dane”, which is a bit better than “may” because connections to DANE/TLSA-enabled sites are then authenticated as well as encrypted.