{"id":175,"date":"2014-05-10T21:43:00","date_gmt":"2014-05-10T19:43:00","guid":{"rendered":"http:\/\/www.cs-ware.de\/blog\/?p=175"},"modified":"2014-06-04T18:12:55","modified_gmt":"2014-06-04T16:12:55","slug":"postfix-and-email-made-in-germany","status":"publish","type":"post","link":"https:\/\/www.cs-ware.de\/blog\/archives\/175","title":{"rendered":"Postfix and &#8220;eMail made in Germany&#8221;"},"content":{"rendered":"<p>If you use Postfix as your MTA, you can (and should) enable transport encryption for outgoing connections with &#8220;<a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtp_tls_security_level\" title=\"smtp_tls_security_level\" target=\"_blank\">smtp_tls_security_level<\/a>=may&#8221; (or &#8220;smtp_use_tls=yes&#8221;, deprecated since Postfix 2.3). This opportunistic TLS, however, does not guarantee that&#8230;<\/p>\n<ul>\n<li>encryption is actually used for every site that supports it. With &#8220;may&#8221; the client only encrypts if the server announces <em>STARTTLS<\/em>, so if someone can perform a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-Middle\" title=\"MitM\" target=\"_blank\">MitM<\/a> attack, the attacker can &#8220;hide&#8221; the <em>STARTTLS<\/em> announcement of the server and the mail goes over the wire unencrypted. Enforcing encryption globally with &#8220;<a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtp_tls_security_level\" title=\"smtp_tls_security_level\" target=\"_blank\">smtp_tls_security_level<\/a>=encrypt&#8221; is not an option either, because there are lots of sites which do not support transport encryption at all (like @me.com), and mail to them would be deferred instead of delivered.<\/li>\n<li>the remote server which supports encryption is the &#8220;right&#8221; one (e.g., in case of DNS hijacking or MitM attacks). 
The problem is that one cannot simply set &#8220;<a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtp_tls_security_level\" title=\"smtp_tls_security_level\" target=\"_blank\">smtp_tls_security_level<\/a>=verify&#8221; either, because there are lots of sites with self-signed certificates, or with certificates whose name matches neither the MX server hostname nor the mail-address domain name.<\/li>\n<\/ul>\n<p>In order to enforce transport encryption for specific sites and to avoid the problems described above, one can use &#8220;<a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtp_tls_policy_maps\" title=\"smtp_tls_policy_maps\" target=\"_blank\">smtp_tls_policy_maps<\/a>&#8221; to specify, per destination, that encryption is mandatory and which certificate names identify the &#8220;right&#8221; server. Insert &#8220;smtp_tls_policy_maps = hash:\/etc\/postfix\/tls_policy&#8221; into \/etc\/postfix\/main.cf, use the example content from below (or the <a href=\"https:\/\/github.com\/csware\/postfix-tls-policy\/blob\/master\/tls_policy\" title=\"latest version\" target=\"_blank\">latest version<\/a>), run &#8220;postmap \/etc\/postfix\/tls_policy&#8221; and reload Postfix. It is also required that &#8220;<a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtp_tls_CApath\" title=\"smtp_tls_CApath\" target=\"_blank\">smtp_tls_CApath<\/a>&#8221; is set correctly so that the server certificates can be checked against &#8220;trusted&#8221; root certificates; on Debian it can be set to &#8220;<a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtp_tls_CApath\" title=\"smtp_tls_CApath\" target=\"_blank\">smtp_tls_CApath<\/a> = \/etc\/ssl\/certs\/&#8221;, which requires the package &#8220;ca-certificates&#8221;. Keep in mind that &#8220;secure&#8221; only authenticates a server whose certificate chains to one of these roots: if the directory is missing, or not available inside the chroot when the smtp client runs chrooted, verification fails for every &#8220;secure&#8221; destination and the mail is deferred rather than sent unverified.<\/p>\n<p>The main problem with this solution is that you need to manually create and maintain the list of servers. 
I checked my logs and created this list for the most-used destination domains (I created a repository on GitHub in case someone wants to contribute: <a href=\"https:\/\/github.com\/csware\/postfix-tls-policy\" title=\"https:\/\/github.com\/csware\/postfix-tls-policy\" target=\"_blank\">https:\/\/github.com\/csware\/postfix-tls-policy<\/a>):<\/p>\n<p><code>\/etc\/postfix\/tls_policy:<br \/>\n# members of email made in germany<br \/>\nt-online.de secure match=.t-online.de<br \/>\ngmx.net secure match=.gmx.net<br \/>\ngmx.de secure match=.gmx.net<br \/>\ngmx.at secure match=.gmx.net<br \/>\nweb.de secure match=.web.de<br \/>\nfreenet.de secure match=.freenet.de<br \/>\nemail.de secure match=.web.de<br \/>\n# other mail providers<br \/>\ngmail.com secure match=.google.com<br \/>\ngooglemail.com secure match=.google.com<br \/>\ngoogle.com secure match=.google.com<br \/>\nkabelmail.de secure match=.xworks.net<br \/>\n#hotmail,outlook: not all mx-servers support starttls<br \/>\n#hotmail.com secure match=.hotmail.com:.outlook.com<br \/>\n#outlook.com secure match=.hotmail.com:.outlook.com<br \/>\n#hotmail.de secure match=.hotmail.com:.outlook.com<br \/>\n#me.com does not support starttls at all<br \/>\naol.com secure match=.aol.com<br \/>\nyahoo.com secure match=.yahoodns.net<br \/>\nyahoo.de secure match=.yahoodns.net<br \/>\narcor.de secure match=.arcor.de<br \/>\n# universities<br \/>\n.hu-berlin.de secure match=.hu-berlin.de<br \/>\n.tu-clausthal.de secure match=.mx.srv.dfn.de:.tu-clausthal.de<br \/>\n# states of germany<br \/>\n#.bayern.de: mx has selfsigned cert<br \/>\n.bayern.de encrypt<br \/>\n.berlin.de secure match=.berlin.de<br \/>\n.hessen.de secure match=.hessen.de<br \/>\n.niedersachsen.de secure match=.niedersachsen.de<br \/>\n<\/code><\/p>\n<p><strong>Update 2014-05-24:<\/strong> I&#8217;m running Postfix > 2.11.0 (and I have a DNSSEC-capable DNS server) so I&#8217;ve set &#8220;smtp_tls_security_level=dane&#8221; which is a bit better than 
&#8220;may&#8221;, because DANE\/TLSA enabled sites are more secure and authenticated.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you use Postfix as your MTA, one can (and should) enable transport encryption for outgoing connections using &#8220;smtp_tls_security_level=may&#8221; (or &#8220;smtp_use_tls=yes&#8221;, deprecated since Postfix 2.3). However, this does not enforce that&#8230; encryption is always used for every site (supporting it). Enforcing this by setting &#8220;smtp_tls_security_level=encrypt&#8221; also is not an option because there are lots of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[14],"class_list":["post-175","post","type-post","status-publish","format-standard","hentry","category-linux","tag-postfix"],"_links":{"self":[{"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/posts\/175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/comments?post=175"}],"version-history":[{"count":25,"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/posts\/175\/revisions"}],"predecessor-version":[{"id":205,"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/posts\/175\/revisions\/205"}],"wp:attachment":[{"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/media?parent=175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/categories?post=175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cs-ware.de\/blog\/wp-json\/wp\/v2\/tags?post=175"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
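The policy-table lookup and the match= rules the post relies on, as an added example in Python; this is not code from the post and not Postfix's own code. It re-implements the order in which the Postfix SMTP client looks a destination up in a hash: policy table (the full next-hop domain first, then the parent domains with a leading dot, e.g. ".hu-berlin.de", then ".de") and the match= name patterns (a leading dot matches any subdomain, otherwise the name must be equal), so a tls_policy file can be sanity-checked offline. SAMPLE_POLICY is a constructed subset of the table above and destinations such as mail.bayern.de are constructed test inputs; wildcard certificate names and [host]:port next-hops are not modelled.

```python
"""Offline checker for a Postfix smtp_tls_policy_maps table (added example)."""
from __future__ import annotations

# Constructed sample in tls_policy syntax: a subset of the table in the post.
SAMPLE_POLICY = """\
# members of email made in germany
t-online.de secure match=.t-online.de
gmx.de      secure match=.gmx.net
# other mail providers
gmail.com   secure match=.google.com
#me.com does not support starttls at all
# universities
.hu-berlin.de secure match=.hu-berlin.de
# states of germany
#.bayern.de: mx has selfsigned cert
.bayern.de  encrypt
"""

# TLS levels accepted in smtp_tls_policy_maps / smtp_tls_security_level.
LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure"}


def parse_policy(text: str) -> dict[str, tuple[str, list[str]]]:
    """Parse tls_policy lines into {key: (level, attributes)}.

    Comments and blank lines are skipped; keys are folded to lower case,
    as postmap(1) does by default when building the hash: table."""
    table: dict[str, tuple[str, list[str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or fields[1].lower() not in LEVELS:
            raise ValueError(f"line {lineno}: expected '<key> <level> [attr=...]'")
        table[fields[0].lower()] = (fields[1].lower(), fields[2:])
    return table


def lookup(table, nexthop: str):
    """Return (matched_key, (level, attrs)) or None, in Postfix lookup order:
    the full next-hop domain, then each parent domain prefixed with a dot."""
    name = nexthop.lower()
    while True:
        if name in table:
            return name, table[name]
        dot = name.find(".", 1)          # strip one label, keep the dot
        if dot < 0:
            return None
        name = name[dot:]                # mail.hu-berlin.de -> .hu-berlin.de -> .de


def effective_level(table, nexthop: str, default: str = "may") -> str:
    """TLS level Postfix would apply: the table entry if any, else the
    global smtp_tls_security_level (passed in as `default`)."""
    hit = lookup(table, nexthop)
    return hit[1][0] if hit else default


def cert_name_matches(pattern: str, cert_name: str) -> bool:
    """match= semantics: '.gmx.net' matches mx01.gmx.net but not gmx.net
    itself; a pattern without a leading dot must equal the name (case-insensitive)."""
    p, n = pattern.lower(), cert_name.lower()
    if p.startswith("."):
        return len(n) > len(p) and n.endswith(p)
    return n == p


def lint(table) -> list[str]:
    """Findings a maintainer of such a list wants to see."""
    findings = []
    for key, (level, attrs) in table.items():
        # secure/verify without match= silently falls back to the default patterns.
        if level in ("secure", "verify") and not any(a.startswith("match=") for a in attrs):
            findings.append(f"{key}: {level} without explicit match=")
        # '.domain' only covers subdomains; mail to user@domain gets the default level.
        if key.startswith(".") and key[1:] not in table:
            findings.append(f"{key}: no entry for {key[1:]} itself; "
                            f"mail to user@{key[1:]} gets the default level")
    return findings


POLICY = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    # Constructed destinations, chosen to hit exact, parent-domain and no-match cases.
    for dest in ("gmx.de", "informatik.hu-berlin.de", "hu-berlin.de",
                 "me.com", "mail.bayern.de"):
        hit = lookup(POLICY, dest)
        via = hit[0] if hit else "(default smtp_tls_security_level)"
        print(f"{dest:25} -> {effective_level(POLICY, dest):8} via {via}")
    for finding in lint(POLICY):
        print("lint:", finding)
```

Running it shows the two things worth knowing before trusting a list like the one above: a ".domain" key does not cover mail to the bare domain, so "hu-berlin.de" falls back to the global level while "informatik.hu-berlin.de" is "secure", and a destination absent from the table ("me.com") simply inherits smtp_tls_security_level, whatever that is set to.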