TLS error

General eFa discussion
jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

TLS error

Post by jamerson » 10 May 2018 22:19

Dear All,
After we did an EFA scan, we figured out that the EFA does not send with TLS.

seconds		test stage and result
[000.096]		Connected to server
[000.188]	<-- 	220 filter.domain.com ESMTP Postfix
[000.189]		We are allowed to connect
[000.189]	 -->	EHLO www6.CheckTLS.com
[000.278]	<-- 	250-filter.domain.com
250-PIPELINING
250-SIZE 50240000
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 LOGIN DIGEST-MD5 PLAIN
250-AUTH=CRAM-MD5 LOGIN DIGEST-MD5 PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.281]		We can use this server
[000.284]		TLS is an option on this server
[000.285]	 -->	MAIL FROM:<test@checktls.com>
[000.375]	<-- 	250 2.1.0 Ok
[000.375]		Sender is OK
[000.375]		It looks like we can send without TLS
[000.376]	 -->	QUIT
[000.463]	<-- 	221 2.0.0 Bye
If the EFA does not send using TLS, is it a security issue? Can we configure this to send out using TLS?
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: TLS error

Post by budy » 11 May 2018 13:46

This is more of a Postfix configuration option. Usually, TLS, and STARTTLS for that matter, is opportunistic, so Postfix does offer TLS but does not mandate it. You can set up Postfix to require TLS with specific domains and have it reject connections otherwise. E.g., you could set up a mandatory TLS connection by deploying a text file where you enumerate all domains to which Postfix is only allowed to send/receive messages via a TLS connection, like this:

## tls-policy
maydotls.com	may
needdotls.com	secure
needspecificmx.com secure match=server1.needspecificmx.com match=server2.needspecificmx.com
Configure this file in Postfix's SMTP settings:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Reload Postfix, and you will only be able to use either TLS, or TLS to the specific MXs of the specific domain.

jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: TLS error

Post by jamerson » 11 May 2018 13:57

Thank you budy for your time.
If we don't configure the TLS, is it not going to be a security issue?
Thank you

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: TLS error

Post by budy » 11 May 2018 14:04

This seems to be the wrong question. As I said… Postfix does TLS on an opportunistic approach. If both sides agree on TLS, then it will be used. If the other end doesn't, then Postfix doesn't care and proceeds anyway. You can use the tls_policy to enforce TLS connections where necessary. However, you can't force the other end into TLS if it doesn't support that. In that case, you would cut off any communications with that other domain. The tls_policy only assures that no non-TLS connection can be made to any of the domains marked as being secure in the config file.
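A small model of the opportunistic versus mandatory behaviour budy describes, run against the tls_policy lines from his earlier post and the EHLO reply from the CheckTLS output at the top of the thread. This is an added example written for this thread, not Postfix or eFa code: the cert_name argument stands for the name the remote certificate presents, and default_level="may" is an assumption about how unlisted domains are treated, not a statement about eFa's shipped default.

```python
import re

# Constructed samples: budy's tls_policy lines, and the EHLO reply CheckTLS captured
# (greeting line first), plus a constructed reply from a server without STARTTLS.
TLS_POLICY_TEXT = """## tls-policy
maydotls.com\tmay
needdotls.com\tsecure
needspecificmx.com secure match=server1.needspecificmx.com match=server2.needspecificmx.com
"""
EHLO_WITH_STARTTLS = "250-filter.domain.com\n250-PIPELINING\n250-STARTTLS\n250 DSN\n"
EHLO_NO_STARTTLS = "250-other.example\n250-PIPELINING\n250 DSN\n"


def parse_tls_policy(text):
    """Map domain -> (level, [match= names]) from a Postfix tls_policy table."""
    policy = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        matches = [f.split("=", 1)[1] for f in fields[2:] if f.startswith("match=")]
        policy[fields[0].lower()] = (fields[1].lower(), matches)
    return policy


def parse_ehlo(reply):
    """Return the EHLO keywords, skipping the first line (the server's hostname)."""
    rest = reply.splitlines()[1:]
    return {m.group(1).upper() for m in (re.match(r"250[- ](\S+)", ln) for ln in rest) if m}


def cert_name_ok(cert_name, domain, matches):
    """'secure': explicit match= names win; else Postfix's default nexthop/dot-nexthop."""
    cert_name = cert_name.lower()
    if matches:
        return cert_name in {m.lower() for m in matches}
    return cert_name == domain or cert_name.endswith("." + domain)


def delivery_decision(domain, cert_name, ehlo_reply, policy, default_level="may"):
    """Return 'plaintext', 'tls' or 'defer' (mail stays queued, as thewomble notes).
    default_level stands in for smtp_tls_security_level for unlisted domains (assumed 'may')."""
    domain = domain.lower()
    level, matches = policy.get(domain, (default_level, []))
    starttls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if level == "may":                      # opportunistic: TLS only if the remote offers it
        return "tls" if starttls else "plaintext"
    if not starttls:                        # encrypt/secure/verify: TLS is mandatory
        return "defer"
    if level == "secure" and not cert_name_ok(cert_name, domain, matches):
        return "defer"                      # certificate name does not match the policy
    return "tls"
```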

jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: TLS error

Post by jamerson » 19 May 2018 14:14

budy wrote:
11 May 2018 14:04
This seems to be the wrong question. As I said… Postfix does TLS on an opportunistic approach. If both sides agree on TLS, then it will be used. If the other end doesn't, then Postfix doesn't care and proceeds anyway. You can use the tls_policy to enforce TLS connections where necessary. However, you can't force the other end into TLS if it doesn't support that. In that case, you would cut off any communications with that other domain. The tls_policy only assures that no non-TLS connection can be made to any of the domains marked as being secure in the config file.
As I understand it, EFA sends without TLS, and we can configure it to send using TLS;
it will use TLS if the other side supports that, and if not, it won't.

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: TLS error

Post by budy » 20 May 2018 07:53

Well… it's always the receiving end which advertises TLS capabilities or not. If the receiving end doesn't advertise TLS in its EHLO response, then Postfix happily starts sending in plain text, since there is no other way to connect to the other end. If you, however, instruct Postfix to only send to specific endpoints using TLS, it will not ever send messages in plain text.

thewomble
Posts: 43
Joined: 17 Jan 2017 12:52

Re: TLS error

Post by thewomble » 15 Jun 2018 19:43

If you have a need/requirement to enforce TLS inbound from certain domains, this is a HOW TO:

Create a file /etc/postfix/tls_server_policy_sender

sender-must-be-tls.com   reject_plaintext_session
In main.cf, add check_sender_access hash:/etc/postfix/tls_server_policy_sender under smtpd_sender_restrictions:

smtpd_sender_restrictions = 
	.....
	.....
	check_sender_access hash:/etc/postfix/tls_server_policy_sender,
	.....	
	.....
It forces the sending server to send with TLS; if they cannot, it will queue.

We have a requirement to send and receive certain emails using TLS. Make sure the sending domain can use TLS before adding the domain to the file; if they cannot, you will not receive the email. You have been warned.

jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: TLS error

Post by jamerson » 15 Jun 2018 23:30

thewomble wrote:
15 Jun 2018 19:43
If you have a need/requirement to enforce TLS inbound from certain domains, this is a HOW TO:

Create a file /etc/postfix/tls_server_policy_sender

sender-must-be-tls.com   reject_plaintext_session
In main.cf, add check_sender_access hash:/etc/postfix/tls_server_policy_sender under smtpd_sender_restrictions:

smtpd_sender_restrictions = 
	.....
	.....
	check_sender_access hash:/etc/postfix/tls_server_policy_sender,
	.....	
	.....
It forces the sending server to send with TLS; if they cannot, it will queue.

We have a requirement to send and receive certain emails using TLS. Make sure the sending domain can use TLS before adding the domain to the file; if they cannot, you will not receive the email. You have been warned.
Thank you for your answer.
This has been set up and is working fine.
Big thank you, guys.
