
I want to deny non-TLS incoming mail on my Postfix server.

Here is what I've done:

smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes

I do not really understand the difference between these two lines, but it seems to work.

Now, what I want to do is to check whether the TLS certificate is correct. Is there a way to do that? I do not understand the value added by TLS if we cannot be sure of the source server.

Thanks

* EDIT *

I got this information in destination mailbox message headers:

(No client certificate requested)

In fact, my question is: how can I set up client certificate authentication?

Bob5421

1 Answer

Although, according to the Google Transparency Report for email encryption in transit, most servers support TLS, there are still many that don't, and mandatory TLS will break your email delivery. Also, unlike HTTPS, SMTP doesn't have a strong PKI widely in use. As valid certificates haven't generally been required for either sending or accepting mail, many are using self-signed certificates for their mail servers.

Therefore, opportunistic TLS is still the best choice. That's even said in the documentation for smtpd_tls_security_level:

may

  • Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.

encrypt

  • Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.

Ok, RFC 2487 has been obsoleted by RFC 3207, but this part hasn't changed. From section 4:

A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure. A publicly-referenced SMTP server is an SMTP server which runs on port 25 of an Internet host listed in the MX record (or A record if an MX record is not present) for the domain name on the right hand side of an Internet mail address.

If you want to take a step forward in enforcing TLS on your mail exchange, it's not mandatory TLS encryption. Instead, you could implement DNS-Based Authentication of Named Entities (DANE) lookup for your outbound SMTP: namely RFC 7672 on SMTP Security via Opportunistic DANE TLS. This ensures you won't deliver emails to wrong servers if the recipient has decided to publish information on their accepted certificates. That's configured through smtp_tls_security_level and requires DNSSEC:

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

If you wish to implement DANE for both outbound and inbound mail, you could read my more comprehensive answer from another question: Enabling TLS/SSL on Postfix.

Esa Jokinen
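As an added example (not from the answer above and not Postfix code), here is how the TLSA record that the DANE lookup relies on is derived by the MX operator and checked by a DANE-aware SMTP client for the DANE-EE(3) case; the host name and the DER byte strings are constructed stand-ins, not real certificates.

```python
import hashlib

# Constructed stand-ins for DER-encoded data (not real certificates): the
# SubjectPublicKeyInfo of the MX host's key and the certificate containing it.
MX_SPKI_DER = b"constructed-spki-of-mx-example-com"
MX_CERT_DER = b"constructed-cert-header" + MX_SPKI_DER + b"constructed-signature"

# RFC 7672: only DANE-TA(2) and DANE-EE(3) are usable for SMTP; PKIX-TA(0) and
# PKIX-EE(1) would need a shared root store that SMTP clients do not have.
SMTP_USAGES = {2, 3}
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type -> hash

def association_data(selector, mtype, cert_der, spki_der):
    """Certificate association data of one TLSA record (RFC 6698 section 2.1)."""
    if selector == 0:          # Cert(0): the whole certificate
        subject = cert_der
    elif selector == 1:        # SPKI(1): only the public key
        subject = spki_der
    else:
        raise ValueError("unknown selector %r" % selector)
    if mtype == 0:             # Full(0): the raw DER data itself
        return subject
    return DIGESTS[mtype](subject).digest()   # SHA2-256(1) or SHA2-512(2)

def tlsa_rr(mx_host, usage, selector, mtype, cert_der, spki_der):
    """Zone-file line the MX operator publishes (DNSSEC-signed in practice)."""
    if usage not in SMTP_USAGES:
        raise ValueError("usage %d is not usable for SMTP (RFC 7672)" % usage)
    data = association_data(selector, mtype, cert_der, spki_der)
    return "_25._tcp.%s. IN TLSA %d %d %d %s" % (mx_host, usage, selector, mtype, data.hex())

def parse_tlsa_rr(line):
    """Split a published TLSA line back into (usage, selector, mtype, data)."""
    fields = line.split()
    usage, selector, mtype = (int(f) for f in fields[3:6])
    return usage, selector, mtype, bytes.fromhex(fields[6])

def dane_ee_accepts(line, presented_cert_der, presented_spki_der):
    """The DANE-EE(3) check a sending SMTP client performs: the certificate the
    server presented in the TLS handshake must reproduce the published data.
    DANE-TA(2) additionally needs chain building, which is left out here;
    records with any other usage are skipped, never accepted."""
    usage, selector, mtype, data = parse_tlsa_rr(line)
    if usage != 3:
        return False
    return data == association_data(selector, mtype, presented_cert_der, presented_spki_der)
```

Because the client matches the published digest rather than a CA signature, a self-signed certificate is fine with DANE, and a "3 1 1" record survives certificate renewals as long as the key is unchanged.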