Thanks for the help. A lot to digest and read before making changes to the config.

Wolfgang
On Wed, Nov 28, 2018 at 11:26 PM Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:
>
> > Thanks for taking this up.
> > Concerning hardening TLS settings; can you recommend a read / web page
> > that is suitable for a home email server?
>
> The TLS "readme" files in the Postfix distribution (and at
> http://www.postfix.org/TLS_README.html and
> http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
> to know.
>
> The short version: Postfix default TLS cipher and protocol settings are
> fine, for releases after 2015. For older versions, you may need to set
> smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
> !SSLv3" which is the default in currently supported versions.
>
> > Thanks in advance
> >
> > Here is the postconf -Mf output
> >
> > smtp       inet  n       -       n       -       -       smtpd
> > amavisfeed unix  -       -       n       -       2       lmtp
> >     -o lmtp_data_done_timeout=1200
> >     -o lmtp_send_xforward_command=yes
> >     -o disable_dns_lookups=yes
> >     -o max_use=20
> > submission inet  n       -       n       -       -       smtpd
> >     -o syslog_name=postfix/submission
> >     -o smtpd_sasl_auth_enable=yes
> >     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> >     -o milter_macro_daemon_name=ORIGINATING
>
> That's the 'submission' (port 587) daemon, which opens connections in
> cleartext and supports the "STARTTLS" command to upgrade the connection
> to TLS encryption (because your main config includes
> "smtpd_tls_security_level = may"). To send mail through this daemon, you
> MUST either be sending to a domain that Postfix is configured to accept
> mail for (local, virtual, and relay domains) OR authenticate using SASL
> first. Because of "smtpd_tls_auth_only = yes" in your main config, you
> can only authenticate using SASL *after* using STARTTLS to negotiate a
> TLS session.
>
> > smtps      inet  n       -       n       -       -       smtpd
> >     -o syslog_name=postfix/smtps
> >     -o smtpd_sasl_auth_enable=yes
> >     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> >     -o milter_macro_daemon_name=ORIGINATING
>
> That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
> have an additional configuration override directive:
>
>     -o smtpd_tls_wrappermode=yes
>
> Which "wraps" the SMTP session in TLS encryption that is negotiated
> immediately at connect time, rather than having clients connect in the
> clear. As it stands, your 'submission' and 'smtps' daemons will behave
> identically, except for listening on different ports and using different
> syslog labels. There's no benefit in that, because any client using port
> 465 will expect the smtps 'wrappermode' behavior and any using port 587
> will expect the configured cleartext/STARTTLS behavior.
>
> Because you are overriding the default smtpd_recipient_restrictions with
> a restriction list which only permits mail from authenticated senders or
> to recipients in local and relay-authorized domains, your attempt to
> send mail to a gmail.com address was rejected.
>
> You were able to send through port 25 because by default,
> smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
> result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
> This lets the mail through because you are connecting from the loopback,
> which is included in your mynetworks setting.
>
> I hope this helps. Good luck!
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole

--
Wolfgang Rauchholz
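Added example, not part of the thread above and not Postfix's own code: a small Python checker that reads `postconf -Mf` output and mechanically applies the two observations Bill makes, namely that an 'smtps' listener running smtpd must carry `-o smtpd_tls_wrappermode=yes` (and a 'submission' listener must not), and that two smtpd listeners whose overrides differ only in `syslog_name` behave identically. The embedded dump is Wolfgang's, re-indented so the `-o` lines are continuation lines as postconf prints them; the function names, the issue wording and the `465`/`587` numeric aliases are this example's own assumptions.

```python
"""Check a `postconf -Mf` dump for the smtps/submission mismatch
described in the thread: smtpd on the 'smtps' service without
smtpd_tls_wrappermode=yes, and smtpd listeners that differ only in syslog_name."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The dump posted in the thread, re-indented so that the "-o" lines are
# continuation lines exactly as `postconf -Mf` prints them.
SAMPLE = """\
smtp       inet  n       -       n       -       -       smtpd
amavisfeed unix  -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
"""

WRAP = "smtpd_tls_wrappermode"
IMPLICIT_TLS = {"smtps", "465"}     # assumed: names meaning "TLS at connect"
STARTTLS_ONLY = {"submission", "587"}  # assumed: names meaning cleartext+STARTTLS


@dataclass
class Service:
    name: str
    command: str                  # smtpd, lmtp, pipe, ...
    columns: List[str]            # the eight master.cf columns, verbatim
    options: Dict[str, str] = field(default_factory=dict)


def parse_master(text: str) -> List[Service]:
    """Service lines start in column 1 with eight fields; indented
    '-o name=value' lines override main.cf for the preceding service."""
    services: List[Service] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m and services:
                services[-1].options[m.group(1)] = m.group(2).strip()
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        services.append(Service(name=cols[0], command=cols[7], columns=cols[:8]))
    return services


def find_issues(services: List[Service]) -> List[str]:
    """Flag smtpd listeners whose TLS mode contradicts their port's convention."""
    issues: List[str] = []
    for s in services:
        if s.command != "smtpd":
            continue
        wrapped = s.options.get(WRAP, "no").lower() == "yes"
        if s.name in IMPLICIT_TLS and not wrapped:
            issues.append(f"{s.name}: clients expect TLS at connect; add '-o {WRAP}=yes'")
        if s.name in STARTTLS_ONLY and wrapped:
            issues.append(f"{s.name}: clients expect cleartext+STARTTLS; drop '-o {WRAP}=yes'")
    return issues


def identical_listeners(services: List[Service]) -> List[Tuple[str, str]]:
    """Pairs of smtpd services whose overrides differ only in syslog_name,
    i.e. listeners that behave identically apart from their log label."""
    seen: Dict[frozenset, str] = {}
    pairs: List[Tuple[str, str]] = []
    for s in services:
        if s.command != "smtpd":
            continue
        key = frozenset((k, v) for k, v in s.options.items() if k != "syslog_name")
        if key in seen:
            pairs.append((seen[key], s.name))
        else:
            seen[key] = s.name
    return pairs


def with_wrappermode(s: Service) -> str:
    """Render the service entry in master.cf syntax with wrappermode turned on."""
    opts = dict(s.options)
    opts[WRAP] = "yes"
    lines = ["  ".join(s.columns)] + [f"    -o {k}={v}" for k, v in opts.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    svcs = parse_master(SAMPLE)
    for line in find_issues(svcs):
        print("ISSUE:", line)
    for a, b in identical_listeners(svcs):
        print(f"NOTE: '{a}' and '{b}' differ only in syslog_name")
    smtps = next(s for s in svcs if s.name == "smtps")
    print("\nCorrected smtps entry:\n" + with_wrappermode(smtps))
```

Run it as `postconf -Mf | python3 check_master.py` after replacing `SAMPLE` with `sys.stdin.read()`; on the dump above it reports the missing wrappermode on 'smtps', notes that 'submission' and 'smtps' are the same listener under two names, and prints the corrected 'smtps' entry. It deliberately does not flag the `smtpd_recipient_restrictions` override: as Bill explains, requiring SASL on 587/465 while port 25 relies on `smtpd_relay_restrictions` and `permit_mynetworks` is the intended split.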