Re: policy server, TLS only exceptions and restrictions
Stefan Bauer wrote on 2019-01-04 14:44:

> master.cf [1] (snippet):
> finance unix - - n - - smtp
>     smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

add -o before smtp_tls
Re: policy server, TLS only exceptions and restrictions
Great idea, but recipient verification is not something remote servers really like.

On Friday, 4 January 2019, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

>> On Jan 4, 2019, at 9:10 AM, Matus UHLAR - fantomas wrote:
>>
>> It looks to me that you are searching for a connection between
>> smtpd_recipient_restrictions and smtp_tls_policy_maps, and there is none.
>>
>> The "check_policy_service private/policy" communicates via the unix socket
>> private/policy (apparently in the Postfix directory) with an external program
>> that tells smtpd what to do.
>>
>> If you want your policy server to return dunno for the sending domain
>> "remote-site.de", your policy server must look in the /etc/postfix/tls/finance
>> table for the remote-site.de domain.
>>
>> The policy server does not look at your "smtp_tls_policy_maps" settings;
>> usually it does not read the Postfix configuration at all.
>
> This is where recipient verification has an advantage over a policy
> service. For SASL-authenticated users, who can relay outbound, the
> OP could replace the policy service with a recipient verification
> callout:
>
>     smtpd_relay_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination
>
>     smtpd_recipient_restrictions =
>         permit_auth_destination,
>         reject_unverified_recipient
>
> This *is* sensitive to outbound TLS policy, because recipient
> verification uses outbound SMTP connections to probe for TLS
> support, and will fail where TLS is mandated and not available.
>
> Of course, static configurations that are reflected in both the
> policy service and the SMTP TLS policy yield more predictable,
> if not always up-to-date, behaviour.
>
> --
> Viktor.
Re: policy server, TLS only exceptions and restrictions
> On Jan 4, 2019, at 9:10 AM, Matus UHLAR - fantomas wrote:
>
> It looks to me that you are searching for a connection between
> smtpd_recipient_restrictions and smtp_tls_policy_maps, and there is none.
>
> The "check_policy_service private/policy" communicates via the unix socket
> private/policy (apparently in the Postfix directory) with an external program
> that tells smtpd what to do.
>
> If you want your policy server to return dunno for the sending domain
> "remote-site.de", your policy server must look in the /etc/postfix/tls/finance
> table for the remote-site.de domain.
>
> The policy server does not look at your "smtp_tls_policy_maps" settings;
> usually it does not read the Postfix configuration at all.

This is where recipient verification has an advantage over a policy
service. For SASL-authenticated users, who can relay outbound, the
OP could replace the policy service with a recipient verification
callout:

    smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

    smtpd_recipient_restrictions =
        permit_auth_destination,
        reject_unverified_recipient

This *is* sensitive to outbound TLS policy, because recipient
verification uses outbound SMTP connections to probe for TLS
support, and will fail where TLS is mandated and not available.

Of course, static configurations that are reflected in both the
policy service and the SMTP TLS policy yield more predictable,
if not always up-to-date, behaviour.

--
Viktor.
Re: policy server, TLS only exceptions and restrictions
Understood. Thank you.

On Fri, 4 Jan 2019 at 15:11, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 04.01.19 14:44, Stefan Bauer wrote:
> > We have enforced TLS to all remote sites and have an appropriate TLS policy
> > server that checks if TLS is available before accepting mail. That works as
> > expected. We also only accept authenticated users.
> >
> > smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> >     reject_unauth_destination
> >
> > smtpd_recipient_restrictions = check_policy_service unix:private/policy
> >
> > The policy server returns dunno or defer...
> >
> > Now the problem:
> >
> > For some destinations we are aware that TLS fails, so we skip the check
> > and set a "may" policy for specific users/destinations. However, this
> > setting seems to have no effect anymore when we enable check_policy_service.
> >
> > master.cf (snippet):
> > finance unix - - n - - smtp
> >     smtp_tls_policy_maps=hash:/etc/postfix/tls/finance
> >
> > tls/finance:
> > remote-site.de may
> >
> > The policy server responds with defer and the custom smtp_tls_policy_maps
> > are ignored.
> >
> > How to work around this?
>
> It looks to me that you are searching for a connection between
> smtpd_recipient_restrictions and smtp_tls_policy_maps, and there is none.
>
> The "check_policy_service private/policy" communicates via the unix socket
> private/policy (apparently in the Postfix directory) with an external program
> that tells smtpd what to do.
>
> If you want your policy server to return dunno for the sending domain
> "remote-site.de", your policy server must look in the /etc/postfix/tls/finance
> table for the remote-site.de domain.
>
> The policy server does not look at your "smtp_tls_policy_maps" settings;
> usually it does not read the Postfix configuration at all.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail to this address.
> Nothing is fool-proof to a talented fool.
Re: policy server, TLS only exceptions and restrictions
On 04.01.19 14:44, Stefan Bauer wrote:
> We have enforced TLS to all remote sites and have an appropriate TLS policy
> server that checks if TLS is available before accepting mail. That works as
> expected. We also only accept authenticated users.
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination
>
> smtpd_recipient_restrictions = check_policy_service unix:private/policy
>
> The policy server returns dunno or defer...
>
> Now the problem:
>
> For some destinations we are aware that TLS fails, so we skip the check
> and set a "may" policy for specific users/destinations. However, this
> setting seems to have no effect anymore when we enable check_policy_service.
>
> master.cf (snippet):
> finance unix - - n - - smtp
>     smtp_tls_policy_maps=hash:/etc/postfix/tls/finance
>
> tls/finance:
> remote-site.de may
>
> The policy server responds with defer and the custom smtp_tls_policy_maps
> are ignored.
>
> How to work around this?

It looks to me that you are searching for a connection between
smtpd_recipient_restrictions and smtp_tls_policy_maps, and there is none.

The "check_policy_service private/policy" communicates via the unix socket
private/policy (apparently in the Postfix directory) with an external program
that tells smtpd what to do.

If you want your policy server to return dunno for the sending domain
"remote-site.de", your policy server must look in the /etc/postfix/tls/finance
table for the remote-site.de domain.

The policy server does not look at your "smtp_tls_policy_maps" settings;
usually it does not read the Postfix configuration at all.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
Nothing is fool-proof to a talented fool.
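The point Matus makes above (the policy server gets nothing from smtp_tls_policy_maps and has to consult the same per-transport table itself) and Viktor's caveat (an outbound STARTTLS probe is exactly what fails where TLS is mandated but unavailable) can be shown in one small policy daemon. This is an added example, not code from the thread or from Postfix: it speaks the smtpd policy protocol on stdin/stdout as spawn(8) would run it, reads the table the OP keeps at /etc/postfix/tls/finance, exempts destinations marked "may" (or "none") from the check, and otherwise probes the destination for STARTTLS. The table contents and the request are constructed samples; the probe connects to the recipient domain name directly instead of resolving its MX records, which is a simplification.

```python
"""Minimal Postfix smtpd policy server for TLS-gated relaying (added example).

Postfix sends each request as "name=value" lines ended by an empty line and
expects "action=<verdict>" plus an empty line back; any access(5) action is
valid as the verdict.
"""
import smtplib
from typing import Callable, Dict

# Constructed copy of the thread's /etc/postfix/tls/finance table
# (key = next-hop domain, value = smtp_tls_policy_maps security level).
SAMPLE_TLS_POLICY = """\
# domain          level
remote-site.de    may
partner.example   encrypt
"""

# Constructed policy request as Postfix sends it at RCPT TO time
# (only the attributes this server looks at are included).
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
sender=alice@example.org
recipient=bob@remote-site.de
sasl_username=alice

"""

Probe = Callable[[str], bool]


def parse_policy_table(text: str) -> Dict[str, str]:
    """Parse a Postfix 'key value' text table into {domain: level}.
    Exact-domain keys only; ".parent.example" entries are not handled here."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip().lower()
    return table


def parse_policy_request(text: str) -> Dict[str, str]:
    """Parse one request block (name=value lines up to the first empty line)."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def starttls_probe(domain: str, timeout: float = 10.0) -> bool:
    """Return True if the host advertises STARTTLS in its EHLO response.
    Assumption: connects to the domain name itself on port 25; a real deployment
    resolves the MX records first (not done here)."""
    try:
        with smtplib.SMTP(domain, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (smtplib.SMTPException, OSError):
        return False


def decide(attrs: Dict[str, str], table: Dict[str, str], probe: Probe) -> str:
    """Map one request to an access(5) action.
    Domains the operator listed as 'may' or 'none' in the transport's TLS policy
    table are exempt, mirroring what the smtp client will do for them; any other
    domain is accepted only if the probe sees STARTTLS, otherwise deferred."""
    if attrs.get("protocol_state") != "RCPT" or "recipient" not in attrs:
        return "dunno"
    domain = attrs["recipient"].rpartition("@")[2].lower()
    if table.get(domain) in ("may", "none"):
        return "dunno"
    if probe(domain):
        return "dunno"
    return ("defer_if_permit 4.7.0 TLS is required for %s "
            "but the remote server offers no STARTTLS" % domain)


def respond(request_text: str, table: Dict[str, str],
            probe: Probe = starttls_probe) -> str:
    """Produce the wire reply for one request block."""
    return "action=%s\n\n" % decide(parse_policy_request(request_text), table, probe)


def serve(inp, out, table: Dict[str, str], probe: Probe = starttls_probe) -> None:
    """Serve requests on a stream pair, as spawn(8) runs the script from master.cf."""
    pending = []
    for line in inp:
        if line.strip():
            pending.append(line.rstrip("\n"))
            continue
        if pending:
            out.write(respond("\n".join(pending) + "\n", table, probe))
            out.flush()
            pending = []


if __name__ == "__main__":
    import sys
    with open("/etc/postfix/tls/finance") as fh:  # path taken from the thread
        serve(sys.stdin, sys.stdout, parse_policy_table(fh.read()))
```

Wired up as the OP's "unix:private/policy" service (a master.cf "policy unix - n n - 0 spawn user=nobody argv=/path/to/this/script" entry is the usual shape; path and user here are assumptions), the server returns dunno for remote-site.de without probing, because the table says "may", and defers everything else that does not offer STARTTLS. Note that the decision is only as current as the probe: a destination that offers STARTTLS at RCPT time but fails the handshake later is still deferred by the smtp client, not by this server.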
policy server, TLS only exceptions and restrictions
Hi,

We have enforced TLS to all remote sites and have an appropriate TLS policy
server that checks if TLS is available before accepting mail. That works as
expected. We also only accept authenticated users.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination

smtpd_recipient_restrictions = check_policy_service unix:private/policy

The policy server returns dunno or defer...

Now the problem:

For some destinations we are aware that TLS fails, so we skip the check
and set a "may" policy for specific users/destinations. However, this
setting seems to have no effect anymore when we enable check_policy_service.

master.cf (snippet):
finance unix - - n - - smtp
    smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

tls/finance:
remote-site.de may

The policy server responds with defer and the custom smtp_tls_policy_maps
are ignored.

How to work around this?

Thank you.

Stefan