956
<h3><a name="client_lmtp_tls"> TLS support in the LMTP delivery agent </a>
959
<p> The <a href="smtp.8.html">smtp(8)</a> and <a href="lmtp.8.html">lmtp(8)</a> delivery agents are implemented by a
960
single dual-purpose program. Specifically, all the TLS features
961
described below apply
962
equally to SMTP and LMTP, after replacing the "smtp_" prefix of the each
963
parameter name with "lmtp_".
965
<p> The Postfix LMTP delivery agent can communicate with LMTP servers
967
on UNIX-domain sockets. When server certificate verification is enabled
968
and the server is listening on a UNIX-domain socket, the $<a href="postconf.5.html#myhostname">myhostname</a>
969
parameter is used to set the TLS verification <i>nexthop</i> and
970
<i>hostname</i>. Note, opportunistic encryption of LMTP traffic over
971
UNIX-domain sockets is futile. TLS is only useful in this context when
972
it is mandatory, typically to allow at least one of the server or the
973
client to authenticate the other. The "null" cipher grade may be
974
appropriate in this context, when available on both client and server.
975
The "null" ciphers provide authentication without encryption. </p>
977
<h3><a name="client_cert_key">Client-side certificate and private
978
key configuration </a> </h3>
980
<p> Do not configure Postfix SMTP client certificates unless you <b>must</b>
982
client TLS certificates to one or more servers. Client certificates are
983
not usually needed, and can cause problems in configurations that work
984
well without them. The recommended setting is to let the defaults stand: </p>
988
<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> =
989
<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> =
990
<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> =
991
<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> =
993
<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> =
994
<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> =
998
<p> The best way to use the default settings is to comment out the above
999
parameters in <a href="postconf.5.html">main.cf</a> if present. </p>
1001
<p> During TLS startup negotiation the Postfix SMTP client may present
1002
a certificate to the remote SMTP server. The Netscape client is
1003
rather clever here and lets the user select between only those
1004
certificates that match CA certificates offered by the remote SMTP
1005
server. As the Postfix SMTP client uses the "SSL_connect()" function
1006
from the OpenSSL package, this is not possible and we have to choose
1007
just one certificate. So for now the default is to use _no_
1008
certificate and key unless one is explicitly specified here. </p>
1010
<p> RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported.
1011
You can configure all three at the same time, in which case the
1012
cipher used determines which certificate is presented. </p>
1014
<p> It is possible for the Postfix SMTP client to use the same
1015
key/certificate pair as the Postfix SMTP server. If a certificate
1016
is to be presented, it must be in "PEM" format. The private key
1017
must not be encrypted, meaning: it must be accessible without
1018
password. Both parts (certificate and private key) may be in the
1021
<p> To enable remote SMTP servers to verify the Postfix SMTP client
1022
certificate, the issuing CA certificates must be made available to the
1023
server. You should include the required certificates in the client
1024
certificate file, the client certificate first, then the issuing
1025
CA(s) (bottom-up order). </p>
1027
<p> Example: the certificate for "client.example.com" was issued by
1028
"intermediate CA" which itself has a certificate issued by "root CA".
1029
Create the client.pem file with: </p>
1033
% <b>cat client_cert.pem intermediate_CA.pem > client.pem </b>
1037
<p> A Postfix SMTP client certificate supplied here must be usable
1038
as SSL client certificate and hence pass the "openssl verify -purpose
1039
sslclient ..." test. </p>
1041
<p> A server that trusts the root CA has a local copy of the root
1042
CA certificate, so it is not necessary to include the root CA
1043
certificate here. Leaving it out of the "client.pem" file reduces
1044
the overhead of the TLS exchange. </p>
1046
<p> If you want the Postfix SMTP client to accept remote SMTP server
1047
certificates issued by these CAs, append the root certificate to
1048
$<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or install it in the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. </p>
1050
<p> RSA key and certificate examples: </p>
1054
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1055
<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> = /etc/postfix/client.pem
1056
<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> = $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>
1060
<p> Their DSA counterparts: </p>
1064
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1065
<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
1066
<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
1070
<p> Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9): </p>
1074
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1075
<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> = /etc/postfix/client-ecdsa.pem
1076
<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> = $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>
1080
<p> To verify a remote SMTP server certificate, the Postfix SMTP
1081
client needs to trust the certificates of the issuing certification
1082
authorities. These certificates in "pem" format can be stored in a
1083
single $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or in multiple files, one CA per file in
1084
the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. If you use a directory, don't forget
1085
to create the necessary "hash" links with: </p>
1089
# <b>$OPENSSL_HOME/bin/c_rehash <i>/path/to/directory</i> </b>
1093
<p> The $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> contains the CA certificates of one or more
1094
trusted CAs. The file is opened (with root privileges) before Postfix
1095
enters the optional chroot jail and so need not be accessible from inside the
1098
<p> Additional trusted CAs can be specified via the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>
1099
directory, in which case the certificates are read (with $<a href="postconf.5.html#mail_owner">mail_owner</a>
1100
privileges) from the files in the directory when the information
1101
is needed. Thus, the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory needs to be accessible
1102
inside the optional chroot jail. </p>
1104
<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> is
1105
a space/time tradeoff. If there are many trusted CAs, the cost of
1106
preloading them all into memory may not pay off in reduced access time
1107
when the certificate is needed. </p>
1113
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1114
<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/CAcert.pem
1115
<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> = /etc/postfix/certs
1119
<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
1121
<p> To get additional information about Postfix SMTP client TLS
1122
activity you can increase the loglevel from 0..4. Each logging
1123
level also includes the information that is logged at a lower
1130
<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
1132
<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
1135
<tr> <td> 2 </td> <td> Log levels during TLS negotiation. </td>
1138
<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
1139
negotiation process </td> </tr>
1141
<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
1142
transmission after STARTTLS </td> </tr>
1152
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1153
<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> = 0
1157
<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
1159
<p> The remote SMTP server and the Postfix SMTP client negotiate a
1160
session, which takes some computer time and network bandwidth. By
1161
default, this session information is cached only in the <a href="smtp.8.html">smtp(8)</a>
1162
process actually using this session and is lost when the process
1163
terminates. To share the session information between multiple
1164
<a href="smtp.8.html">smtp(8)</a> processes, a persistent session cache can be used. You
1165
can specify any database type that can store objects of several
1166
kbytes and that supports the sequence operator. DBM databases are
1167
not suitable because they can only store small objects. The cache
1168
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
1169
concurrent access. Session caching is highly recommended, because
1170
the cost of repeatedly negotiating TLS session keys is high. Future
1171
Postfix SMTP servers may limit the number of sessions that a client
1172
is allowed to negotiate per unit time.</p>
1179
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1180
<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = btree:/var/lib/postfix/smtp_scache
1184
<p> Note: as of version 2.5, Postfix no longer uses root privileges
1185
when opening this file. The file should now be stored under the
1186
Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to
1187
open the file under a non-Postfix directory is redirected to the
1188
Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
1190
<p> Cached Postfix SMTP client session information expires after
1191
a certain amount of time. Postfix/TLS does not use the OpenSSL
1192
default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
1193
recommends a maximum of 24 hours. </p>
1199
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1200
<a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> = 3600s
1204
<h3><a name="client_tls_limits"> Client TLS limitations </a>
1207
<p> The security properties of TLS communication channels are
1208
application specific. While the TLS protocol can provide a confidential,
1209
tamper-resistant, mutually authenticated channel between client
1210
and server, not all of these security features are applicable to every
1213
<p> For example, while mutual TLS authentication between browsers and web
1214
servers is possible, it is not practical, or even useful, for web-servers
1215
that serve the public to verify the identity of every potential user. In
1216
practice, most HTTPS transactions are asymmetric: the browser verifies
1217
the HTTPS server's identity, but the user remains anonymous. Much of
1218
the security policy is up to the client. If the client chooses to not
1219
verify the server's name, the server is not aware of this. There are many
1220
interesting browser security topics, but we shall not dwell
1221
on them here. Rather, our goal is to understand the security features
1222
of TLS in conjunction with SMTP. </p>
1224
<p> An important SMTP-specific observation is that a public MX host is
1225
even more at the mercy of the SMTP client than is an HTTPS server. Not only
1226
can it not enforce due care in the client's use of TLS, but it cannot even
1227
enforce the use of TLS, because TLS support in SMTP clients is still the
1228
exception rather than the rule. One cannot, in practice, limit access to
1229
one's MX hosts to just TLS-enabled clients. Such a policy would result
1230
in a vast reduction in one's ability to communicate by email with the
1231
world at large. </p>
1233
<p> One may be tempted to try enforcing TLS for mail from specific
1234
sending organizations, but this, too, runs into obstacles. One such
1235
obstacle is that we don't know who is (allegedly) sending mail until
1236
we see the "MAIL FROM:" SMTP command, and at that point, if TLS
1237
is not already in use, a potentially sensitive sender address (and
1238
with SMTP PIPELINING one or more of the recipients) has (have) already been
1239
leaked in the clear. Another obstacle is that mail from the sender to
1240
the recipient may be forwarded, and the forwarding organization may not
1241
have any security arrangements with the final destination. Bounces also
1242
need to be protected. These can only be identified by the IP address and
1243
HELO name of the connecting client, and it is difficult to keep track
1244
of all the potential IP addresses or HELO names of the outbound email
1245
servers of the sending organization. </p>
1247
<p> Consequently, TLS security for mail delivery to public MX hosts is
1248
almost entirely the client's responsibility. The server is largely a
1249
passive enabler of TLS security, the rest is up to the client. While the
1250
server has a greater opportunity to mandate client security policy when
1251
it is a dedicated MSA that only handles outbound mail from trusted clients,
1252
below we focus on the client security policy. </p>
1254
<p> On the SMTP client, there are further complications. When delivering
1255
mail to a given domain, in contrast to HTTPS, one rarely uses the domain
1256
name directly as the target host of the SMTP session. More typically,
1257
one uses MX lookups - these are usually unauthenticated - to obtain the domain's SMTP server
1258
hostname(s). When, as is current practice, the client verifies the
1259
insecurely obtained MX hostname, it is subject to a DNS man-in-the-middle
1262
<p> If clients instead attempted to verify the recipient domain name,
1263
an SMTP server for multiple domains would need to
1264
list all its email domain names in its certificate, and generate a
1265
new certificate each time a new domain were added. At least some CAs set
1266
fairly low limits (20 for one prominent CA) on the number of names that
1267
server certificates can contain. This approach is not consistent with
1268
current practice and does not scale. </p>
1270
<p> It is regrettably the case that TLS <i>secure-channels</i>
1271
(fully authenticated and immune to man-in-the-middle attacks) impose
1272
constraints on the sending and receiving sites that preclude ubiquitous
1273
deployment. One needs to manually configure this type of security for
1274
each destination domain, and in many cases implement non-default TLS
1275
<a href="#client_tls_policy">policy table</a> entries for additional
1276
domains hosted at a common secured destination. With Postfix 2.3, we
1277
make secure-channel configurations substantially easier to configure,
1278
but they will never be the norm. For the generic domain with which you
1279
have made no specific security arrangements, this security level is not
1282
<p> Given that strong authentication is not generally possible, and that
1283
verifiable certificates cost time and money, many servers that implement
1284
TLS use self-signed certificates or private CAs. This further limits
1285
the applicability of verified TLS on the public Internet. </p>
1287
<p> Historical note: while the documentation of these issues and many of the
1288
related features are new with Postfix 2.3, the issue was well
1289
understood before Postfix 1.0, when Lutz Jänicke was designing
1290
the first unofficial Postfix TLS patch. See his original post <a
1291
href="http://www.imc.org/ietf-apps-tls/mail-archive/msg00304.html">http://www.imc.org/ietf-apps-tls/mail-archive/msg00304.html</a>
1292
and the first response <a
1293
href="http://www.imc.org/ietf-apps-tls/mail-archive/msg00305.html">http://www.imc.org/ietf-apps-tls/mail-archive/msg00305.html</a>.
1294
The problem is not even unique to SMTP or even TLS, similar issues exist
1295
for secure connections via aliases for HTTPS and Kerberos. SMTP merely
1296
uses indirect naming (via MX records) more frequently. </p>
1298
863
<h3><a name="client_tls_levels"> Configuring TLS in the SMTP/LMTP client </a>
1317
882
<dd><a href="#client_tls_secure">Secure-channel TLS.</a>
1320
<h3><a name="client_tls_none"> No TLS encryption </a>
885
<h4><a name="client_lmtp_tls"> TLS support in the LMTP delivery agent </a> </h4>
887
<p> The <a href="smtp.8.html">smtp(8)</a> and <a href="lmtp.8.html">lmtp(8)</a> delivery agents are implemented by a
888
single dual-purpose program. Specifically, all the TLS features
889
described below apply
890
equally to SMTP and LMTP, after replacing the "smtp_" prefix of the each
891
parameter name with "lmtp_".
893
<p> The Postfix LMTP delivery agent can communicate with LMTP servers
895
on UNIX-domain sockets. When server certificate verification is enabled
896
and the server is listening on a UNIX-domain socket, the $<a href="postconf.5.html#myhostname">myhostname</a>
897
parameter is used to set the TLS verification <i>nexthop</i> and
898
<i>hostname</i>. </p>
900
<p> NOTE: Opportunistic encryption of LMTP traffic over UNIX-domain
901
sockets or loopback TCP connections is futile. TLS is only useful
903
it is mandatory, typically to allow at least one of the server or the
904
client to authenticate the other. The "null" cipher grade may be
905
appropriate in this context, when available on both client and server.
906
The "null" ciphers provide authentication without encryption. </p>
908
<h4><a name="client_tls_none"> No TLS encryption </a> </h4>
1323
910
<p> At the "none" TLS security level, TLS encryption is
1324
disabled. This is the default security level. With Postfix 2.3 and later,
1325
it can be configured explicitly by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = none". </p>
1327
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> is set to
1328
its default (backwards compatible) empty value, the appropriate configuration
1329
settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = no" and "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
1330
With either approach, TLS is not used even if supported by the server.
1331
For LMTP, use the corresponding "lmtp_" parameters. </p>
1333
<p> Per destination settings may override this default setting, in which case
911
disabled. This is the default security level, and
912
can be configured explicitly by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = none".
913
For LMTP, use the corresponding "lmtp_" parameter. </p>
915
<p> Per-destination settings may override this default setting, in which case
1334
916
TLS is used selectively, only with destinations explicitly configured
1337
919
<p> You can disable TLS for a subset of destinations, while leaving
1338
it enabled for the rest. With the Postfix 2.3 and later TLS <a
920
it enabled for the rest. With the Postfix TLS <a
1339
921
href="#client_tls_policy">policy table</a>, specify the "none"
1340
security level. With the obsolete <a href="#client_tls_obs">per-site</a>
1341
table, specify the "NONE" keyword. </p>
1343
<h3><a name="client_tls_may"> Opportunistic TLS </a>
924
<h4><a name="client_tls_may"> Opportunistic TLS </a> </h4>
1346
926
<p> At the "may" TLS security level, TLS encryption is <i>opportunistic</i>.
1347
927
The SMTP transaction is encrypted if the STARTTLS ESMTP feature
1348
928
is supported by the server. Otherwise, messages are sent in the clear.
1349
With Postfix 2.3 and later, opportunistic TLS can be configured by
1350
setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".
929
Opportunistic TLS can be configured by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".
930
For LMTP, use the corresponding "lmtp_" parameter. </p>
1352
932
<p> Since sending in the clear is acceptable, demanding stronger
1353
933
than default TLS security mostly reduces inter-operability. If you
1520
<p> Postfix 2.2 syntax: </p>
1522
<p> <b>Note:</b> Avoid policy lookups with the bare hostname (for
1523
example, "example.net"). Instead,
1524
use the destination (for example, "[example.net]:587"), as the <a
1525
href="#client_tls_obs">per-site</a> table lookup key (a recipient domain
1526
or MX-enabled transport nexthop with no port suffix may look like a bare
1527
hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
1529
do not use the obsolete <a href="#client_tls_obs">per-site</a> table;
1530
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
1534
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1535
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> = hash:/etc/postfix/tls_per_site
1537
/etc/postfix/tls_per_site:
1538
[example.net]:587 MUST_NOPEERMATCH
1542
<h3><a name="client_tls_fprint"> Certificate fingerprint verification </a>
1545
<p> Certificate fingerprint verification is available with Postfix 2.5 and
1546
later. At this security level ("<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = fingerprint"),
1547
no trusted certificate authorities are used or required. The certificate
1548
trust chain, expiration date, ... are not checked. Instead, the
1549
<a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> parameter or the "match" attribute
1550
in the <a href="#client_tls_policy">policy</a> table lists the valid
1551
"fingerprints" of the remote SMTP server certificate. </p>
1061
<h4><a name="client_tls_fprint"> Certificate fingerprint verification </a> </h4>
1063
<p> Certificate fingerprint verification is available with Postfix
1064
2.5 and later. At this security level ("<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> =
1065
fingerprint"), no trusted certificate authorities are used or
1066
required. The certificate trust chain, expiration date, ... are
1067
not checked. Instead, the <a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> parameter
1068
or the "match" attribute in the <a href="#client_tls_policy">policy</a>
1069
table lists the remote SMTP server certificate fingerprint or
1070
public key fingerprint (Postfix 2.9 and later).
1553
1072
<p> If certificate fingerprints are exchanged securely, this is the
1554
strongest, and least scalable security level. The administrator needs to
1555
securely collect the fingerprints of the X.509 certificates of each peer
1556
server, store them into a local file, and update this local file
1557
whenever the peer server's public certificate
1558
changes. This may be feasible for an SMTP "VPN" connecting a small
1559
number of branch offices over the Internet, or for secure connections
1560
to a central mail hub. It works poorly if the remote SMTP server is
1562
third party, and its public certificate changes periodically without
1563
prior coordination with the verifying site. </p>
1073
strongest, and least scalable security level. The administrator needs
1074
to securely collect the fingerprints of the X.509 certificates of each
1075
peer server, store them into a local file, and update this local file
1076
whenever the peer server's public certificate changes. If public key
1077
fingerprints are used in place of fingerprints of the entire certificate,
1078
the fingerprints remain valid even after the certificate is renewed,
1079
<b>provided</b> that the same public/private keys are used to obtain
1080
the new certificate. </p>
1082
<p> Fingerprint verification may be feasible for an SMTP "VPN" connecting
1083
a small number of branch offices over the Internet, or for secure
1084
connections to a central mail hub. It works poorly if the remote SMTP
1085
server is managed by a third party, and its public certificate changes
1086
periodically without prior coordination with the verifying site. </p>
1565
1088
<p> The digest algorithm used to calculate the fingerprint is
1566
1089
selected by the <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. In the <a
1828
<p> Postfix 2.2.9 and later syntax: </p>
1830
<p> <b>Note:</b> Avoid policy lookups with the bare hostname (for
1831
example, "tls.example.com"). Instead, use the destination (for
1832
example, "[tls.example.com]") as the <a
1833
href="#client_tls_obs">per-site</a> table lookup key (a recipient domain
1834
or MX-enabled transport nexthop with no port suffix may look like a bare
1835
hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
1837
do not use the obsolete <a href="#client_tls_obs">per-site</a> table;
1838
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
1842
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1843
<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no
1844
<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/CAfile.pem
1845
<a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
1846
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> = hash:/etc/postfix/tls_per_site
1848
/etc/postfix/transport:
1849
example.com <a href="smtp.8.html">smtp</a>:[tls.example.com]
1850
example.co.uk <a href="smtp.8.html">smtp</a>:[tls.example.com]
1851
example.co.jp <a href="smtp.8.html">smtp</a>:[tls.example.com]
1853
/etc/postfix/tls_per_site:
1854
[tls.example.com] MUST
1315
<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
1317
<p> To get additional information about Postfix SMTP client TLS
1318
activity you can increase the loglevel from 0..4. Each logging
1319
level also includes the information that is logged at a lower
1326
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
1327
releases. </th> </tr>
1329
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
1330
message on TLS handshake completion — no logging of remote
1331
SMTP server certificate trust-chain verification errors if server
1332
certificate verification is not required. </td> <td valign="top">
1333
Disable logging of TLS activity.</td> </tr>
1335
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
1336
SMTP server trust-chain verification errors and peer certificate
1337
summary information. </td> <td valign="top"> Also log TLS handshake
1338
and certificate information. </td> </tr>
1340
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
1341
log levels during TLS negotiation. </td> </tr>
1343
<tr> <td valign="top"> 3 </td> <td valign="top" colspan="2"> Also
1344
log hexadecimal and ASCII dump of TLS negotiation process. </td>
1347
<tr> <td valign="top"> 4 </td> <td valign="top" colspan="2"> Also
1348
log hexadecimal and ASCII dump of complete transmission after
1349
STARTTLS. </td> </tr>
1359
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1360
<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> = 0
1364
<h3><a name="client_cert_key">Client-side certificate and private
1365
key configuration </a> </h3>
1367
<p> Do not configure Postfix SMTP client certificates unless you <b>must</b>
1369
client TLS certificates to one or more servers. Client certificates are
1370
not usually needed, and can cause problems in configurations that work
1371
well without them. The recommended setting is to let the defaults stand: </p>
1375
<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> =
1376
<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> =
1377
<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> =
1378
<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> =
1380
<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> =
1381
<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> =
1385
<p> The best way to use the default settings is to comment out the above
1386
parameters in <a href="postconf.5.html">main.cf</a> if present. </p>
1388
<p> During TLS startup negotiation the Postfix SMTP client may present
1389
a certificate to the remote SMTP server. The Netscape client is
1390
rather clever here and lets the user select between only those
1391
certificates that match CA certificates offered by the remote SMTP
1392
server. As the Postfix SMTP client uses the "SSL_connect()" function
1393
from the OpenSSL package, this is not possible and we have to choose
1394
just one certificate. So for now the default is to use _no_
1395
certificate and key unless one is explicitly specified here. </p>
1397
<p> RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported.
1398
You can configure all three at the same time, in which case the
1399
cipher used determines which certificate is presented. </p>
1401
<p> It is possible for the Postfix SMTP client to use the same
1402
key/certificate pair as the Postfix SMTP server. If a certificate
1403
is to be presented, it must be in "PEM" format. The private key
1404
must not be encrypted, meaning: it must be accessible without
1405
password. Both parts (certificate and private key) may be in the
1408
<p> To enable remote SMTP servers to verify the Postfix SMTP client
1409
certificate, the issuing CA certificates must be made available to the
1410
server. You should include the required certificates in the client
1411
certificate file, the client certificate first, then the issuing
1412
CA(s) (bottom-up order). </p>
1414
<p> Example: the certificate for "client.example.com" was issued by
1415
"intermediate CA" which itself has a certificate issued by "root CA".
1416
Create the client.pem file with: </p>
1420
% <b>cat client_cert.pem intermediate_CA.pem > client.pem </b>
1424
<p> A Postfix SMTP client certificate supplied here must be usable
1425
as SSL client certificate and hence pass the "openssl verify -purpose
1426
sslclient ..." test. </p>
1428
<p> A server that trusts the root CA has a local copy of the root
1429
CA certificate, so it is not necessary to include the root CA
1430
certificate here. Leaving it out of the "client.pem" file reduces
1431
the overhead of the TLS exchange. </p>
1433
<p> If you want the Postfix SMTP client to accept remote SMTP server
1434
certificates issued by these CAs, append the root certificate to
1435
$<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or install it in the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. </p>
1437
<p> RSA key and certificate examples: </p>
1441
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1442
<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> = /etc/postfix/client.pem
1443
<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> = $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>
1447
<p> Their DSA counterparts: </p>
1451
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1452
<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
1453
<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
1457
<p> Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9): </p>
1461
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1462
<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> = /etc/postfix/client-ecdsa.pem
1463
<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> = $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>
1467
<p> To verify a remote SMTP server certificate, the Postfix SMTP
1468
client needs to trust the certificates of the issuing certification
1469
authorities. These certificates in "pem" format can be stored in a
1470
single $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or in multiple files, one CA per file in
1471
the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. If you use a directory, don't forget
1472
to create the necessary "hash" links with: </p>
1476
# <b>$OPENSSL_HOME/bin/c_rehash <i>/path/to/directory</i> </b>
1480
<p> The $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> contains the CA certificates of one or more
1481
trusted CAs. The file is opened (with root privileges) before Postfix
1482
enters the optional chroot jail and so need not be accessible from inside the
1485
<p> Additional trusted CAs can be specified via the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>
1486
directory, in which case the certificates are read (with $<a href="postconf.5.html#mail_owner">mail_owner</a>
1487
privileges) from the files in the directory when the information
1488
is needed. Thus, the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory needs to be accessible
1489
inside the optional chroot jail. </p>
1491
<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> is
1492
a space/time tradeoff. If there are many trusted CAs, the cost of
1493
preloading them all into memory may not pay off in reduced access time
1494
when the certificate is needed. </p>
1500
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1501
<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/CAcert.pem
1502
<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> = /etc/postfix/certs
1506
<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
1508
<p> The remote SMTP server and the Postfix SMTP client negotiate a
1509
session, which takes some computer time and network bandwidth. By
1510
default, this session information is cached only in the <a href="smtp.8.html">smtp(8)</a>
1511
process actually using this session and is lost when the process
1512
terminates. To share the session information between multiple
1513
<a href="smtp.8.html">smtp(8)</a> processes, a persistent session cache can be used. You
1514
can specify any database type that can store objects of several
1515
kbytes and that supports the sequence operator. DBM databases are
1516
not suitable because they can only store small objects. The cache
1517
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
1518
concurrent access. Session caching is highly recommended, because
1519
the cost of repeatedly negotiating TLS session keys is high. Future
1520
Postfix SMTP servers may limit the number of sessions that a client
1521
is allowed to negotiate per unit time.</p>
1528
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1529
<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = btree:/var/lib/postfix/smtp_scache
1533
<p> Note: as of version 2.5, Postfix no longer uses root privileges
1534
when opening this file. The file should now be stored under the
1535
Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to
1536
open the file under a non-Postfix directory is redirected to the
1537
Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
1539
<p> Cached Postfix SMTP client session information expires after
1540
a certain amount of time. Postfix/TLS does not use the OpenSSL
1541
default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
1542
recommends a maximum of 24 hours. </p>
1548
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1549
<a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> = 3600s
1553
<h3><a name="client_tls_limits"> Client TLS limitations </a>
1556
<p> The security properties of TLS communication channels are
1557
application specific. While the TLS protocol can provide a confidential,
1558
tamper-resistant, mutually authenticated channel between client
1559
and server, not all of these security features are applicable to every
1562
<p> For example, while mutual TLS authentication between browsers and web
1563
servers is possible, it is not practical, or even useful, for web-servers
1564
that serve the public to verify the identity of every potential user. In
1565
practice, most HTTPS transactions are asymmetric: the browser verifies
1566
the HTTPS server's identity, but the user remains anonymous. Much of
1567
the security policy is up to the client. If the client chooses to not
1568
verify the server's name, the server is not aware of this. There are many
1569
interesting browser security topics, but we shall not dwell
1570
on them here. Rather, our goal is to understand the security features
1571
of TLS in conjunction with SMTP. </p>
1573
<p> An important SMTP-specific observation is that a public MX host is
1574
even more at the mercy of the SMTP client than is an HTTPS server. Not only
1575
can it not enforce due care in the client's use of TLS, but it cannot even
1576
enforce the use of TLS, because TLS support in SMTP clients is still the
1577
exception rather than the rule. One cannot, in practice, limit access to
1578
one's MX hosts to just TLS-enabled clients. Such a policy would result
1579
in a vast reduction in one's ability to communicate by email with the
1580
world at large. </p>
1582
<p> One may be tempted to try enforcing TLS for mail from specific
1583
sending organizations, but this, too, runs into obstacles. One such
1584
obstacle is that we don't know who is (allegedly) sending mail until
1585
we see the "MAIL FROM:" SMTP command, and at that point, if TLS
1586
is not already in use, a potentially sensitive sender address (and
1587
with SMTP PIPELINING one or more of the recipients) has (have) already been
1588
leaked in the clear. Another obstacle is that mail from the sender to
1589
the recipient may be forwarded, and the forwarding organization may not
1590
have any security arrangements with the final destination. Bounces also
1591
need to be protected. These can only be identified by the IP address and
1592
HELO name of the connecting client, and it is difficult to keep track
1593
of all the potential IP addresses or HELO names of the outbound email
1594
servers of the sending organization. </p>
1596
<p> Consequently, TLS security for mail delivery to public MX hosts is
1597
almost entirely the client's responsibility. The server is largely a
1598
passive enabler of TLS security, the rest is up to the client. While the
1599
server has a greater opportunity to mandate client security policy when
1600
it is a dedicated MSA that only handles outbound mail from trusted clients,
1601
below we focus on the client security policy. </p>
1603
<p> On the SMTP client, there are further complications. When delivering
1604
mail to a given domain, in contrast to HTTPS, one rarely uses the domain
1605
name directly as the target host of the SMTP session. More typically,
1606
one uses MX lookups - these are usually unauthenticated - to obtain the domain's SMTP server
1607
hostname(s). When, as is current practice, the client verifies the
1608
insecurely obtained MX hostname, it is subject to a DNS man-in-the-middle
1611
<p> If clients instead attempted to verify the recipient domain name,
1612
an SMTP server for multiple domains would need to
1613
list all its email domain names in its certificate, and generate a
1614
new certificate each time a new domain were added. At least some CAs set
1615
fairly low limits (20 for one prominent CA) on the number of names that
1616
server certificates can contain. This approach is not consistent with
1617
current practice and does not scale. </p>
1619
<p> It is regrettably the case that TLS <i>secure-channels</i>
1620
(fully authenticated and immune to man-in-the-middle attacks) impose
1621
constraints on the sending and receiving sites that preclude ubiquitous
1622
deployment. One needs to manually configure this type of security for
1623
each destination domain, and in many cases implement non-default TLS
1624
<a href="#client_tls_policy">policy table</a> entries for additional
1625
domains hosted at a common secured destination. For these reasons
1626
secure-channel configurations
1627
will never be the norm. For the generic domain with which you
1628
have made no specific security arrangements, this security level is not
1631
<p> Given that strong authentication is not generally possible, and that
1632
verifiable certificates cost time and money, many servers that implement
1633
TLS use self-signed certificates or private CAs. This further limits
1634
the applicability of verified TLS on the public Internet. </p>
1636
<p> Historical note: while the documentation of these issues and many of the
1637
related features were new with Postfix 2.3, the issue was well
1638
understood before Postfix 1.0, when Lutz Jänicke was designing
1639
the first unofficial Postfix TLS patch. See his original post <a
1640
href="http://www.imc.org/ietf-apps-tls/mail-archive/msg00304.html">http://www.imc.org/ietf-apps-tls/mail-archive/msg00304.html</a>
1641
and the first response <a
1642
href="http://www.imc.org/ietf-apps-tls/mail-archive/msg00305.html">http://www.imc.org/ietf-apps-tls/mail-archive/msg00305.html</a>.
1643
The problem is not even unique to SMTP or even TLS, similar issues exist
1644
for secure connections via aliases for HTTPS and Kerberos. SMTP merely
1645
uses indirect naming (via MX records) more frequently. </p>
1858
1647
<h3> <a name="client_tls_policy"> TLS policy table </a>
1861
<p> The current TLS policy table was introduced with Postfix 2.3. For
1862
earlier releases, read the description of the obsolete Postfix 2.2 <a
1863
href="#client_tls_obs">per-site</a> table. </p>
1865
1650
<p> A small fraction of servers offer STARTTLS but the negotiation
1866
consistently fails. With Postfix 2.3, so long as encryption is not
1867
enforced, the delivery is immediately retried with TLS disabled. You no
1868
longer need to explicitly disable TLS for the problem destinations.
1869
As soon as their TLS software or configuration is repaired, encryption
1651
consistently fails. As long as encryption is not mandatory, the
1652
Postfix SMTP client retries the delivery immediately with TLS
1653
disabled, without any need to explicitly disable TLS for the problem
1872
<p> The new policy table is specified via the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
1656
<p> The policy table is specified via the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
1873
1657
parameter. This lists optional lookup tables with the Postfix SMTP client
1874
TLS security policy by next-hop destination. When $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
1875
is not empty, the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter is ignored
1876
(a warning is written to the logs if both parameter values are
1658
TLS security policy by next-hop destination. </p>
1879
1660
<p> The TLS policy table is indexed by the full next-hop destination,
1880
1661
which is either the recipient domain, or the verbatim next-hop
2022
1804
the "hostname" strategy for <a href="#client_tls_secure">secure-channel</a>
2023
1805
configurations in environments where DNS security is not assured. </p>
2025
<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
2028
<p> This section describes an obsolete per-site TLS policy mechanism.
2029
Unlike the Postfix 2.3 <a href="#client_tls_policy">policy table</a>
2030
mechanism, this uses as a policy lookup key a potentially untrusted
2031
server hostname, and lacks control over what names can appear in
2032
server certificates. Because of this, the obsolete mechanism is
2033
typically vulnerable to false DNS hostname information in MX or
2034
CNAME records. These attacks can be eliminated only with great
2035
difficulty. The new <a href="#client_tls_policy">policy table</a>
2036
makes <a href="#client_tls_secure">secure-channel</a> configurations
2037
easier and provides more control over the cipher and protocol selection
2038
for sessions with mandatory encryption. </p>
2040
<p> Avoid policy lookups with the bare hostname. Instead, use the
2041
full destination nexthop (enclosed in [] with a possible ":port"
2042
suffix) as the per-site table lookup key (a recipient domain or
2043
MX-enabled transport nexthop with no port suffix may look like a bare
2044
hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
2046
use of the obsolete approach documented here is strongly discouraged:
2047
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
2049
<p> Starting with Postfix 2.3, the underlying TLS enforcement levels are
2050
common to the obsolete per-site table and the new policy table. The
2051
<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
2052
parameters control the TLS ciphers and protocols for mandatory
2053
encryption regardless of which table is used. The
2054
<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter determines the match strategy
2055
for the obsolete "MUST" keyword in the same way as for the "verify"
2056
level in the new policy. </p>
2058
<p> With Postfix < 2.3, the obsolete <a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> parameter
2059
is also applied for opportunistic TLS sessions, and should be used with
2060
care, or not at all. Setting cipherlist restrictions that are incompatible
2061
with a remote SMTP server render that server unreachable, TLS handshakes
2062
are always attempted and always fail. </p>
2064
<p> When <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> is empty (default) and <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
2065
is not empty, the per-site table is searched for a policy that matches
2066
the following information: </p>
2072
<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
2073
name of the server that the Postfix SMTP client connects to; this
2074
name may be obtained from other DNS lookups, such as MX lookups or
2075
CNAME lookups. Use of the hostname lookup key is discouraged; always
2076
use the next-hop destination instead. </dd>
2078
<dt> next-hop destination </dt> <dd> This is normally the domain portion
2079
of the recipient address, but it may be overridden by information from
2080
the <a href="transport.5.html">transport(5)</a> table, from the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting, or from
2081
the <a href="postconf.5.html#relay_transport">relay_transport</a> setting. When it is not the recipient domain, the
2082
next-hop destination can have the Postfix-specific form "<tt>[name]</tt>",
2083
"<tt>[name]:port</tt>", "<tt>name</tt>" or "<tt>name:port</tt>". This is
2084
the recommended lookup key for per-site policy lookups (and incidentally
2085
for <a href="SASL_README.html#client_sasl">SASL password</a> lookups). </dd>
2091
<p> When both the hostname lookup and the next-hop lookup succeed,
2092
the host policy does not automatically override the next-hop policy.
2093
Instead, precedence is given to either the more specific or the
2094
more secure per-site policy as described below. </p>
2096
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table uses a simple "<i>name whitespace
2097
value</i>" format. Specify host names or next-hop destinations on
2098
the left-hand side; no wildcards are allowed. On the right hand
2099
side specify one of the following keywords: </p>
2105
<dt> NONE </dt> <dd> No TLS. This overrides a less specific "MAY" lookup
2106
result from the alternate host or next-hop lookup key, and overrides
2107
the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
2110
<dt> MAY </dt> <dd> Opportunistic TLS. This has less precedence than
2111
a more specific result (including "NONE") from the alternate host or
2112
next-hop lookup key, and has less precedence than the more specific global
2113
"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes". </dd>
2115
<dt> MUST_NOPEERMATCH </dt> <dd> Mandatory TLS encryption. This
2116
overrides a less secure "NONE" or a less specific "MAY" lookup result
2117
from the alternate host or next-hop lookup key, and overrides the global
2118
<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings.
2121
<dt> MUST </dt> <dd> Mandatory server certificate verification.
2122
This overrides a less secure "NONE" and "MUST_NOPEERMATCH" or a
2123
less specific "MAY" lookup result from the alternate host or next-hop
2124
lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>
2125
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
2131
<p> The precedences between global (<a href="postconf.5.html">main.cf</a>) and per-site TLS
2132
policies can be summarized as follows: </p>
2136
<li> <p> When neither the remote SMTP server hostname nor the
2137
next-hop destination are found in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, the
2138
policy is based on <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and
2139
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
2140
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
2142
<li> <p> When both hostname and next-hop destination lookups produce
2143
a result, the more specific per-site policy (NONE, MUST, etc)
2144
overrides the less specific one (MAY), and the more secure per-site
2145
policy (MUST, etc) overrides the less secure one (NONE). </p>
2147
<li> <p> After the per-site policy lookups are combined, the result
2148
generally overrides the global policy. The exception is the less
2149
specific "MAY" per-site policy, which is overruled by the more
2150
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
2151
verification as specified with the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
2156
<h3> <a name="client_tls_harden"> Closing a DNS loophole with
2157
obsolete per-site TLS policies </a> </h3>
2159
<p> For a general discussion of TLS security for SMTP see <a
2160
href="#client_tls_limits">TLS limitations</a> above. What follows applies
2161
only to Postfix 2.2.9 and subsequent Postfix 2.2 patch levels. Do
2162
not use this approach with Postfix 2.3
2163
and later; instead see the instructions under <a
2164
href="#client_tls_secure">secure</a> server certificate verification. </p>
2166
<p> As long as no secure DNS lookup mechanism is available, false
2167
hostnames in MX or CNAME responses can change Postfix's notion of the
2168
server hostname that is used for TLS policy lookup and server certificate
2169
verification. Even with a perfect match between the server hostname and
2170
the server certificate, there is no guarantee that Postfix is connected
2171
to the right server. To avoid this loophole, take all of the following
2176
<li> <p> Use a dedicated message delivery transport (for example,
2177
"securetls") as illustrated below. </p>
2179
<li> <p> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table
2180
entries for sensitive domains with explicit securetls:[<i>mailhost</i>]
2181
or securetls:[<i>mailhost</i>]:<i>port</i> destinations (you can
2182
assure security of this table unlike DNS). This prevents false
2183
hostname information in DNS MX records from changing Postfix's
2184
notion of the server hostname that is used for TLS policy lookup
2185
and server certificate verification. The "securetls" transport is
2186
configured to enforce TLS with peername verification, and to disable
2187
the SMTP connection cache which could interfere with enforcement
2188
of <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> policies. </p>
2190
<li> <p> Disallow CNAME hostname overrides. In <a href="postconf.5.html">main.cf</a>, specify
2191
"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
2192
information in DNS CNAME records from changing the server hostname
2193
that Postfix uses for TLS policy lookup and server certificate
2194
verification. This feature requires Postfix 2.2.9 or later. The
2195
default value is "no" starting with Postfix 2.3. </p>
2201
<p> We give the <a href="postconf.5.html#default_transport">non-default</a>
2202
"securetls" transport an explicit <a href="master.5.html">master.cf</a> process limit, so that we
2203
don't raise its process limit when raising $<a href="postconf.5.html#default_process_limit">default_process_limit</a>. The
2204
total process limit for *all* transports should stay somewhat under 1024
2205
(the typical select() file descriptor limit); otherwise transports may
2206
be throttled under steady high load, compounding congestion. It is not
2207
uncommon at high volume sites to set the default process limit to 500
2210
<p> We also default the "securetls" transport TLS security level to
2211
<a href="#client_tls_verify">MUST</a>, obviating the need for <a
2212
href="#client_tls_obs">per-site</a> table entries for secure-channel
2217
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
2218
<a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
2220
/etc/postfix/transport:
2221
example.com securetls:[tls.example.com]
2223
/etc/postfix/<a href="master.5.html">master.cf</a>:
2224
securetls unix - - n - 100 smtp
2225
-o <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>=yes
2226
-o <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>=yes
2230
1807
<h3> <a name="client_tls_discover"> Discovering servers that support