SMTP server configurations will not accidentally run with no
certificates. </p>

<p> RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported.
Typically you will only have RSA certificates issued by a commercial
CA. In addition, the tools supplied with OpenSSL will by default issue
RSA certificates. You can configure all three at the same time, in
which case the negotiated cipher suite (its authentication algorithm)
determines which certificate is presented. For Netscape and OpenSSL
clients without special cipher choices, the RSA certificate is

<p> To enable a remote SMTP client to verify the Postfix SMTP server
certificate, the issuing CA certificates must be made available to the
client. You should include the required certificates in the server
certificate file, the server certificate first, then the issuing
CA(s) in bottom-up order, that is, each certificate followed by the
certificate of its issuer. </p>

<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate issued by "root CA".
<p> Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9, the
development branch that was released as OpenSSL 1.0.0): </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    # Most clients will not be ECDSA capable, so you will likely also need
    # an RSA or DSA certificate and private key.
    <a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> = /etc/postfix/server-ecdsa.pem
    <a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> = $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>
</pre>
</blockquote>

<p> TLS without certificates (Postfix ≥ 2.3) for servers serving
exclusively anonymous-cipher capable clients: </p>
accessible inside the optional chroot jail. </p>

<p> When you configure the Postfix SMTP server to request <a
href="#server_vrfy_client">client certificates</a>, the DNs of the certificate
authorities in $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> are sent to the client (in the TLS
CertificateRequest message), in order to allow it to choose an identity
signed by a CA you trust. If no $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>
is specified, no preferred CA list is sent, and the client is free to
choose an identity signed by any CA. Many clients use a fixed identity
regardless of the preferred CA list and you may be able to reduce TLS
encryption is not enforced. Use of this control on public MX hosts is
strongly discouraged. </p>

<p> The Postfix SMTP server supports 5 distinct cipher security levels
(export, low, medium, high and null) as specified by the
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> configuration parameter,
which determines the cipher grade with mandatory TLS encryption. The
default value is "medium", which is essentially 128-bit encryption or better.
With opportunistic TLS encryption, the minimum accepted cipher grade is
typically "export". The corresponding <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> parameter
(Postfix ≥ 2.6) controls the cipher grade used with opportunistic
TLS. </p>
<p> By default anonymous ciphers are enabled. They are automatically
disabled when remote SMTP client certificates are requested. If
clients are expected to always verify the Postfix SMTP
server certificate you may want to disable anonymous ciphers
by setting "<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL" or
"<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL", as appropriate. One can't force
a remote SMTP client to check the server certificate, so excluding
anonymous ciphers is generally unnecessary: a client that does not
verify the server certificate is no better protected against an active
attacker by an RSA-authenticated cipher than by an anonymous one. </p>

<p> The "<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>" configuration parameter (Postfix ≥
2.6) provides control over the minimum cipher grade for opportunistic
TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP server will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter. The
corresponding <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix ≥ 2.6)
controls the SSL/TLS protocols used with opportunistic TLS. Note that
SSLv3 has since been shown to be insecure (the 2014 POODLE attack) and
should be excluded as well on current systems. </p>

<p> For a server that is not a public Internet MX host, Postfix (≥ 2.3)
supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. Anonymous
ciphers protect against passive eavesdropping only; a client has no way
to authenticate such a server. This is
enabled by explicitly setting "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none"
and not specifying an <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> or <a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>. </p>
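<p> The rules stated in the preceding paragraphs (cipher grades, SSLv2 in the
mandatory and opportunistic protocol lists, redundant aNULL exclusions,
certificate-less and ECDSA-only configurations, mandatory TLS on a public MX)
can be checked mechanically. The script below is an added example written for
this page, not Postfix code: it parses the main.cf syntax, including
"$name" references such as "smtpd_tls_eckey_file = $smtpd_tls_eccert_file",
and audits the server-side settings. The parameter names are real Postfix
parameters; the two main.cf samples are constructed for illustration and the
finding codes are the script's own. </p>

```python
"""Audit the smtpd TLS settings in a Postfix main.cf against the guidance
above. Added example for this page, not Postfix code: parameter names are
Postfix's, the main.cf samples are constructed, the finding codes are ours."""
import re

CIPHER_GRADES = ("export", "low", "medium", "high", "null")
WEAK_GRADES = ("export", "low", "null")


def parse_main_cf(text):
    """'name = value' lines; a line starting with whitespace continues the
    previous value, a line starting with '#' is a comment. $name / ${name}
    are expanded after everything is read, so a key file set to
    $smtpd_tls_eccert_file resolves to the certificate file path."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()

    def expand(value, depth=0):
        if depth > 10:                      # guard against a = $b, b = $a
            raise ValueError("parameter expansion loop")
        return re.sub(r"\$\{?(\w+)\}?",
                      lambda m: expand(params.get(m.group(1), ""), depth + 1),
                      value)

    return {name: expand(value) for name, value in params.items()}


def permits(protocol, setting, default_all):
    """Postfix protocol lists are inclusive ('SSLv3, TLSv1') or exclusive
    ('!SSLv2, !SSLv3'); an empty list falls back to the caller's default."""
    names = [n for n in re.split(r"[,\s]+", setting) if n]
    if not names:
        return default_all
    included = {n for n in names if not n.startswith("!")}
    if included:
        return protocol in included
    return protocol not in {n[1:] for n in names}


def audit_tls(params, public_mx):
    """Return (severity, code) findings for the SMTP server TLS settings."""
    g, out = params.get, []
    level = g("smtpd_tls_security_level", "")
    has_rsa = g("smtpd_tls_cert_file", "") not in ("", "none")
    has_dsa = bool(g("smtpd_tls_dcert_file"))
    has_ec = bool(g("smtpd_tls_eccert_file"))
    # RFC 3207: a publicly referenced SMTP server MUST NOT require STARTTLS.
    if level == "encrypt" and public_mx:
        out.append(("error", "encrypt-on-public-mx"))
    # cert_file = none and no DSA/ECDSA certificate: anonymous ciphers only,
    # which the text reserves for hosts that are not public MX hosts.
    if g("smtpd_tls_cert_file") == "none" and not (has_dsa or has_ec):
        out.append(("error" if public_mx else "warn", "no-certificate"))
    # Most clients are not ECDSA capable; keep an RSA or DSA certificate too.
    if has_ec and not (has_rsa or has_dsa):
        out.append(("warn", "ecdsa-only"))
    grade = g("smtpd_tls_mandatory_ciphers", "medium")
    if grade not in CIPHER_GRADES:
        out.append(("error", "bad-grade"))
    elif grade in WEAK_GRADES:
        out.append(("warn", "weak-grade"))
    # Mandatory TLS excludes SSLv2 by default; flag configs that re-enable it.
    if permits("SSLv2", g("smtpd_tls_mandatory_protocols", ""), default_all=False):
        out.append(("error", "sslv2-mandatory"))
    # Opportunistic TLS allows SSLv2 unless smtpd_tls_protocols (>= 2.6) says no.
    if level == "may" and permits("SSLv2", g("smtpd_tls_protocols", ""), default_all=True):
        out.append(("warn", "sslv2-opportunistic"))
    # Anonymous ciphers are disabled automatically once client certificates
    # are requested, so an explicit aNULL exclusion is then redundant.
    if g("smtpd_tls_ask_ccert") == "yes" and "aNULL" in g("smtpd_tls_mandatory_exclude_ciphers", ""):
        out.append(("info", "anull-redundant"))
    return out


WEAK_MAIN_CF = """\
# constructed sample: what not to do on a public MX host
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = none
smtpd_tls_eccert_file = /etc/postfix/server-ecdsa.pem
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_mandatory_protocols = SSLv2, SSLv3,
    TLSv1
smtpd_tls_mandatory_ciphers = export
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_ask_ccert = yes
"""

HARDENED_MAIN_CF = """\
# constructed sample: opportunistic TLS, RSA plus ECDSA certificates
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_eccert_file = /etc/postfix/server-ecdsa.pem
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
"""

if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_tls(parse_main_cf(cf), public_mx=True) or "no findings")
```

<p> The weak sample produces five findings (mandatory TLS on a public MX,
ECDSA-only, export grade, SSLv2 in the mandatory list, redundant aNULL
exclusion); the hardened sample produces none. Run it against a real
"postconf -n" dump rather than a hand-edited file so that defaults and
overrides are what Postfix actually sees. </p>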
<p> Example, MSA that requires TLSv1, not SSLv2 or SSLv3, with high grade
ciphers: </p>
<li><a href="#client_tls_limits"> Client TLS limitations </a>

<li><a href="#client_tls_levels"> Configuring TLS in the SMTP/LMTP client </a>

<li><a href="#client_tls_policy"> Per-destination TLS policy </a>
just one certificate. So for now the default is to use _no_
certificate and key unless one is explicitly specified here. </p>

<p> RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported.
You can configure all three at the same time, in which case the
cipher suite negotiated with the remote server determines which
certificate is presented. </p>
<p> It is possible for the Postfix SMTP client to use the same
key/certificate pair as the Postfix SMTP server. If a certificate

password. Both parts (certificate and private key) may be in the

<p> To enable remote SMTP servers to verify the Postfix SMTP client
certificate, the issuing CA certificates must be made available to the
server. You should include the required certificates in the client
certificate file, the client certificate first, then the issuing
CA(s) in bottom-up order, that is, each certificate followed by the
certificate of its issuer. </p>
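<p> The ordering requirement above applies to both the server certificate
file (smtpd_tls_cert_file) and the client certificate file
(smtp_tls_cert_file): the end-entity certificate comes first and every
certificate is followed by the certificate of its issuer. A reversed
(top-down) bundle is a common mistake that fails only once a strict peer
tries to verify the chain. The script below is an added example written for
this page, not Postfix or OpenSSL code. It reads the issuer and subject Names
straight out of the DER with a minimal ASN.1 walker (it does not check
signatures or validity) and reports out-of-order bundles. The certificates
used in its demo are constructed, unsigned X.509 shells produced by its own
fake_cert() helper, not real CA output. </p>

```python
"""Check that a PEM bundle for smtpd_tls_cert_file / smtp_tls_cert_file is
in bottom-up order: end-entity first, each cert followed by its issuer.
Added example for this page, not Postfix code. Demo certificates are
constructed, unsigned shells built by fake_cert()."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"            # id-at-commonName, 2.5.4.3


def tlv(buf, pos):
    """Decode tag and definite length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next N bytes hold the length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, whole_tlv, value) for each element of a constructed value."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, buf[start:ve], buf[vs:ve]
        start = ve


def issuer_and_subject(cert_der):
    """Return the issuer and subject Name TLVs of one DER certificate."""
    _, ts, te = tlv(cert_der, tlv(cert_der, 0)[1])        # tbsCertificate
    fields = list(children(cert_der, ts, te))
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]   # serial, sigAlg, ISSUER, validity, SUBJECT


def common_name(name_der):
    """commonName from a Name (SEQUENCE OF SET OF SEQUENCE {OID, value}), for messages."""
    _, ns, ne = tlv(name_der, 0)
    for _, _, rdn in children(name_der, ns, ne):
        for _, _, atv in children(rdn, 0, len(rdn)):
            oid, value = [v for _, _, v in children(atv, 0, len(atv))]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return name_der.hex()


def load_bundle(pem_text):
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text.encode())]


def check_chain_order(pem_text):
    """(ok, problems): ok when certificate i+1 is the issuer of certificate i
    for every i, the bottom-up order Postfix expects in the cert file."""
    certs = load_bundle(pem_text)
    if not certs:
        return False, ["no certificates found"]
    names = [issuer_and_subject(c) for c in certs]        # (issuer, subject) per cert
    problems = []
    for i in range(len(certs) - 1):
        issuer, next_subject = names[i][0], names[i + 1][1]
        if issuer != next_subject:
            problems.append(f"certificate {i} ({common_name(names[i][1])}) was issued by "
                            f"{common_name(issuer)} but is followed by {common_name(next_subject)}")
    if problems and all(names[i + 1][0] == names[i][1] for i in range(len(certs) - 1)):
        problems.append("the chain is in top-down order; reverse it")
    return not problems, problems


# --- constructed demo data: unsigned certificate shells, enough for the walker above ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def fake_cert(subject_cn, issuer_cn):
    """Structurally valid, unsigned X.509 v3 certificate in PEM form (demo only)."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    rsa_sha256 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + rsa_sha256
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    cert = der(0x30, tbs + rsa_sha256 + der(0x03, b"\x00"))   # empty signature on purpose
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = fake_cert("server.example.com", "intermediate CA")
    inter = fake_cert("intermediate CA", "root CA")
    root = fake_cert("root CA", "root CA")
    print(check_chain_order(leaf + inter + root))     # bottom-up: ok
    print(check_chain_order(root + inter + leaf))     # top-down: rejected
```

<p> Names are compared as raw DER, which is stricter than the matching OpenSSL
performs, so a bundle this script accepts will be accepted by OpenSSL, while a
rejection may occasionally be a false alarm for certificates whose Names differ
only in encoding. For a real bundle, "openssl verify -untrusted" against your
trust store remains the authoritative check. </p>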
<p> Example: the certificate for "client.example.com" was issued by
"intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with: </p>
<p> Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9, the
development branch that was released as OpenSSL 1.0.0): </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> = /etc/postfix/client-ecdsa.pem
    <a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> = $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>
</pre>
</blockquote>

<p> To verify a remote SMTP server certificate, the Postfix SMTP
client needs to trust the certificates of the issuing certification
authorities. These certificates in "pem" format can be stored in a
for secure connections via aliases for HTTPS and Kerberos. SMTP merely
uses indirect naming (via MX records) more frequently. </p>

<h3><a name="client_tls_levels"> Configuring TLS in the SMTP/LMTP client </a>
</h3>

<p> Similar to the Postfix SMTP server, the Postfix SMTP/LMTP client
implements multiple TLS security levels. These levels are described
in more detail in the sections that follow.</p>
<dt><b>none</b></dt>

setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".

<p> Since sending in the clear is acceptable, demanding stronger
than default TLS security mostly reduces inter-operability. The
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameters are therefore ignored at
the "may" security level. If you
must restrict TLS protocol or cipher selection even with opportunistic
TLS, the "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" configuration
parameters (Postfix ≥ 2.6) provide control over the cipher grade and protocols
used with opportunistic TLS. With earlier releases the opportunistic TLS
cipher grade is always "export" and no protocols are disabled. </p>

<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> is
set to its default (backwards compatible) empty value, the appropriate
additional attributes are supported at this level. </dd>

<dt><b>may</b></dt> <dd><a href="#client_tls_may">Opportunistic TLS</a>.
The optional "ciphers", "exclude" and "protocols" attributes
(available for opportunistic TLS with Postfix ≥ 2.6) override the
"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>"
configuration parameters. With earlier releases no additional attributes
are supported at this level. </dd>

<dt><b>encrypt</b></dt> <dd><a href="#client_tls_encrypt"> Mandatory encryption</a>.
Mail is delivered only if the remote SMTP server offers STARTTLS
and the TLS handshake succeeds. At this level and higher, the optional
"protocols" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
parameter, the optional "ciphers" attribute overrides the
<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, and the optional
"exclude" attribute (Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter. </dd>

<dt><b>fingerprint</b></dt> <dd><a href="#client_tls_fprint">Certificate
fingerprint verification.</a> Available with Postfix 2.5 and
multiple match strategies, or multiple protocols, these must be
separated by colons. </p>

<li> <p> The "exclude" attribute (Postfix ≥ 2.6) is used to disable
ciphers that cause handshake failures with a specific mandatory TLS
destination, without disabling the ciphers for all mandatory destinations.
Alternatively, you can exclude ciphers that cause issues with multiple
remote servers in <a href="postconf.5.html">main.cf</a>, and selectively enable them on a per-destination
basis in the policy table by setting a shorter or empty exclusion list. The
per-destination "exclude" list replaces (rather than adds to) both the
opportunistic and the mandatory security level exclusions, so that all
excluded ciphers can be enabled for known-good destinations. For
non-mandatory TLS destinations that exhibit cipher-specific problems,
Postfix will fall back to plain-text delivery. If plain-text is not
acceptable, make TLS mandatory and exclude the problem ciphers. </p>
and TLS session cache space, if certificates are ignored, there is
little point in requesting them. </p>

<p> The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" configuration parameter (Postfix ≥ 2.6)
provides control over the minimum cipher grade for opportunistic TLS. With
Postfix < 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p>

<p> With mandatory TLS encryption, the Postfix SMTP client will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. The corresponding
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix ≥ 2.6) controls
the SSL/TLS protocols used with opportunistic TLS. </p>
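<p> Which of these main.cf parameters actually governs a given delivery
depends on the destination's security level, and a per-destination policy
table entry can override each of them, as described in the per-destination
TLS policy section above: at the "may" level the smtp_tls_* parameters
apply, at "encrypt" and higher the smtp_tls_mandatory_* parameters apply,
and a "ciphers", "protocols" or "exclude" attribute replaces the
corresponding main.cf value outright (so "exclude=" re-enables everything).
The script below is an added example written for this page, not Postfix
code; it resolves the effective settings for each policy table entry.
Parameter and attribute names are Postfix's own; the main.cf values,
destinations and policy lines are constructed, and attributes this example
does not model (such as "match") are ignored. </p>

```python
"""Resolve the effective protocol/cipher settings the Postfix SMTP client
applies per destination from main.cf plus a tls_policy entry.
Added example for this page, not Postfix code; main.cf values and policy
lines below are constructed."""

# main.cf parameters consulted at opportunistic vs. mandatory levels
OPPORTUNISTIC = {"ciphers": "smtp_tls_ciphers",
                 "exclude": "smtp_tls_exclude_ciphers",
                 "protocols": "smtp_tls_protocols"}
MANDATORY = {"ciphers": "smtp_tls_mandatory_ciphers",
             "exclude": "smtp_tls_mandatory_exclude_ciphers",
             "protocols": "smtp_tls_mandatory_protocols"}
MANDATORY_LEVELS = ("encrypt", "fingerprint", "verify", "secure")
# built-in defaults as described in the text: "medium" grade and SSLv3/TLSv1
# for mandatory TLS; "export" grade and any protocol for opportunistic TLS
DEFAULTS = {"smtp_tls_mandatory_ciphers": "medium",
            "smtp_tls_mandatory_exclude_ciphers": "",
            "smtp_tls_mandatory_protocols": "SSLv3, TLSv1",
            "smtp_tls_ciphers": "export",
            "smtp_tls_exclude_ciphers": "",
            "smtp_tls_protocols": ""}


def parse_policy_line(line):
    """'destination level [attr=value ...]' -> (destination, level, attrs).
    Inside one table attribute, multiple protocols or ciphers are
    colon-separated; main.cf uses commas, so normalise to commas here."""
    fields = line.split()
    attrs = {}
    for field in fields[2:]:
        key, _, value = field.partition("=")
        attrs[key] = ", ".join(v for v in value.split(":") if v)
    return fields[0], fields[1], attrs


def effective_tls(main_cf, level, attrs, postfix_version=(2, 6)):
    """Return {'ciphers', 'exclude', 'protocols'} used for the handshake,
    or None when the destination gets no TLS.  Attributes a release does
    not support raise ValueError, standing in for a policy-table error."""
    if level == "none":
        return None
    if level == "may":
        if postfix_version < (2, 6):
            if attrs:
                raise ValueError("no attributes at level 'may' before Postfix 2.6")
            return {"ciphers": "export", "exclude": "", "protocols": ""}
        source = OPPORTUNISTIC
    elif level in MANDATORY_LEVELS:
        if "exclude" in attrs and postfix_version < (2, 6):
            raise ValueError("the 'exclude' attribute needs Postfix 2.6")
        source = MANDATORY
    else:
        raise ValueError(f"unknown TLS security level {level!r}")
    # A per-destination attribute replaces the main.cf value outright, so an
    # empty "exclude=" re-enables every cipher for that destination only.
    return {attr: attrs.get(attr, main_cf.get(param, DEFAULTS[param]))
            for attr, param in source.items()}


def resolve_table(main_cf, table_text, postfix_version=(2, 6)):
    """Map every destination in a tls_policy table to its effective settings."""
    result = {}
    for line in table_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        dest, level, attrs = parse_policy_line(line)
        result[dest] = effective_tls(main_cf, level, attrs, postfix_version)
    return result


MAIN_CF = {  # constructed main.cf values
    "smtp_tls_mandatory_ciphers": "high",
    "smtp_tls_mandatory_exclude_ciphers": "aNULL, MD5",
    "smtp_tls_mandatory_protocols": "TLSv1",
    "smtp_tls_ciphers": "medium",
    "smtp_tls_exclude_ciphers": "aNULL",
}

POLICY_TABLE = """\
# constructed entries, not real destinations
example.com          encrypt protocols=TLSv1 ciphers=high
legacy.example.net   encrypt ciphers=medium exclude=
.example.org         may protocols=SSLv3:TLSv1 exclude=aNULL:MD5
nontls.example.com   none
"""

if __name__ == "__main__":
    for dest, settings in resolve_table(MAIN_CF, POLICY_TABLE).items():
        print(f"{dest:22} {settings}")
```

<p> The "legacy.example.net" entry shows the re-enabling trick from the policy
section: the empty "exclude=" wins over the main.cf
smtp_tls_mandatory_exclude_ciphers list for that destination alone, while the
".example.org" entry shows opportunistic TLS taking its cipher grade from
smtp_tls_ciphers and its protocols and exclusions from the table. </p>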
<p> Example: </p>