
I'm trying to configure postfix smtp_tls_policy_maps so that I can set per user that outgoing emails must be encrypted.

One example is the email provider mailbox.org. As one can infer from the job offers, the company also relies on the open source components dovecot and postfix.

If ‘simple’ SSL/TLS connections aren’t secure enough for you, you can select more imposing security levels here:

encrypt: Regular secure e-mail encryption via SSL/TLS, but insecure plaintext is forbidden.
dane-only: E-mails are only sent to providers whose SSL certificate is verified by valid DANE records.
verify: E-mails are only sent to providers whose SSL certificates have been manually added to our database.

https://kb.mailbox.org/display/BMBOKBEN/Ensuring+E-Mails+are+Sent+Securely


What could be a possible solution? From the TLS manual of postfix I unfortunately can't figure out


Got it myself! This is my configuration now, in this case LDAP specific, but it can easily be rewritten for mysql backends.
Because there is no "per-sender map" version for Postfix SMTP client parameters I needed a "workaround" by using transport maps.

/etc/postfix/main.cf

sender_dependent_default_transport_maps = ldap:/etc/postfix/ldap/transport_maps.cf

I created a forceenc service with specific options for enforcing TLS. Furthermore I added a smtp_delivery_status_filter to overwrite soft-fails for TLS handshake failures with hard-fails. This way the user gets an undelivered mail returned to sender instantly.

/etc/postfix/master.cf

forceenc  unix  -       -       y       -       -       smtp
    -o smtp_tls_loglevel=1
    -o smtp_tls_security_level=encrypt
    -o syslog_name=forceenc
    -o smtp_delivery_status_filter=pcre:/etc/postfix/smtp_dsn_filter

/etc/postfix/smtp_dsn_filter

/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
        5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
        5$1
/^4\.7\.5(.*)/
        5.7.5$1

This is my ldap specific configuration for transport map lookups.

/etc/postfix/ldap/transport_maps.cf

server_host      = ldaps://ldap.example.com
bind             = yes
start_tls        = no
version          = 3
bind_dn          = cn=root,dc=ldap,dc=example,dc=com
bind_pw          = THE_LDAP_ROOT_PASS
search_base      = ou=people,dc=ldap,dc=example,dc=com
scope            = sub
# simple user select filter
query_filter     = (&(mail=%s)(mailEnabled=TRUE)(objectClass=person))
# a custom schema attribute which returns "forceenc:"
result_attribute = transportMap
debuglevel       = 0

For further reading I recommend this thread.
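To see what the smtp_delivery_status_filter from the answer actually does to a delivery status before it reaches the queue manager, here is an added example (not part of the answer above, and not Postfix code) that replays the three pcre rules in Python over a few constructed status strings. It assumes the status text has the "enhanced-code reply-text" shape Postfix hands to the filter, and the sample messages and host names are made up. The point it shows is that only the TLS-related soft failures are turned into permanent 5.x.x failures; an unrelated transient error such as a refused connection still passes through unchanged and Postfix keeps retrying it.

```python
import re

# Rules transcribed from the /etc/postfix/smtp_dsn_filter in the answer, written as
# Python regexes (\1 instead of $1). Postfix pcre tables try rules in file order
# and the first matching rule wins, which is what the loop below reproduces.
DSN_FILTER_RULES = [
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)"), r"5\1"),
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)"), r"5\1"),
    (re.compile(r"^4\.7\.5(.*)"), r"5.7.5\1"),
]


def apply_dsn_filter(status: str) -> str:
    """Return the status text after the filter; unchanged when no rule matches."""
    for pattern, replacement in DSN_FILTER_RULES:
        match = pattern.match(status)
        if match:
            return match.expand(replacement)
    return status


def is_hard_bounce(status: str) -> bool:
    """A 5.x.x enhanced status code is permanent: Postfix bounces instead of deferring."""
    return status.startswith("5.")


def classify(statuses):
    """Map each input status to (filtered status, 'bounce' | 'defer' | 'ok')."""
    result = {}
    for status in statuses:
        filtered = apply_dsn_filter(status)
        if is_hard_bounce(filtered):
            outcome = "bounce"
        elif filtered.startswith("4."):
            outcome = "defer"
        else:
            outcome = "ok"
        result[status] = (filtered, outcome)
    return result


# Constructed sample statuses (hypothetical host, address and queue id).
SAMPLE_STATUSES = [
    "4.7.4 TLS is required, but host mx.example.net[192.0.2.10] refused to start TLS: 454 4.7.0 TLS not available",
    "4.7.4 TLS is required, but was not offered by host mx.example.net[192.0.2.10]",
    "4.7.5 Server certificate not verified",
    "4.4.1 connect to mx.example.net[192.0.2.10]:25: Connection refused",
    "2.0.0 Ok: queued as ABCDEF123",
]

if __name__ == "__main__":
    for original, (filtered, outcome) in classify(SAMPLE_STATUSES).items():
        print(f"{outcome:6s} {filtered}")
```

Running it prints "bounce" for the three TLS cases and "defer" for the connection-refused line, which is the behaviour the answer wants: a sender whose mail must be encrypted gets an immediate non-delivery report when the remote side cannot do TLS, while ordinary transient problems still go through the normal retry schedule.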
