Make smtp_tls_policy_maps easily configurable #1902
Conversation
Thanks for submitting this pull request. bors try Note: if this build fails, read this.
tryBuild succeeded:
bors try
tryBuild failed:
encrypt means "ensure we have some confidentiality" whereas secure means "ensure we have confidentiality while talking to the right peer" (protects against passive and/or active MITM attacks)
I have found a list of the top100 email destinations online and ran them through a script to ensure that all of their MX servers had valid configuration... this is the result
bors retry
tryBuild succeeded:
During the last project meeting, you told us you could make a script available you used for testing? When testing I receive errors. I set the I can see the following in the logs. Do you see the same when you test the PR?
Maybe the postmap command did not run?
See in-line comments. I will check that my comments are correct, but it looks like you create a lmdb db instead of hash db because you did not specify the type in the postmap command.
wait. alpine removed support for hash. See this PR #1918
It should now be fine. bors try
tryBuild succeeded:
Yes sorry... this PR predates #1918 and I didn't realize that it required the same changes...
Sure; here it is; ensure you run it from a host with a valid rDNS record.

```python
#!/usr/bin/env python3
#
# check whether all the domains in the list have MX servers
# that can do STARTTLS with valid certificates
#
# I've used the top100 list from https://www.gmass.co/domains
#
# nextgens ~ 2021
from smtplib import SMTP
import ssl
import dns.resolver  # dnspython

# Default context: chain is verified against the system CA store and the
# certificate must match the MX host name we connect to.
sslctx = ssl.create_default_context()
sslctx.check_hostname = True
sslctx.verify_mode = ssl.CERT_REQUIRED

with open("list.txt", "r") as f, open("ok.txt", "w") as ok, open("err.txt", "w") as err:
    for domain in f:
        domain = domain.strip()
        if not domain:
            continue
        try:
            for mx in dns.resolver.query(domain, 'MX'):
                # "10 mx.example.com." -> "mx.example.com" (drop the trailing dot)
                mx_host = mx.to_text().split(' ')[1][:-1]
                with SMTP(mx_host) as smtp:
                    # smtp.set_debuglevel(2)
                    smtp.ehlo()
                    # raises if STARTTLS is refused or the certificate does not validate
                    smtp.starttls(context=sslctx)
                    smtp.ehlo()
            # every MX of the domain passed
            ok.write(f'{domain}\tsecure\n')
        except Exception as e:
            err.write(f'{domain}\t{e}\n')
```
You've now fixed the issue (was alpine removing support for BDB)... I wouldn't anticipate anything to work when you are sending mails to @havedane.net though: this PR is about web/PKIX support (hosts that have a certificate signed by a recognized CA), not DANE. It does make configuring DANE for select destinations easier (by providing an easy to override tls_policy.map) but won't do it for you.
Thank you for providing the script and the clarification on DANE. I will have to do more reading on this subject to get a real understanding of it. I will do some testing when I have time (possibly today) and will then approve the PR.
To put it in simple words: postfix as configured by mailu without the PR will do opportunistic encryption: it will use TLS to provide protection against a passive attacker. With this PR, it will also provide protection against an active attacker (by verifying/validating the TLS certificate) for select domains. We should probably discuss what's worth having on the list: it could be much bigger; the only thing we need to trust is that they won't fail at maintaining valid TLS certificates going forward.
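As an added example (not code from this PR or from Mailu), the script below turns the checker's `ok.txt` output (`domain<TAB>policy` lines) into a Postfix `smtp_tls_policy_maps` source file, rejecting malformed entries and unknown policy levels, and builds the `postmap` invocation with an explicit map type, since the thread notes that leaving the type out picks the compiled-in default (lmdb on the Alpine package); the file paths and the lmdb choice are assumptions.

```python
#!/usr/bin/env python3
# Added example (not Mailu code): turn the checker's ok.txt lines
# ("domain<TAB>policy") into a Postfix smtp_tls_policy_maps source file.
import re

# TLS security levels Postfix accepts in smtp_tls_policy_maps.
POLICY_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                 "fingerprint", "verify", "secure"}
# Hostname-style domain: dot-separated labels, no leading/trailing hyphen.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def parse_ok_lines(lines):
    """Return (policies, errors): policies maps domain -> level for every
    well-formed entry; errors lists one message per rejected line."""
    policies, errors = {}, []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        parts = line.split("\t")
        if len(parts) != 2:
            errors.append(f"line {n}: expected 'domain<TAB>policy'")
            continue
        domain, level = parts[0].lower(), parts[1].lower()
        if not DOMAIN_RE.match(domain):
            errors.append(f"line {n}: bad domain {domain!r}")
        elif level not in POLICY_LEVELS:
            errors.append(f"line {n}: unknown policy level {level!r}")
        else:
            policies[domain] = level      # last entry for a domain wins
    return policies, errors


def render_policy_map(policies):
    """Render policy-map lines, sorted, one 'domain<TAB>level' per line."""
    return "".join(f"{d}\t{policies[d]}\n" for d in sorted(policies))


def postmap_command(map_path, map_type="lmdb"):
    """Build the postmap argv with an explicit map type so the result does
    not depend on the compiled-in default (assumed: lmdb on Alpine)."""
    return ["postmap", f"{map_type}:{map_path}"]


if __name__ == "__main__":
    # Constructed sample input standing in for ok.txt.
    sample = ["# constructed", "example.com\tsecure", "",
              "Mail.Example.Org\tencrypt", "bad_domain\tsecure",
              "example.net\tplaintext"]
    policies, errors = parse_ok_lines(sample)
    print(render_policy_map(policies), *errors, sep="\n")
    print(" ".join(postmap_command("/etc/postfix/tls_policy.map")))
```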
bors try
tryBuild succeeded:
Lgtm
bors r+
Build succeeded:
The alpine postfix package seems to have removed support for btree and hash map type. Mailu#1918 The tls_policy.map stuff has been introduced in Mailu#1902 and it has been merged without fixing this before (Mailu#1902)
What type of PR?
Feature
What does this PR do?
We should probably discuss what's on the list by default. I have found a top100 list online, ran it through a script to check all the records and found 90 destinations we could use.
Related issue(s)
Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.