support requiring verified TLS certs on specific ports #2554
Codecov Report
@@ Coverage Diff @@
## master #2554 +/- ##
==========================================
+ Coverage 58.72% 58.94% +0.21%
==========================================
Files 29 29
Lines 6401 6413 +12
Branches 1581 1585 +4
==========================================
+ Hits 3759 3780 +21
+ Misses 2642 2633 -9
@@ -15,6 +15,12 @@ | |||
; requestCert=true | |||
; requestOCSP=false | |||
|
|||
; rejectUnauthorized above requires verified TLS certs on EVERY TLS connection. When | |||
; rejectUnauthorized=false (default), you can require verified TLS certs on only the |
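Review bot: The new comment following `; requestOCSP=false` says "verified TLS certs" without saying that these are client certificates, and it does not say what happens to a connection on one of the selected ports when the client presents no certificate or one that fails verification. Suggest stating both, and stating whether the per-port requirement depends on `requestCert=true` (the setting shown just above), since a peer that is never asked for a certificate cannot be verified.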
Wouldn't it be more secure to have this default to true?
Yes, and unplugging the network cable would also be more secure. Neither one is very useful for MTA operators wanting to receive emails.
Typical connections that send mail to an MTA will not present a valid TLS client certificate. If you set rejectUnauthorized=true, then you'll block the vast majority of mail. This is really an "edge case" feature, where you have clients that will authenticate to Haraka with a signed certificate instead of user/pass.
Yeah, I shot a bit quickly and was only thinking about using Haraka as an outbound mail server. In this case it would only send emails to other MTAs that support TLS with this option, no?
Likely the best way to make this point is to refer you to your Haraka mail logs with grep. Here's a few of my connections:
# grep verified=false /var/log/maillog | wc -l
1165
# grep verified=true /var/log/maillog | wc -l
11
> In this case it would only send emails to other MTAs that support TLS with this option, no?

Not quite. Haraka outbound would only be able to send mail to remote MTAs that present valid (i.e., verified by a CA that's included in the CAs that are bundled with Node.js) TLS certificates. This would be a higher than for inbound, but I think you'd still end up with lots of undelivered mail in your outbound queue.
Maybe more secure default?
d296f94 to 6482a5d
Fixes #2543
This is largely the same as #2543 except:
requireAuthorized instead of authorizationRequired
Checklist: