
I have a postfix server which processes mails for several domains. The server is using TLS encryption if the client requests it, but currently does not enforce it for compatibility reasons.

Now there's a new domain which this server should process mails for, where TLS should be enforced and where clients have to authenticate using client certificates.

Is it possible to configure postfix for this scenario while not changing the setup for all other domains? If yes, how?

TomS

    Asking for certificates and actually doing something with the information as part of (possibly conditional) smtpd_*_restrictions is intentionally separate. It sounds like you want to split up your service ports between optional and implicit (or at least mandatory) security though, to get yourself cleaner rulesets: it would be annoying to troubleshoot for a client to successfully set up TLS under a relaxed "plaintext would be okay as well" policy, only to then fail authentication because otherwise acceptable TLS versions are not valid when you actually depend on the signature indicating authorization. – anx Aug 09 '23 at 03:23

1 Answer

This is not possible with a single smtpd instance, but you can configure multiple smtpd instances through master.cf, as you should already have one instance for handling incoming mail on port 25 and another for outbound mail on port 465 (implicit TLS per RFC 8314, section 3) or 587 for submission with plain text & STARTTLS.

I would suggest configuring port 587 for the legacy clients, as it already supports plain text and TLS is only available through STARTTLS, whereas on port 465 the TLS handshake begins immediately – which goes perfectly with the requirements for your new domain.

Let's assume example.com is the legacy domain and example.net the protected one.

The key is to:

  1. use different myhostname configurations
  2. limit the allowed sender address(es) with smtpd_sender_restrictions=reject_unlisted_sender

In master.cf:

# Legacy access on submission port 587 for example.com
submission  inet  n  -  -  -  -  smtpd
  -o myhostname=example.com
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_unlisted_sender
  -o { smtpd_recipient_restrictions=
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         permit_sasl_authenticated, reject }

# Client certificate required on port 465 for example.net
# (wrappermode makes TLS mandatory on this port; smtpd_tls_req_ccert only
#  accepts certificates that verify against smtpd_tls_CAfile/smtpd_tls_CApath)
smtps inet  n  -  -  -  -  smtpd
  -o myhostname=example.net
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_unlisted_sender
  -o { smtpd_recipient_restrictions=
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         permit_sasl_authenticated, reject }

You could even enforce that certain users can only use certain addresses, which works with both configurations, e.g.,

  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o { smtpd_sender_restrictions =
         reject_unlisted_sender,
         reject_sender_login_mismatch }
Esa Jokinen
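As an added check that is not part of the answer above or of Postfix itself: the script below parses the `-o` overrides of every smtpd service in a constructed master.cf modelled on the answer (including the `-o { ... }` multi-line syntax), layers them over a constructed set of main.cf values, and reports the pitfalls of a split-port setup that postconf(5) documents but that a master.cf listing does not make obvious: `smtpd_tls_req_ccert=yes` is only enforced under mandatory TLS (`smtpd_tls_security_level=encrypt` or wrappermode) and needs a CA in `smtpd_tls_CAfile`/`smtpd_tls_CApath` to verify against, and a port with `smtpd_sasl_auth_enable=yes` under `smtpd_tls_security_level=may` announces AUTH before STARTTLS unless `smtpd_tls_auth_only=yes` is set. The CA path and the main.cf values are assumptions made for the example.

```python
"""Audit per-service smtpd TLS/SASL overrides in a Postfix master.cf.

Added example, not code from the original answer or from Postfix.
"""

# Constructed master.cf modelled on the answer above (not a real deployment).
MASTER_CF = """\
# Legacy access on submission port 587 for example.com
submission  inet  n  -  -  -  -  smtpd
  -o myhostname=example.com
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o { smtpd_recipient_restrictions=
         reject_non_fqdn_recipient,
         permit_sasl_authenticated, reject }

# Client certificate required on port 465 for example.net
smtps inet  n  -  -  -  -  smtpd
  -o myhostname=example.net
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Constructed main.cf values; the CA file path is an assumption for the example.
MAIN_CF = {"smtpd_tls_security_level": "may"}
MAIN_CF_WITH_CA = {**MAIN_CF, "smtpd_tls_CAfile": "/etc/postfix/client-ca.pem"}


def parse_overrides(args):
    """Turn the argument list after the 8 master.cf fields into {param: value}.

    Handles both '-o name=value' and the Postfix 3.x '-o { name = value }' form,
    which may span several (already joined) continuation lines.
    """
    opts, i = {}, 0
    while i < len(args):
        if args[i] != "-o" or i + 1 >= len(args):
            i += 1
            continue
        i += 1
        if args[i].startswith("{"):
            group = []
            while i < len(args):            # collect tokens up to the closing brace
                group.append(args[i])
                if args[i].endswith("}"):
                    break
                i += 1
            setting = " ".join(group).strip("{} ")
        else:
            setting = args[i]
        key, _, value = setting.partition("=")
        opts[key.strip()] = value.strip()
        i += 1
    return opts


def parse_master_cf(text):
    """Return {service_name: (command, overrides)}; whitespace-led lines continue an entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        services[fields[0]] = (fields[7], parse_overrides(fields[8:]))
    return services


def audit(services, main_cf):
    """Return {service: [findings]} for every smtpd service, using effective settings."""
    report = {}
    for name, (command, overrides) in services.items():
        if command != "smtpd":
            continue
        eff = {**main_cf, **overrides}          # -o overrides win over main.cf

        def yes(param):
            return eff.get(param, "no").lower() == "yes"

        # Wrapper mode implies mandatory TLS; otherwise only 'encrypt' is mandatory.
        mandatory = yes("smtpd_tls_wrappermode") or \
            eff.get("smtpd_tls_security_level", "none") == "encrypt"
        findings = []
        if yes("smtpd_tls_req_ccert"):
            if not mandatory:
                findings.append("smtpd_tls_req_ccert is only enforced under mandatory TLS; "
                                "set smtpd_tls_security_level=encrypt or smtpd_tls_wrappermode=yes")
            if not (eff.get("smtpd_tls_CAfile") or eff.get("smtpd_tls_CApath")):
                findings.append("no smtpd_tls_CAfile/CApath: no client certificate can verify, "
                                "so smtpd_tls_req_ccert rejects every client")
        if yes("smtpd_sasl_auth_enable") and not mandatory and not yes("smtpd_tls_auth_only"):
            findings.append("AUTH is announced before STARTTLS; set smtpd_tls_auth_only=yes "
                            "unless plaintext passwords are intended")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, main_cf in (("without CA", MAIN_CF), ("with CA", MAIN_CF_WITH_CA)):
        print(f"== main.cf {label} ==")
        for svc, findings in audit(parse_master_cf(MASTER_CF), main_cf).items():
            print(f"{svc}: {findings or 'ok'}")
```

On a real host the same checks can be fed with `postconf -M` (master.cf entries) and `postconf -n` (main.cf overrides) instead of the embedded strings; the plaintext-AUTH finding on the 587 service is the trade-off the question deliberately accepts for legacy clients, and it is reported so that the decision is explicit rather than accidental.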