Enable SMTPS per RFC 8314

Open almereyda opened this issue 1 year ago • 6 comments

Impacted versions

all

Steps to reproduce

  1. Read RFC 8314
  2. Find the unconfigured SMTPS port in https://github.com/modoboa/modoboa-installer/blob/d05618e53d5b3864c668da59d446e8d516fcf6a2/modoboa_installer/scripts/files/postfix/master.cf.tpl#L30-L40

Expected behavior

master.cf

26,28c26,28
<   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
<   -o smtpd_helo_restrictions=
<   -o smtpd_sender_restrictions=reject_sender_login_mismatch
---
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
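Review bot: the three `$mua_*` references only mean something if main.cf declares those names in `smtpd_restriction_classes` (the main.cf fragment further down does); if this master.cf hunk lands without the main.cf change, each reference expands to an empty value, and an empty `smtpd_client_restrictions` on the submission service imposes no client restriction instead of the previous `permit_sasl_authenticated,reject`, so both files should change in one commit. Note also the HELO behaviour change: the old value was empty, while `mua_helo_restrictions` adds `reject_invalid_hostname` for authenticated clients outside `mynetworks`.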
31,38c31,39
< #smtps     inet  n       -       -       -       -       smtpd
< #  -o syslog_name=postfix/smtps
< #  -o smtpd_tls_wrappermode=yes
< #  -o smtpd_sasl_auth_enable=yes
< #  -o smtpd_reject_unlisted_recipient=no
< #  -o smtpd_client_restrictions=$mua_client_restrictions
< #  -o smtpd_helo_restrictions=$mua_helo_restrictions
< #  -o smtpd_sender_restrictions=$mua_sender_restrictions
---
> smtps     inet  n       -       -       -       -       smtpd
>   -o syslog_name=postfix/smtps
>   -o tls_preempt_cipherlist=yes
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
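Review bot: `tls_preempt_cipherlist=yes` is a server-wide TLS preference, and setting it only here makes port 465 negotiate ciphers differently from the submission service on 587; either set it in main.cf for both services or drop it from this hunk. The service name `smtps` is looked up in /etc/services when master starts, and an unknown service name is fatal, so a numeric `465` (or `submissions` where that is the registered name) avoids depending on the alias being present.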
41c42,43
< #  -o milter_macro_daemon_name=ORIGINATING
---
>   -o milter_macro_daemon_name=ORIGINATING
>   -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
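Review bot: `smtpd_proxy_filter=inet:[127.0.0.1]:10026` hardwires a before-queue content filter that nothing in this diff provisions; if no filter listens on 10026, every message on that service fails with a temporary error, so the line should be conditional on the installer's content-filter setup or left out of the proposal. The hunk has no context lines, so it is unclear which service the `milter_macro_daemon_name=ORIGINATING` override at line 41 belongs to; a `diff -u` with context would let a reviewer confirm it is the smtps service.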
153c155
<         -o local_header_rewrite_clients=
---
>         -o local_header_rewrite_clients=permit_mynetworks,permit_sasl_authenticated
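Review bot: changing `local_header_rewrite_clients` from empty to `permit_mynetworks,permit_sasl_authenticated` re-enables header address rewriting (completing bare addresses with `$myorigin`) for local and authenticated clients, which the empty value had switched off; the hunk shows no context, so say which service at line 153 this applies to and why the installer's choice there should change, since it is a separate concern from enabling port 465.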

main.cf, between ## Recipient restriction rules and ## Postscreen settings

# Sender restriction rules
smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname

# Relay restriction rules
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# Custom restriction classes
smtpd_restriction_classes =
    mua_sender_restrictions
    mua_client_restrictions
    mua_helo_restrictions

mua_client_restrictions =
    permit_sasl_authenticated
    reject

mua_sender_restrictions =
    permit_sasl_authenticated
    reject_sender_login_mismatch

mua_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
#    reject_non_fqdn_hostname

We've been running this configuration quite stably for a few years. It has not been audited for security.

Also note the commented reject_non_fqdn_hostname rule, which hasn't affected us badly, yet. Also smtpd_recipient_restrictions and smtpd_relay_restrictions from the commented smtps part in master.cf remain untouched, to mirror the given submission configuration.

There's more discussion in the thread at https://discord.com/channels/930814728928895078/1203376038793584720

almereyda avatar Jul 19 '24 01:07 almereyda
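As an added example (not code from the issue or from the modoboa-installer project), a small Python audit that reads a master.cf the way Postfix does (a service line followed by indented `-o` overrides, `#` lines disabled) and checks two things the proposal above depends on: that an enabled inet service on port 465 runs in `smtpd_tls_wrappermode=yes` with SASL, and that every `$mua_*` class referenced in an override is declared in main.cf. The sample master.cf and the declared-class set are constructed; the sender class is deliberately left undeclared.

```python
"""Audit a Postfix master.cf for an RFC 8314 implicit-TLS submission service on port 465."""
import re

# Constructed sample modelled on the issue's proposed master.cf (not the installer's template).
MASTER_CF = """\
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
"""
DECLARED_CLASSES = {"mua_client_restrictions", "mua_helo_restrictions"}  # constructed; sender class left out

def parse_master_cf(text):
    """Map service name -> (type, {option: value}); indented '-o' lines extend the service above."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank, or commented out (disabled)
            continue
        if line[0] in " \t":                           # continuation line: '-o name=value'
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and current:
                services[current][1][m.group(1)] = m.group(2)
            continue
        fields = line.split()  # service type private unpriv chroot wakeup maxproc command ...
        current = fields[0]
        services[current] = (fields[1], {})
    return services

def audit(master_cf, declared_classes):
    """Return findings; an empty list means port 465 is an implicit-TLS, SASL-authenticated service."""
    services, findings = parse_master_cf(master_cf), []
    svc = next((v for k, v in services.items()
                if v[0] == "inet" and k.split(":")[-1] in ("smtps", "submissions", "465")), None)
    if svc is None:
        return ["no enabled inet service on port 465 (smtps/submissions)"]
    if svc[1].get("smtpd_tls_wrappermode") != "yes":
        findings.append("port 465 service lacks smtpd_tls_wrappermode=yes (clients would get STARTTLS)")
    if svc[1].get("smtpd_sasl_auth_enable") != "yes":
        findings.append("port 465 service lacks smtpd_sasl_auth_enable=yes")
    for _, opts in services.values():  # every $name in a -o value must be a declared class
        for ref in re.findall(r"\$\{?(\w+)\}?", " ".join(opts.values())):
            if ref not in declared_classes:
                findings.append(f"restriction class ${ref} referenced but not declared in main.cf")
    return sorted(set(findings))
```

`audit(MASTER_CF, DECLARED_CLASSES)` on the sample reports only the undeclared `$mua_sender_restrictions`; feed it the real files' contents to check an installed configuration.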

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 31 '25 23:01 stale[bot]

RFC 8314 has not been superseded.

almereyda avatar Feb 02 '25 15:02 almereyda

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 25 '25 21:04 stale[bot]

This is now the default and won't go away too soon.

almereyda avatar Apr 26 '25 20:04 almereyda

@almereyda I tried to view the related Discord discussion mentioned in your original issue; it appears to be gone. Is there a backup, or a reference elsewhere?

phizev avatar Jun 08 '25 19:06 phizev

In section "3.3. Implicit TLS for SMTP Submission" of RFC 8314 (2018), the recommendation is to transition to implicit TLS on the SMTPS / submission port:

The STARTTLS mechanism on port 587 is relatively widely deployed due to the situation with port 465 (discussed in Section 7.3). This differs from IMAP and POP services where Implicit TLS is more widely deployed on servers than STARTTLS. It is desirable to migrate core protocols used by MUA software to Implicit TLS over time, for consistency as well as for the additional reasons discussed in Appendix A.

The linked sections provide further details about the rationale behind this explicit port registration at the IANA for implicit TLS for SMTP.

This clears the double registration of port 465 with TCP at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=465, once for urd, the "URL Rendezvous Directory for SSM", and once for submissions, the "Message Submission over TLS protocol".

almereyda avatar Jun 09 '25 20:06 almereyda