Enforce TLS with sender domain

sashavl

New Member
Oct 15, 2019
Hello,

I need to enforce TLS on incoming mails from a specific domain, so I would like to ask you: is it enough to add that domain in "TLS Domain policy" in the web interface?

I understood that that is for outgoing mails?

Thank you.
 
I need to enforce TLS on incoming mails from a specific domain, so I would like to ask you: is it enough to add that domain in "TLS Domain policy" in the web interface?
Hmm - what exactly is your use case? (maybe there is a different approach you could take)

I understood that that is for outgoing mails?
This is correct - the domains entered there are added to the 'smtp_policy_maps' (and options prefixed with smtp_ affect the outbound connections)
see http://www.postfix.org/TLS_README.html and our reference documentation https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration

hmm - as far as getting this for inbound is concerned - this is not so easily done (or rather has quite a few drawbacks and pitfalls in my opinion):
* you can configure postfix to only accept TLS connections but this will break communication with quite a lot of mail-servers - from the postfix docs for that parameter:
Code:
smtpd_tls_security_level
...
 encrypt
              Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.

* you could configure a dedicated smtpd listener on another IP (or port) and have those sending domains where you need TLS send their mails there (through some DNS-hackery) - just like mail-submission on port 587 works

* what probably would also work - although it's probably also quite complex - is implementing a custom policy-service and integrating it into postfix
(see e.g. the policy server/library section at http://www.postfix.org/addon.html)


Integrating and adapting the postfix-configuration for pmg happens via the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_service_configuration_templates

I hope this helps!
 
Hi,

Hmm - what exactly is your usecase?

The use case is to be able to receive mails only via TLS from a particular domain.

configure postfix to only accept TLS connections but this will break communication with quite a lot of mail-servers

Yes, that's exactly why I need to do it only for a particular domain.

TLS is already enabled on incoming mails, as I see in the logs... but as I understood it's "opportunistic", which means if the server tries to send in plain text the mail will be accepted. I need that connection to be rejected.

edit:

Just to add, I've found that "plaintext" connections can be blocked from a particular domain in the "senderaccess" maps/file, but I have no idea how to edit it in Proxmox. I have read the docs in the admin guide regarding that, but it is still not clear for the "senderaccess" file because that is not a policy. If I just add an entry in the Postfix dir I believe it is going to be rewritten very soon. Can you give me some directions on a permanent edit of the "senderaccess" file?

Thank you very much.
 
As said - enforcing it for all communication will prevent many mailservers from communicating with you (and is against an RFC according to the postfix docs)

the options I see for this use-case:
* to have those domains send the emails to you via a dedicated IP/Port and have that listening with TLS-only
* create a custom postfix policy service (or milter or smtp-proxy) doing the checks for those domains

and integrating those into the postfix configuration
 
Ok,

can I ask whether the "senderaccess" file will be overwritten when Proxmox recreates the config file? How to do it permanently?
 
/etc/postfix/senderaccess gets overwritten whenever PMG rewrites the config (this is part of the Mail Proxy Whitelist).

You can change the main.cf template to use another file for the 'check_sender_access' acl (or an additional one beforehand)

I hope this helps!
 
TLS is a requirement for many healthcare & financial services firms. So, if a doctor wants to get email from a hospital over a known secure channel, hospital.com would send email to tls.doctor.com, and the PMG securing "tls.doctor.com" would configure postfix to only accept TLS connections.

Using this approach, everyone would know messages addressed to "tls.doctor.com" follow a secure channel.
 
Yea, I will definitely think about that. The basic problem with that is that the sender has to send you mail on another MX, otherwise you have to (mail) route locally to another connector (ip/port) with TLS (only).

Postfix can do what I need much more easily with the "check_sender_access" table, but I am not sure how to include an additional lookup table for it (on Proxmox).

edit:

On Proxmox this is the configuration:

smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess check_recipient_access regexp:/etc/postfix/rcptaccess

If I copy the templates from /var/lib/pmg/templates to /etc/pmg and in main.cf change this line to:

smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess regexp:/etc/postfix/senderaccess_custom check_recipient_access regexp:/etc/postfix/rcptaccess

and create the file of course, would this be enough? Should I do "postmap" on the new file, or will Proxmox "detect it" and do it with "pmgconfig"?
 
Postfix can do what I need much more easily with the "check_sender_access" table,
Sounds nice - How have you set it up (it would help others in a similar situation)

If I copy the templates from /var/lib/pmg/templates to /etc/pmg and in main.cf change this line to:

smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess regexp:/etc/postfix/senderaccess_custom check_recipient_access regexp:/etc/postfix/rcptaccess

and create the file of course, would this be enough? Should I do "postmap" on the new file, or will Proxmox "detect it" and do it with "pmgconfig"?
Sounds about right - and you need to do the postmap manually.
 
Yes, it seems to be working.

My suggestion to the Proxmox team would be to allow us to put a "custom" action for a specific domain in the "senderaccess" file directly from the web interface, not just "OK" or "REJECT" - as "whitelist/blacklist" do.

Thank you.
 
Yes, it seems to be working.
nice - could you post an (anonymized) example - I did not see the option to make the result/response dependent of the TLS status?

My suggestion to the Proxmox team would be to allow us to put a "custom" action for a specific domain in the "senderaccess" file directly from the web interface, not just "OK" or "REJECT" - as "whitelist/blacklist" do.

Until now we left that out since there are 3 levels of black/whitelists (all with slightly different uses/semantics) and we try to not offer too many options in the GUI (and those users who know that they need that functionality can always use the CLI and the service configuration templates)
 
Example of how the custom "senderaccess" table should look like?

Depends on the type of table which you use. For regexp:

/^.+@test\.com$/ reject_plaintext_session

For "hash", probably something like:

@example.com reject_plaintext_session

Also you can configure "plaintext_reject_code".
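To make the regexp table semantics above concrete (first-match lookup on the MAIL FROM address, and reject_plaintext_session only firing when the session is not TLS-protected), here is an added simulator; it is not code from the thread or from PMG, the table contents are constructed, and Python's re stands in for Postfix's POSIX regex engine:

```python
import re

# Constructed example of a custom senderaccess table in Postfix regexp: format
# (not a file from the thread). First matching rule wins, as in Postfix.
SENDERACCESS_CUSTOM = r"""
# require TLS from these sender domains
/^.+@test\.com$/        reject_plaintext_session
/^.+@example\.org$/i    reject_plaintext_session
"""

PLAINTEXT_REJECT_CODE = 450   # Postfix default for plaintext_reject_code

# one table line: optional '!' negation, /pattern/, optional flags, result
RULE_RE = re.compile(r"^(!?)/(.*)/([imx]*)\s+(\S+)$")

def parse_regexp_table(text):
    """Return a list of (compiled regex, negated, result) from regexp: table text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        negate, pattern, flags, result = m.groups()
        # Postfix matches case-insensitively by default; the 'i' flag toggles that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), negate == "!", result))
    return rules

def lookup(rules, sender):
    """First-match lookup of the MAIL FROM address, as check_sender_access does."""
    for regex, negated, result in rules:
        if bool(regex.search(sender)) != negated:
            return result
    return None

def sender_restriction(rules, sender, tls_active):
    """Return (action, smtp_code); DUNNO means the next restriction is consulted."""
    result = lookup(rules, sender)
    if result == "reject_plaintext_session":
        if tls_active:
            return ("DUNNO", None)           # TLS session: the rule does not apply
        return ("REJECT", PLAINTEXT_REJECT_CODE)
    if result == "REJECT":
        return ("REJECT", 554)               # access_map_reject_code default
    return ("DUNNO" if result is None else result, None)
```

postmap builds a .db only for hash: tables; a regexp: table like this one is read as-is by Postfix.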
 
Well, I really think mail security is going to be increasingly important, but as we elaborated, turning on TLS for all incoming mail is simply not acceptable - for now. It is very useful to be able to turn on TLS explicitly for particular domains.

p.s would be very handy to be able to use forum user/pass for bugzilla :)
 