Question about TLS policies

magenbrot

Active Member
Mar 1, 2018
27
8
43
45
Fürth
ovtec.it
Hi,

I want to use a specific tls policy for one recipient domain. So I've added it in

Configuration -> Mail Proxy -> TLS -> TLS Domain Policy -> Create
mydomain.org -> policy fingerprint

So, now where do I configure the TLS fingerprint? According to the postfix documentation the tls_policy entry has to look like this:
Code:
mydomain.org fingerprint
    match=DB:87:57:BC:CA:AC:02:58:92:9B:B9:4D:B9:CD:F5:73:B4:48:7D:D8

I can add the fingerprint manually in /etc/pmg/tls_policy and it works. But the GUI doesn't recognize this and gives a parser error afterwards.

Additionally I want to use the SHA1 algo as fingerprint digest. This is achieved by adding "smtp_tls_fingerprint_digest = sha1" to the main.cf. But this change is overwritten with the next update. Where do I put those custom configurations then?

Thanks! And best regards
Oli
 
I can add the fingerprint manually in /etc/pmg/tls_policy and it works. But the GUI doesn't recognize this and gives a parser error afterwards.

Can you send a screenshot of the error you're getting?
 
The current implementation in the GUI only allows for setting the policy - not any additional settings - e.g. for pinning the fingerprint like in your case.

As you wrote - you can override the postfix settings via the templating mechanism.
You can als add any valid configuration in `/etc/pmg/tls_policy` and run postmap afterwards, however you will not be able to edit this via GUI.

Hope this helps
 
oh, ok. Do you need a "Feature Request" in the bugtracker? I mean adding the feature for domain-specific TLS policies will direct the users to really use it ;)
 
Feel free to create one - https://bugzilla.proxmox.com - however currently it might not be on the very-high priority list.
I expect(ed) most people to be happy with the levels initially (and to not need certificate-pinning with the potential overhead for updating the fingerprints regularily) - but maybe more users need it (and for the fingerprint we would need a per-domain/per-host map).
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!