tickets #40574

closed

Email: tls configuration for anna/elsa

Added by tampakrap over 5 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Email
Target version: -
Start date: 2018-09-04
Due date:
% Done: 100%
Estimated time:
Description

anna/elsa send unencrypted mails. We need to
1) adjust the crtmgr hooks.sh script to send the certificates to the postfix ssl directory
2) adjust main.cf with proper tls configuration

Actions #1

Updated by pjessen over 5 years ago

  • Private changed from Yes to No

There is no need for a certificate for sending - just enable TLS. smtp_tls_security_level = may

Actions #2

Updated by tampakrap over 5 years ago

Could you also explain to me why, please?

Actions #3

Updated by pjessen over 5 years ago

When the receiving side offers TLS, the sending side only needs to validate the certificate, but doesn't need a certificate itself.
Just like a browser accessing an https site.

Actions #4

Updated by tampakrap over 5 years ago

anna/elsa are also relayhosts

Actions #5

Updated by pjessen over 5 years ago

tampakrap wrote:

anna/elsa are also relayhosts

But only for internal mails? Yes, if you want to encrypt that too, they will need certificates.

And update the senders with smtp_tls_security_level = may

Actions #6

Updated by lrupp about 4 years ago

  • Subject changed from tls configuration for anna/elsa to Email: tls configuration for anna/elsa

Actions #7

Updated by lrupp about 4 years ago

  • Category changed from Servers hosted in NBG to Email

Actions #8

Updated by pjessen almost 4 years ago

I have enabled opportunistic TLS on anna and elsa, don't know why it took me so long. We had messages queueing up due to outlook.com requiring TLS, which is actually against the standing recommendation. Oh well.

# 20200331 pjessen https://progress.opensuse.org/issues/40574
#smtp_use_tls = no
#smtp_enforce_tls = no
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
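As an added example (not code from this ticket or from the anna/elsa hosts), here is a small Python audit that parses a main.cf fragment and checks the two points made in #3 and #5: the outbound side (the Postfix SMTP client) needs no certificate of its own, only `smtp_tls_security_level = may`, while the inbound side (smtpd) of a relayhost needs a certificate before it can offer STARTTLS to the internal senders. The sample configurations, the hostname anna.example.org and the certificate paths under /etc/postfix/ssl are constructed for the example; the first sample reproduces the fragment from #8.

```python
"""Audit a Postfix main.cf fragment for the TLS settings discussed in this ticket.

Added example, not part of the ticket or of the anna/elsa configuration.
Parser rules follow postconf(5): one "name = value" per logical line, a line
beginning with whitespace continues the previous value, a line whose first
non-blank character is '#' is a comment, and a later assignment wins.
"""
import re
from typing import Dict, List

LEGACY_CLIENT_PARAMS = ("smtp_use_tls", "smtp_enforce_tls")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Return the effective parameters of a main.cf fragment (no $name expansion)."""
    params: Dict[str, str] = {}
    last_name = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and last_name is not None:
            # Continuation line: appended to the value of the previous parameter.
            params[last_name] = (params[last_name] + " " + stripped).strip()
            continue
        name, sep, value = stripped.partition("=")
        if not sep:
            continue  # not 'name = value'; Postfix warns about such lines and ignores them
        last_name = name.strip()
        params[last_name] = value.strip()
    return params


def protocols_exclude_sslv2_v3(spec: str) -> bool:
    """True if a *_tls_protocols value rules out SSLv2 and SSLv3, either in the
    exclusion form from comment #8 ('!SSLv2, !SSLv3') or as a floor ('>=TLSv1')."""
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    if any(t.startswith(">=TLSv") for t in tokens):
        return True
    return "!SSLv2" in tokens and "!SSLv3" in tokens


def audit_tls(params: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means both directions look sane."""
    findings: List[str] = []
    # Outbound side (SMTP client): no certificate needed, only a security level (#3).
    level = params.get("smtp_tls_security_level", "")
    if level == "":
        if params.get("smtp_use_tls", "no") == "yes":
            findings.append("client: uses legacy smtp_use_tls; set smtp_tls_security_level = may instead")
        else:
            findings.append("client: outbound TLS disabled, mail leaves in clear text")
    elif level == "none":
        findings.append("client: smtp_tls_security_level = none, mail leaves in clear text")
    elif any(p in params for p in LEGACY_CLIENT_PARAMS):
        # Postfix ignores the legacy switches once smtp_tls_security_level is set.
        findings.append("client: smtp_use_tls/smtp_enforce_tls are ignored and should be removed")
    for p in ("smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        # Only explicit values are checked; when unset the build's default applies.
        if p in params and not protocols_exclude_sslv2_v3(params[p]):
            findings.append(f"client: {p} does not exclude SSLv2/SSLv3")
    # Inbound side (smtpd): a relayhost needs a certificate before it can offer STARTTLS (#5).
    srv = params.get("smtpd_tls_security_level", "")
    if srv in ("", "none"):
        findings.append("server: smtpd_tls_security_level not set, inbound relaying stays in clear text")
    elif not (params.get("smtpd_tls_chain_files") or params.get("smtpd_tls_cert_file")):
        findings.append("server: no smtpd_tls_cert_file/smtpd_tls_chain_files, STARTTLS will not be offered")
    return findings


# Constructed sample: the fragment from comment #8 plus an unrelated multi-line
# parameter to exercise the continuation handling. Hostname is hypothetical.
ANNA_MAIN_CF = """\
myhostname = anna.example.org
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# 20200331 pjessen https://progress.opensuse.org/issues/40574
#smtp_use_tls = no
#smtp_enforce_tls = no
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

# Constructed sample: the same host also offering STARTTLS to internal senders
# (the relayhost case from #5). Certificate paths are hypothetical.
RELAYHOST_MAIN_CF = ANNA_MAIN_CF + """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/anna.crt
smtpd_tls_key_file = /etc/postfix/ssl/anna.key
"""

# Constructed sample: the state before the ticket, nothing encrypted.
PLAINTEXT_MAIN_CF = "smtp_use_tls = no\nsmtp_enforce_tls = no\n"

if __name__ == "__main__":
    for label, cf in (("anna, comment #8", ANNA_MAIN_CF), ("relayhost", RELAYHOST_MAIN_CF),
                      ("plaintext", PLAINTEXT_MAIN_CF)):
        print(label, audit_tls(parse_main_cf(cf)) or ["ok"])
```

Run against the #8 fragment the audit reports only that the inbound smtpd side is still in clear text, which matches #9: outbound delivery is encrypted opportunistically, internal relaying to anna/elsa is not.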

Actions #9

Updated by pjessen almost 4 years ago

  • Status changed from New to Resolved
  • Assignee set to pjessen
  • % Done changed from 0 to 100

Since 1 April, we have delivered 1'282'586 mails via TLS, seems to be working fine :-)
Personally I see no reason for using TLS for our internal relaying, but if anyone disagrees, feel free to re-open.
