Bug 11898 (INTERNALSTARTTLS)

Summary: enforce STARTTLS and DANE validation for internal mail delivery
Product: Infrastructure
Reporter: Peter Müller <peter.mueller>
Component: Mail & Mailing Lists
Assignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED
QA Contact: Michael Tremer <michael.tremer>
Severity: Security
Priority: - Unknown -
CC: arne.fitzenreiter, michael.tremer, morlix
Version: unspecified
Keywords: Security
Hardware: all
OS: All
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=11893
Bug Depends on: 11896, 11897, 11934
Bug Blocks:

Description Peter Müller 2018-10-04 18:38:10 UTC
Recently, we decided that any internal mail traffic should be encrypted and validated using DANE. After every server got a certificate and the corresponding TLSA records were set up, these tasks are left to me:
- update Postfix relay configuration
  (a) add path to server certificate and key file (both server and client side)
  (b) change encryption policy for mail delivery to DANE-only
- update Postfix configuration on mail01.ipfire.org
  (a) enforce DANE-only to internal systems
  (b) update needed directives

plaintext-diediedie... :-)
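The Postfix changes the task list above describes, shown as an added illustration rather than IPFire's actual overlay configuration: the weak opportunistic setting first, then the hardened relay/server settings and the per-destination DANE-only policy. Certificate paths and the policy-map location are assumptions; mail01.ipfire.org is taken from the bug.

```ini
# ---- /etc/postfix/main.cf ----

# Before (constructed weak setting): opportunistic TLS only. A downgrade to
# plaintext or a forged certificate on the path is neither detected nor logged
# as an error, so "encrypted" is never actually enforced.
# smtp_tls_security_level = may

# Server side (inbound): certificate and key presented to connecting relays.
# Paths are assumed, not IPFire's real ones.
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file  = /etc/postfix/ssl/server.key
# Client side (outbound): reuse the same pair so peers can see who connects.
smtp_tls_cert_file  = $smtpd_tls_cert_file
smtp_tls_key_file   = $smtpd_tls_key_file

# DANE is only meaningful with DNSSEC-validated TLSA lookups; the resolver in
# /etc/resolv.conf must validate, otherwise Postfix silently degrades.
smtp_dns_support_level = dnssec
# Default outbound policy: DANE when TLSA records exist, opportunistic TLS
# otherwise. Internal destinations are tightened in the policy map below.
smtp_tls_security_level = dane
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
# Level 1 logs the negotiated protocol and whether the TLSA match succeeded,
# which is what to grep for when verifying the rollout.
smtp_tls_loglevel = 1

# On mail01.ipfire.org (and every internal server): refuse plaintext from
# relays instead of merely offering STARTTLS.
smtpd_tls_security_level = encrypt

# ---- /etc/postfix/tls_policy  (run: postmap /etc/postfix/tls_policy) ----
# dane-only: if no usable, DNSSEC-signed TLSA record is found, delivery is
# deferred rather than falling back to unauthenticated TLS or plaintext.
# The protocols attribute restricts the mandatory session to TLS 1.3 only,
# i.e. TLS 1.2 is disabled as comment 4 states (assumes Postfix >= 3.4 with
# OpenSSL 1.1.1; internal hostnames other than mail01 are placeholders).
mail01.ipfire.org   dane-only protocols=TLSv1.3
relay01.example.org dane-only protocols=TLSv1.3
```

After reloading, a delivery logged as "Verified TLS connection established to mail01.ipfire.org ... TLSv1.3" confirms both the TLSA match and the protocol restriction; an "Untrusted" or deferred delivery points at a missing or unsigned TLSA record.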
Comment 1 Peter Müller 2018-10-04 18:57:40 UTC
- also make Postfix relay configurations listen on public interface if desired
Comment 2 Michael Tremer 2019-08-01 13:18:28 UTC
What needs to be done here?
Comment 3 Peter Müller 2019-09-05 17:30:12 UTC
We now have this in place everywhere.

I will edit the Postfix overlay configuration for all servers so they use DANE and disable TLS 1.3 for internal SMTP connections.
Comment 4 Peter Müller 2019-09-05 17:30:40 UTC
Sorry, I meant disabling TLS 1.2 ... :-)