Bug 11898 (INTERNALSTARTTLS) - enforce STARTTLS and DANE validation for internal mail delivery
Summary: enforce STARTTLS and DANE validation for internal mail delivery
Status: CLOSED FIXED
Alias: INTERNALSTARTTLS
Product: Infrastructure
Classification: Unclassified
Component: Mail & Mailing Lists
Version: unspecified
Hardware: all All
Importance: - Unknown - Security
Assignee: Peter Müller
QA Contact: Michael Tremer
Keywords: Security
Depends on: 11896 11897 11934
Reported: 2018-10-04 18:38 UTC by Peter Müller
Modified: 2019-09-11 15:22 UTC
Description Peter Müller 2018-10-04 18:38:10 UTC
Recently, we decided any internal mail traffic should be encrypted and validated by using DANE. After every server got a certificate and corresponding TLSA records are set up, these tasks are left to me:
- update Postfix relay configuration
  (a) add path to server certificate and key file (both server and client side)
  (b) change encryption policy for mail delivery to DANE-only
- update Postfix configuration on mail01.ipfire.org
  (a) enforce DANE-only to internal systems
  (b) update needed directives

plaintext-diediedie... :-)
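A Postfix main.cf fragment covering the tasks listed above (certificate and key on both the server and the client side, DANE-only outbound delivery, and a per-destination policy for the internal systems), added here as an illustration and not taken from this bug or from the IPFire servers; the file paths, the policy-map location and the domain entry in it are assumptions:

```ini
# --- server side (smtpd): present our own certificate to connecting relays ---
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.crt    # assumed path
smtpd_tls_key_file  = /etc/ssl/private/mail.example.org.key  # assumed path
smtpd_tls_security_level = may        # offer STARTTLS; policy is enforced on the client side
smtpd_tls_loglevel = 1

# --- client side (smtp): same key pair, used when we relay to other servers ---
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file  = $smtpd_tls_key_file
smtp_tls_loglevel = 1

# DANE needs DNSSEC-validated lookups; the local resolver must be DNSSEC-aware
smtp_dns_support_level = dnssec

# Default outbound policy: require a TLSA-authenticated TLS session.
# "dane-only" fails delivery (deferral) when no usable TLSA record exists,
# instead of falling back to opportunistic TLS like plain "dane" would.
smtp_tls_security_level = dane-only

# Per-destination overrides; "dane-only" for the internal domain even if the
# global default is later relaxed for external mail. The protocols= attribute
# uses ':' as separator inside policy maps (exclusion list shown here; the
# ">=TLSv1.3" form needs a newer Postfix). Domain and path are assumptions.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#   /etc/postfix/tls_policy:
#   example.org   dane-only protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2
#   (run "postmap /etc/postfix/tls_policy" after editing)
```

After reloading, a successful DANE-authenticated delivery is logged as "Verified TLS connection established to ...", and `posttls-finger -c -L summary,verbose mail01.ipfire.org` exercises the same client-side policy without sending a message.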
Comment 1 Peter Müller 2018-10-04 18:57:40 UTC
- also make Postfix relay configurations listen on public interface if desired
Comment 2 Michael Tremer 2019-08-01 13:18:28 UTC
What needs to be done here?
Comment 3 Peter Müller 2019-09-05 17:30:12 UTC
We now have this in place everywhere.

I will edit the Postfix overlay configuration for all servers so they use DANE and disable TLS 1.3 for internal SMTP connections.
Comment 4 Peter Müller 2019-09-05 17:30:40 UTC
Sorry, I meant disabling TLS 1.2 ... :-)