Commit b8665624 authored by Joshua Tauberer

avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124

parent 6a512042
...@@ -31,7 +31,7 @@ source /etc/mailinabox.conf # load global vars ...@@ -31,7 +31,7 @@ source /etc/mailinabox.conf # load global vars
# Install packages. # Install packages.
apt_install postfix postgrey postfix-pcre apt_install postfix postgrey postfix-pcre ca-certificates
# Basic Settings # Basic Settings
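Review bot: listing ca-certificates explicitly is the right pairing for the smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt setting added in the next hunk; if the package were absent, that path would not exist and Postfix would log a warning about being unable to load the CA file instead of the "Trusted" notices this commit is after. On the Ubuntu images this setup targets the package is normally already installed as a dependency, so this is a safety net rather than a behaviour change, and the commit message could say so.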
...@@ -75,15 +75,27 @@ tools/editconf.py /etc/postfix/main.cf \ ...@@ -75,15 +75,27 @@ tools/editconf.py /etc/postfix/main.cf \
smtpd_tls_received_header=yes smtpd_tls_received_header=yes
# When connecting to remote SMTP servers, prefer TLS and use DANE if available. # When connecting to remote SMTP servers, prefer TLS and use DANE if available.
# Postfix queries for the TLSA record on the destination MX host. If no TLSA records are found, #
# Prefering ("opportunistic") TLS means Postfix will accept whatever SSL certificate the remote
# end provides, if the remote end offers STARTTLS during the connection. DANE takes this a
# step further:
#
# Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records # then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC # or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also # itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec # relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
# to use it. # to use it.
#
# The smtp_tls_CAfile is superflous, but it turns warnings in the logs about untrusted certs
# into notices about trusted certs. Since in these cases Postfix is doing opportunistic TLS,
# it does not care about whether the remote certificate is trusted. But, looking at the logs,
# it's nice to be able to see that the connection was in fact encrypted for the right party.
# The CA file is provided by the package ca-certificates.
tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \
smtp_tls_security_level=dane \ smtp_tls_security_level=dane \
smtp_dns_support_level=dnssec \ smtp_dns_support_level=dnssec \
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt \
smtp_tls_loglevel=2 smtp_tls_loglevel=2
# Incoming Mail # Incoming Mail
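Review bot: two typos in the new comment text, "Prefering" (Preferring) and "superflous" (superfluous), and "SSL certificate" is better written as "TLS certificate" since the rest of the comment and the main.cf parameters say TLS. On substance the comment is accurate as far as it goes: with smtp_tls_security_level=dane the CA file only comes into play on the opportunistic fallback path (no usable TLSA records), where it changes the log line from "Untrusted TLS connection established" to "Trusted TLS connection established" without affecting delivery, so it would be clearer to state that the CA file is informational for logging only and has no effect on DANE verification. One pre-existing inaccuracy in the surrounding context is worth fixing while touching this block: a certificate that fails to match the TLSA records causes Postfix to defer delivery and retry, and the message only bounces once it reaches the queue lifetime, so "or else the mail bounces" overstates what happens on a transient mismatch.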
...@@ -137,4 +149,4 @@ ufw_allow submission ...@@ -137,4 +149,4 @@ ufw_allow submission
# Restart services # Restart services
restart_service postfix restart_service postfix
\ No newline at end of file
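Review bot: the only visible difference in this hunk is the "\ No newline at end of file" marker, so the change appears to add the missing trailing newline after restart_service postfix. Harmless, but it is whitespace noise unrelated to the CA file change and would be cleaner either in its own commit or mentioned in the commit message.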