self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-11-23 22:04:47 +02:00
Code Issues Releases Activity

Introduce DEFER_ON_TLS_ERROR

Browse Source 
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
This commit is contained in:
Florent Daigniere
2021-08-30 14:21:28 +02:00
parent 7c5dcfa025
commit a8142dabbe
4 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
core/postfix/conf/main.cf
View File

@@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
# 2. not all will have and up-to-date TLS stack.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =!SSLv2,!SSLv3
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
delay_warning_time = 5m
smtp_tls_loglevel = 1
notify_classes = resource, software, delay
###############
# Virtual

2
core/postfix/mta-sts-daemon.yml
View File

@@ -6,5 +6,5 @@ cache:
options:
cache_size: 10000
default_zone:
strict_testing: false
strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
timeout: 4

1
core/postfix/start.py
View File

@@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"):
if os.path.exists("/overrides/mta-sts-daemon.yml"):
shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
if not os.path.exists("/etc/postfix/tls_policy.map.db"):
with open("/etc/postfix/tls_policy.map", "w") as f:

2
docs/configuration.rst
View File

@@ -73,7 +73,7 @@ mail in following format: ``[HOST]:PORT``.
By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
if you are using a relayhost that supports TLS.
if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.
Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for