How to Require TLS incoming/outgoing for one domain
One of our customers has made a policy decision that all email incoming and outgoing needs to be over a TLS encrypted channel. So they expect to send to us over TLS and expect us to send to them over TLS.
Can anyone tell me exactly what I will need to configure to allow this?
Our setup -
MX records point to external ISP mail relay/spam filters
ISP delivers mail to our mail server.
Outgoing mail goes directly from our mail server
They wish the configuration to require TLS - not to fall back to plain text if TLS cannot be established.
I have seen the wiki articles "Postfix PCI Compliance in ZCS" and "Outgoing SMTP Authentication" on the Zimbra wiki, but I'm still confused.
Thanks in advance
Configuring TLS for outgoing emails
I will answer my own question - at least partially. I would still like to get some assurance that what I have done is correct thus far.
Zimbra by default uses a TLS-enabled build of Postfix. This makes the task very easy. It will by default accept TLS incoming connections with no further configuration. It is up to those sending you email to configure their system to send to you using TLS. I don't know if you can refuse to accept non-TLS emails for a domain - if someone knows for sure, please chime in.
Configuring postfix to request/require a TLS connection for outgoing email is done on a per-domain basis.
For background see: Postfix TLS ReadMe
For our purposes, there are a few simple steps to take to add/update the domains to use TLS for.
1. On the zimbra server, log in as root
2. Create a file with a list of the domains and any required cipher strength
Using a text editor, edit a file
(Note: this file is being placed outside of the /opt/zimbra tree to avoid losing it during an upgrade)
Add one line to the file for each domain. For example, here is our initial file for testing purposes. See the TLS Policy Table information in the document referenced above for the meanings of the various settings in this example, and for other settings that are available.
domain1.com encrypt protocols=SSLv3:TLSv1
domain2.com encrypt protocols=SSLv3:TLSv1 ciphers=high
Save the file.
3. Create a hash table from the file. (Not sure if that is the correct terminology)
As root, run the command,
This creates a file called /etc/zimbra_tls_policy.db
(Note: postfix versions change with zimbra upgrades - but the postfix link should always point to the most recent version)
4. Run the command, to become the zimbra superuser
5. For the first time only, edit the postfix configuration file main.cf to make it aware of the TLS Policy File
As the zimbra superuser, edit the file /opt/zimbra/postfix/conf/main.cf
Check for the following two entries, and add/edit them to match the following
smtp_tls_policy_maps = hash:/etc/zimbra_tls_policy
smtp_tls_note_starttls_offer = yes
The first one tells postfix that there is a TLS Policy File to be used
The second line tells zimbra to report in the log file (/var/log/zimbra.log) any hosts we connect to that offer TLS support but that we have not yet configured for TLS usage. This allows collection of details of domains that we can enable TLS support for going forward. It will also allow us to see if a targeted domain is already configured to accept TLS before we turn it on on our end. This will avoid having email that gets deferred on our mail server because a TLS session could not be established. Log lines will look like the following. Note: in this particular case, the email was to domain1.com, but as they are hosted by Google, it is the Google server that reports the status.
May 6 16:51:38 zimbra postfix/smtp: Host offered STARTTLS: [alt1.aspmx.l.google.com]
Note: You MUST configure the recipient domain - regardless of who may host their email system.
Save the file
6. As the zimbra superuser, run the command postfix reload to reload the hash table into the currently running postfix process.
The next email going out to the domain should be over a TLS-encrypted connection.
Note that if 'encrypt' is selected for a domain, and a TLS session cannot be created, the email will be deferred in the zimbra mail queue.
Finally, as asked above: if anyone can tell me whether there is a way to require incoming emails from particular domains to only be accepted over TLS connections, I would love to know. Or, if it is a requirement that the sender of those emails dictates the connection, that would be good to know too.
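To make the behaviour of the policy table concrete (an "encrypt" domain whose MX does not offer STARTTLS is deferred, a "may" or unlisted domain falls back to plaintext), here is a small added example that parses a policy file in the format shown above, predicts the delivery outcome per recipient domain, and picks the "Host offered STARTTLS" hosts out of zimbra.log lines. It is illustration written for this thread, not Postfix or Zimbra code; the policy text and log lines are constructed, the lookup is exact-key only, and the certificate checks of the verify/secure levels are not modelled.

```python
import re

# Constructed policy table in the same format as the file described in the thread.
POLICY_TEXT = """\
# recipient-domain  level    attributes
domain1.com         encrypt  protocols=SSLv3:TLSv1
domain2.com         encrypt  protocols=SSLv3:TLSv1 ciphers=high
domain3.com         may
"""

# Postfix security levels that never fall back to plaintext (mail is deferred instead).
TLS_MANDATORY = {"encrypt", "verify", "secure", "fingerprint", "dane-only"}

def parse_policy(text):
    """Parse 'domain level [key=value ...]' lines into {domain: (level, {key: value})}."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        domain, level = fields[0].lower(), fields[1].lower()
        attrs = dict(field.split("=", 1) for field in fields[2:])
        policy[domain] = (level, attrs)
    return policy

def delivery_outcome(policy, recipient_domain, offers_starttls, default_level="none"):
    """Predict what Postfix does for a recipient domain: 'tls', 'plaintext' or 'deferred'.
    default_level stands in for smtp_tls_security_level for domains not in the map
    (Postfix's own default is 'none'; use the value from your main.cf)."""
    level = policy.get(recipient_domain.lower(), (default_level, {}))[0]
    if level == "none":
        return "plaintext"
    if offers_starttls:
        return "tls"
    return "deferred" if level in TLS_MANDATORY else "plaintext"

# Matches the line smtp_tls_note_starttls_offer=yes writes, with or without a [pid].
STARTTLS_RE = re.compile(r"Host offered STARTTLS: \[([^\]]+)\]")

def hosts_offering_starttls(log_lines):
    """Collect MX hosts that advertised STARTTLS but are not yet covered by the policy."""
    return {m.group(1) for line in log_lines if (m := STARTTLS_RE.search(line))}

if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for dom, offered in (("domain1.com", False), ("domain1.com", True), ("domain3.com", False)):
        print(dom, "STARTTLS offered" if offered else "no STARTTLS", "->", delivery_outcome(pol, dom, offered))
```

Because the log line names the MX host rather than the recipient domain, the collected hosts still have to be mapped back to the domains you put in the policy file, which is the point the note about Google-hosted domains makes.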