Thread: How to Require TLS incoming/outgoing for one domain

  1. #1
    How to Require TLS incoming/outgoing for one domain

    Hi,

    One of our customers has made a policy decision that all email incoming and outgoing needs to be over a TLS encrypted channel. So they expect to send to us over TLS and expect us to send to them over TLS.

    Can anyone tell me exactly what I will need to configure to allow this?

    Our setup -
    MX records point to external ISP mail relay/spam filters
    ISP delivers mail to our mail server.

    Outgoing mail goes directly from our mail server

    They wish the configuration to require TLS - not to fall back to plain text if TLS cannot be established.

    I have seen the wiki articles "Postfix PCI Compliance in ZCS - Zimbra :: Wiki" and "Outgoing SMTP Authentication - Zimbra :: Wiki", but I'm still confused.

    Thanks in advance

  2. #2

    I am facing the same issue. The client is using Symantec Mail Security in front of a Tumbleweed Secure eMail Server. We need to be able to configure our server to deal with theirs by supporting

    "Routing of emails over point-to-point telecommunications circuits... shall support Secure SMTP over Transport Layer Security (TLS) RFC 3207. Bidirectional TLS email encryption must be tested and documented."

    Anyone have a HOWTO on this one?

    Thanks!

    --Eriks

  3. #3
    Configuring TLS for outgoing emails

    I will answer my own question - at least partially. I would still like to get some assurance that what I have done is correct thus far.


    ZIMBRA by default uses a TLS-enabled build of postfix. This makes the task very easy. It will by default accept TLS incoming connections with no further configuration. It is up to those sending you email to configure their system to send to you using TLS. I don't know if you can refuse to accept non-TLS emails for a domain - if someone knows for sure, please chime in.


    Configuring postfix to request/require a TLS connection for outgoing email is done on a per-domain basis.

    For background see: Postfix TLS ReadMe

    For our purposes, there are a few simple steps to take to add/update the domains to use TLS for.

    1. On the zimbra server, login as root

    2. Create a file with a list of the domains and any required cipher strength

    Using a text editor, edit a file
    Code:
     /etc/zimbra_tls_policy
    (Note- this file is being placed outside of the /opt/zimbra tree to avoid losing it during an upgrade)

    Add one line to the file for each domain. For example, here is our initial file for testing purposes - see the TLS Policy Table information in the document referenced above for the meanings of the various settings in this example - and for other settings that are available.

    Code:
    domain1.com     encrypt  protocols=SSLv3:TLSv1
    domain2.com     encrypt  protocols=SSLv3:TLSv1 ciphers=high
    domain3.com     may

    Save the file.

    3. Create a hash table from the file. (Not sure if that is the correct terminology)

    As root, run the command,
    Code:
     /opt/zimbra/postfix/sbin/postmap /etc/zimbra_tls_policy


    This creates a file called /etc/zimbra_tls_policy.db

    (Note: postfix versions change with zimbra upgrades - but the postfix link should always point to the most recent version)

    4. Run the command,
    Code:
    su - zimbra 
    to become the zimbra superuser

    5. For the first time only, edit the postfix configuration file main.cf to make it aware of the TLS Policy File

    As the zimbra superuser, edit the file /opt/zimbra/postfix/conf/main.cf

    Check for the following two entries, and add/edit them to match the following

    Code:
    smtp_tls_policy_maps = hash:/etc/zimbra_tls_policy
    smtp_tls_note_starttls_offer = yes

    The first one tells postfix that there is a TLS Policy File to be used.
    The second line tells zimbra to report in the log file (/var/log/zimbra.log) any hosts we connect to that offer TLS support, but that we have not yet configured for TLS usage. This allows collection of details of domains that we can enable TLS support for going forward. It will also allow us to see if a targeted domain is already configured to accept TLS before we turn it on on our end. This will avoid having email that gets deferred on our mail server because a TLS session could not be established. Log lines will look like the following. Note: in this particular case, the email was to domain1.com - but as they are hosted by google - it is the google server that reports the status.

    Code:
    May  6 16:51:38 zimbra postfix/smtp[29442]: Host offered STARTTLS: [alt1.aspmx.l.google.com]


    Note: You MUST configure the recipient domain - regardless of who may host their email system.

    Save the file.

    6. As the zimbra superuser, run the command,
    Code:
    postfix reload
    to reload the hash table into the currently running postfix process.

    The next email going out to the domain should be over a TLS-encrypted connection.


    Note that if 'encrypt' is selected for a domain, and a TLS session cannot be created, the email will be deferred in the zimbra mail queue.


    Finally, as asked above. If anyone can tell if there is a way to require incoming emails from particular domains to only be accepted over TLS connections I would love to know. Or - if it is a requirement that the sender of those emails dictates the connection that would be good to know too.
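As an added helper (not part of the post above, and not Zimbra or Postfix code), the following Python script parses a policy table in the /etc/zimbra_tls_policy format, checks that each domain uses a TLS level Postfix recognises, extracts the hosts that "Host offered STARTTLS" log lines report, and lists domains whose protocols= setting still permits SSLv3 (prohibited by RFC 7568). The policy table and log lines are constructed samples modelled on the ones in the post.

```python
import re

# TLS levels accepted in a Postfix smtp_tls_policy_maps table (Postfix TLS README).
VALID_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                "fingerprint", "verify", "secure"}

# Constructed sample in the /etc/zimbra_tls_policy format from the post.
POLICY_TEXT = """\
# comments and blank lines are ignored
domain1.com     encrypt  protocols=SSLv3:TLSv1
domain2.com     encrypt  protocols=SSLv3:TLSv1 ciphers=high
domain3.com     may
"""

# Constructed log lines in the shape produced by smtp_tls_note_starttls_offer = yes.
LOG_TEXT = """\
May  6 16:51:38 zimbra postfix/smtp[29442]: Host offered STARTTLS: [alt1.aspmx.l.google.com]
May  6 16:52:10 zimbra postfix/smtp[29450]: Host offered STARTTLS: [mail.example.net]
May  6 16:53:02 zimbra postfix/smtp[29461]: 5F3A2C1: to=<user@domain3.com>, relay=mail.example.net[192.0.2.10]:25, status=sent (250 OK)
"""

def parse_policy(text):
    """Return {domain: (level, {attr: value})}; raise on a malformed line or unknown level."""
    policy = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<domain> <level> [attr=value ...]'")
        domain, level, attrs = fields[0].lower(), fields[1].lower(), fields[2:]
        if level not in VALID_LEVELS:
            raise ValueError(f"line {lineno}: {domain}: unknown TLS level {level!r}")
        policy[domain] = (level, dict(a.split("=", 1) for a in attrs))
    return policy

def starttls_hosts(text):
    """Unique MX hosts that advertised STARTTLS, taken from the note_starttls_offer log lines."""
    pat = re.compile(r"postfix/smtp\[\d+\]: Host offered STARTTLS: \[([^\]]+)\]")
    return sorted({m.group(1) for m in map(pat.search, text.splitlines()) if m})

def sslv3_domains(policy):
    """Domains at 'encrypt' or stronger whose protocols= list still allows SSLv3."""
    return sorted(d for d, (lvl, attrs) in policy.items()
                  if lvl not in ("none", "may")
                  and "SSLv3" in attrs.get("protocols", "").split(":"))
```

The hosts reported by the log are the remote MX servers, not the recipient domains, so the hostname list still has to be mapped back to the domains you add to the policy table.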

  4. #4

    I just wanted to say thanks for writing this up. I have to do this myself in a few days and found your post during a little research. This sounds pretty straightforward now. Thanks again.

  5. #5

    Vincent.

    Did these instructions cause any adverse effects? I am being required, by a client, to do this as well and didn't want to break my production system.

    Thanks!

    Doug
    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

  6. #6

    No. Not for my system anyway - other than I have not figured (or looked into for that matter) how to persist the main.cf changes through zimbra upgrades. I am just keeping a backup copy of main.cf, and adding the required changes as part of the upgrade process.

    This is all standard postfix functionality.

  7. #7

    Quote Originally Posted by liverpoolfcfan:
    No. Not for my system anyway - other than I have not figured (or looked into for that matter) how to persist the main.cf changes through zimbra upgrades. I am just keeping a backup copy of main.cf, and adding the required changes as part of the upgrade process.
    Thanks for the feedback, I'll be trying it out tonight.

    Doug
    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
