Project

General

Profile

Enhancement #674

MTA-STS

Added by Marc Dequènes about 1 month ago. Updated 26 days ago.

Status:
Resolved
Priority:
Normal
Category:
Service :: Mail
Start date:
2019-09-12
Due date:
% Done:

100%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Yes
Help Needed:

Description

Let's use MTA-STS (RFC 8461) to enforce using TLS to talk to our mail servers.

History

#1

Updated by Marc Dequènes about 1 month ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 50

Added MTA-STS policy which can be setup via Ansible.

Now we need to check the status for incoming mails.

#2

Updated by Marc Dequènes about 1 month ago

Found an interesting resolver, but Debian packaging seems blocked; pingued Benjamin.

#3

Updated by Marc Dequènes about 1 month ago

  • % Done changed from 50 to 90

I had no reply and that's going to take time anyway so I created a role to install postfix-mta-sts-resolver using pip in a virtualenv.

All is in place now and manual tests were ok; I'm monitoring the logs to see how it goes.

#4

Updated by Marc Dequènes about 1 month ago

We need to secure lists.duckcorp.org too.

#5

Updated by Marc Dequènes about 1 month ago

  • % Done changed from 90 to 70

despite my tests (I guess due to delay to be taken into account) the enforcing policy caused problems because of our custom CA; switched to testing until solved.

#6

Updated by Marc Dequènes about 1 month ago

  • % Done changed from 70 to 80

SMTP certs are now using Let's Encrypt certs using DNS challenge. I was able to enforce the MTA-STS policy again.

As we do not generate the cert ourselves I was forced to disable TLSA. I saw some projects around this and need to look at it.

I also need to replace the DH generation.

#7

Updated by Marc Dequènes about 1 month ago

Well well well.

Sep 19 22:12:07 Orfeo postfix/smtp[20358]: Verified TLS connection established to gmail-smtp-in.l.google.com[64.233.167.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

#8

Updated by Marc Dequènes about 1 month ago

  • % Done changed from 80 to 90
  • Security set to Yes

All MX types are now using Let's Encrypt.

I cleaned-up the obsolete certs from our custom CA and reenabled TLSA for the remaining services.

The DH is now generated.

I created #675 for the TLSA part as using Let's Encrypt for website also had the same effect, so it's not directly related to MTA-STS.

Continuing to monitor, no problems so far.

#9

Updated by Marc Dequènes about 1 month ago

Postfix needs to be restarted when the cert is regenerated. I should into LE hooks.

#10

Updated by Marc Dequènes 26 days ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

The hook was created and works fine.

There was no problem during the week, thus closing.

Also available in: Atom PDF