From: Christoph Heiss <c.heiss@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-{api, gui, docs} 0/3] fix #2437: Add TLS inbound policy for sender domains
Date: Thu, 9 Mar 2023 11:18:43 +0100
Message-ID: <20230309101846.192177-1-c.heiss@proxmox.com>
TL;DR: Implements the approach as laid out by Stoiko in the Bugzilla
ticket [0].
A new API endpoint is added - /api2/json/config/tlsinboundpolicy. This
is used to configure the newly introduced postfix map at
/etc/pmg/tls_inbound_policy, specifying sender domains which get the
`reject_plaintext_session` action [1] set, thus requiring TLS-encrypted
sessions on inbound connections.
On the GUI side, a new panel is added in Configuration -> Mail Proxy ->
TLS, where the domains can be specified for this new policy.
The documentation changes are quite terse, maybe I should expand a bit
more on that topic? (Although the TLS destination policy is only lightly
documented as well, as far as I could see.)
Testing
-------
Tested this to the best of my knowledge, by adding some domains as TLS
inbound policy and using `curl` to send some simple mails:
echo '' | curl -skv smtp://<host> -T - \
--mail-from foo@localhost.localdomain \
--mail-rcpt bar@localhost.localdomain
.. where `localhost.localdomain` is on the new 'TLS Inbound Policy' list.
This will now fail with:
450 4.7.1 Session encryption is required
When additionally adding the `--ssl-reqd` option to curl (instructing it
to require a TLS-encrypted session), the above command will succeed.
(Also tested it with a domain not on the list, checking that no
regressions are introduced.)
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=2437
[1] http://www.postfix.org/postconf.5.html#reject_plaintext_session
---
pmg-api:
Christoph Heiss (1):
fix #2437: config: Add inbound TLS policy option
src/Makefile | 1 +
src/PMG/API2/Config.pm | 7 +++
src/PMG/API2/InboundTLSPolicy.pm | 127 +++++++++++++++++++++++++++++++++++++++
src/PMG/Config.pm | 56 +++++++++++++++++
src/templates/main.cf.in | 1 +
5 files changed, 192 insertions(+)
pmg-gui:
Christoph Heiss (1):
fix #2437: proxy: Add 'TLS Inbound Policy' panel
js/MailProxyTLSInboundPolicy.js | 93 +++++++++++++++++++++++++++++++++++++++++
js/MailProxyTLSPanel.js | 8 +++-
js/Makefile | 1 +
3 files changed, 101 insertions(+), 1 deletion(-)
pmg-docs:
Christoph Heiss (1):
pmgconfig: Explain new TLS inbound policy configuration
pmgconfig.adoc | 8 ++++++++
1 file changed, 8 insertions(+)
--
2.39.2
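As an added illustration of the mechanism this series configures (my own example, not code from pmg-api): the map is a plain Postfix access table whose keys are sender domains and whose action is `reject_plaintext_session`; on a session without TLS Postfix answers with the plaintext_reject_code (450 by default) and the text seen in the curl test above. The script below renders such a map, parses it back, and emulates a `check_sender_access` lookup (simplified: full address, then the domain and its parent domains, then `localpart@`; that pmg-api wires the map in via `check_sender_access` and the exact lookup order are my assumptions) so an operator can predict which senders will be bounced before touching a live mail server.

```python
"""Model of the inbound TLS policy map (added example, not pmg-api code)."""
import re

ACTION = "reject_plaintext_session"
# Reply Postfix gives when reject_plaintext_session fires on a non-TLS
# session (plaintext_reject_code defaults to 450).
REJECT_REPLY = "450 4.7.1 Session encryption is required"
ACCEPT_REPLY = "250 2.1.0 Ok"

# Hostname labels: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def is_valid_domain(domain: str) -> bool:
    """Syntactic check for a sender domain before it goes into the map."""
    return len(domain) <= 253 and bool(_DOMAIN_RE.match(domain.lower()))


def render_policy_map(domains) -> str:
    """Build the access-table text: one `domain reject_plaintext_session` per line."""
    lines = []
    for raw in domains:
        domain = raw.strip().lower()
        if not is_valid_domain(domain):
            raise ValueError(f"invalid sender domain: {raw!r}")
        lines.append(f"{domain} {ACTION}")
    return "\n".join(lines) + "\n"


def parse_policy_map(text: str) -> dict:
    """Parse access-table text (key, whitespace, action; '#' starts a comment)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"access table line without action: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_sender(sender: str, table: dict, match_subdomains: bool = True):
    """Emulate a check_sender_access lookup (simplified, assumed order).

    Keys tried: the full address, the domain and then each parent domain
    (a.b.c -> b.c -> c) when match_subdomains is set, which mirrors Postfix's
    default parent_domain_matches_subdomains including smtpd_access_maps,
    and finally `localpart@`.
    """
    sender = sender.lower()
    localpart, _, domain = sender.rpartition("@")
    candidates = [sender]
    if domain:
        labels = domain.split(".")
        depth = len(labels) if match_subdomains else 1
        candidates += [".".join(labels[i:]) for i in range(depth)]
        candidates.append(localpart + "@")
    for key in candidates:
        if key in table:
            return table[key]
    return None


def evaluate_session(sender: str, tls_active: bool, table: dict) -> str:
    """SMTP reply for MAIL FROM given the policy table and TLS state."""
    action = lookup_sender(sender, table)
    if action == ACTION and not tls_active:
        return REJECT_REPLY
    return ACCEPT_REPLY


if __name__ == "__main__":
    # Constructed sample: the domain used in the curl test from the cover letter.
    text = render_policy_map(["localhost.localdomain"])
    print(text, end="")
    table = parse_policy_map(text)
    for tls in (False, True):
        print(f"tls={tls}:", evaluate_session("foo@localhost.localdomain", tls, table))
```

Running it prints the map content followed by the 450 reply for the plaintext session and the 250 reply once TLS is active, matching the behaviour of the curl test with and without `--ssl-reqd`.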