From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 1192C909FC for ; Thu, 9 Mar 2023 11:19:23 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C80CB92B3 for ; Thu, 9 Mar 2023 11:18:52 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 9 Mar 2023 11:18:51 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D7F504581C for ; Thu, 9 Mar 2023 11:18:50 +0100 (CET) From: Christoph Heiss To: pmg-devel@lists.proxmox.com Date: Thu, 9 Mar 2023 11:18:43 +0100 Message-Id: <20230309101846.192177-1-c.heiss@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.081 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH pmg-{api, gui, docs} 0/3] fix #2437: Add TLS inbound policy for sender domains X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Mar 2023 10:19:23 -0000 TL;DR: Implements the approach as laid out by Stoiko in the Bugzilla ticket [0]. A new API endpoint is added - /api2/json/config/tlsinboundpolicy. This is used to configure the newly introduced postfix map at /etc/pmg/tls_inbound_policy, specifying sender domains which get the `reject_plaintext_session` action [1] set, thus requiring TLS-encrypted sessions on inbound connections. On the GUI side, a new panel is added in Configuration -> Mail Proxy -> TLS, where the domains can be specified for this new policy. The documentation changes are quite terse, maybe I should expand a bit more on that topic? (Although the TLS destination policy is only lightly documented as well, as far as I could see.) Testing ------- Tested this to the best of my knowledge, by adding some domains as TLS inbound policy and using `curl` to send some simple mails: echo '' | curl -skv smtp:// -T - \ --mail-from foo@localhost.localdomain \ --mail-rcpt bar@localhost.localdomain .. where `localhost.localdomain` is on the new 'TLS Inboud Policy' list. This will now fail with: 450 4.7.1 Session encryption is required When additionally adding the `--ssl-reqd` option to curl (instructing it to require a TLS-encrypted session), the above command will succeed. (Also tested it with a domain not on the list, checking that no regressions are introduced.) [0] https://bugzilla.proxmox.com/show_bug.cgi?id=2437 [1] http://www.postfix.org/postconf.5.html#reject_plaintext_session --- pmg-api: Christoph Heiss (1): fix #2437: config: Add inbound TLS policy option src/Makefile | 1 + src/PMG/API2/Config.pm | 7 +++ src/PMG/API2/InboundTLSPolicy.pm | 127 +++++++++++++++++++++++++++++++++++++++ src/PMG/Config.pm | 56 +++++++++++++++++ src/templates/main.cf.in | 1 + 5 files changed, 192 insertions(+) pmg-gui: Christoph Heiss (1): fix #2437: proxy: Add 'TLS Inbound Policy' panel js/MailProxyTLSInboundPolicy.js | 93 +++++++++++++++++++++++++++++++++++++++++ js/MailProxyTLSPanel.js | 8 +++- js/Makefile | 1 + 3 files changed, 101 insertions(+), 1 deletion(-) pmg-docs: Christoph Heiss (1): pmgconfig: Explain new TLS inbound policy configuration pmgconfig.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) -- 2.39.2