From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 01FD6909DC for ; Thu, 16 Mar 2023 13:29:16 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 998514380 for ; Thu, 16 Mar 2023 13:28:45 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 16 Mar 2023 13:28:44 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 43A53438B3 for ; Thu, 16 Mar 2023 13:28:44 +0100 (CET) Date: Thu, 16 Mar 2023 13:28:42 +0100 From: Stoiko Ivanov To: Christoph Heiss Cc: pmg-devel@lists.proxmox.com Message-ID: <20230316132842.283a5276@rosa.proxmox.com> In-Reply-To: <20230309101846.192177-1-c.heiss@proxmox.com> References: <20230309101846.192177-1-c.heiss@proxmox.com> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.24; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.144 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pmg-devel] [PATCH pmg-{api, gui, docs} 0/3] fix #2437: Add TLS inbound policy for sender domains X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2023 12:29:16 -0000 Thanks for tackling this!! Works as advertised in general - so I think the approach is fine One thing that seems odd to me (and sadly I don't have a good and short answer) is that it's not a policy we're setting - it's a list of domains, for which the singular policy (in this context) is that we accept mails from them only via tls... Inbound TLS Domains ? (at least mentions TLS, and explicitly mentioning domains might be hint enough that you cannot enter an IP (or network) there) Reject Plaintext Domains? (probably only appeals to users who know `postconf(5)` by heart) some comments inline (some as reply to the individual patches): On Thu, 9 Mar 2023 11:18:43 +0100 Christoph Heiss wrote: > TL;DR: Implements the approach as laid out by Stoiko in the Bugzilla > ticket [0]. > > A new API endpoint is added - /api2/json/config/tlsinboundpolicy. This > is used to configure the newly introduced postfix map at > /etc/pmg/tls_inbound_policy, specifying sender domains which get the > `reject_plaintext_session` action [1] set, thus requiring TLS-encrypted > sessions on inbound connections. > > On the GUI side, a new panel is added in Configuration -> Mail Proxy -> > TLS, where the domains can be specified for this new policy. > > The documentation changes are quite terse, maybe I should expand a bit > more on that topic? (Although the TLS destination policy is only lightly > documented as well, as far as I could see.) I personally am fine with terse documentation - however I always try to refer to the authoritative source - in this case the relevant postfix config parameter ([1]) - that way users who want to get more details actually see what's going on under the hood). You could rephrase the docs to mention that it sets reject_plaintext_session for those domains during MAIL FROM) > > Testing > ------- > Tested this to the best of my knowledge, by adding some domains as TLS > inbound policy and using `curl` to send some simple mails: > > echo '' | curl -skv smtp:// -T - \ > --mail-from foo@localhost.localdomain \ > --mail-rcpt bar@localhost.localdomain > > .. where `localhost.localdomain` is on the new 'TLS Inboud Policy' list. > This will now fail with: I use swaks (apt installable) quite extensively for such things - short of smtputf8 support it should cover most use-cases - but thanks for the tip with curl being able to speak smtp as well :) > > 450 4.7.1 Session encryption is required > > When additionally adding the `--ssl-reqd` option to curl (instructing it > to require a TLS-encrypted session), the above command will succeed. > > (Also tested it with a domain not on the list, checking that no > regressions are introduced.) > > [0] https://bugzilla.proxmox.com/show_bug.cgi?id=2437 > [1] http://www.postfix.org/postconf.5.html#reject_plaintext_session > > --- > pmg-api: > > Christoph Heiss (1): > fix #2437: config: Add inbound TLS policy option > > src/Makefile | 1 + > src/PMG/API2/Config.pm | 7 +++ > src/PMG/API2/InboundTLSPolicy.pm | 127 +++++++++++++++++++++++++++++++++++++++ > src/PMG/Config.pm | 56 +++++++++++++++++ > src/templates/main.cf.in | 1 + > 5 files changed, 192 insertions(+) > > pmg-gui: > > Christoph Heiss (1): > fix #2437: proxy: Add 'TLS Inbound Policy' panel > > js/MailProxyTLSInboundPolicy.js | 93 +++++++++++++++++++++++++++++++++++++++++ > js/MailProxyTLSPanel.js | 8 +++- > js/Makefile | 1 + > 3 files changed, 101 insertions(+), 1 deletion(-) > > pmg-docs: > > Christoph Heiss (1): > pmgconfig: Explain new TLS inbound policy configuration > > pmgconfig.adoc | 8 ++++++++ > 1 file changed, 8 insertions(+) > > -- > 2.39.2 > > > > _______________________________________________ > pmg-devel mailing list > pmg-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel > >