From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 992D991AF8 for ; Mon, 20 Mar 2023 09:14:39 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 703092F6F7 for ; Mon, 20 Mar 2023 09:14:09 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 20 Mar 2023 09:14:08 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E8F9F4583E for ; Mon, 20 Mar 2023 09:14:07 +0100 (CET) Date: Mon, 20 Mar 2023 09:14:06 +0100 From: Christoph Heiss To: Stoiko Ivanov Cc: pmg-devel@lists.proxmox.com Message-ID: <20230320081406.htnkpvbkq6xs3xtw@maui.proxmox.com> References: <20230309101846.192177-1-c.heiss@proxmox.com> <20230316132842.283a5276@rosa.proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230316132842.283a5276@rosa.proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL -0.074 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pmg-devel] [PATCH pmg-{api, gui, docs} 0/3] fix #2437: Add TLS inbound policy for sender domains X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2023 08:14:39 -0000 Thanks for the review on the whole series! On Thu, Mar 16, 2023 at 01:28:42PM +0100, Stoiko Ivanov wrote: > Thanks for tackling this!! > > Works as advertised in general - so I think the approach is fine > > One thing that seems odd to me (and sadly I don't have a good and short > answer) is that it's not a policy we're setting - it's a list of domains, > for which the singular policy (in this context) is that we accept mails > from them only via tls... I'm bad at naming as per usual :^) I agree that 'policy' might be the wrong word for that .. > > Inbound TLS Domains ? (at least mentions TLS, and explicitly mentioning > domains might be hint enough that you cannot enter an IP (or network) > there) > Reject Plaintext Domains? (probably only appeals to users who know > `postconf(5)` by heart) >From the two suggestions above I'd IMHO go with 'Inbound TLS Domains' - it mostly says what it does on the tin and is probably one of the better options in general. The latter - as you say - leans very much on postfix nomenclature and might be unclear to (some) users. If that's okay with you I'll rename it for v2 and than see how it looks. > > some comments inline (some as reply to the individual patches): > On Thu, 9 Mar 2023 11:18:43 +0100 > Christoph Heiss wrote: > > > [..] > > The documentation changes are quite terse, maybe I should expand a bit > > more on that topic? (Although the TLS destination policy is only lightly > > documented as well, as far as I could see.) > I personally am fine with terse documentation - however I always try to > refer to the authoritative source - in this case the relevant postfix > config parameter ([1]) - that way users who want to get more details > actually see what's going on under the hood). > You could rephrase the docs to mention that it sets > reject_plaintext_session for those domains during MAIL FROM) Ack, I'll add a link to the postfix config parameter and mention that it sets `reject_plaintext_session`. > > > > > > Testing > > ------- > > [..] > I use swaks (apt installable) quite extensively for such things - short of > smtputf8 support it should cover most use-cases - but thanks for the tip > with curl being able to speak smtp as well :) Haven't heard of or used swaks before, looks very useful - thanks for the tip as well! curl speaks ~every protocol that exists, so it was simply the first tool that came to my mind :) > > > > > 450 4.7.1 Session encryption is required > > > > When additionally adding the `--ssl-reqd` option to curl (instructing it > > to require a TLS-encrypted session), the above command will succeed. > > > > (Also tested it with a domain not on the list, checking that no > > regressions are introduced.) > > > > [0] https://bugzilla.proxmox.com/show_bug.cgi?id=2437 > > [1] http://www.postfix.org/postconf.5.html#reject_plaintext_session > > > > --- > > pmg-api: > > > > Christoph Heiss (1): > > fix #2437: config: Add inbound TLS policy option > > > > src/Makefile | 1 + > > src/PMG/API2/Config.pm | 7 +++ > > src/PMG/API2/InboundTLSPolicy.pm | 127 +++++++++++++++++++++++++++++++++++++++ > > src/PMG/Config.pm | 56 +++++++++++++++++ > > src/templates/main.cf.in | 1 + > > 5 files changed, 192 insertions(+) > > > > pmg-gui: > > > > Christoph Heiss (1): > > fix #2437: proxy: Add 'TLS Inbound Policy' panel > > > > js/MailProxyTLSInboundPolicy.js | 93 +++++++++++++++++++++++++++++++++++++++++ > > js/MailProxyTLSPanel.js | 8 +++- > > js/Makefile | 1 + > > 3 files changed, 101 insertions(+), 1 deletion(-) > > > > pmg-docs: > > > > Christoph Heiss (1): > > pmgconfig: Explain new TLS inbound policy configuration > > > > pmgconfig.adoc | 8 ++++++++ > > 1 file changed, 8 insertions(+) > > > > -- > > 2.39.2 > > > > > > > > _______________________________________________ > > pmg-devel mailing list > > pmg-devel@lists.proxmox.com > > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel > > > > >