From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <s.ivanov@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id DDA3F91FCD
 for <pmg-devel@lists.proxmox.com>; Mon, 20 Mar 2023 22:02:00 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id B965A8CF2
 for <pmg-devel@lists.proxmox.com>; Mon, 20 Mar 2023 22:01:30 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pmg-devel@lists.proxmox.com>; Mon, 20 Mar 2023 22:01:28 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A077C45A88
 for <pmg-devel@lists.proxmox.com>; Mon, 20 Mar 2023 22:01:28 +0100 (CET)
Date: Mon, 20 Mar 2023 22:01:24 +0100
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Christoph Heiss <c.heiss@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Message-ID: <20230320220124.650aceca@rosa.proxmox.com>
In-Reply-To: <20230320103548.382757-1-c.heiss@proxmox.com>
References: <20230320103548.382757-1-c.heiss@proxmox.com>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.24; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.141 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pmg-devel] applied-series:  [PATCH v2 pmg-{api, gui,
 docs} 0/4] fix #2437: Add TLS enforcment option for inbound domains
X-BeenThere: pmg-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
List-Post: <mailto:pmg-devel@lists.proxmox.com>
List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2023 21:02:00 -0000

Thanks for the rework! 
tested a bit more and applied it with a small rephrase on the docs-commit
and a follow-up for (hopefully) better error-handling on wrong entries in
the API for tls_inbound_domains and tls_policy.



On Mon, 20 Mar 2023 11:35:44 +0100
Christoph Heiss <c.heiss@proxmox.com> wrote:

> TL;DR: Implements the approach as laid out by Stoiko in the Bugzilla
> ticket [0].
> 
> A new API endpoint is added - /api2/json/config/tlsinbounddomains. This
> is used to configure the newly introduced postfix map at
> /etc/pmg/tls_inbound_domains, specifying sender domains which get the
> `reject_plaintext_session` action [1] set, thus requiring TLS-encrypted
> sessions on inbound connections.
> 
> On the GUI side, a new panel is added in Configuration -> Mail Proxy ->
> TLS, where the domains for which this should be enforced can be specified.
> 
> Testing
> -------
> Tested this to the best of my knowledge, by adding some domains using
> the UI and using `curl` to send some simple mails:
> 
>   echo '' | curl -skv smtp://<host> -T - \
>     --mail-from foo@localhost.localdomain \
>     --mail-rcpt bar@localhost.localdomain
> 
> .. where `localhost.localdomain` is on the new 'TLS Inbound Domains' list.
> This will now fail with:
> 
>   450 4.7.1 Session encryption is required
> 
> When additionally adding the `--ssl-reqd` option to curl (instructing it
> to require a TLS-encrypted session), the above command will succeed.
> 
> (Also tested it with a domain not on the list, checking that no
> regressions are introduced.)
> 
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=2437
> [1] http://www.postfix.org/postconf.5.html#reject_plaintext_session
> 
> v1: https://lists.proxmox.com/pipermail/pmg-devel/2023-March/002296.html
> 
> ---
> pmg-api:
> 
> Christoph Heiss (2):
>       fix #2437: config: Add new tls_inbound_domains postfix map
>       fix #2437: api: Add endpoint for managing tls_inbound_domains entries
> 
>  src/Makefile                      |   1 +
>  src/PMG/API2/Config.pm            |   7 +++
>  src/PMG/API2/InboundTLSDomains.pm | 127 ++++++++++++++++++++++++++++++++++++++
>  src/PMG/Cluster.pm                |   1 +
>  src/PMG/Config.pm                 |  56 +++++++++++++++++
>  src/templates/main.cf.in          |   1 +
>  6 files changed, 193 insertions(+)
> 
> pmg-gui:
> 
> Christoph Heiss (1):
>       fix #2437: proxy: Add 'TLS Inbound Domains' panel
> 
>  js/MailProxyTLSInboundDomains.js | 93 ++++++++++++++++++++++++++++++++++++++++
>  js/MailProxyTLSPanel.js          |  8 +++-
>  js/Makefile                      |  1 +
>  3 files changed, 101 insertions(+), 1 deletion(-)
> 
> pmg-docs:
> 
> Christoph Heiss (1):
>       pmgconfig: Explain new TLS inbound domains configuration
> 
>  pmgconfig.adoc | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> --
> 2.39.2
> 
> 
> 
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
> 
>