Mail Domains and TLS

Policy Options

none - No TLS

Mail delivery over unencrypted connections.

may - Opportunistic TLS

The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear. Certificates are not checked.

encrypt - Mandatory TLS encryption

The SMTP transaction is aborted unless the STARTTLS ESMTP feature is supported by the remote SMTP server. If no suitable servers are found, the message will be deferred. Certificates are not checked.

At this security level and higher, the smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers configuration parameters determine the list of sufficiently secure SSL protocol versions and the minimum cipher strength.

dane - Opportunistic DANE TLS

If a remote SMTP server has “usable” DANE TLSA records, the server connection will be authenticated. When DANE authentication fails, there is no fallback to unauthenticated or plaintext delivery.

If the remote server has “unusable” DANE TLSA records, the Postfix SMTP client will fall back to mandatory unauthenticated TLS (encrypt).

dane-only - Mandatory DANE TLS

If “usable” TLSA records are present these are used to authenticate the remote SMTP server. Otherwise, or when server certificate verification fails, delivery via the server in question fails and will be retried later.

fingerprint - Certificate fingerprint verification

At the fingerprint security level, no trusted Certification Authorities are used or required. The certificate trust chain, expiration date, etc., are not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the “match” attribute in the policy table lists the remote SMTP server certificate fingerprint or public key fingerprint.

verify - Mandatory server certificate verification

The server certificate must be valid (not expired or revoked, and signed by a trusted Certification Authority) and the server certificate name (CN or SubjectAltName) must match the server's hostname as obtained from DNS MX records or other means (e.g. transport_map).

secure - Secure-channel TLS

DNS forgery resistant server certificate verification. Not sure, but the way I understand it, the certificate's SubjectAltName or CN must match the server name as configured in a local transport_map or tls_policy_map. In this case there is no need for a (potentially insecure) DNS query to obtain server names from MX records.

TLS Policies Map

Domain                 Provider         Policy
_default               _                dane
alainwolf.ch           Hostpoint.ch     verify
alainwolf.net          urown.net        dane-only
audioasyl.net          Nocloud          encrypt
digitalocean.com       Google           verify
eat.ch                 P                encrypt
epost.ch               Post CH AG       verify
fuerdich.ch            Cyon.net         encrypt
gmail.com              Google           verify
gmx.at                 1&1              dane-only
gmx.ch                 1&1              dane-only
gmx.de                 1&1              dane-only
hotmail.ch             Microsoft        encrypt
hotmail.com            Microsoft        encrypt
init7.net              Init7            none
koch18.org             Hostpoint        verify
lede-project.org       lede-project     verify
lists.torproject.org   torproject.org   dane-only
morganschmid.ch        Hostpoint        verify
nongnu.org             Gnu              verify
notime.ch              Google           verify
notime.eu              Google           verify
nzz.ch                 Microsoft        verify
restkultur.ch          Blankton         encrypt
torproject.org         torproject.org   dane-only
veloplus.ch            Google           verify
web.de                 1&1              dane-only

Provider Templates

“secure” policies for frequently used providers can be defined once and reused as a kind of template.

This is achieved by combining the two Postfix lookup tables “transport maps” (see transport(5)) with TLS policy maps: the transport map pins a domain to the provider's MX hosts, and the TLS policy map assigns the “secure” level and the expected certificate name to those hosts.

Google

In file /etc/postfix/main.cf:

transport_maps = hash:/etc/postfix/transport
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

In file /etc/postfix/transport:

gmail.com       smtp:[64.233.166.26]
gmail.com       smtp:[173.194.221.26]
gmail.com       smtp:[74.125.68.26]
gmail.com       smtp:[64.233.188.27]
gmail.com       smtp:[74.125.28.27]

veloplus.ch     smtp:[66.102.1.27]

example.co.uk   smtp:[tls.example.com]
example.co.jp   smtp:[tls.example.com]

In file /etc/postfix/tls_policy:

gmail.com   secure match=mx.google.com
veloplus.ch secure match=mx.google.com
# gmail-smtp-in.l.google.com.
[64.233.166.26]     secure match=mx.google.com

# alt1.gmail-smtp-in.l.google.com.
[173.194.221.26]    secure match=mx.google.com

# alt2.gmail-smtp-in.l.google.com.
[74.125.68.26]      secure match=mx.google.com

# alt3.gmail-smtp-in.l.google.com
[64.233.188.27]     secure match=mx.google.com

# alt4.gmail-smtp-in.l.google.com.
[74.125.28.27]      secure match=mx.google.com

# aspmx.l.google.com
[66.102.1.27]       secure match=mx.google.com

# alt1.aspmx.l.google.com.
[173.194.221.26]    secure match=mx.google.com

# alt2.aspmx.l.google.com.
[74.125.68.27]      secure match=mx.google.com

# aspmx2.googlemail.com.
[173.194.221.27]    secure match=mx.google.com

# aspmx3.googlemail.com.
[74.125.68.27]      secure match=mx.google.com
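As an added example (not the page's own code, nor part of Postfix), the Python script below cross-checks a transport map against a tls_policy map in the way the template setup above requires: every bracketed next-hop in the transport map must have a tls_policy entry, no entry may use a level that permits cleartext delivery, and a “secure” entry keyed by an IP literal must carry a match= name, because with an IP next-hop there is no DNS name left for the certificate check. The sample tables are constructed, adapted from the Google template above; the hypothetical defect entry for [217.26.48.124] is deliberate.

```python
import re

# Constructed sample tables (adapted from the page's Google template, not its real files).
TRANSPORT = """\
gmail.com       smtp:[64.233.166.26]
gmail.com       smtp:[173.194.221.26]
example.co.uk   smtp:[tls.example.com]
"""
TLS_POLICY = """\
gmail.com           secure match=mx.google.com
# gmail-smtp-in.l.google.com.
[64.233.166.26]     secure match=mx.google.com
# constructed defect: 'secure' on an IP next-hop without match=
[217.26.48.124]     secure
init7.net           none
"""

LEVELS = {"none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}
WEAK_LEVELS = {"none", "may"}  # both permit delivery in the clear
IP_NEXTHOP = re.compile(r"\[\d{1,3}(?:\.\d{1,3}){3}\]")

def parse_table(text):
    """Parse Postfix lookup-table text into (key, value) pairs; '#' lines and blanks are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].strip()))
    return pairs

def audit(transport_text, policy_text):
    """Return findings: uncovered next-hops, cleartext-capable levels, 'secure' IP entries lacking match=."""
    policy = dict(parse_table(policy_text))  # assumes no duplicate keys (postmap would warn)
    findings = []
    hops = set()
    for _, value in parse_table(transport_text):
        m = re.match(r"^[\w-]+:(\[[^\]]+\])", value)  # e.g. "smtp:[64.233.166.26]"
        if m:
            hops.add(m.group(1))
    for hop in sorted(hops):
        if hop not in policy:
            findings.append(f"{hop}: next-hop has no tls_policy entry, default level applies")
    for key, value in policy.items():
        level, *rest = value.split()
        attrs = dict(f.split("=", 1) for f in rest if "=" in f)
        if level not in LEVELS:
            findings.append(f"{key}: unknown TLS level {level!r}")
        elif level in WEAK_LEVELS:
            findings.append(f"{key}: level {level!r} allows cleartext delivery")
        elif level == "secure" and IP_NEXTHOP.fullmatch(key) and "match" not in attrs:
            findings.append(f"{key}: 'secure' on an IP next-hop needs match=<name>, no DNS name to check")
    return findings
```

Running `audit(TRANSPORT, TLS_POLICY)` on the constructed sample reports the two next-hops without a policy entry, the init7.net “none” entry and the match-less “secure” entry.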

Microsoft

Hostpoint

In file /etc/postfix/tls_policy:

# mx1.mail.hostpoint.ch.
[217.26.49.138]     secure match=*.mail.hostpoint.ch

# mx2.mail.hostpoint.ch.
[217.26.49.139]     secure match=*.mail.hostpoint.ch

# mx.hostpoint.ch.
[217.26.48.124]

# antargus.adm.hostpoint.ch.
[54.229.223.246]