A lightweight and highly performant MTA-STS + DANE/TLSA resolver and TLS policy socketmap server for Postfix that complies to the standards and prioritizes DANE where possible.
-
Simultaneously checks for MTA-STS and DANE for a queried domain.
-
For DANE:
- Check each MX record (all servers in parallel), if one supports DANE. The DNS responses must be authorized (
adflag set). - Verify TLSA records for correctness and supported parameters, only then the
dane-onlypolicy (Mandatory DANE) will be returned. - In case of unsupported parameters or malformed TLSA records,
dane(Opportunistic DANE) is returned. - In those edge cases, Postfix will try to enforce DANE if the TLSA records are usable. If they are not (despite valid DNSSEC signatures, e. g. malformed record set by the legitimate domain administrator or unsupported parameters), it will fall back to mandatory but unauthenticated TLS (thus
encryptat worst). - If the TLSA records are usable but invalid (e. g. key fingerprint mismatch), the mail will be deferred (for both
daneanddane-only), even if there is a valid MTA-STS policy (in conformance with RFC 8461, 2).
- Check each MX record (all servers in parallel), if one supports DANE. The DNS responses must be authorized (
-
For MTA-STS:
- Check for an existing MTA-STS record over DNS, and if found, fetch the policy via HTTPS.
- If a response from the DANE query is available and not empty, the MTA-STS result is ignored.
- If the DANE check is not ready yet, the result will be hold back, until it is completed.
- DNS errors won't downgrade to MTA-STS, TLSA records must be explicitly and verifiably not available for MTA-STS to overrule DANE.
- If there is no TLSA record available for at least one MX record, so that the DANE query returns an empty policy, then the MTA-STS policy will take effect and result in a
securepolicy and explicitly enforce amatch=with the policy-provided MX hostnames.
-
The result is cached by
minimum TTL of all queriesormax_ageseconds, for DANE and MTA-STS respectively.
It is recommended to still set the default TLS policy to dane (Opportunistic DANE) in Postfix (see below).
List of repositories serving prebuilt and packaged versions of postfix-tlspol:
Installation with Docker simplifies setup, as it contains its own properly configured DNS resolver, Unbound. The image itself is only about 8 MB (compressed).
docker volume create postfix-tlspol-data
docker run -d \
-v postfix-tlspol-data:/data \
-p 127.0.0.1:8642:8642 \
--restart unless-stopped \
--name postfix-tlspol \
zuplu/postfix-tlspol:latest
Jump to Postfix configuration to integrate the socketmap server.
To update the image, stop and remove the container, and run the docker run ... command again.
To disable prefetching, pass -e TLSPOL_PREFETCH=0 to the above command.
git clone https://github.com/Zuplu/postfix-tlspol
cd postfix-tlspol
scripts/build.sh
Press d for Docker when prompted or select it if a terminal UI appears.
These requirements only apply if you use the non-Docker variant for installation, i. e. as a systemd service unit.
- Postfix
- Go (latest)
- DNSSEC-validating DNS server (preferably on localhost)
git clone https://github.com/Zuplu/postfix-tlspol
cd postfix-tlspol
scripts/build.sh
Press s for systemd when prompted or select it if a terminal UI appears.
Edit /etc/postfix-tlspol/config.yaml as needed. After any change, a restart is required:
service postfix-tlspol restart
In /etc/postfix/main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY
Explanation for smtp_tls_dane_insecure_mx_policy
This bug has been fixed in Postfix stable release 3.10.0, as well as in Postfix legacy releases 3.9.2, 3.8.8, 3.7.13, and 3.6.17 and all subsequent newer releases. You do not need to manually set this, if you use one of these or more recent versions.
Explicitly setting smtp_tls_dane_insecure_mx_policy to dane is a workaround for a bug that only matters in case you change the recommended default smtp_tls_security_level to something different than dane.
postfix-tlspol returns dane (opportunistic DANE) only for domains where dane-only (mandatory DANE) is not possible (because the MX lookup is unsigned, but the MX server itself supports DANE). Not setting this would render dane ineffective and only honor dane-only, if your smtp_tls_security_level is not dane. So even when postfix-tlspol explicitly requests opportunistic DANE for a domain, Postfix would ignore it before the fix.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERYwithTLSRPT
Note the QUERYwithTLSRPT that enables TLSRPT support for Postfix 3.10+.
After changing the Postfix configuration, do:
postfix reload
You can update postfix-tlspol (both the Docker container and the systemd service variant), by simply doing:
git pull
scripts/build.sh
Warning: Configuring is only available for the standalone/systemd installation. The Docker version is autoconfigured.
Configuration example for /etc/postfix-tlspol/config.yaml:
server:
# server:port to listen as a socketmap server
# or unix:/run/postfix-tlspol/tlspol.sock for Unix Domain Socket
address: 127.0.0.1:8642
# prefetch when TTL is about to expire (default true)
prefetch: true
# cache file (default cache.db in working directory, i. e. /var/lib/postfix-tlspol)
cache-file: cache.db
dns:
# must support DNSSEC
address: 127.0.0.53:53
It is recommended to adjust your local DNS caching resolver to serve the original TTL response.
For example, in Unbound, configure the following:
cache-min-ttl: 10
cache-max-ttl: 240
serve-original-ttl: yes
This will serve the original TTL, but still skip the cache after 240 seconds, when a new query is made. (Note: Policies with TTL lower than 300 seconds are not elligible for prefetching.)
It ensures that when postfix-tlspol prefetches policies before the TTL actually expires, the DNS cache won't be used (otherwise it would only prefetch for the residual TTL time).
Prefetching will work without these settings, albeit slightly less efficiently.