SMTP TLS Policy
CipherMail uses Postfix (MTA) for sending and receiving email. The default client TLS policy connects to external SMTP servers via TLS if the other SMTP server supports TLS. This is known as opportunistic TLS. With opportunistic TLS, a TLS connection will be set up even if the certificate of the other SMTP server is not trusted. Using TLS, even if the connection is not trusted, is better than not using TLS at all.
Tip
The main difference between TLS and S/MIME or PGP is that TLS only encrypts the communication channel and not the email itself. With TLS, if the email is stored on a mail server, it will be stored in plain text. With full message encryption like S/MIME or PGP, the email itself will be encrypted. However, S/MIME and PGP do not encrypt the communication channel. The meta information, like sender and recipients, will therefore not be encrypted. It’s therefore advised to combine S/MIME or PGP with TLS.
Connecting to an SMTP server without TLS, or without validating the certificate, can result in a “man in the middle” attack. If a connection to an external SMTP server should only be set up if the connection is trusted, an SMTP TLS policy for that domain should be configured.
To create a TLS policy for a domain, use the following procedure:
1. Login to the CipherMail admin GUI.
2. Open the “MTA lookup tables” page, then click “Add lookup table” to open the “Add MTA lookup table” page.
3. Set “Map Type” to “hash”.
4. Set “Name” to “tls-policy”.
5. For every external domain for which a TLS policy should be configured, add a TLS policy line similar to:
   example.com:25 verify
   See below for an explanation of policy lines.
6. Click Add to add the new lookup table.
7. Open the “MTA config file” page, then add the following line to the end of the Postfix config file:
   smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map
8. Click Apply.
Policy line
A TLS policy line configures how a TLS connection to a specific domain will be validated. A policy line has the following structure:
DOMAIN POLICY
Where DOMAIN is the domain name of the external SMTP server and POLICY is the TLS policy to use.
Note
The gateway uses Postfix for the SMTP server and client. For all details and more extensive documentation of the TLS policy used by Postfix, see the Postfix documentation: http://www.postfix.org/TLS_README.html
DOMAIN
The domain is the fully qualified domain name of the external mail domain. The policy will be used if an email is sent to that domain, irrespective of the hostname of the MX records. If the domain is surrounded by [], the policy will only be used if a connection is established to a server with that hostname.
Example:
Suppose the TLS policy is the following:
ciphermail.com verify
[tls.example.com] verify match=alternative.com
And suppose the MX record for ciphermail.com is:
ciphermail.com IN MX 10 mail.ciphermail.com
And the following transport rule was added:
other.com smtp:[tls.example.com]
If an email is sent to info@ciphermail.com, the email will be delivered to mail.ciphermail.com only if the TLS certificate used by mail.ciphermail.com is trusted and has the correct domain name.
If an email is sent to info@other.com, the mail will be delivered to the SMTP server tls.example.com (because there was a transport rule). Because the TLS policy line for tls.example.com is surrounded by [], the explicit TLS policy for tls.example.com will be used. Because of the additional match rule, the TLS connection will only be established if the TLS certificate was issued to alternative.com.
Examples
Only allow TLS for incoming and outgoing
If the gateway is configured as a store-and-forward server between the internal email server and a relay server, it might be good to only allow incoming and outgoing TLS connections. If a server tries to send an email without starting a TLS connection first, the gateway will not accept the email. If the gateway tries to connect to an external SMTP server which does not support TLS, the gateway will refuse to deliver the email.
Warning
It’s advised not to enforce TLS for all incoming and outgoing connections for a mail server which should handle email for the Internet because not all SMTP servers support TLS.
Enforce incoming TLS
To enforce TLS for all incoming connections, use the following procedure:
1. Login to the CipherMail admin GUI.
2. Open the “MTA config file” page, then change
   smtpd_tls_security_level = may
   to
   smtpd_tls_security_level = encrypt
3. Click Apply.
Incoming email will now only be accepted if the connection is TLS encrypted.
Enforce outgoing TLS
If all SMTP connections are to be TLS enforced, an exception must be added for the internal SMTP connection to 127.0.0.1, because the internal SMTP connection should not be TLS enforced.
1. Add a new lookup table: click “Add lookup table”, set “Map Type” to “hash”, set “Name” to “tls-policy”, and set the content to:
   [127.0.0.1]:10025 none
2. Click Apply.
Configure the Postfix config:
1. Open the “MTA config file” page, then change
   smtp_tls_security_level = may
   to
   smtp_tls_security_level = encrypt
2. Add the following lines to the config file:
   # override TLS settings for some hosts
   smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map
3. Click Apply.
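The following Python script is an added example, not part of the CipherMail documentation and not Postfix code. It models, in simplified form, how the Postfix SMTP client selects a per-destination policy from a tls-policy map (the “Policy line” rules above: a plain domain key versus a bracketed [hostname] key with an optional match= attribute) and how the [127.0.0.1]:10025 none exception from the “Enforce outgoing TLS” procedure overrides a default of encrypt. The policy map, the certificate dictionaries and the lookup and matching rules are constructed assumptions that follow this page's description; real Postfix supports more levels, attributes and matching strategies than are modelled here.

```python
# Added example (not CipherMail or Postfix code): a simplified model of how the
# Postfix SMTP client picks a per-destination TLS policy from smtp_tls_policy_maps
# and what a server certificate must satisfy under "verify", with or without match=.
# Assumption: only the levels none/may/encrypt/verify/secure and the match=
# attribute with literal names or ".domain" patterns are modelled.
from dataclasses import dataclass, field

# Constructed policy map, combining the page's "Policy line" example with the
# loopback exception from "Enforce outgoing TLS".
POLICY_MAP = """
# DOMAIN POLICY
ciphermail.com verify
[tls.example.com] verify match=alternative.com
[127.0.0.1]:10025 none
"""


@dataclass
class TlsPolicy:
    level: str                                  # none, may, encrypt, verify, secure
    match: list = field(default_factory=list)   # names from the match= attribute


def parse_policy_map(text):
    """Parse 'DOMAIN POLICY [match=name[:name...]]' lines, keyed by lookup key."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed policy line: {line!r}")
        policy = TlsPolicy(level=fields[1].lower())
        for attr in fields[2:]:
            name, _, value = attr.partition("=")
            if name != "match":
                raise ValueError(f"unsupported attribute {name!r} in {line!r}")
            policy.match = [v.lower() for v in value.split(":")]
        table[fields[0].lower()] = policy
    return table


def lookup_policy(table, default_level, recipient_domain, nexthop=None):
    """Select the policy for one delivery.

    Without a transport rule the lookup key is the recipient domain; with a
    transport rule such as "smtp:[tls.example.com]" the key is the bracketed
    next-hop verbatim (including an optional :port), so only that line applies.
    Anything not listed falls back to the global smtp_tls_security_level.
    """
    key = (nexthop or recipient_domain).lower()
    return table.get(key, TlsPolicy(level=default_level))


def _name_matches(pattern, name):
    """A leading dot in a match= entry matches any subdomain; otherwise exact."""
    if pattern.startswith("."):
        return name.endswith(pattern)
    return pattern == name


def connection_allowed(policy, server_hostname, cert):
    """Decide whether delivery to the server proceeds under the policy.

    cert is a constructed dict {"trusted": bool, "names": [...]} standing in for
    the server certificate; None means the server did not offer TLS at all.
    """
    if policy.level in ("none", "may"):
        return True                 # plaintext allowed (may: TLS only if offered)
    if cert is None:
        return False                # encrypt/verify/secure: TLS is mandatory
    if policy.level == "encrypt":
        return True                 # channel encrypted, certificate not validated
    if policy.level in ("verify", "secure"):
        if not cert["trusted"]:
            return False
        # Without match=, the certificate is compared against the server hostname
        # (the MX host), mirroring Postfix's default of matching the hostname.
        wanted = policy.match or [server_hostname.lower()]
        names = [n.lower() for n in cert["names"]]
        return any(_name_matches(p, n) for p in wanted for n in names)
    raise ValueError(f"unknown TLS level {policy.level!r}")


if __name__ == "__main__":
    table = parse_policy_map(POLICY_MAP)
    for domain, nexthop, host, cert in [
        ("ciphermail.com", None, "mail.ciphermail.com", {"trusted": True, "names": ["mail.ciphermail.com"]}),
        ("other.com", "[tls.example.com]", "tls.example.com", {"trusted": True, "names": ["tls.example.com"]}),
        ("internal.example", "[127.0.0.1]:10025", "127.0.0.1", None),
    ]:
        policy = lookup_policy(table, "encrypt", domain, nexthop)
        print(domain, "->", policy.level, "allowed:", connection_allowed(policy, host, cert))
```

The second case in the demo illustrates the match= rule from the example above: a trusted certificate for tls.example.com itself is rejected because the policy line demands a certificate issued to alternative.com. The third case shows why the loopback exception is needed once the default level is raised to encrypt.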