Difference between revisions of "King0770-Notes-smtp tls policy maps"


Revision as of 20:15, 5 December 2017



The contents of this article are not yet complete and should be considered highly experimental.

By default, Zimbra has never set smtp_tls_policy_maps, so adding it counts as a custom change. However, as the zimbra user you can add the following line to /opt/zimbra/conf/zmconfigd.cf, directly above the RESTART mta line:

POSTCONF smtp_tls_policy_maps        lmdb:/opt/zimbra/conf/tls_policy

Then restart the MTA to pick up the changes.

zmmtactl restart

Then check it as the zimbra user:

postconf | grep smtp_tls_policy_maps
smtp_tls_policy_maps = lmdb:/opt/zimbra/conf/tls_policy      <<== Should see this

Make sure to run postmap against the /opt/zimbra/conf/tls_policy source file so the lookup table is built; the map type must be "lmdb", not "hash", to match the zmconfigd.cf entry.

postmap /opt/zimbra/conf/tls_policy

Make sure to double-check the smtp_tls_security_level setting as well, since it is the default level applied to every destination that has no entry in the policy map:

postconf | grep smtp_tls_security_level

Possible smtp_tls_security_level options:
may: opportunistic TLS. TLS offered? good. No TLS? also good (mail goes in plaintext).
encrypt: mandatory TLS. Any server certificate is accepted, even an invalid one; only encryption is demanded.
verify: mandatory TLS with a trusted server certificate (is the CA trusted? does the CN match the MX hostname?).
secure: mandatory TLS; the certificate is accepted only if it is trusted and its CN/SAN matches the recipient domain, ignoring the insecure (MX) DNS information for name validation.
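As an added example (not part of the wiki article or of Zimbra), here is a constructed tls_policy source file in the two-column format postmap expects, showing the per-destination levels described above, together with a small POSIX shell lint that rejects unknown security levels or attributes before the map is compiled. The file path and the sample domains are assumptions.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling. The real source file would be
# /opt/zimbra/conf/tls_policy; a temp path is assumed here so it runs anywhere.
POLICY_FILE="${POLICY_FILE:-${TMPDIR:-/tmp}/tls_policy.example}"

# Constructed sample entries. Left column: next-hop domain (a leading dot
# matches sub-domains) or [host]:port; right column: security level plus
# optional attributes such as match=.
write_sample_policy() {
    cat > "$POLICY_FILE" <<'EOF'
# partner handling sensitive mail: CA-trusted cert whose name matches the domain
example.com             secure
# sub-domains of a partner whose cert only carries the MX hostname
.partner.example        verify match=hostname
# legacy relay with a self-signed cert: still force encryption
[relay.example.net]:587 encrypt
# everything else explicitly listed here stays opportunistic
example.org             may
EOF
}

# Lint: every non-comment line must be "<destination> <level> [attr=value ...]"
# with a level Postfix documents for smtp_tls_policy_maps. Prints offending
# lines and returns 1 if any are found, 0 if the file is clean.
lint_tls_policy() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        level="$2"
        case "$level" in
            none|may|encrypt|dane|dane-only|fingerprint|verify|secure) ;;
            *) echo "bad level on line: $line"; bad=1; continue ;;
        esac
        shift 2
        for attr in "$@"; do
            case "$attr" in
                match=*|ciphers=*|protocols=*|exclude=*|tafile=*|servername=*) ;;
                *) echo "unknown attribute '$attr' on line: $line"; bad=1 ;;
            esac
        done
    done < "$file"
    return $bad
}
```

Run the lint before postmap; a typo such as "secur" would otherwise be compiled silently and the destination would fall back to the global smtp_tls_security_level.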


Changes to the zmconfigd.cf will NOT survive upgrades.

Notable RFE: https://bugzilla.zimbra.com/show_bug.cgi?id=108691

Additional Info: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
