Difference between revisions of "King0770-Notes-smtp tls policy maps"

(Created page with "{{Unsupported}}|{{ZCS 8.7}}|{{ZCS 9.0}} {{WIP}} <strong>The contents of this article are not yet complete and should be considered highly experimental.</strong> By default,...")
 
 
(7 intermediate revisions by the same user not shown)
Latest revision as of 22:33, 5 December 2018

Applies to: ZCS 8.7, ZCS 9.0


The contents of this article are not yet complete and should be considered highly experimental.
Changes to the zmconfigd.cf file will NOT survive upgrades.

By default, Zimbra has never modified smtp_tls_policy_maps, so adding smtp_tls_policy_maps would be considered a custom change. However, using the zimbra account, you could add the following line to the /opt/zimbra/conf/zmconfigd.cf file, directly above the RESTART mta line.

POSTCONF smtp_tls_policy_maps        lmdb:/opt/zimbra/conf/tls_policy

Then restart the MTA to pick up the changes.

zmmtactl restart

Then check it as the zimbra user...

postconf | grep smtp_tls_policy_maps
smtp_tls_policy_maps = lmdb:/opt/zimbra/conf/tls_policy      <<== Should see this

Make sure to run postmap against the /opt/zimbra/conf/tls_policy file, using the "lmdb" map type, not "hash", so that the generated database matches the lmdb: prefix in the POSTCONF line above.

postmap /opt/zimbra/conf/tls_policy

Make sure to double-check the smtp_tls_security_level setting as well.

postconf | grep smtp_tls_security_level

Possible smtp_tls_security_level options:
may: opportunistic TLS. If the server offers TLS it is used; if it does not, the mail is still delivered in cleartext.
encrypt: mandatory TLS. Encryption is required, but the server certificate is not checked, so any (even invalid) certificate is accepted.
verify: mandatory TLS with a trusted server certificate (is the CA trusted? does the CN match the MX hostname?).
secure: mandatory TLS with a trusted certificate whose CN/SAN matches the recipient domain; the insecure MX lookup data is not used for name validation.
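The article never shows what the tls_policy map itself looks like. Below is an added example, not from the wiki article or from Zimbra: a constructed policy file using the security levels listed above, plus a small POSIX shell lint that reports entries which still permit cleartext delivery before the map is built; the destination names, the POLICY_FILE variable and the lint_tls_policy function are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki page: a constructed tls_policy map
# plus a small lint that checks every entry's security level before the map
# is built with postmap. Destinations are placeholders, not real partners.
set -eu

# Stand-in for /opt/zimbra/conf/tls_policy so the script runs anywhere.
POLICY_FILE="${POLICY_FILE:-$(mktemp)}"

# Constructed sample map: "destination  level [attribute=value ...]".
# A key with a leading dot also matches subdomains of that domain.
cat > "$POLICY_FILE" <<'EOF'
# partner with a CA-signed cert: verify the name against the domain itself
partner.example.com     secure match=partner.example.com:.partner.example.com
# relay whose cert is self-signed: require encryption, skip the cert check
.internal.example.net   encrypt
# legacy destination that cannot do TLS at all
legacy.example.org      none
EOF

# lint_tls_policy FILE: print one report line per entry. Returns 1 if any
# entry uses a level this lint does not handle or still allows cleartext
# (may/none), so the operator sees the downgrade before running postmap.
lint_tls_policy() {
  rc=0
  while read -r dest level rest; do
    case "$dest" in ''|'#'*) continue ;; esac
    case "$level" in
      secure|verify)
        echo "OK   $dest -> $level (encrypted, certificate verified)" ;;
      encrypt)
        echo "OK   $dest -> encrypt (encrypted, certificate not checked)" ;;
      may|none)
        echo "WARN $dest -> $level (cleartext delivery possible)"; rc=1 ;;
      *)
        echo "ERR  $dest -> level '$level' not handled by this lint"; rc=1 ;;
    esac
  done < "$1"
  return "$rc"
}

lint_tls_policy "$POLICY_FILE" || echo "policy map needs attention before postmap"

# On the Zimbra host, as the zimbra user, build the lmdb map and spot-check a
# lookup (these need Postfix's postmap, so they are left as comments here):
#   postmap lmdb:/opt/zimbra/conf/tls_policy
#   postmap -q partner.example.com lmdb:/opt/zimbra/conf/tls_policy
```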

Notable RFE: https://bugzilla.zimbra.com/show_bug.cgi?id=108691

Additional Info: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
