From e8e6b9cd9d4c5ea0727daa2b00488327dde215b3 Mon Sep 17 00:00:00 2001 From: Esa Jokinen Date: Thu, 22 Dec 2022 10:28:58 +0200 Subject: [PATCH 1/2] Warn about overriding DANE (#67) --- README.md | 46 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b1cbeb6..1eef4f5 100644 --- a/README.md +++ b/README.md 
@@ -3,10 +3,16 @@ postfix-mta-sts-resolver [![Build Status](https://travis-ci.org/Snawoot/postfix-mta-sts-resolver.svg?branch=master)](https://travis-ci.org/Snawoot/postfix-mta-sts-resolver) [![Coverage](https://img.shields.io/badge/coverage-97%25-4dc71f.svg)](https://travis-ci.org/Snawoot/postfix-mta-sts-resolver) [![PyPI - Downloads](https://img.shields.io/pypi/dm/postfix-mta-sts-resolver.svg?color=4dc71f&label=PyPI%20downloads)](https://pypistats.org/packages/postfix-mta-sts-resolver) [![PyPI](https://img.shields.io/pypi/v/postfix-mta-sts-resolver.svg)](https://pypi.org/project/postfix-mta-sts-resolver/) [![PyPI - Status](https://img.shields.io/pypi/status/postfix-mta-sts-resolver.svg)](https://pypi.org/project/postfix-mta-sts-resolver/) [![PyPI - License](https://img.shields.io/pypi/l/postfix-mta-sts-resolver.svg?color=4dc71f)](https://pypi.org/project/postfix-mta-sts-resolver/) [![postfix-mta-sts-resolver](https://snapcraft.io//postfix-mta-sts-resolver/badge.svg)](https://snapcraft.io/postfix-mta-sts-resolver) ![CodeQL](https://github.com/Snawoot/postfix-mta-sts-resolver/workflows/CodeQL/badge.svg) -Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy. Current support of RFC8461 is limited - daemon lacks some minor features: +Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy. -* Fetch error reporting -* Fetch ratelimit (but actual fetch rate partially restricted with `cache_grace` config option). +Current support of [RFC 8461](https://www.rfc-editor.org/rfc/rfc8461) is limited: + +* [MTA-STS policy overrides DANE TLS authentication](#warning-mta-sts-policy-overrides-dane-tls-authentication) against [RFC 8461, 2](https://www.rfc-editor.org/rfc/rfc8461#section-2). + +* Daemon lacks some minor features: + + * Fetch error reporting. + * Fetch ratelimit (but actual fetch rate partially restricted with `cache_grace` config option). 
Server has configurable cache backend which allows to store cached STS policies in memory (`internal`), file (`sqlite`) or in Redis database (`redis`). 
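Review bot: the new first bullet under "Current support of RFC 8461 is limited" files the DANE override as a missing RFC feature, but the behaviour described in the linked section is a property of how Postfix consults `smtp_tls_policy_maps` (a returned `secure` result takes precedence over the global `smtp_tls_security_level`), not a gap in the daemon's policy handling; wording it as a deployment caveat ("when listed as the only policy map, the daemon's `secure` result takes precedence over DANE") would be more accurate than placing it alongside the missing features. While the ratelimit bullet is being rewritten, "actual fetch rate partially restricted with `cache_grace` config option" should read "the actual fetch rate is partially restricted by the `cache_grace` config option".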
@@ -186,6 +192,40 @@ If your configuration already has some TLS policy maps, just add MTA-STS socketm Reload Postfix after reconfiguration. +### Warning: MTA-STS policy overrides DANE TLS authentication + +Due to Postfix's limitations, a resolved MTA-STS policy overrides DANE TLS authentication ([RFC 6698](https://www.rfc-editor.org/rfc/rfc6698)), because DANE is an internal feature of Postfix, and the postfix-mta-sts-resolver always responds with a ([`smtp_tls_policy_maps`](https://www.postfix.org/postconf.5.html#smtp_tls_policy_maps)) lookup result `secure` for [Secure server certificate verification](https://www.postfix.org/TLS_README.html#client_tls_secure). + + * The resulting behaviour is against [RFC 8461, 2](https://www.rfc-editor.org/rfc/rfc8461#section-2): + > However, MTA-STS is designed not to interfere with DANE deployments when the two overlap; in particular, senders who implement MTA-STS validation MUST NOT allow MTA-STS Policy validation to override a failing DANE validation. + + Domains implementing both MTA-STS and DANE probably want DANE to be preferred: + + * DANE allows strict binding of certificates; the policy can authorize only a certain certificate or certificates from a certain CA. With MTA-STS, a certificate from any trusted CA is automatically trusted; [RFC 8461, 10.1](https://www.rfc-editor.org/rfc/rfc8461#section-10.1): + + > SMTP MTA-STS relies on certificate validation via PKIX-based TLS identity checking [RFC6125]. Attackers who are able to obtain a + valid certificate for the targeted recipient mail service (e.g., by compromising a CA) are thus able to circumvent STS authentication. + + * Based on DNSSEC, DANE not vulnerable to downgrade attack that could prevent policy discovery. 
MTA-STS security considerations acknowledges this weakness in [RFC 8461, 10.2](https://www.rfc-editor.org/rfc/rfc8461#section-10.2): + + > Since MTA-STS uses DNS TXT records for policy discovery, an attacker who is able to block DNS responses can suppress the discovery of an + MTA-STS Policy, making the Policy Domain appear not to have an MTA-STS Policy. + + > Resistance to downgrade attacks of this nature -- due to the ability to authoritatively determine "lack of a record" even for non-participating recipients -- is a feature of DANE, due to its use of DNSSEC for policy discovery. + + * The postfix-mta-sts-resolver does not intent to implement policy lookups for DANE, and responses other than `secure` with `match=` would not verify the TLS certificate as required by [RFC 8461, 4,2](https://www.rfc-editor.org/rfc/rfc8461#section-4.2). + +If you wish to meet this requirement: + + * List a DANE policy resolver responding with `dane-only` (for [Mandatory DANE](https://www.postfix.org/TLS_README.html#client_tls_dane)) before postfix-mta-sts-resolver in `smtp_tls_policy_maps` lookup table list. + + * Alternatively, you could use a static lookup table for domains known to implement both MTA-STS & DANE, e.g., + + ``` + smtp_tls_policy_maps = hash:/etc/postfix/tls_policy,socketmap:inet:127.0.0.1:8461:postfix + ``` + + ## Operability check Assuming default MTA-STA daemon configuration. Following command: From d9cff187e2662554fcb9a58fdadbae34e701fee8 Mon Sep 17 00:00:00 2001 From: Esa Jokinen Date: Thu, 22 Dec 2022 10:37:18 +0200 Subject: [PATCH 2/2] mta-sts-daemon(1): notice overriding DANE --- man/mta-sts-daemon.1.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/man/mta-sts-daemon.1.adoc b/man/mta-sts-daemon.1.adoc index 7656128..b8ef6ac 100644 --- a/man/mta-sts-daemon.1.adoc +++ b/man/mta-sts-daemon.1.adoc 
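Review bot: in the README "Warning" hunk above, "because DANE is an internal feature of Postfix" does not explain the mechanism; the override happens because a `smtp_tls_policy_maps` lookup result takes precedence over the global `smtp_tls_security_level` (which is where `dane`/`dane-only` is enabled), and this daemon always answers `secure match=...`, so Postfix never reaches its DANE code for that destination. The mitigation example shows only `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy,socketmap:inet:127.0.0.1:8461:postfix`; add a sample entry for the static table (for example `example.com dane-only`, followed by `postmap /etc/postfix/tls_policy`) so the reader knows which value to put in it, and note that `dane-only` still requires `smtp_dns_support_level = dnssec` and a DNSSEC-validating resolver, otherwise every delivery to that domain is deferred. The stray parentheses in "a ([`smtp_tls_policy_maps`](...)) lookup result" should be dropped. Typos: "DANE not vulnerable to downgrade attack" (missing "is" and "a"), "security considerations acknowledges" should be "acknowledge", "does not intent to" should be "does not intend to", and "RFC 8461, 4,2" should be "RFC 8461, 4.2".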
@@ -50,6 +50,11 @@ Reload Postfix. Then verify it works: */usr/sbin/postmap -q dismail.de socketmap:inet:127.0.0.1:8461:postfix* +This configuration overrides DANE TLS authentication. If you wish to meet the +requirement of RFC 8461, section 2, you should list a DANE policy resolver (or +a static lookup table for domains known to implement both MTA-STS & DANE) before +mta-sts-daemon in smtp_tls_policy_maps. + == See also *mta-sts-query*(1), *mta-sts-daemon.yml*(5)
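Review bot: "This configuration overrides DANE TLS authentication" leaves the reader to guess what overrides what; state, as the README hunk does, that the `secure` result returned over the socketmap takes precedence over `smtp_tls_security_level = dane` for that destination. The README hunk also says the static table should return `dane-only` for such domains, while the man page only says "a static lookup table for domains known to implement both MTA-STS & DANE", so the value to configure is missing here; add it. For consistency with the existing `*/usr/sbin/postmap ...*` markup in this file, mark `smtp_tls_policy_maps` and `mta-sts-daemon` with the same asciidoc emphasis or monospace instead of plain text.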