#3639 SMTP without any SSL/TLS encryption
Closed: Fixed 7 years ago Opened 11 years ago by robert.

= phenomenon =
Right now, all incoming and outbound e-mail (SMTP) is done without any SSL/TLS encryption.

= reason =
According to Kevin, the reason is unknown, maybe history?

= recommendation =
Setting up SSL/TLS (STARTTLS) for all incoming and outbound e-mail. This should be easily possible as we use Postfix and RHEL 5 or RHEL 6 everywhere and have a wildcard certificate for fedoraproject.org.

If SMTP with SSL/TLS is accepted for Fedora in general, I'm happy to provide patches for configuration files.


This is a good idea, but I'm a little fuzzy on what the phrase "for all incoming and outbound e-mail" means. TLS should not be ''required'' for outbound email IMO, only when available (the "may" value in Postfix). The reason is that some mail servers either don't have TLS configured or have configured it improperly, and that would prevent messages from being delivered to them. See the [http://www.postfix.org/TLS_README.html#client_tls_encrypt Postfix doc on TLS]. Just thought I would point this out.

Sorry for being unclear. I meant opportunistic TLS to be correct, thus "may" as in Postfix-jargon.

So, incoming emails come two ways:

a) via redhat.com MX servers. We have 0 control there.
b) for lists they come into smtp-mm0[1-3] servers.

Outgoing emails all go via bastion01/02.

I'd be happy to look at a commit that enables tls for smtp outgoing on bastion and smtpd incoming on smtp-mm0[1-3] machines. The tricky part would be making sure postfix could read the needed ssl certs.

This isn't high on my priority list, so patches welcome. ;)

Here is first draft of a patch. Feedback needed.

One more thing. There is no /etc/pki/tls/private/postfix.pem at the moment. Simply didn't know what to add for smtpd_tls_cert_file. Anyway this will be fixed, when I find out which cert to use.

We may want to just use our ssl keys from the website side... look in the website module in puppet for path to those keys.

I hope I found the right keys.
Kevin could you have a look at this.

That's not the right one. ;)

It's called 'wildcard-2013.fedoraproject.org'. Do a 'git grep' for that in puppet. It should be under /etc/pki/tls/certs/ normally. We may have to also install it on bastion01/02 (as those are our email gateways).

Hopefully this will do the job.

Ok when I was browsing puppet repo today, I realised that the job is not done yet since there is no wildcard certificate on bastions. So that makes me wonder do I have enough info to fix that in puppet repo?

Yeah, we will need to make sure the certs are installed on bastion01/02.

do a git grep for httpd::certificate in the puppet repo. We will need to add a call to that in manifests/services/gateway.pp most likely to get it installed on bastion.

Does that help?

I hope this patch will do the job. Though I am not certain if source paths of certs are right. Someone will need to have a look and give me some further info because I am stuck at the moment.

I rethought the situation a little bit and I think it is better (as in more logical) to have certificate and key declaration in modules/postfix/manifests/init.pp than in manifests/services/smtp-mm.pp. This way it is more obvious that postfix needs those two files.

For "modules/postfix/files/main.cf/main.cf.gateway" I would recommend to use "smtp_tls_CAfile = /etc/pki/tls/cert.pem" rather "smtp_tls_CApath = /etc/pki/tls/certs" - especially as there might be additional own CAs outside of the CA bundle. It might make sense to also add "smtp_tls_loglevel = 1" for additional logging.

At "modules/postfix/files/main.cf/main.cf.smtp-mm"...why is the "smtp_" stuff missing? Is there a special reason that only "smtpd_" is there? Are there are no outbound (e.g. non-VPN, external) e-mails from these servers? I also would recommend here "smtpd_tls_CApath = /etc/pki/tls/certs" instead of "smtpd_tls_CAfile = /etc/pki/tls/cert.pem" in case of own non-bundled CAs. Maybe adding "smtpd_tls_received_header = yes" and "smtpd_tls_loglevel = 1" as well?

Kevin will need to look at your proposals and if he is OK with them they will be added. I'm not that familiar with postfix to provide professional opinion.

I think robert's suggestions seem reasonable. Not sure we will want to keep the logging longer term, but should be good at first.

CAfile seems safer than a CApath, we do probably want to enable smtp as well as smtpd (in fact that's more important, as incoming emails come via Red Hat MX, so encryption there isn't that important).

Added logging and smtp_* to main.cf.smtp-mm.

CAfile was used and so was 'smtpd_tls_received_header = yes'.

Is that OK that the owner of wildcard certificate and key is set to postfix in manifest? Or should it be root?

Technically it doesn't really matter, but in the end Postfix needs to be able to read certificate and key using the postfix user. A more hardened setup would be root:postfix and 0640 if needed.
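As an added example (not code from this ticket or from Fedora's puppet/ansible repos), a small Python linter that parses a constructed main.cf and checks the settings discussed above: opportunistic "may" for both smtp and smtpd, CAfile rather than CApath, loglevel, and the Received: header. The hostname and certificate paths in the sample are placeholders.

```python
import re

# Constructed sample: a gateway main.cf before the change (no TLS at all) ...
MAIN_CF_BEFORE = """
myhostname = bastion01.example.invalid
"""

# ... and after it: opportunistic ("may") TLS both ways, CA bundle file, logging, Received: header.
MAIN_CF_AFTER = """
myhostname = bastion01.example.invalid
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/cert.pem
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/HOSTCERT-PLACEHOLDER.pem
smtpd_tls_key_file = /etc/pki/tls/private/HOSTKEY-PLACEHOLDER.pem
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
"""

def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines; comments and blanks never match."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def check_tls(params):
    """Return findings as strings; an empty list means the config follows the ticket's advice."""
    findings = []
    for side in ("smtp", "smtpd"):
        level = params.get(f"{side}_tls_security_level", "none")
        if level == "none":
            findings.append(f"{side}: TLS disabled (security_level missing or 'none')")
        elif side == "smtp" and level != "may":
            # 'encrypt' and stricter levels bounce mail to peers without working TLS
            findings.append(f"smtp: '{level}' refuses peers without working TLS; use 'may'")
        if f"{side}_tls_loglevel" not in params:
            findings.append(f"{side}: no tls_loglevel, so handshakes are not logged")
        if f"{side}_tls_CApath" in params and f"{side}_tls_CAfile" not in params:
            findings.append(f"{side}: prefer tls_CAfile (one bundle) over tls_CApath")
    if params.get("smtpd_tls_security_level", "none") != "none":
        for p in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if p not in params:
                findings.append(f"smtpd: {p} missing, STARTTLS would be offered but fail")
        if params.get("smtpd_tls_received_header") != "yes":
            findings.append("smtpd: set smtpd_tls_received_header = yes to record TLS use")
    return findings
```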

Wow. This completely dropped through the cracks. Sorry about that. ;(

So, the patch is against the old puppet module, we need to redo one against the ansible repo.

I'm not sure we want to put the wildcard certs on smtp-mm and bastion hosts.
We could look at letsencrypt for them perhaps? Or just get a cert with the right alternates for this.

Adding easyfix keyword too.

If letsencrypt turns out to be super easy, great... if not, we should just get a new host cert from digicert that has all the alternates for the hosts we are going to be using it on.

Discussed the letsencrypt option on #fedora-admin and we came to the conclusion that using a certificate by them would mean taking a couple of things into consideration:

  • One way for the auto certificate verification is for the Letsencrypt client itself to create a temporary webserver listening on port 80 (also means server must be public facing)
  • This would not be optimal if there's already a webserver on the SMTP server or if there are chances one would be needed in the future

I don't like the idea of opening port 80 on them... there isn't another web server there, but still...

So, I think we should just go for a regular host cert here with all the alternates added to it.

While we are requesting that, we need ansible work to enable things and install the certs once we have them.

Patch for main.cf to add TLS opportunistic encryption
tls.patch

Thank you very much.
The TLS certificate has just been requested too, so as soon as that comes in I'll ready the patch for post-freezebreak merge.

The certificates and patch from sparks have been put in place on the main smtp gateways into Fedora. From the logs email is being received and sent over ssl when possible.

@smooge changed the status to Fixed

7 years ago
