enforce mandatory verification in postfix configuration
authored by anarcat
Our previous configuration did not actually check the server's x509
certificate, which is a serious flaw. `encrypt` is nice because it
enforces *some* TLS, but is vulnerable to trivial active MITM attacks
by anyone with an OpenSSL installation.

Also expand the documentation on the security level stuff to clarify
why we might want to use it.
...@@ -215,7 +215,7 @@ following commands: ...@@ -215,7 +215,7 @@ following commands:
postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl/passwd postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl/passwd
postconf -e smtp_sasl_security_options= postconf -e smtp_sasl_security_options=
postconf -e relayhost=submission.torproject.org:submission postconf -e relayhost=submission.torproject.org:submission
postconf -e smtp_tls_security_level=encrypt postconf -e smtp_tls_security_level=secure
postfix reload postfix reload
The `/etc/postfix/sasl/passwd` file holds `hostname user:pass` The `/etc/postfix/sasl/passwd` file holds `hostname user:pass`
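Review bot: the `secure` level on the `smtp_tls_security_level` line only works against a trusted CA store, and nothing in this hunk sets `smtp_tls_CAfile` or `smtp_tls_CApath`; on a host without one, every connection to the relayhost fails certificate verification and mail sits in the deferred queue instead of being sent. Add a `postconf -e smtp_tls_CAfile=...` (or `smtp_tls_CApath`) line next to the security level, pointing at the system CA bundle, and state in the text that the relayhost's certificate must chain to it.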
...@@ -233,10 +233,14 @@ Note that this method stores your plain text password on disk. Make ...@@ -233,10 +233,14 @@ Note that this method stores your plain text password on disk. Make
sure permissions on the file are limited and that you use full disk sure permissions on the file are limited and that you use full disk
encryption. encryption.
`may` can be used as a `security_level` if we are going to send mail You might already have another `security_level` configured for other
to other hosts which may not support security, but make sure that reasons, especially if that host already delivers mail to the internet
mails are encrypted when talking to the `relayhost`, for example at large (for example: [dane](http://www.postfix.org/TLS_README.html#client_tls_dane) or [may](http://www.postfix.org/TLS_README.html#client_tls_may)). In that case, do make
through a `smtp_tls_policy_maps`. sure that mails are encrypted when talking to the `relayhost`, for
example through a [`smtp_tls_policy_maps`](http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps). You want at least the
`verify` (if you trust DNS to return the right MX records) or `secure`
(if you don't). `dane` *can* work (for now) because we do support
DNSSEC, but that might change in the future.
If you want to use Tor's submission server *only* for mail sent from a If you want to use Tor's submission server *only* for mail sent from a
`@torproject.org` address, you'll need an [extra step](http://www.postfix.org/SASL_README.html#client_sasl_sender). This should `@torproject.org` address, you'll need an [extra step](http://www.postfix.org/SASL_README.html#client_sasl_sender). This should
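Review bot: the new paragraph tells the reader to make sure mail to the `relayhost` is "encrypted", but the levels it then recommends (`verify`, `secure`) are about certificate verification, which is the whole point of this commit; say "encrypted and verified" so nobody concludes that `encrypt` in the policy map is enough. It would also help to show the actual `smtp_tls_policy_maps` entry, e.g. `submission.torproject.org:submission secure`, with a reminder that the lookup key must match the `relayhost` value exactly as written.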