Postfix and “eMail made in Germany”

If you use Postfix as your MTA, you can (and should) enable transport encryption for outgoing connections with “smtp_tls_security_level=may” (or “smtp_use_tls=yes”, deprecated since Postfix 2.3). However, “may” is opportunistic only: it does not enforce that…

  • encryption is always used for every site that supports it. Enforcing this with “smtp_tls_security_level=encrypt” is not an option either, because there are lots of sites which do not support transport encryption at all (like @me.com). So if someone can perform a MitM attack, the attacker can simply strip the STARTTLS announcement from the server’s EHLO response, Postfix falls back to plaintext and the mail goes over the wire unencrypted.
  • the remote server which supports encryption is the “right” one (e.g., in case of DNS hijacking or MitM attacks). With “may” the server certificate is not verified at all, and one cannot simply set “smtp_tls_security_level=verify” globally because there are lots of sites which have self-signed certificates, or certificates whose name matches neither the MX server hostname nor the mail-address domain.

In order to enforce transport encryption for specific sites and avoid the problems described above one can use “smtp_tls_policy_maps” to specify, per destination domain, that encryption is mandatory and which certificate names identify the “right” server. Insert “smtp_tls_policy_maps = hash:/etc/postfix/tls_policy” into /etc/postfix/main.cf, use the example content below (or the latest version from the repository), run “postmap /etc/postfix/tls_policy” and reload Postfix; “postmap” has to be re-run after every change to the table. Note that the lookup key is the next-hop destination (normally the domain part of the recipient address, with a leading dot for “this domain and its subdomains”), not the MX hostname, whereas the “match=” patterns are compared against the names in the server certificate: a pattern with a leading dot matches any subdomain, several patterns are separated by “:”. It is also required that “smtp_tls_CApath” (or “smtp_tls_CAfile”) is set correctly so that the certificates can be checked against trusted root certificates; on Debian it can be set to “smtp_tls_CApath = /etc/ssl/certs/”, which requires the package “ca-certificates”. Entries in the policy table override the global “smtp_tls_security_level”, so the default for all other destinations stays “may”.

The main problem with this solution is that you need to create the list of servers manually and keep it up to date whenever a provider changes its MX hosts or certificate names. I checked my logs and created this list for the most-used destination domains (I created a repository on GitHub in case someone wants to contribute: https://github.com/csware/postfix-tls-policy):

/etc/postfix/tls_policy:
# members of email made in germany
t-online.de secure match=.t-online.de
gmx.net secure match=.gmx.net
gmx.de secure match=.gmx.net
gmx.at secure match=.gmx.net
web.de secure match=.web.de
freenet.de secure match=.freenet.de
email.de secure match=.web.de
# other mail providers
gmail.com secure match=.google.com
googlemail.com secure match=.google.com
google.com secure match=.google.com
kabelmail.de secure match=.xworks.net
#hotmail,outlook: not all mx-servers support starttls
#hotmail.com secure match=.hotmail.com:.outlook.com
#outlook.com secure match=.hotmail.com:.outlook.com
#hotmail.de secure match=.hotmail.com:.outlook.com
#me.com does not support starttls at all
aol.com secure match=.aol.com
yahoo.com secure match=.yahoodns.net
yahoo.de secure match=.yahoodns.net
arcor.de secure match=.arcor.de
# universities
.hu-berlin.de secure match=.hu-berlin.de
.tu-clausthal.de secure match=.mx.srv.dfn.de:.tu-clausthal.de
# states of germany
#.bayern.de: mx has selfsigned cert
.bayern.de encrypt
.berlin.de secure match=.berlin.de
.hessen.de secure match=.hessen.de
.niedersachsen.de secure match=.niedersachsen.de
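As an added illustration (this is not code from the article, the repository or Postfix itself), the following Python script emulates the two decisions Postfix makes with such a table: which entry applies to a next-hop domain, and whether a name from the server certificate satisfies the “match=” patterns of a “secure” entry. The table text embedded in it is a constructed subset of the one above, and the certificate names in the demo are made up, not real MX names.

```python
"""Emulate how Postfix evaluates a smtp_tls_policy_maps table (added example,
not Postfix code). Two things decide a delivery: which entry applies to the
next-hop domain (exact domain first, then each parent domain with a leading
dot, so ".hu-berlin.de" covers mail.hu-berlin.de but not hu-berlin.de itself),
and, for level "secure", whether a certificate name satisfies a match= pattern
(leading dot = any proper subdomain; otherwise exact, "*." wildcard allowed).
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed subset of the article's policy table (postmap source format).
POLICY_TEXT = """
# members of email made in germany
t-online.de secure match=.t-online.de
gmx.net secure match=.gmx.net
gmx.de secure match=.gmx.net
#hotmail.com secure match=.hotmail.com:.outlook.com
.hu-berlin.de secure match=.hu-berlin.de
.tu-clausthal.de secure match=.mx.srv.dfn.de:.tu-clausthal.de
.bayern.de encrypt
"""


class Policy(NamedTuple):
    level: str              # none, may, encrypt, dane, verify, secure, ...
    match: Tuple[str, ...]  # patterns from match=a:b; empty when not given


def parse_policy(text: str) -> Dict[str, Policy]:
    """Parse the table source: key, level, then optional attribute=value words."""
    table: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments
        fields = line.split()
        patterns: Tuple[str, ...] = ()
        for attr in fields[2:]:
            name, _, value = attr.partition("=")
            if name == "match":
                patterns = tuple(p.lower() for p in value.split(":") if p)
        table[fields[0].lower()] = Policy(fields[1].lower(), patterns)
    return table


def lookup_policy(table: Dict[str, Policy], nexthop: str) -> Optional[Tuple[str, Policy]]:
    """Return (matching key, policy), or None when the global default level applies."""
    key = nexthop.lower()
    while True:
        if key in table:
            return key, table[key]
        dot = key.find(".", 1)                        # next parent domain, keeping its dot
        if dot < 0:
            return None
        key = key[dot:]


def cert_name_matches(cert_name: str, pattern: str, multi_wildcard: bool = True) -> bool:
    """Compare one certificate name (SAN dNSName or CN) with one match= pattern."""
    cert_name, pattern = cert_name.lower(), pattern.lower()
    if pattern.startswith(".") and len(pattern) > 1:
        # ".gmx.net" matches mx1.gmx.net (and *.gmx.net) but not gmx.net itself.
        return len(cert_name) > len(pattern) and cert_name.endswith(pattern)
    if cert_name == pattern:
        return True
    if cert_name.startswith("*.") and len(cert_name) > 2 and "." in pattern:
        # "*.example.com" covers one label below example.com, or several labels
        # when tls_wildcard_matches_multiple_labels is enabled (Postfix default: yes).
        parent, rest = pattern[pattern.index("."):], cert_name[1:]
        return parent.endswith(rest) if multi_wildcard else parent == rest
    return False


def policy_accepts(table: Dict[str, Policy], nexthop: str, cert_names: List[str]) -> Tuple[bool, str]:
    """Would Postfix deliver over this connection? Returns (decision, reason)."""
    nexthop = nexthop.lower()
    found = lookup_policy(table, nexthop)
    if found is None:
        return True, "no entry: global smtp_tls_security_level applies (unauthenticated)"
    key, policy = found
    if policy.level != "secure":
        return True, f"{key}: level {policy.level}, no secure-style name check (verify/dane not emulated)"
    # Without match=, Postfix uses "nexthop, dot-nexthop" at the secure level.
    patterns = policy.match or ("nexthop", "dot-nexthop")
    expanded = [{"nexthop": nexthop, "dot-nexthop": "." + nexthop}.get(p, p) for p in patterns]
    for name in cert_names:
        for pat in expanded:
            if cert_name_matches(name, pat):
                return True, f"{key}: certificate name {name} matches {pat}"
    return False, f"{key}: none of {cert_names} matches {expanded}; mail is deferred"


if __name__ == "__main__":
    table = parse_policy(POLICY_TEXT)
    # Constructed certificate names, not real MX hosts.
    for nexthop, names in [("gmx.de", ["mx01.gmx.net"]),
                           ("gmx.de", ["mx01.gmx.de"]),             # wrong domain in cert
                           ("hu-berlin.de", ["mx.hu-berlin.de"]),   # ".hu-berlin.de" does not apply
                           ("mail.bayern.de", ["whatever"])]:       # encrypt: nothing verified
        ok, why = policy_accepts(table, nexthop, names)
        print(f"{nexthop:16s} {'OK   ' if ok else 'DEFER'} {why}")
```

The practical lesson is in the parent-domain walk: an entry “.hu-berlin.de” applies to mail.hu-berlin.de but not to hu-berlin.de itself, so a domain that receives mail at its apex needs a second entry without the leading dot. On a real system, “postmap -q mail.hu-berlin.de hash:/etc/postfix/tls_policy” only does the exact lookup (query the dotted key explicitly to test parent entries), and the mail log tells you whether a policy took effect: “Verified TLS connection established” for a successful “secure” match versus “Untrusted TLS connection established” when the certificate was not checked or not trusted.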

Update 2014-05-24: I’m running Postfix > 2.11.0 (and I have a DNSSEC-validating DNS resolver), so I’ve set “smtp_tls_security_level=dane” as the default, which is a bit better than “may”: destinations that publish TLSA records get mandatory, authenticated TLS, while everything else still falls back to opportunistic encryption. This also requires “smtp_dns_support_level = dnssec”; without it the dane level behaves like “may”.