Bug 44589 - relayhost with authentication only over TLS
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-0-errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Depends on:
Reported: 2017-05-12 15:39 CEST by Tobias Birkefeld
Modified: 2017-06-15 17:58 CEST (History)
3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Tobias Birkefeld univentionstaff 2017-05-12 15:39:40 CEST
If "mail/relayauth" is enabled, you want to set the Postfix default to "mail/postfix/tls/client/level=encrypt".

The UCS default is:

smtp_tls_security_level = may

In this case it will be possible to send your user name + password unencrypted over the Internet.

When TLS handshakes fail, the connection is retried with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations.

In a case where you use a smart host of a provider with relay authentication, you want to ensure that your password is only sent in an encrypted session. So in this case you have to manually set "mail/postfix/tls/client/level=encrypt".

I think this should be described clearly in the documentation [1]. The more effective way would be to set "mail/postfix/tls/client/level=encrypt" if "mail/relayauth" is enabled.

[1] https://docs.software-univention.de/manual-4.2.html#mail::serverconfig::relay
Comment 1 Daniel Tröder univentionstaff 2017-05-31 09:34:48 CEST
* the default for mail/postfix/tls/client/level if unset has been changed to "may"
* set smtp_tls_security_level=encrypt if mail/relayauth is enabled
* add section to manual
r79954: add missing UCRV to ucr-registry

Package: univention-mail-postfix
Version: 11.0.1-4A~
Branch: ucs_4.2-0
Scope: errata4.2-0
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-06-13 14:04:29 CEST
r80142 | Bug #44589: some tweaks for the mail section of the UCS manual
r80148 | Bug #44589: some tweaks for the mail section of the UCS manual

univention-mail-postfix (11.0.1-8):
r80143 | Bug #44589: updated UCR variable descriptions
r80147 | Bug #44589: updated UCR variable descriptions

Package: univention-mail-postfix
Version: 11.0.1-8A~
Branch: ucs_4.2-0
Scope: errata4.2-0

The UCR template will set smtp_tls_security_level=encrypt if
* mail/relayhost != ""
* mail/relayauth is True
* mail/postfix/tls/client/level != "none"

Otherwise, mail/postfix/tls/client/level is directly used.
The new default of mail/postfix/tls/client/level within the UCR template is "may". The UCR variable will no longer be set in univention-mail-postfix.postinst. There is no impact for existing installations.
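The three-condition rule in comment 2, together with the plaintext-fallback risk from the original report, can be checked outside of Postfix. The following is an added example written for this page; it is not the univention-mail-postfix UCR template or any other Univention code. It reads UCR variables from a plain dictionary, so the function names (effective_client_tls_level, plaintext_auth_risk), the set of strings treated as "true", and the optional relayauth_forces_encrypt switch that models the template before and after this fix are all assumptions of the example, not the project's API.

```python
"""Added example, not Univention code: reproduce the smtp_tls_security_level
decision described in Bug 44589 and flag configurations where relay
credentials could still travel over an unencrypted session."""

from typing import Mapping, Optional

# UCR stores booleans as strings. This set of "true" spellings is an
# assumption of the example, not the exact list UCR itself accepts.
_TRUE = {"yes", "true", "1", "enable", "enabled", "on"}

# Postfix client TLS levels that still allow an unencrypted session:
# "none" never uses TLS, "may" falls back to plaintext when the handshake fails.
_PLAINTEXT_POSSIBLE = {"none", "may"}


def ucr_is_true(value: Optional[str]) -> bool:
    """Interpret a UCR string value as a boolean."""
    return value is not None and value.strip().lower() in _TRUE


def effective_client_tls_level(
    ucr: Mapping[str, str], relayauth_forces_encrypt: bool = True
) -> str:
    """Return the smtp_tls_security_level the template would write.

    Rule from comment 2 (relayauth_forces_encrypt=True): "encrypt" when
    mail/relayhost is non-empty, mail/relayauth is true and the configured
    mail/postfix/tls/client/level is not "none"; otherwise the configured
    level, with "may" as the default when the variable is unset.
    relayauth_forces_encrypt=False models the pre-fix template, which used
    the configured level directly.
    """
    configured = ucr.get("mail/postfix/tls/client/level", "").strip() or "may"
    relayhost = ucr.get("mail/relayhost", "").strip()
    relayauth = ucr_is_true(ucr.get("mail/relayauth"))
    if relayauth_forces_encrypt and relayhost and relayauth and configured != "none":
        return "encrypt"
    return configured


def plaintext_auth_risk(
    ucr: Mapping[str, str], relayauth_forces_encrypt: bool = True
) -> Optional[str]:
    """Describe why relay credentials could be sent unencrypted, or None.

    Only configurations that actually authenticate against a relay host are
    relevant; for those, a resulting level of "none" or "may" is reported.
    """
    if not ucr.get("mail/relayhost", "").strip():
        return None
    if not ucr_is_true(ucr.get("mail/relayauth")):
        return None
    level = effective_client_tls_level(ucr, relayauth_forces_encrypt)
    if level in _PLAINTEXT_POSSIBLE:
        return (
            f"mail/relayauth is enabled but smtp_tls_security_level={level} "
            "permits an unencrypted session to the relay host"
        )
    return None


if __name__ == "__main__":
    # Constructed sample configurations (not taken from a real system).
    samples = {
        "relay auth, level unset": {
            "mail/relayhost": "smtp.example.net",
            "mail/relayauth": "yes",
        },
        "relay auth, level explicitly none": {
            "mail/relayhost": "smtp.example.net",
            "mail/relayauth": "yes",
            "mail/postfix/tls/client/level": "none",
        },
        "no relay auth, level secure": {
            "mail/relayhost": "smtp.example.net",
            "mail/relayauth": "no",
            "mail/postfix/tls/client/level": "secure",
        },
    }
    for name, cfg in samples.items():
        for fixed in (False, True):
            label = "post-fix" if fixed else "pre-fix"
            print(
                f"{name} [{label}]: level={effective_client_tls_level(cfg, fixed)} "
                f"risk={plaintext_auth_risk(cfg, fixed)}"
            )
```

The pre-fix/post-fix switch makes the change in comment 2 visible: with relay authentication and no explicit level, the old template left "may" in place (credentials exposed on a failed handshake), while the new template writes "encrypt". An explicitly configured "none" is passed through unchanged in both cases, which is why plaintext_auth_risk still reports it.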
Comment 3 Janek Walkenhorst univentionstaff 2017-06-15 17:58:17 CEST