Bug 44589 – relayhost with authentication only over TLS

Bug 44589 - relayhost with authentication only over TLS


Summary:	relayhost with authentication only over TLS

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Mail
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-0-errata
Assigned To:	Daniel Tröder
QA Contact:	Sönke Schwardt-Krummrich

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-05-12 15:39 CEST by Tobias Birkefeld
Modified:	2017-06-15 17:58 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.023
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tobias Birkefeld

2017-05-12 15:39:40 CEST

If "mail/relayauth" is enabled you want to set postfix default of "mail/postfix/tls/client/level=encrypt".

The UCS default is:

smtp_tls_security_level = may

In this case it will be possible to send your user name + password unencrypted over the Internet.

"""
When TLS handshakes fail, the connection is retried with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations.
"""

In a case where you use a smart-host of a provider with relay authentication, you want to ensure that your password is only send in an encrypted session. So in this case you have to manually set "mail/postfix/tls/client/level=encrypt".

I think this should be described clearly in the documentation [1]. The more effective way would be to set "mail/postfix/tls/client/level=encrypt" if "mail/relayauth" is enabled.

[1] https://docs.software-univention.de/manual-4.2.html#mail::serverconfig::relay

Comment 1 Daniel Tröder

2017-05-31 09:34:48 CEST

r79953:
* the default for mail/postfix/tls/client/level if unset has been changed to "may"
* set smtp_tls_security_level=encrypt if mail/relayauth is enabled
* add section to manual
r79954: add missing UCRV to ucr-registry

Package: univention-mail-postfix
Version: 11.0.1-4A~4.2.0.201705310933
Branch: ucs_4.2-0
Scope: errata4.2-0

Comment 2 Sönke Schwardt-Krummrich

2017-06-13 14:04:29 CEST

r80142 | Bug #44589: some tweaks for the mail section of the UCS manual
r80148 | Bug #44589: some tweaks for the mail section of the UCS manual

univention-mail-postfix (11.0.1-8):
r80143 | Bug #44589: updated UCR variable descriptions
r80147 | Bug #44589: updated UCR variable descriptions

Package: univention-mail-postfix
Version: 11.0.1-8A~4.2.0.201706131359
Branch: ucs_4.2-0
Scope: errata4.2-0


The UCR template will set smtp_tls_security_level=encrypt if
* mail/relayhost != ""
* mail/relayauth is True
* mail/postfix/tls/client/level != "none"

Otherwise, mail/postfix/tls/client/level is directly used.
The new default of mail/postfix/tls/client/level within the UCR template is "may". The UCR variable will no longer be set in 
univention-mail-postfix.postinst. There is no impact for existing installations.

Comment 3 Janek Walkenhorst

2017-06-15 17:58:17 CEST

<http://errata.software-univention.de/ucs/4.2/36.html>