Stars: 104 | Rank: 330,604 (Top 7 %) | Language: Python | License: MIT License | Created about 6 years ago | Updated over 1 year ago


Repository Details

Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy

postfix-mta-sts-resolver


Current support of RFC 8461 is limited: not every feature of the RFC is implemented.

The server has a configurable cache backend which stores cached STS policies in memory (internal), in a file (sqlite) or in a Redis database (redis).

Requirements

  • Postfix 3.4+ (or Postfix 2.10+ if the lack of Postfix SNI support is tolerable; in that case you have to set the zone option require_sni to false in the MTA-STS daemon config)
  • Python 3.5.3+ (see "Systems without Python 3.5+" below if you don't have one, or use the Docker installation method)
  • aiodns
  • aiohttp
  • aiosqlite
  • redis-py
  • PyYAML
  • (optional) uvloop

All dependencies are installed automatically when this package is installed via pip.

Installation

Method 1. System-wide install from PyPI (recommended for humans)

Run:

sudo python3 -m pip install postfix-mta-sts-resolver[redis,sqlite]

If you don't need redis or sqlite support, you may omit one of them in the square brackets. If you need neither and plan to use the internal cache without persistence, omit the square brackets altogether.

Package scripts shall be available in standard executable locations upon completion.

pip user install

All pip invocations can be run with the --user option. In this case superuser privileges are not required and the package is installed into the user's home directory; script executables usually appear in ~/.local/bin.

Method 2. System-wide install from project source

Run in project directory:

sudo python3 -m pip install .[redis,sqlite]

If you don't need redis or sqlite support, you may omit one of them in the square brackets. If you need neither and plan to use the internal cache without persistence, omit the square brackets altogether.

Package scripts shall be available in standard executable locations upon completion.

Method 3. Install into virtualenv

See "Building virtualenv"

Method 4. Docker

Run

docker volume create mta-sts-cache
docker run -d \
    --security-opt no-new-privileges \
    -v mta-sts-cache:/var/lib/mta-sts \
    -p 127.0.0.1:8461:8461 \
    --restart unless-stopped \
    --name postfix-mta-sts-resolver \
    yarmak/postfix-mta-sts-resolver

The daemon will be up and running, listening on the loopback interface on port 8461. The default configuration baked into the Docker image uses SQLite for the cache, stored in the persistent Docker volume. You may override this configuration with your own config file by mapping it into the container with the option -v /path/to/my_config.yml:/etc/mta-sts-daemon.yml (the host path must be absolute, otherwise Docker treats it as a volume name).

Method 5. Snap Store

Get it from the Snap Store

sudo snap install postfix-mta-sts-resolver

NOTE: in the snap layout the mta-sts-daemon program is named postfix-mta-sts-resolver.daemon and mta-sts-query is named postfix-mta-sts-resolver.query.

Common installation notes

See also contrib/README.md for RHEL/OEL/Centos and FreeBSD notes.

See contrib/ for example of systemd unit file suitable to run daemon under systemd control.

Running

This package provides two executables, available after installation in the respective locations.

mta-sts-query

mta-sts-query is a command line tool which fetches and outputs a domain's MTA-STS policy. It is intended for debugging.

Synopsis:

$ mta-sts-query --help
usage: mta-sts-query [-h] [-v {debug,info,warn,error,fatal}]
                     domain [known_version]

positional arguments:
  domain                domain to fetch MTA-STS policy from
  known_version         latest known version (default: None)

optional arguments:
  -h, --help            show this help message and exit
  -v {debug,info,warn,error,fatal}, --verbosity {debug,info,warn,error,fatal}
                        logging verbosity (default: warn)

mta-sts-daemon

mta-sts-daemon is the daemon which provides an external TLS policy to the Postfix SMTP client via the socketmap interface.

A systemd unit file suitable for running the daemon can be found in contrib/.

Synopsis:

$ mta-sts-daemon --help
usage: mta-sts-daemon [-h] [-v {debug,info,warn,error,fatal}] [-c FILE]
                      [-l FILE] [--disable-uvloop]

optional arguments:
  -h, --help            show this help message and exit
  -v {debug,info,warn,error,fatal}, --verbosity {debug,info,warn,error,fatal}
                        logging verbosity (default: info)
  -c FILE, --config FILE
                        config file location (default: /etc/mta-sts-
                        daemon.yml)
  -l FILE, --logfile FILE
                        log file location (default: None)
  --disable-uvloop      do not use uvloop even if it is available (default:
                        False)

Seamless restart/upgrade/reload and load balancing

By default mta-sts-daemon allows multiple instances to share the same port (on Linux/FreeBSD/Windows). Therefore a restart or upgrade of the daemon can be performed seamlessly. The set of systemd unit files in the contrib/ directory implements "reload" by running a backup instance while the main instance is being restarted.

Also, on Linux and FreeBSD the load is distributed across all processes (with SO_REUSEPORT and SO_REUSEPORT_LB respectively).
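The port-sharing behaviour described above, as an added example that is not part of the project's code: two listeners opt into SO_REUSEPORT on the same loopback port, a plain socket that does not opt in is refused with EADDRINUSE, and incoming connections are accepted by whichever listener the kernel hands them to. It assumes Linux semantics (FreeBSD balances with SO_REUSEPORT_LB, as the text notes), binds only to 127.0.0.1 on a kernel-chosen port, and uses function names chosen for illustration.

```python
"""Two listeners sharing one TCP port via SO_REUSEPORT, the mechanism behind seamless restarts.

Added example, not the daemon's code; assumes Linux semantics (FreeBSD balances with
SO_REUSEPORT_LB instead) and binds only to 127.0.0.1 on a kernel-chosen port.
"""
import errno
import select
import socket


def listen_shared(port: int) -> socket.socket:
    """Create a listener that opts into port sharing; the option must be set before bind()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(32)
    return srv


def plain_bind_refused(port: int) -> bool:
    """A socket that does not set SO_REUSEPORT cannot join the group: bind() gives EADDRINUSE."""
    plain = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        plain.bind(("127.0.0.1", port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        plain.close()


def demo(connections: int = 8) -> dict:
    """Start an 'old' instance, let a 'new' one join on the same port, and count who accepts."""
    old = listen_shared(0)                 # running instance; the kernel picks a free port
    port = old.getsockname()[1]
    new = listen_shared(port)              # upgraded instance joins while old still serves
    refused = plain_bind_refused(port)
    clients = [socket.create_connection(("127.0.0.1", port)) for _ in range(connections)]
    accepted = {"old": 0, "new": 0}
    pending = connections
    while pending:
        ready, _, _ = select.select([old, new], [], [], 5.0)
        if not ready:
            break                          # should not happen on loopback
        for srv in ready:                  # the kernel hashes each connection to one listener
            conn, _ = srv.accept()
            conn.close()
            accepted["old" if srv is old else "new"] += 1
            pending -= 1
    for sock in clients + [old, new]:
        sock.close()
    return {"accepted": accepted, "plain_bind_refused": refused, "total": connections - pending}


if __name__ == "__main__":
    print(demo())
```

Which listener receives a given connection is decided by the kernel's hash of the connection tuple, so the split between "old" and "new" varies from run to run; what is stable is that every connection is served and that the old instance can be stopped once the new one is in the group.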

MTA-STS Daemon configuration

See the configuration man page and the config_examples/ directory. The default config location is /etc/mta-sts-daemon.yml, but it can be overridden with the command line option -c FILE.

All options are self-explanatory; the only exception is the strict_testing option. If set to true, the STS policy will be enforced even if the domain announces the MTA-STS testing mode. This is useful for early enforcement against domains that hesitate to switch to enforce mode. Please use it with caution.
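To make the strict_testing behaviour and the daemon's output format concrete, here is an added example (not the project's own code) that parses a constructed _mta-sts TXT record and policy file according to RFC 8461 and translates the result into the smtp_tls_policy_maps value handed to Postfix. The function names, the constructed sample policies and the require_sni parameter are assumptions made for illustration; the servername=hostname attribute the function can append is a Postfix 3.4+ policy-map attribute, which is why the requirements above ask for Postfix 3.4+ unless require_sni is disabled.

```python
"""Parse MTA-STS records (RFC 8461) and translate them into a Postfix TLS policy.

Added example; function names and sample data are assumptions, not the daemon's code.
"""
import re
from dataclasses import dataclass

# _mta-sts.<domain> TXT record, RFC 8461 section 3.1: "v=STSv1; id=<1..32 alphanumerics>"
STS_TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
MX_RE = re.compile(rf"^(?:\*\.)?{LABEL}(?:\.{LABEL})+\.?$")  # wildcard only as leftmost label

# Constructed samples (not fetched from any real domain)
SAMPLE_TXT = "v=STSv1; id=20230601T120000;"
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.example.net\r\n"
    "mx: *.backup.example.net\r\n"
    "max_age: 604800\r\n"
)
TESTING_POLICY = "version: STSv1\nmode: testing\nmx: mx.example.org\nmax_age: 86400\n"


@dataclass(frozen=True)
class StsPolicy:
    mode: str        # enforce | testing | none
    mx: tuple        # mx patterns, lowercased, in policy order
    max_age: int     # seconds the policy may be cached


def parse_sts_txt(txt: str):
    """Return the policy id from a TXT record, or None if the record is not well-formed."""
    match = STS_TXT_RE.match(txt.strip())
    return match.group(1) if match else None


def parse_policy(text: str) -> StsPolicy:
    """Parse the body of https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 section 3.2).

    Raises ValueError on anything a sender must treat as an invalid policy.
    """
    fields, mx = {}, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "mx":
            if not MX_RE.match(value):
                raise ValueError(f"invalid mx pattern: {value!r}")
            mx.append(value.lower().rstrip("."))
        elif name in ("version", "mode", "max_age") and name in fields:
            raise ValueError(f"duplicate field: {name}")
        else:
            fields[name] = value  # unknown extension fields are stored and ignored
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("missing or non-numeric max_age") from None
    if max_age < 0:
        raise ValueError("negative max_age")
    if mode != "none" and not mx:
        raise ValueError(f"{mode} policy without mx entries")
    return StsPolicy(mode, tuple(mx), max_age)


def to_postfix_policy(policy: StsPolicy, strict_testing: bool = False, require_sni: bool = False):
    """Return the smtp_tls_policy_maps value for this policy, or None for 'no override'.

    None corresponds to a NOTFOUND socketmap reply: Postfix then continues with the next
    table in smtp_tls_policy_maps or falls back to its default smtp_tls_security_level.
    """
    if policy.mode == "none":
        return None
    if policy.mode == "testing" and not strict_testing:
        return None  # testing mode must not cause delivery failures unless strict_testing is on
    # An MTA-STS wildcard "*.example.net" becomes the Postfix pattern ".example.net",
    # which in a match= list matches subdomains of example.net.
    patterns = [("." + name[2:]) if name.startswith("*.") else name for name in policy.mx]
    result = "secure match=" + ":".join(patterns)
    if require_sni:
        # Assumed to mirror the daemon's require_sni zone option; servername=hostname is a
        # Postfix 3.4+ policy attribute, hence the Postfix version requirement above.
        result += " servername=hostname"
    return result
```

Running to_postfix_policy on SAMPLE_POLICY yields the same shape as the operability check below (secure match=... with the MX patterns joined by colons); on TESTING_POLICY it yields None unless strict_testing is set, which is exactly the trade-off the option description warns about.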

Postfix configuration

The SMTP client of your Postfix instance must be able to validate peer certificates. To achieve that, ensure smtp_tls_CAfile or smtp_tls_CApath points to the system CA bundle. Otherwise you'll get "Untrusted TLS connection" even for peers with valid certificates, and delivery failures for MTA-STS-enabled destinations. Also note: enabling tls_append_default_CA alone does not help if both smtp_tls_CAfile and smtp_tls_CApath are empty.

Once certificate validation is enabled and your Postfix log shows "Trusted TLS connection ... " for destinations with valid certificates signed by public CA, you may enable MTA-STS by adding following line to main.cf:

smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix

If your configuration already has TLS policy maps, add the MTA-STS socketmap to the list of configured maps according to the smtp_tls_policy_maps syntax. TLS policy tables are searched in the specified order until a match is found, so you may place a table with local overrides before the MTA-STS socketmap. This is useful for skipping the network lookup for well-known destinations, or for relaxing security for broken destinations that announce MTA-STS support.

Reload Postfix after reconfiguration.

Warning: MTA-STS policy overrides DANE TLS authentication

Due to a Postfix limitation, a resolved MTA-STS policy overrides DANE TLS authentication (RFC 6698): DANE is an internal feature of Postfix, while postfix-mta-sts-resolver always answers the smtp_tls_policy_maps lookup with the secure level (secure server certificate verification), and an explicit policy-map result takes precedence over the default (e.g. dane) security level.

  • This behaviour contradicts RFC 8461, section 2:

    However, MTA-STS is designed not to interfere with DANE deployments when the two overlap; in particular, senders who implement MTA-STS validation MUST NOT allow MTA-STS Policy validation to override a failing DANE validation.

    Domains implementing both MTA-STS and DANE probably want DANE to be preferred:

    • DANE allows strict binding of certificates: the policy can authorize only a specific certificate, or certificates from a specific CA. With MTA-STS, a certificate from any trusted CA is accepted; RFC 8461, section 10.1:

      SMTP MTA-STS relies on certificate validation via PKIX-based TLS identity checking [RFC6125]. Attackers who are able to obtain a valid certificate for the targeted recipient mail service (e.g., by compromising a CA) are thus able to circumvent STS authentication.

    • Being based on DNSSEC, DANE is not vulnerable to a downgrade attack that suppresses policy discovery. The MTA-STS security considerations acknowledge this weakness in RFC 8461, section 10.2:

      Since MTA-STS uses DNS TXT records for policy discovery, an attacker who is able to block DNS responses can suppress the discovery of an MTA-STS Policy, making the Policy Domain appear not to have an MTA-STS Policy.

      Resistance to downgrade attacks of this nature -- due to the ability to authoritatively determine "lack of a record" even for non-participating recipients -- is a feature of DANE, due to its use of DNSSEC for policy discovery.

  • postfix-mta-sts-resolver does not intend to implement DANE policy lookups, and responses other than secure with match= would not verify the TLS certificate as required by RFC 8461, section 4.2.

If you wish to meet this requirement:

  • List a DANE policy resolver that responds with dane-only (mandatory DANE) before postfix-mta-sts-resolver in the smtp_tls_policy_maps list.

  • Alternatively, use a static lookup table for domains known to implement both MTA-STS and DANE, e.g.,

    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy,socketmap:inet:127.0.0.1:8461:postfix
    

Operability check

Assuming the default MTA-STS daemon configuration, the following command:

/usr/sbin/postmap -q dismail.de socketmap:inet:127.0.0.1:8461:postfix

should return something like:

secure match=mx1.dismail.de

The Postfix log should show "Verified TLS connection established to ..." instead of "Untrusted ..." or "Trusted TLS connection established to ..." when mail is sent to an MTA-STS-enabled domain.
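The query that postmap -q issues above follows Postfix's socketmap protocol: each request is a netstring carrying "<map-name> <key>", and each reply a netstring of the form "OK <data>", "NOTFOUND " or "PERM <reason>"/"TEMP <reason>"; the trailing postfix in socketmap:inet:127.0.0.1:8461:postfix is the map name the daemon receives with every lookup, so a daemon can reject lookups for a map it does not serve. The following added example (not the project's code) implements both sides of that exchange over a socketpair with a constructed policy table, so it runs without the daemon or a network port; the function names and the sample policy entry are assumptions.

```python
"""Both sides of a Postfix socketmap lookup (the protocol behind socketmap:inet:host:port:name).

Added example with a constructed policy table; not the daemon's own code.
"""
import socket
import threading

MAX_NETSTRING = 100_000  # refuse absurd length prefixes before buffering anything


class IncompleteNetstring(Exception):
    """More bytes are needed before the netstring can be decoded."""


def encode_netstring(payload: bytes) -> bytes:
    """Netstring framing: "<decimal length>:<payload>,"."""
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(buf: bytes):
    """Return (payload, remaining_bytes); raise IncompleteNetstring or ValueError (malformed)."""
    colon = buf.find(b":")
    if colon < 0:
        if len(buf) > 10:
            raise ValueError("length prefix too long")
        raise IncompleteNetstring()
    prefix = buf[:colon]
    if not prefix.isdigit() or (len(prefix) > 1 and prefix.startswith(b"0")):
        raise ValueError("bad netstring length")
    length = int(prefix)
    if length > MAX_NETSTRING:
        raise ValueError("netstring too long")
    end = colon + 1 + length
    if len(buf) < end + 1:
        raise IncompleteNetstring()
    if buf[end:end + 1] != b",":
        raise ValueError("missing netstring terminator")
    return buf[colon + 1:end], buf[end + 1:]


def handle_query(policies: dict, request: bytes) -> bytes:
    """Server side: map "<map-name> <key>" to an "OK ..." / "NOTFOUND " / "PERM ..." reply."""
    name, sep, key = request.partition(b" ")
    if not sep:
        return b"PERM malformed request"
    if name != b"postfix":  # the trailing ":postfix" of the socketmap: spec in main.cf
        return b"PERM unknown map"
    policy = policies.get(key.decode("ascii", "replace").lower())
    if policy is None:
        return b"NOTFOUND "  # Postfix continues with the next table or its default level
    return b"OK " + policy.encode("ascii")


def serve_connection(conn: socket.socket, policies: dict) -> None:
    """Answer requests on one connection until the client closes it (Postfix keeps it open)."""
    buf = b""
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while True:
                try:
                    request, buf = decode_netstring(buf)
                except IncompleteNetstring:
                    break
                except ValueError:
                    conn.sendall(encode_netstring(b"PERM malformed netstring"))
                    return
                conn.sendall(encode_netstring(handle_query(policies, request)))
    finally:
        conn.close()


def query(sock: socket.socket, map_name: str, key: str):
    """Client side, as postmap -q does: send one request, return (status, data)."""
    sock.sendall(encode_netstring(f"{map_name} {key}".encode("ascii")))
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            reply, _ = decode_netstring(buf)
            break
        except IncompleteNetstring:
            continue
    status, _, data = reply.partition(b" ")
    return status.decode("ascii"), data.decode("ascii")


def demo() -> dict:
    """Run lookups over a socketpair (no network port needed)."""
    policies = {"dismail.de": "secure match=mx1.dismail.de"}  # constructed table
    server_side, client_side = socket.socketpair()
    worker = threading.Thread(target=serve_connection, args=(server_side, policies), daemon=True)
    worker.start()
    try:
        return {
            "known": query(client_side, "postfix", "DISMAIL.DE"),
            "unknown": query(client_side, "postfix", "nonexistent.example"),
            "wrong_map": query(client_side, "other", "dismail.de"),
        }
    finally:
        client_side.close()
        worker.join(timeout=2)
```

The length check and the strict digit parsing in decode_netstring matter because the daemon is a network service: a client that sends a huge or malformed length prefix must be rejected rather than buffered. The lowercase lookup mirrors the fact that Postfix passes the next-hop domain as typed in the recipient address.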

Special cases of deployment

Systems without Python 3.5+

Some people may find it convenient to install the latest Python from source into the /opt directory. This way you get a separate Python installation that does not interfere with system packages in any way. Download the latest Python source from python.org, unpack it and run in the unpacked source directory:

./configure --prefix=/opt --enable-optimizations && make -j $(( $(nproc) + 1 )) && make test && sudo make install

Python binaries will be available in /opt/bin, including pip3. You may install postfix-mta-sts-resolver using /opt/bin/pip3 without interfering with any system packages:

sudo /opt/bin/pip3 install postfix-mta-sts-resolver[sqlite,redis]

The postfix-mta-sts-resolver executables will be available as /opt/bin/mta-sts-query and /opt/bin/mta-sts-daemon.

Building virtualenv

Run make in the project directory to build the virtualenv. As a result a new directory venv appears. venv contains the interpreter and all required dependencies, i.e. it encloses the package with its dependencies in a separate environment. It is possible to specify an alternative path where the virtualenv directory shall be placed: pass the VENV variable to make. Example:

make VENV=~/postfix-mta-sts-resolver

Such a virtual environment can be moved to another machine of a similar type (as far as the Python interpreter is compatible with the new environment). If the virtualenv is placed in the same location on the new machine, the application can be run this way:

venv/bin/mta-sts-daemon

Otherwise, some hacks are required. The first option is to explicitly call the virtualenv interpreter:

venv/bin/python venv/bin/mta-sts-daemon

The second option is to put the new path into the shebang of the scripts installed in the virtualenv. It is recommended to build the virtualenv at the same location which the application shall occupy on the target system.

Credits

Inspired by this forum thread.
