git.proxmox.com Git - pmg-api.git/commit

author	Stoiko Ivanov <s.ivanov@proxmox.com>
	Wed, 18 Mar 2020 10:23:44 +0000 (11:23 +0100)
committer	Thomas Lamprecht <t.lamprecht@proxmox.com>
	Tue, 24 Mar 2020 12:30:56 +0000 (13:30 +0100)
commit	644487e3d29ac87f520ff846ec64bba0ca4182c6
tree	6d9a92f050f61903e67c2e8b4ce38a4eb5ce00f3	tree
parent	8e3b0ef15c4dbaf3009932a9f9bb3189bcb7c1a9	commit \| diff

fix #1948: allow setting TLS policy for transports

As described in postfix TLS Readme [0] the key of the tls_policy table need
not be a destination domain - it can also contain an entry from the transport
table.

By adding a new format, which matches the current format of 'transport-domain'
and additionally the possible values for a smtp/lmtp next-hop (see `man smtp`)
users can now also set a stricter tls policy for their configured downstream
servers (e.g. to enforce TLS, or to disable it, if the downstream server's
TLS implementation is broken).

Tested locally by sending mails to a downstream server with policy 'may' set
(STARTTLS is used), and 'none' (mail goes unecrypted) - verified with tcpdump.

If a next-hop is provided it needs to be literally the same entry as present
in the transport table (w/o the 'smtp:' or 'lmtp:inet:' prefix) - i.e.
it is significant if the entry is enclosed in brackets, or if the (defacto
optional) 'ipv6:' prefix is present in the transport entry.

[0] http://www.postfix.org/TLS_README.html#client_tls_policy

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-By: Dominik Csapak <d.csapak@proxmox.com>

src/PMG/API2/DestinationTLSPolicy.pm		diff \| blob \| blame \| history
src/PMG/Config.pm		diff \| blob \| blame \| history