A lightweight and highly performant MTA-STS + DANE/TLSA resolver and TLS policy socketmap server for Postfix that complies to the standards and prioritizes DANE where possible.
The socketmap listener auto-detects HTTP and exposes /metrics on the same Unix/TCP socket, including Go runtime metrics and counters for dane, dane-only, and secure (MTA-STS) results. You can also set server.metrics-address for a separate HTTP-only metrics endpoint that does not expose the socketmap protocol.
-
Simultaneously checks for MTA-STS and DANE for a queried domain.
-
For DANE:
- Check each MX record (all servers in parallel), if one supports DANE. The DNS responses must be authorized (
adflag set). - Verify TLSA records for correctness and supported parameters, only then the
dane-onlypolicy (Mandatory DANE) will be returned. - In case of unsupported parameters or malformed TLSA records,
dane(Opportunistic DANE) is returned. - In those edge cases, Postfix will try to enforce DANE if the TLSA records are usable. If they are not (despite valid DNSSEC signatures, e. g. malformed record set by the legitimate domain administrator or unsupported parameters), it will fall back to mandatory but unauthenticated TLS (thus
encryptat worst). - If the TLSA records are usable but invalid (e. g. key fingerprint mismatch), the mail will be deferred (for both
daneanddane-only), even if there is a valid MTA-STS policy (in conformance with RFC 8461, 2).
- Check each MX record (all servers in parallel), if one supports DANE. The DNS responses must be authorized (
-
For MTA-STS:
- Check for an existing MTA-STS record over DNS, and if found, fetch the policy via HTTPS.
- DANE is authoritative when fresh and usable. MTA-STS is only used when fresh DANE state explicitly proves that no DANE policy is available.
- Temporary DANE failures do not downgrade to MTA-STS. TLSA records must be explicitly and verifiably not available for MTA-STS to overrule DANE.
- MTA-STS and DANE state are cached independently, so a later refreshed DANE result immediately overrides a still-fresh MTA-STS policy.
- If there is no TLSA record available for at least one MX record, so that the DANE query returns an empty policy, then the MTA-STS policy will take effect and result in a
securepolicy and explicitly enforce amatch=with the policy-provided MX hostnames.
-
DANE and MTA-STS branches are cached by
minimum TTL of all DNSSEC/DANE queriesand MTA-STSmax_ageseconds respectively. The served result is derived from the fresh branch state on every cache hit, with mandatory DANE (dane-only) taking precedence.
It is recommended to still set the default TLS policy to dane (Opportunistic DANE) in Postfix (see below).
List of repositories serving prebuilt and packaged versions of postfix-tlspol:
Installation with Docker simplifies setup, as it contains its own properly configured DNS resolver, Unbound. The image itself is only about 8 MB (compressed).
docker volume create postfix-tlspol-data
docker run -d \
-v postfix-tlspol-data:/data \
-p 127.0.0.1:8642:8642 \
--restart unless-stopped \
--name postfix-tlspol \
zuplu/postfix-tlspol:latest
Jump to Postfix configuration to integrate the socketmap server.
To update the image, stop and remove the container, and run the docker run ... command again.
To disable prefetching, pass -e TLSPOL_PREFETCH=0 to the above command.
git clone https://github.com/Zuplu/postfix-tlspol
cd postfix-tlspol
scripts/build.sh
Press d for Docker when prompted or select it if a terminal UI appears.
These requirements only apply if you use the non-Docker variant for installation, i. e. as a systemd service unit.
- Postfix
- Go (latest)
- DNSSEC-validating DNS server (preferably on localhost)
git clone https://github.com/Zuplu/postfix-tlspol
cd postfix-tlspol
scripts/build.sh
Press s for systemd when prompted or select it if a terminal UI appears.
Edit /etc/postfix-tlspol/config.yaml as needed. After any change, a restart is required:
service postfix-tlspol restart
In /etc/postfix/main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY
Explanation for smtp_tls_dane_insecure_mx_policy
This bug has been fixed in Postfix stable release 3.10.0, as well as in Postfix legacy releases 3.9.2, 3.8.8, 3.7.13, and 3.6.17 and all subsequent newer releases. You do not need to manually set this, if you use one of these or more recent versions.
Explicitly setting smtp_tls_dane_insecure_mx_policy to dane is a workaround for a bug that only matters in case you change the recommended default smtp_tls_security_level to something different than dane.
postfix-tlspol returns dane (opportunistic DANE) only for domains where dane-only (mandatory DANE) is not possible (because the MX lookup is unsigned, but the MX server itself supports DANE). Not setting this would render dane ineffective and only honor dane-only, if your smtp_tls_security_level is not dane. So even when postfix-tlspol explicitly requests opportunistic DANE for a domain, Postfix would ignore it before the fix.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERYwithTLSRPT
Note the QUERYwithTLSRPT that enables TLSRPT support for Postfix 3.10+.
After changing the Postfix configuration, do:
postfix reload
You can update postfix-tlspol (both the Docker container and the systemd service variant), by simply doing:
git pull
scripts/build.sh
Warning: Configuring is only available for the standalone/systemd installation. The Docker version is autoconfigured.
Configuration example for /etc/postfix-tlspol/config.yaml:
server:
# server:port to listen as a socketmap server
# or unix:/run/postfix-tlspol/tlspol.sock for Unix Domain Socket
address: 127.0.0.1:8642
# optional HTTP-only metrics endpoint, e.g. 127.0.0.1:9642
# or unix:/run/postfix-tlspol/metrics.sock
# unset by default because /metrics is also autodetected on the socketmap listener
#metrics-address:
# socket file permissions if Unix Domain Sockets are used
socket-permissions: 0666
# prefetch when TTL is about to expire (default true)
prefetch: true
# cache file (default /var/lib/postfix-tlspol/cache.db)
cache-file: /var/lib/postfix-tlspol/cache.db
dns:
# must support DNSSEC, uses /etc/resolv.conf if unset
#address: 127.0.0.53:53
Prefetching is enabled by default, and postfix-tlspol tries to keep its cache fresh.