The high-level diagram shows how Postfix reports summaries to -domains that publish a TLSRPT policy. +
The high-level diagram below shows how TLS handshake success +and failure events from Postfix are collected and processed into +daily summary reports.
--
Postfix SMTP and
TLS -client engines--> ++ Postfix SMTP and TLS +client engines → -TLSRPT client
library ---> +TLSRPT client library +(linked into Postfix) → -TLSRPT summary
generator ---> +TLSRPT collector, +fetcher, and summary generator → + -Email or HTTP
delivery -Email or HTTP delivery +
When Postfix TLSRPT support is enabled (with "smtp_tlsrpt_enable -= yes"):
-The Postfix SMTP and TLS client engines will generate a @@ -89,17 +90,20 @@ client engines
They will pass those events to an in-process TLSRPT client library that sends data over a local socket to
-A TLSRPT report generator that produces daily summary -reports.
+A local TLSRPT collector that runs on each Postfix machine. +A TLSRPT fetcher gathers information from individual collectors, +and a central TLSRPT report generator produces daily summary reports. +
The TLSRPT client library and report generator are maintained -by sys4.
+The TLSRPT client library, and the infrastructure to collect, +fetch, and report TLSRPT information are maintained by sys4 at +https://github.com/sys4/libtlsrpt and +https://github.com/sys4/tlsrpt-reporter, respectively.
The Postfix implementation supports both DANE (Postfix built-in) -and MTA-STS (through an smtp_tls_policy_maps plug-in). -
+and MTA-STS (through an smtp_tls_policy_maps plug-in).The Postfix smtp(8) client process implements the SMTP client engine. With "smtp_tls_connection_reuse = no", the smtp(8) client @@ -116,11 +120,12 @@ code as described in the INSTALL document. Some modif be required if you build Postfix from a vendor-specific source package.
-The Postfix TLSRPT client builds on a TLSRPT client library -whose source code can be obtained from:
+The Postfix TLSRPT client builds on a TLSRPT library which may +be available as a built package (rpm, deb, etc.), or which you can +build from source code from:
- +
The library is typically installed as a header file in @@ -130,7 +135,7 @@ actual pathnames will depend on OS platform conventions.
In order to build Postfix with TLSRPT support, you will need to add compiler options -DUSE_TLSRPT (to build with TLSRPT -support), and -I (with the directory containing the tlsrpt.h +support) and -I (with the directory containing the tlsrpt.h header file), and you will need to add linker options to link with the TLSRPT client library, for example:
@@ -138,28 +143,28 @@ the TLSRPT client library, for example:make -f Makefile.init makefiles \ "CCARGS=-DUSE_TLSRPT -I/usr/local/include" \ - "AUXLIBS=-L/usr/local/lib -ltlsrpt" + "AUXLIBS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"+
(On Solaris systems you may need to use "-Wl,-R" instead +of "-Wl,-rpath".)
+Then, just run 'make'.
-Note: if your build command line already has CCARGS or AUXLIBS settings, then simply append the above settings to the existing CCARGS -or AUXLIBS values.
+or AUXLIBS values: --make -f Makefile.init makefiles \ - "CCARGS=existing settings... -DUSE_TLSRPT -I/usr/local/include" \ - "AUXLIBS=existing settings... -L/usr/local/lib -ltlsrpt" + "CCARGS=... -DUSE_TLSRPT -I/usr/local/include" \ + "AUXLIBS=... -L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"
After installing Postfix TLSRPT support, you can enable TLSRPT @@ -168,27 +173,38 @@ support in main.cf like this:
-smtp_tlsrpt_enable = yes -smtp_tlsrpt_socket_name = /path/to/socket +smtp_tlsrpt_socket_name = path/to/socket
The smtp_tlsrpt_socket_name parameter specifies an absolute -pathname, or a pathname that is relative to $queue_directory.
+The smtp_tlsrpt_socket_name parameter specifies either an +absolute pathname, or a pathname that is relative to $queue_directory. +
-++Notes:
-Note: the recommended socket location is still to be determined. +
+ +
The recommended socket location is still to be determined. A good socket location would be under the Postfix queue directory, for example: "smtp_tlsrpt_socket_name = run/tlsrpt/tlsrpt.sock". The advantage of using a relative name is that it will work equally well whether or not Postfix chroot is turned on.
-
Regardless of whether Postfix chroot is enabled, the TLSRPT +receiver (tlsrpt_collectd) will need to be configured with +the socket's absolute pathname.
-Do not specify a location under a directory such as private -or public that is already used by Postfix programs. Only Postfix +
Do not specify a TLSRPT socket location under a Postfix socket +directory such as private or public. Only Postfix programs should create sockets there.
+ + +For details on how to run the TLSRPT collection and reporting +infrastructure, see the documentation at +https://github.com/sys4/tlsrpt-reporter. +
With TLSRPT support turned on, the Postfix TLSRPT client will @@ -268,19 +284,20 @@ have the details for why TLS authentication failed.
RFC 8460 Section 3 specifies that an MTA must not enforce TLS -security when sending failure reports via email. However, Postfix -currently has no way to request that TLS enforcement will be disabled -when submitting an email message.
+security when sending failure reports via email.Options:
Specify the "TLS-Required: no" message header,
-defined in RFC 8689, to reduce the TLS security level to "may"
-(that is, do not verify remote SMTP server certificates, and fall
-back to plaintext if TLS is unavailable).
This feature
-is available in Postfix 3.10 and later.
In an email report, specify the "TLS-Required: no"
+message header,
+defined in RFC 8689, to reduce the Postfix SMTP client TLS security
+level to "may" (that is, do not verify remote SMTP server
+certificates, and fall back to plaintext if TLS is unavailable).
+
This feature is available in Postfix 3.10 and later. If
+your outbound MTAs run an older version, you can use one of the
+options described below.
Do nothing. When TLS security enforcement is required but fails, a TLSRPT summary message will be delayed @@ -289,8 +306,9 @@ in the mail queue. Keep in mind that TLSRPT is not a real-time monitoring service; it takes on average 12 hours before a failure is reported through TLSRPT.
-Exclude the sender of TLSRPT summaries from TLS security -enforcement. +
On outbound MTAs that don't support the "TLS-Required: +no" header feature (such as Postfix 3.9 and earlier), disable +TLS security enforcement for the sender of TLSRPT summaries. Implement the configuration below on outbound MTA instances (replace noreply-smtp-tls-reporting@example.com with your actual report generator's sender address):
diff --git a/postfix/proto/TLSRPT_README.html b/postfix/proto/TLSRPT_README.html index 1d6820d4e..32a3fd9db 100644 --- a/postfix/proto/TLSRPT_README.html +++ b/postfix/proto/TLSRPT_README.html @@ -55,32 +55,33 @@ summaries of successful and failed SMTP over TLS connections to domain specified address. Instead of mailto:, a policy may specify an https: destination. -The high-level diagram shows how Postfix reports summaries to -domains that publish a TLSRPT policy. +
The high-level diagram below shows how TLS handshake success +and failure events from Postfix are collected and processed into +daily summary reports.
--
Postfix SMTP and
TLS -client engines--> ++ Postfix SMTP and TLS +client engines → -TLSRPT client
library ---> +TLSRPT client library +(linked into Postfix) → -TLSRPT summary
generator ---> +TLSRPT collector, +fetcher, and summary generator → + -Email or HTTP
delivery -Email or HTTP delivery +
When Postfix TLSRPT support is enabled (with "smtp_tlsrpt_enable -= yes"):
-The Postfix SMTP and TLS client engines will generate a @@ -89,17 +90,20 @@ client engines
They will pass those events to an in-process TLSRPT client library that sends data over a local socket to
-A TLSRPT report generator that produces daily summary -reports.
+A local TLSRPT collector that runs on each Postfix machine. +A TLSRPT fetcher gathers information from individual collectors, +and a central TLSRPT report generator produces daily summary reports. +
The TLSRPT client library and report generator are maintained -by sys4.
+The TLSRPT client library, and the infrastructure to collect, +fetch, and report TLSRPT information are maintained by sys4 at +https://github.com/sys4/libtlsrpt and +https://github.com/sys4/tlsrpt-reporter, respectively.
The Postfix implementation supports both DANE (Postfix built-in) -and MTA-STS (through an smtp_tls_policy_maps plug-in). -
+and MTA-STS (through an smtp_tls_policy_maps plug-in).The Postfix smtp(8) client process implements the SMTP client engine. With "smtp_tls_connection_reuse = no", the smtp(8) client @@ -116,11 +120,12 @@ code as described in the INSTALL document. Some modification may be required if you build Postfix from a vendor-specific source package.
-The Postfix TLSRPT client builds on a TLSRPT client library -whose source code can be obtained from:
+The Postfix TLSRPT client builds on a TLSRPT library which may +be available as a built package (rpm, deb, etc.), or which you can +build from source code from:
-https://github.com/sys4/tlsrpt
+https://github.com/sys4/libtlsrpt
The library is typically installed as a header file in @@ -130,7 +135,7 @@ actual pathnames will depend on OS platform conventions.
In order to build Postfix with TLSRPT support, you will need to add compiler options -DUSE_TLSRPT (to build with TLSRPT -support), and -I (with the directory containing the tlsrpt.h +support) and -I (with the directory containing the tlsrpt.h header file), and you will need to add linker options to link with the TLSRPT client library, for example:
@@ -138,28 +143,28 @@ the TLSRPT client library, for example:make -f Makefile.init makefiles \ "CCARGS=-DUSE_TLSRPT -I/usr/local/include" \ - "AUXLIBS=-L/usr/local/lib -ltlsrpt" + "AUXLIBS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"+
(On Solaris systems you may need to use "-Wl,-R" instead +of "-Wl,-rpath".)
+Then, just run 'make'.
-Note: if your build command line already has CCARGS or AUXLIBS settings, then simply append the above settings to the existing CCARGS -or AUXLIBS values.
+or AUXLIBS values: --make -f Makefile.init makefiles \ - "CCARGS=existing settings... -DUSE_TLSRPT -I/usr/local/include" \ - "AUXLIBS=existing settings... -L/usr/local/lib -ltlsrpt" + "CCARGS=... -DUSE_TLSRPT -I/usr/local/include" \ + "AUXLIBS=... -L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"
After installing Postfix TLSRPT support, you can enable TLSRPT @@ -168,27 +173,38 @@ support in main.cf like this:
-smtp_tlsrpt_enable = yes -smtp_tlsrpt_socket_name = /path/to/socket +smtp_tlsrpt_socket_name = path/to/socket
The smtp_tlsrpt_socket_name parameter specifies an absolute -pathname, or a pathname that is relative to $queue_directory.
+The smtp_tlsrpt_socket_name parameter specifies either an +absolute pathname, or a pathname that is relative to $queue_directory. +
-++Notes:
-Note: the recommended socket location is still to be determined. +
+ +
The recommended socket location is still to be determined. A good socket location would be under the Postfix queue directory, for example: "smtp_tlsrpt_socket_name = run/tlsrpt/tlsrpt.sock". The advantage of using a relative name is that it will work equally well whether or not Postfix chroot is turned on.
-
Regardless of whether Postfix chroot is enabled, the TLSRPT +receiver (tlsrpt_collectd) will need to be configured with +the socket's absolute pathname.
-Do not specify a location under a directory such as private -or public that is already used by Postfix programs. Only Postfix +
Do not specify a TLSRPT socket location under a Postfix socket +directory such as private or public. Only Postfix programs should create sockets there.
+For details on how to run the TLSRPT collection and reporting +infrastructure, see the documentation at +https://github.com/sys4/tlsrpt-reporter. +
With TLSRPT support turned on, the Postfix TLSRPT client will @@ -268,19 +284,20 @@ have the details for why TLS authentication failed.
RFC 8460 Section 3 specifies that an MTA must not enforce TLS -security when sending failure reports via email. However, Postfix -currently has no way to request that TLS enforcement will be disabled -when submitting an email message.
+security when sending failure reports via email.Options:
Specify the "TLS-Required: no" message header,
-defined in RFC 8689, to reduce the TLS security level to "may"
-(that is, do not verify remote SMTP server certificates, and fall
-back to plaintext if TLS is unavailable).
This feature
-is available in Postfix 3.10 and later.
In an email report, specify the "TLS-Required: no"
+message header,
+defined in RFC 8689, to reduce the Postfix SMTP client TLS security
+level to "may" (that is, do not verify remote SMTP server
+certificates, and fall back to plaintext if TLS is unavailable).
+
This feature is available in Postfix 3.10 and later. If
+your outbound MTAs run an older version, you can use one of the
+options described below.
Do nothing. When TLS security enforcement is required but fails, a TLSRPT summary message will be delayed @@ -289,8 +306,9 @@ in the mail queue. Keep in mind that TLSRPT is not a real-time monitoring service; it takes on average 12 hours before a failure is reported through TLSRPT.
-Exclude the sender of TLSRPT summaries from TLS security -enforcement. +
On outbound MTAs that don't support the "TLS-Required: +no" header feature (such as Postfix 3.9 and earlier), disable +TLS security enforcement for the sender of TLSRPT summaries. Implement the configuration below on outbound MTA instances (replace noreply-smtp-tls-reporting@example.com with your actual report generator's sender address):
diff --git a/postfix/proto/stop.double-proto-html b/postfix/proto/stop.double-proto-html index 9fb66ec65..911ed5145 100644 --- a/postfix/proto/stop.double-proto-html +++ b/postfix/proto/stop.double-proto-html @@ -363,3 +363,4 @@ Postfix Postfix legacy TLS Support Note the recommended socket location is still to be determined A good socket location would be under the Postfix queue directory for example smtp_tlsrpt_socket_name run tlsrpt tlsrpt sock The advantage of using a relative name is that with cipher ECDHE RSA AES256 GCM SHA384 256 256 bits TLSv1 2 with cipher ECDHE RSA AES256 GCM SHA384 256 256 bits + The recommended socket location is still to be determined A good socket location would be under the Postfix queue directory for example smtp_tlsrpt_socket_name run tlsrpt tlsrpt sock The advantage of using a relative name is that it diff --git a/postfix/proto/stop.spell-proto-html b/postfix/proto/stop.spell-proto-html index d52edef6a..1a487be5f 100644 --- a/postfix/proto/stop.spell-proto-html +++ b/postfix/proto/stop.spell-proto-html @@ -396,3 +396,4 @@ doctype dtd marc LP +collectd diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 7dbf579b8..e52be6f07 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20250127" +#define MAIL_RELEASE_DATE "20250131" #define MAIL_VERSION_NUMBER "3.10" #ifdef SNAPSHOT diff --git a/postfix/src/tls/tlsrpt_wrapper.c b/postfix/src/tls/tlsrpt_wrapper.c index 11d06434d..b4ccdea4d 100644 --- a/postfix/src/tls/tlsrpt_wrapper.c +++ b/postfix/src/tls/tlsrpt_wrapper.c @@ -312,8 +312,15 @@ TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name, const char *rpt_policy_string, int skip_reused_hs) { + const char myname[] = "trw_create"; TLSRPT_WRAPPER *trw; + if (msg_verbose > 1) + msg_info("%s(rpt_socket_name=%s, rpt_policy_domain=%s, " + "rpt_policy_string=%s, skip_reused_hs=%d)", + myname, rpt_socket_name, rpt_policy_domain, + rpt_policy_string, skip_reused_hs); + /* * memset() is not portable for pointer etc. types. */ @@ -338,6 +345,10 @@ TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name, void trw_free(TLSRPT_WRAPPER *trw) { + if (msg_verbose > 1) + msg_info("trw_free: rpt_socket_name=%s, rpt_policy_domain=%s, ...", + trw->rpt_socket_name, trw->rpt_policy_domain); + /* Destroy fields set with trw_create(). */ myfree(trw->rpt_socket_name); myfree(trw->rpt_policy_domain); @@ -362,6 +373,19 @@ void trw_set_tls_policy(TLSRPT_WRAPPER *trw, const char *tls_policy_domain, const char *const * mx_host_patterns) { + const char myname[] = "trw_set_tls_policy"; + +#define STR_OR_NULL(s) ((s) ? (s) : "(Null)") +#define PSTR_OR_NULL(p) ((p) ? STR_OR_NULL(*p) : "(Null)") + + if (msg_verbose > 1) + msg_info("%s(tlsrpt_policy_type_t=%d, tls_policy_strings=%s..., " + "tls_policy_domain=%s, mx_host_patterns=%s...)", + myname, tls_policy_type, + PSTR_OR_NULL(tls_policy_strings), + STR_OR_NULL(tls_policy_domain), + PSTR_OR_NULL(mx_host_patterns)); + trw->tls_policy_type = tls_policy_type; MYFREE_IF_SET_AND_COPY(trw->tls_policy_domain, tls_policy_domain); if (tls_policy_type == TLSRPT_NO_POLICY_FOUND) { @@ -385,6 +409,11 @@ void trw_set_tcp_connection(TLSRPT_WRAPPER *trw, { const char myname[] = "trw_set_tcp_connection"; + if (msg_verbose > 1 && (snd_mta_addr || rcv_mta_name || rcv_mta_addr)) + msg_info("%s(snd_mta_addr=%s, rcv_mta_name=%s, rcv_mta_addr=%s)", + myname, STR_OR_NULL(snd_mta_addr), + STR_OR_NULL(rcv_mta_name), STR_OR_NULL(rcv_mta_addr)); + /* * Sanity check: usage errors are not a show stopper. */ @@ -405,6 +434,9 @@ void trw_set_ehlo_resp(TLSRPT_WRAPPER *trw, const char *rcv_mta_ehlo) { const char myname[] = "trw_set_ehlo_resp"; + if (msg_verbose > 1 && rcv_mta_ehlo) + msg_info("%s(rcv_mta_ehlo=%s)", myname, rcv_mta_ehlo); + /* * Sanity check: usage errors are not a show stopper. */ @@ -499,6 +531,11 @@ int trw_report_failure(TLSRPT_WRAPPER *trw, struct tlsrpt_connection_t *con; int res; + if (msg_verbose > 1) + msg_info("%s(failure_type=%d, additional_info=%s, failure_reason=%s)", + myname, failure_type, STR_OR_NULL(additional_info), + STR_OR_NULL(failure_reason)); + /* * Sanity check: usage errors are not a show stopper. */ @@ -579,6 +616,9 @@ int trw_report_success(TLSRPT_WRAPPER *trw) struct tlsrpt_connection_t *con; int res; + if (msg_verbose > 1) + msg_info("trw_report_success"); + /* * Sanity check: usage errors are not a show stopper. */