notification smtp use only TLSv1 and does not support TLSv1.1 + TLSv1.2

[xmichielx]

I am sending notifcation emails through my own Postfix mailserver which only allows TLSv1.2.
OPNsense only supports TLSv1 and not newer versions:

TLSv1.1 + TLSv1.2:

Mar  8 10:18:10 server postfix/smtpd[8048]: SSL_accept error from dhcp-077-249-000-044.chello.nl[77.249.0.44]: -1
Mar  8 10:18:10 server postfix/smtpd[8048]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Mar  8 10:18:10 server postfix/smtpd[8048]: lost connection after STARTTLS from dhcp-077-249-000-044.chello.nl[77.249.0.44]
Mar  8 10:18:10 server postfix/smtpd[8048]: disconnect from dhcp-077-249-000-044.chello.nl[77.249.0.44] ehlo=1 starttls=0/1 commands=1/2


TLSv1:

Mar  8 10:18:35 server postfix/smtpd[8099]: Anonymous TLS connection established from dhcp-077-249-000-044.chello.nl[77.249.0.44]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Is there a reason why newer and more secure TLS versions are not supported in the smtp client of OPNsense?

[NOYB]

Please be aware that that both SMTPS and STARTTLS are currently unsecure in the OPNsense implementation.
https://github.com/opnsense/core/issues/1983

Also please be aware that in general STARTTLS is unsecure for clients that merely request but do not require connection upgrade.
https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations


Another thread on the email notifications subject:
https://forum.opnsense.org/index.php?topic=7165.msg

[bartjsmit]

Why do you need to encrypt notification emails over your own network? If you allow the firewall to relay, or use recipients that the Postfix MTA is authoritative for, you don't need to send authentication across the wire.

Bart...

[NOYB]

Why do you need to encrypt notification emails over your own network?

How are you making the determination that this is over their own network?

If you allow the firewall to relay, or use recipients that the Postfix MTA is authoritative for, you don't need to send authentication across the wire.

Authentication credentials is only one aspect of email security.  Security of the content is another.
Increased security of the content is one of the reasons some people operate their own email server.

[bartjsmit]

Authentication credentials is only one aspect of email security.  Security of the content is another.
Increased security of the content is one of the reasons some people operate their own email server.

Indeed they do, and me amongst them. I am merely pointing out possible cargo cult reflexes. Just because postfix supports TLS, doesn't mean you have to implement it. The documentation warns you against it: http://www.postfix.org/TLS_README.html second paragraph.

If you require push notification by SMTP, IMHO your best bet is to design this inside the firewall and use a VPN if your MUA device travels to the public side. Horses for courses.

Bart...

[NOYB]

Using the premise of number of errors introduce per 1000 lines of code then that should also be considered in comparison to alternatives.  Such as using VPN for instance.  There are no free lunches.

What's best for each of us isn't typically one size fits all.

[fabian]

Authentication credentials is only one aspect of email security.  Security of the content is another.
Increased security of the content is one of the reasons some people operate their own email server.

Alternatives do exist: S/MIME and GPG. A reason may exist why they are not widely used.
I could implement S/MIME if I have enough time but the receiver will have to support that too and this is where the issues start
It is a sad fact that this is too complex for many users - at least people using OPNsense should be able to configure a MUA.

Indeed they do, and me amongst them. I am merely pointing out possible cargo cult reflexes. Just because postfix supports TLS, doesn't mean you have to implement it. The documentation warns you against it: http://www.postfix.org/TLS_README.html second paragraph.

Postfix has three TLS options: No TLS, use if available and force TLS.  Because many mail servers out there do not support TLS, it is almost impossible to force it.

If you require push notification by SMTP, IMHO your best bet is to design this inside the firewall and use a VPN if your MUA device travels to the public side. Horses for courses.

If OpenSSL or LibreSSL is having such an issue, your VPN will not be any help.
OpenVPN uses one of those libraries as well as StrongSwan may do. Also other services like HAProxy, the web GUI and many other services will be affected.

[NOYB]

Postfix has three TLS options: No TLS, use if available and force TLS.  Because many mail servers out there do not support TLS, it is almost impossible to force it.

On submission port though we can enforce whatever we what.  Mine supports STARTTLS on port 587, with connection upgrade required, and SMTPS on 465.

If OpenSSL or LibreSSL is having such an issue, your VPN will not be any help.
OpenVPN uses one of those libraries as well as StrongSwan may do. Also other services like HAProxy, the web GUI and many other services will be affected.

Was going to mention that as well.  Thanks for covering it.

[xmichielx]

This got a little bit offtopic
I will watch the github issues