Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)

Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.

CHANGELOG.md

@@ -6,6 +6,7 @@ In Development
 
 Mail:
 
+* Sending mail is now possible on port 465 with the "SSL" or "TLS" option in mail clients, and this is now the recommended setting. Port 587 with STARTTLS remains available but should be avoided.
 * Roundcube's login cookie is updated to use a new encryption algorithm (AES-256-CBC instead of DES-EDE-CBC).
 
 DNS:

conf/fail2ban/jails.conf

@@ -38,6 +38,14 @@ logpath  = STORAGE_ROOT/owncloud/nextcloud.log
 maxretry = 20
 findtime = 120
 
+[miab-postfix465]
+enabled  = true
+port     = 465
+filter   = miab-postfix-submission
+logpath  = /var/log/mail.log
+maxretry = 20
+findtime = 30
+
 [miab-postfix587]
 enabled  = true
 port     = 587

conf/ios-profile.xml

@@ -53,7 +53,7 @@
       <key>OutgoingMailServerHostName</key>
       <string>PRIMARY_HOSTNAME</string>
       <key>OutgoingMailServerPortNumber</key>
-      <integer>587</integer>
+      <integer>465</integer>
       <key>OutgoingMailServerUseSSL</key>
       <true/>
       <key>OutgoingPasswordSameAsIncomingPassword</key>

conf/mozilla-autoconfig.xml

@@ -16,8 +16,8 @@
 
       <outgoingServer type="smtp">
          <hostname>PRIMARY_HOSTNAME</hostname>
-         <port>587</port>
-         <socketType>STARTTLS</socketType>
+         <port>465</port>
+         <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
          <addThisServer>true</addThisServer>

conf/zpush/backend_imap.php

@@ -49,7 +49,7 @@ define('IMAP_FROM_LDAP_FULLNAME', '#givenname #sn');
 define('IMAP_SMTP_METHOD', 'sendmail');
 
 global $imap_smtp_params;
-$imap_smtp_params = array('host' => 'ssl://127.0.0.1', 'port' => 587, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
+$imap_smtp_params = array('host' => 'ssl://127.0.0.1', 'port' => 465, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
 
 define('MAIL_MIMEPART_CRLF', "\r\n");
 define('IMAP_MEETING_USE_CALDAV', true);

management/status_checks.py

@@ -34,6 +34,7 @@ def get_services():
 		{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
 		{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
 		{ "name": "Incoming Mail (SMTP/postfix)", "port": 25, "public": True, },
+		{ "name": "Outgoing Mail (SMTP 465/postfix)", "port": 465, "public": True, },
 		{ "name": "Outgoing Mail (SMTP 587/postfix)", "port": 587, "public": True, },
 		#{ "name": "Postfix/master", "port": 10587, "public": True, },
 		{ "name": "IMAPS (dovecot)", "port": 993, "public": True, },

management/templates/mail-guide.html

@@ -30,8 +30,8 @@
 					<tr><th>Mail server</th> <td>{{hostname}}</td>
 					<tr><th>IMAP Port</th> <td>993</td></tr>
 					<tr><th>IMAP Security</th> <td>SSL or TLS</td></tr>
-					<tr><th>SMTP Port</th> <td>587</td></tr>
-					<tr><th>SMTP Security</td> <td>STARTTLS <small>(&ldquo;always&rdquo; or &ldquo;required&rdquo;, if prompted)</small></td></tr>
+					<tr><th>SMTP Port</th> <td>465</td></tr>
+					<tr><th>SMTP Security</td> <td>SSL or TLS</td></tr>
 					<tr><th>Username:</th> <td>Your whole email address.</td></tr>
 					<tr><th>Password:</th> <td>Your mail password.</td></tr>
 					</table>

security.md

@@ -32,7 +32,7 @@ The box's administrator and its (non-administrative) mail users must sometimes c
 
 These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security):
 
-* SMTP Submission (port 587). Mail users submit outbound mail through SMTP with STARTTLS on port 587.
+* SMTP Submission (ports 465/587). Mail users submit outbound mail through SMTP with TLS (port 465) or STARTTLS (port 587).
 * IMAP/POP (ports 993, 995). Mail users check for incoming mail through IMAP or POP over TLS.
 * HTTPS (port 443). Webmail, the Exchange/ActiveSync protocol, the administrative control panel, and any static hosted websites are accessed over HTTPS.
 
@@ -44,7 +44,7 @@ The services all follow these rules:
 
 Additionally:
 
-* SMTP Submission (port 587) will not accept user credentials without STARTTLS (true also of SMTP on port 25 in case of client misconfiguration), and the submission port won't accept mail without encryption. The minimum cipher key length is 128 bits. (The box is of course configured not to be an open relay. User credentials are required to send outbound mail.) ([source](setup/mail-postfix.sh))
+* SMTP Submission on port 587 will not accept user credentials without STARTTLS (true also of SMTP on port 25 in case of client misconfiguration), and the submission port won't accept mail without encryption. The minimum cipher key length is 128 bits. (The box is of course configured not to be an open relay. User credentials are required to send outbound mail.) ([source](setup/mail-postfix.sh))
 * HTTPS (port 443): The HTTPS Strict Transport Security header is set. A redirect from HTTP to HTTPS is offered. The [Qualys SSL Labs test](https://www.ssllabs.com/ssltest) should report an A+ grade. ([source 1](conf/nginx-ssl.conf), [source 2](conf/nginx.conf))
 
 ### Password Storage

setup/mail-postfix.sh

@@ -17,7 +17,7 @@
 # LMTP. Spamassassin then passes mail over to Dovecot for
 # storage in the user's mailbox.
 #
-# Postfix also listens on port 587 (SMTP+STARTLS) for
+# Postfix also listens on ports 465/587 (SMTPS, SMTP+STARTLS) for
 # connections from users who can authenticate and then sends
 # their email out to the outside world. Postfix queries Dovecot
 # to authenticate users.
@@ -71,7 +71,7 @@ tools/editconf.py /etc/postfix/main.cf \
 
 # ### Outgoing Mail
 
-# Enable the 'submission' port 587 smtpd server and tweak its settings.
+# Enable the 'submission' ports 465 and 587 and tweak their settings.
 #
 # * Enable authentication. It's disabled globally so that it is disabled on port 25,
 #   so we need to explicitly enable it here.
@@ -80,13 +80,19 @@ tools/editconf.py /etc/postfix/main.cf \
 #   OpenDKIM milter only. See dkim.sh.
 # * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
 #   send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
-#   Setting smtpd_tls_security_level=encrypt also triggers the use of the 'mandatory' settings below.
+#   Setting smtpd_tls_security_level=encrypt also triggers the use of the 'mandatory' settings below (but this is ignored with smtpd_tls_wrappermode=yes.)
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
 # * Add a new cleanup service specific to the submission service ('authclean')
 #   that filters out privacy-sensitive headers on mail being sent out by
 #   authenticated users.  By default Postfix also applies this to attached
 #   emails but we turn this off by setting nested_header_checks empty.
 tools/editconf.py /etc/postfix/master.cf -s -w \
+	"smtps=inet n       -       -       -       -       smtpd
+	  -o smtpd_tls_wrappermode=yes
+	  -o smtpd_sasl_auth_enable=yes
+	  -o syslog_name=postfix/submission
+	  -o smtpd_milters=inet:127.0.0.1:8891
+	  -o cleanup_service_name=authclean" \
 	"submission=inet n       -       -       -       -       smtpd
 	  -o smtpd_sasl_auth_enable=yes
 	  -o syslog_name=postfix/submission
@@ -100,14 +106,14 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 # Install the `outgoing_mail_header_filters` file required by the new 'authclean' service.
 cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_filters
 
-# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip 
+# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip
 # on the first received header line.  This may help reduce the spam score of email by
 # removing the 127.0.0.1 reference.
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /etc/postfix/outgoing_mail_header_filters
 sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 
 # Enable TLS on incoming connections. It is not required on port 25, allowing for opportunistic
-# encryption. On port 587 it is mandatory (see above). Shared and non-shared settings are
+# encryption. On ports 465 and 587 it is mandatory (see above). Shared and non-shared settings are
 # given here. Shared settings include:
 # * Require TLS before a user is allowed to authenticate.
 # * Set the path to the server TLS certificate and 2048-bit DH parameters for old DH ciphers.
@@ -117,9 +123,6 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 #   won't fall back to cleartext. So we don't disable too much. smtpd_tls_exclude_ciphers applies to
 #   both port 25 and port 587, but because we override the cipher list for both, it probably isn't used.
 #   Use Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
-# For port 587 (via the 'mandatory' settings):
-# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
-#   using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_security_level=may\
 	smtpd_tls_auth_only=yes \
@@ -130,18 +133,23 @@ tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_ciphers=medium \
 	tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
 	smtpd_tls_exclude_ciphers=aNULL,RC4 \
+	tls_preempt_cipherlist=no \
+	smtpd_tls_received_header=yes
+
+# For ports 465/587 (via the 'mandatory' settings):
+# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
+#   using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
+tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
 	smtpd_tls_mandatory_ciphers=high \
 	tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \
-	smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 \
-	tls_preempt_cipherlist=no \
-	smtpd_tls_received_header=yes
+	smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4
 
 # Prevent non-authenticated users from sending mail that requires being
 # relayed elsewhere. We don't want to be an "open relay". On outbound
 # mail, require one of:
 #
-# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587).
+# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 465/587).
 # * `permit_mynetworks`: Mail that originates locally.
 # * `reject_unauth_destination`: No one else. (Permits mail whose destination is local and rejects other mail.)
 tools/editconf.py /etc/postfix/main.cf \
@@ -263,6 +271,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # Allow the two SMTP ports in the firewall.
 
 ufw_allow smtp
+ufw_allow smtps
 ufw_allow submission
 
 # Restart services

setup/ssl.sh

@@ -10,7 +10,7 @@
 #
 #  * DNSSEC DANE TLSA records
 #  * IMAP
-#  * SMTP (opportunistic TLS for port 25 and submission on port 587)
+#  * SMTP (opportunistic TLS for port 25 and submission on ports 465/587)
 #  * HTTPS
 #
 # The certificate is created with its CN set to the PRIMARY_HOSTNAME. It is
@@ -19,7 +19,7 @@
 #
 # The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
 # Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
-# provides Perfect Forward Secrecy. 
+# provides Perfect Forward Secrecy.
 
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars

tests/test_mail.py

@@ -41,9 +41,8 @@ This is a test message. It should be automatically deleted by the test script.""
 	)
 
 # Connect to the server on the SMTP submission TLS port.
-server = smtplib.SMTP(host, 587)
+server = smtplib.SMTP_SSL(host)
 #server.set_debuglevel(1)
-server.starttls()
 
 # Verify that the EHLO name matches the server's reverse DNS.
 ipaddr = socket.gethostbyname(host) # IPv4 only!