Enable SMTPS per RFC 8314

[almereyda]

Impacted versions

all

Steps to reproduce

1. Read RFC 8314
2. Find the unconfigured SMTPS port in

   modoboa-installer/modoboa_installer/scripts/files/postfix/master.cf.tpl

   Lines 30 to 40 in d05618e

   	#smtps inet n - - - - smtpd
   	# -o syslog_name=postfix/smtps
   	# -o smtpd_tls_wrappermode=yes
   	# -o smtpd_sasl_auth_enable=yes
   	# -o smtpd_reject_unlisted_recipient=no
   	# -o smtpd_client_restrictions=$mua_client_restrictions
   	# -o smtpd_helo_restrictions=$mua_helo_restrictions
   	# -o smtpd_sender_restrictions=$mua_sender_restrictions
   	# -o smtpd_recipient_restrictions=
   	# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   	# -o milter_macro_daemon_name=ORIGINATING

Expected behavior

master.cf

26,28c26,28
<   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
<   -o smtpd_helo_restrictions=
<   -o smtpd_sender_restrictions=reject_sender_login_mismatch
---
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
31,38c31,39
< #smtps     inet  n       -       -       -       -       smtpd
< #  -o syslog_name=postfix/smtps
< #  -o smtpd_tls_wrappermode=yes
< #  -o smtpd_sasl_auth_enable=yes
< #  -o smtpd_reject_unlisted_recipient=no
< #  -o smtpd_client_restrictions=$mua_client_restrictions
< #  -o smtpd_helo_restrictions=$mua_helo_restrictions
< #  -o smtpd_sender_restrictions=$mua_sender_restrictions
---
> smtps     inet  n       -       -       -       -       smtpd
>   -o syslog_name=postfix/smtps
>   -o tls_preempt_cipherlist=yes
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
41c42,43
< #  -o milter_macro_daemon_name=ORIGINATING
---
>   -o milter_macro_daemon_name=ORIGINATING
>   -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
153c155
<         -o local_header_rewrite_clients=
---
>         -o local_header_rewrite_clients=permit_mynetworks,permit_sasl_authenticated

main.cf, between ## Recipient restriction rules and ## Postscreen settings

# Sender restriction rules
smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname

# Relay restriction rules
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# Custom restriction classes
smtpd_restriction_classes =
    mua_sender_restrictions
    mua_client_restrictions
    mua_helo_restrictions

mua_client_restrictions =
    permit_sasl_authenticated
    reject

mua_sender_restrictions =
    permit_sasl_authenticated
    reject_sender_login_mismatch

mua_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
#    reject_non_fqdn_hostname

We're running this configuration quite stable since a few years. It has not been audited for security.

Also note the commented reject_non_fqdn_hostname rule, which hasn't affected us badly, yet. Also smtpd_recipient_restrictions and smtpd_relay_restrictions from the commented smtps part in master.cf remain untouched, to mirror the given submission configuration.

There's more discussion in the thread at https://discord.com/channels/930814728928895078/1203376038793584720

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[almereyda]

RFC 8314 has not been superseded.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[almereyda]

This is now the default and won't go away to soon.

[phizev]

@almereyda I tried to view the related discord discussion mentioned in your original issue, it appears to be gone, is there a back up, or reference elsewhere?

[almereyda]

In section "3.3. Implicit TLS for SMTP Submission" from RFC 8314 from 2018 it is the recommendation to transition to implicit TLS on the SMTPS / submission port:

The STARTTLS mechanism on port 587 is relatively widely deployed due
to the situation with port 465 (discussed in Section 7.3). This
differs from IMAP and POP services where Implicit TLS is more widely
deployed on servers than STARTTLS. It is desirable to migrate core
protocols used by MUA software to Implicit TLS over time, for
consistency as well as for the additional reasons discussed in
Appendix A.

The linked sections provide further details about the rationale behind this explicit port registration at the IANA for implicit TLS for SMTP.

This clears the double registration of the port 465 with TCP at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=465, once for urd, the " URL Rendezvous Directory for SSM", and once for submissions, the "Message Submission over TLS protocol"