[heroes] TLS for wiki notifications
It appears the new wiki is not using TLS to send out notifications.

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
Hello,

On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.

Now the question (to the other heroes) is: how do we want to handle outgoing mails?
- should each VM send out mails, or do we have/want/need (pick one!) a gateway for outgoing mails? [1]
- what about SSL certificates?

Regards,

Christian Boltz

[1] I vaguely remember having heard something about an outgoing mail gateway, but I don't remember any details.

--
Hit them. Sue them. E.g. rat them out to c't, so that from then on the sparrows whistle it from the rooftops what kind of duds the people at $Firma are. *scnr* [David Haller in suse-linux]
Hi

On Wed, 26 Jul 2017 21:41:47 +0200 Christian Boltz wrote:
Now the question (to the other heroes) is: how do we want to handle outgoing mails?
- should each VM send out mails, or do we have/want/need (pick one!) a gateway for outgoing mails? [1]
- what about SSL certificates?
I would recommend defining a relay machine that handles:
* mails from the machines to the outside
* acts as incoming machine for specific external hosts (especially mx{1,2}.suse.de)
* runs a basic spam filter

As this is needed for lists.opensuse.org anyway, there is already a slightly related ticket for it:
https://progress.opensuse.org/issues/20794
^^ => leaving it up to Theo to work this out :-)

Regards,
Lars
On Thu, Jul 27, 2017 at 11:47:24AM +0200, Lars Vogdt wrote:
Hi
On Wed, 26 Jul 2017 21:41:47 +0200 Christian Boltz wrote:
Now the question (to the other heroes) is: how do we want to handle outgoing mails?
- should each VM send out mails, or do we have/want/need (pick one!) a gateway for outgoing mails? [1]
- what about SSL certificates?
I would recommend defining a relay machine that handles:
* mails from the machines to the outside
* acts as incoming machine for specific external hosts (especially mx{1,2}.suse.de)
* runs a basic spam filter
As this is needed for lists.opensuse.org anyway, there is already a slightly related ticket for it: https://progress.opensuse.org/issues/20794
^^ => leaving it up to Theo to work this out :-)
Fully agree. Till this gets implemented, we can add the wildcard keys on the wiki machine to stop sending unencrypted mails.
--
Theo Chatzimichos
On Thu, 27 Jul 2017 12:02:21 +0200 Theo Chatzimichos wrote:
Fully agree. Till this gets implemented, we can add the wildcard keys on the wiki machine to stop sending unencrypted mails
You can even use Let's Encrypt certificates (as I do on status.opensuse.org already). This way you make sure that a wildcard certificate will not be misused somehow (even if it's just a matter of time until Let's Encrypt allows wildcard certs, too).

Regards,
Lars
Christian Boltz wrote:
Hello,
On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.
It doesn't need certificates for sending, just enable TLS:

smtp_tls_security_level = may

--
Per Jessen, Zürich (22.8°C)
openSUSE mailing list admin
Hello,

On Tuesday, 1 August 2017, 19:04:11 CEST, Per Jessen wrote:
Christian Boltz wrote:
On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.
It doesn't need certificates for sending, just enable TLS :
smtp_tls_security_level = may
Indeed, you are right :-) - thanks for the hint!

Adding this config option and enabling tlsmgr in master.cf did the trick. Wiki notifications now get sent over an encrypted connection whenever possible.

I just checked the postfix package in Tumbleweed - tlsmgr is now enabled by default, but it looks like smtp_tls_security_level isn't set, which means it falls back to smtp_use_tls = no :-(

BTW: I also set myhostname = en.opensuse.org because "localhost" looks too spammy ;-)

Regards,

Christian Boltz

--
All distributions suck - the pain is just *different*.
For some it's Linux, for others it's the most flexible pain construction kit in the world.
[> G. Doering + Oli Schad]
Christian Boltz wrote:
Hello,
On Tuesday, 1 August 2017, 19:04:11 CEST, Per Jessen wrote:
Christian Boltz wrote:
On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.
It doesn't need certificates for sending, just enable TLS :
smtp_tls_security_level = may
Indeed, you are right :-) - thanks for the hint!
Adding this config option and enabling tlsmgr in master.cf did the trick. Wiki notifications now get sent over an encrypted connection whenever possible.
I just checked the postfix package in Tumbleweed - tlsmgr is now enabled by default, but it looks like smtp_tls_security_level isn't set, which means it falls back to smtp_use_tls = no :-(
In principle TLS means more overhead, but I can't imagine it's a real problem on today's machines. Still, it's a matter for the postmaster; I wouldn't expect it to be enabled by default.
BTW: I also set myhostname = en.opensuse.org because "localhost" looks too spammy ;-)
It's probably not really important, but as a mailserver, the IP (195.135.221.161) ought to have a reverse mapping that matches.

--
Per Jessen, Zürich (21.0°C)
openSUSE mailing list admin
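As an added example (not code from this thread or from the openSUSE infrastructure), the following Python script audits a Postfix setup for exactly the points raised above: it parses main.cf and master.cf text, resolves the effective client TLS mode including the fallback to the obsolete smtp_use_tls that Christian observed on Tumbleweed, checks that the tlsmgr service is active in master.cf and that myhostname is not "localhost", and confirms from Postfix log lines that outgoing sessions are actually being encrypted. The config snippets, host names, IP addresses and the log line are constructed placeholders.

```python
"""Audit a Postfix configuration for outbound (SMTP client) TLS.

Added example, not the wiki VM's configuration. Sample input is constructed.
"""
import re

# Client security levels documented by Postfix and what they mean for outgoing mail.
TLS_LEVELS = {
    "none": "disabled", "may": "opportunistic", "encrypt": "mandatory",
    "dane": "mandatory", "dane-only": "mandatory", "fingerprint": "mandatory",
    "verify": "mandatory", "secure": "mandatory",
}

# Format of the line the Postfix SMTP client logs for every TLS session it sets up.
TLS_SESSION_RE = re.compile(
    r"(Trusted|Untrusted|Verified|Anonymous) TLS connection established to "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text.

    Comment and blank lines are skipped; a line starting with whitespace
    continues the previous parameter's value, as Postfix does.
    """
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter assignment
        current = key.strip()
        params[current] = value.strip()
    return params


def tlsmgr_enabled(master_cf):
    """True if master.cf has an active (uncommented) tlsmgr unix service entry."""
    for line in master_cf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "tlsmgr" and fields[1] == "unix":
            return True
    return False


def outbound_tls_mode(params):
    """Effective SMTP client TLS mode.

    A non-empty smtp_tls_security_level wins; when it is empty (the default),
    Postfix falls back to the obsolete smtp_enforce_tls / smtp_use_tls booleans,
    which default to "no", i.e. plaintext only.
    """
    level = params.get("smtp_tls_security_level", "")
    if level:
        return TLS_LEVELS.get(level, "unknown")
    if params.get("smtp_enforce_tls", "no").lower() == "yes":
        return "mandatory"
    if params.get("smtp_use_tls", "no").lower() == "yes":
        return "opportunistic"
    return "disabled"


def tls_sessions(log_text):
    """Map destination host -> (trust level, protocol, cipher) for each logged TLS session."""
    sessions = {}
    for line in log_text.splitlines():
        m = TLS_SESSION_RE.search(line)
        if m:
            sessions[m.group("host")] = (m.group(1), m.group("proto"), m.group("cipher"))
    return sessions


def audit(main_cf, master_cf):
    """Return a list of findings; an empty list means the checks from the thread pass."""
    params, findings = parse_main_cf(main_cf), []
    mode = outbound_tls_mode(params)
    if mode == "disabled":
        findings.append("outbound TLS disabled: set smtp_tls_security_level = may (or encrypt)")
    elif mode == "unknown":
        findings.append("unrecognised smtp_tls_security_level value")
    if mode != "disabled" and not tlsmgr_enabled(master_cf):
        findings.append("tlsmgr not enabled in master.cf: no TLS sessions can be set up")
    hostname = params.get("myhostname", "")
    if not hostname or hostname.startswith("localhost"):
        findings.append("myhostname unset or localhost: use the name the sending IP's reverse DNS resolves to")
    return findings


# Constructed samples: Postfix-style defaults ("before") and the settings from the thread ("after").
WEAK_MAIN_CF = "myhostname = localhost\n# smtp_tls_security_level =\n"
WEAK_MASTER_CF = "smtp      inet  n       -       n       -       -       smtpd\n#tlsmgr    unix  -       -       n       1000?   1       tlsmgr\n"
FIXED_MAIN_CF = "myhostname = en.opensuse.org\nsmtp_tls_security_level = may\n"
FIXED_MASTER_CF = "smtp      inet  n       -       n       -       -       smtpd\ntlsmgr    unix  -       -       n       1000?   1       tlsmgr\n"
# Constructed log line (placeholder host/IP) in the form Postfix uses for opportunistic TLS.
SAMPLE_LOG = ("Aug  1 19:30:01 wiki postfix/smtp[4242]: Untrusted TLS connection established to "
              "mx1.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\n")

if __name__ == "__main__":
    print("weak :", audit(WEAK_MAIN_CF, WEAK_MASTER_CF))
    print("fixed:", audit(FIXED_MAIN_CF, FIXED_MASTER_CF))
    print("sessions:", tls_sessions(SAMPLE_LOG))
```

With `smtp_tls_security_level = may` Postfix encrypts whenever the remote MX offers STARTTLS but does not verify its certificate, which is why the log reports "Untrusted TLS connection established": that protects the notification mails against passive eavesdropping only, and a remote that offers no STARTTLS still gets plaintext. Stronger levels (encrypt, verify, secure, dane) are the knobs to turn once a central relay exists, at the price of deferring mail to hosts that fail the check.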