[heroes] TLS for wiki notifications
It appears the new wiki is not using TLS to send out notifications.

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
Hello,

On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.

Now the question (to the other heroes) is: how do we want to handle outgoing mails?
- should each VM send out mails, or do we have/want/need (pick one!) a gateway for outgoing mails? [1]
- what about SSL certificates?

Regards,
Christian Boltz

[1] I vaguely remember having heard something about an outgoing mail gateway, but I don't remember any details.

--
Hit them. Sue them. For instance, rat them out to c't, so that from then on the sparrows whistle it from the rooftops what a bunch of duds those people at $Firma are. *scnr*
[David Haller in suse-linux]
Hi

On Wed, 26 Jul 2017 21:41:47 +0200 Christian Boltz wrote:
Now the question (to the other heroes) is: how do we want to handle outgoing mails?
- should each VM send out mails, or do we have/want/need (pick one!) a gateway for outgoing mails? [1]
- what about SSL certificates?
I would recommend defining a relay machine that handles:
* mails from the machines to the outside
* acts as incoming machine for specific external hosts (especially mx{1,2}.suse.de)
* runs a basic spam filter

As this is needed for lists.opensuse.org anyway, there is already a slightly related ticket for it: https://progress.opensuse.org/issues/20794

^^ => leaving it up to Theo to work this out :-)

Regards,
Lars
On Thu, Jul 27, 2017 at 11:47:24AM +0200, Lars Vogdt wrote:
Hi
On Wed, 26 Jul 2017 21:41:47 +0200 Christian Boltz wrote:
Now the question (to the other heroes) is: how do we want to handle outgoing mails?
- should each VM send out mails, or do we have/want/need (pick one!) a gateway for outgoing mails? [1]
- what about SSL certificates?

I would recommend defining a relay machine that handles:
* mails from the machines to the outside
* acts as incoming machine for specific external hosts (especially mx{1,2}.suse.de)
* runs a basic spam filter
As this is needed for lists.opensuse.org anyway, there is already a slightly related ticket for it: https://progress.opensuse.org/issues/20794
^^ => leaving it up to Theo to work this out :-)
Fully agree. Till this gets implemented, we can add the wildcard keys on the wiki machine to stop sending unencrypted mails.

--
Theo Chatzimichos <tampakrap@opensuse.org> <tchatzimichos@suse.com>
System Administrator
SUSE Operations and Services Team
On Thu, 27 Jul 2017 12:02:21 +0200 Theo Chatzimichos <tampakrap@opensuse.org> wrote:
Fully agree. Till this gets implemented, we can add the wildcard keys on the wiki machine to stop sending unencrypted mails
You can even use Let's Encrypt certificates (as I do on status.opensuse.org already). This way you make sure that a wildcard certificate will not be misused somehow (even if it's just a matter of time until Let's Encrypt allows wildcard certs, too).

Regards,
Lars
Christian Boltz wrote:
Hello,
On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.
It doesn't need certificates for sending, just enable TLS:

smtp_tls_security_level = may

--
Per Jessen, Zürich (22.8°C)
openSUSE mailing list admin
Hello,

On Tuesday, 1 August 2017, 19:04:11 CEST, Per Jessen wrote:
Christian Boltz wrote:
On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.
It doesn't need certificates for sending, just enable TLS:
smtp_tls_security_level = may
Indeed, you are right :-) - thanks for the hint!

Adding this config option and enabling tlsmgr in master.cf did the trick. Wiki notifications now get sent over an encrypted connection whenever possible.

I just checked the postfix package in Tumbleweed - tlsmgr is now enabled by default, but it looks like smtp_tls_security_level isn't set, which means it falls back to smtp_use_tls = no :-(

BTW: I also set myhostname = en.opensuse.org because "localhost" looks too spammy ;-)

Regards,
Christian Boltz

--
All distributions suck - the pain is just *different*.
For some it is Linux, for others it is the most flexible pain construction kit in the world.
[> G. Doering + Oli Schad]
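The three settings Christian touched (an empty smtp_tls_security_level falling back to smtp_use_tls = no, the tlsmgr service in master.cf, and myhostname) are easy to check mechanically before and after a change. The following Python script is an added example, not code from the thread or from openSUSE's infrastructure: it reads the text of `postconf -n` and of master.cf and reports which of those three points is still in the "plaintext" state. The two sample inputs are constructed to mirror the state described in the thread, not copied from the wiki VM.

```python
"""Audit a Postfix host for the outbound-TLS points raised in this thread.

Added example, not taken from the thread or from openSUSE's configuration.
Inputs are the text of `postconf -n` and of master.cf; the samples below are
constructed and stand in for the state of the wiki VM before and after the fix.
"""

# Constructed `postconf -n` output: no TLS level set, hostname still "localhost".
SAMPLE_POSTCONF_N = """\
inet_interfaces = loopback-only
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = localhost
relayhost =
smtp_tls_security_level =
"""

# Constructed master.cf excerpt with the tlsmgr service commented out.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
#tlsmgr    unix  -       -       n       1000?   1       tlsmgr
smtp      unix  -       -       n       -       -       smtp
"""

# The same two files after applying the changes described in the thread.
SAMPLE_POSTCONF_N_FIXED = SAMPLE_POSTCONF_N.replace(
    "myhostname = localhost", "myhostname = en.opensuse.org"
).replace("smtp_tls_security_level =", "smtp_tls_security_level = may")
SAMPLE_MASTER_CF_FIXED = SAMPLE_MASTER_CF.replace("#tlsmgr", "tlsmgr")


def parse_postconf(text):
    """Map `key = value` lines to a dict; an absent key keeps its Postfix default."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def tlsmgr_enabled(master_cf):
    """True if master.cf contains an uncommented service line for tlsmgr."""
    for line in master_cf.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[0] == "tlsmgr" and fields[7] == "tlsmgr":
            return True
    return False


def audit_outbound_tls(postconf_n, master_cf):
    """Return a list of findings; an empty list means all checked settings are fine."""
    conf = parse_postconf(postconf_n)
    findings = []

    # Postfix honours smtp_tls_security_level when it is non-empty; when it is
    # empty, the legacy smtp_use_tls (default "no") decides, i.e. no TLS at all.
    level = conf.get("smtp_tls_security_level", "")
    if level == "":
        legacy = conf.get("smtp_use_tls", "no")
        if legacy != "yes":
            findings.append(
                "smtp_tls_security_level is empty and smtp_use_tls=%s: "
                "outbound mail is sent in plaintext" % legacy)
    elif level == "none":
        findings.append("smtp_tls_security_level=none: outbound TLS disabled")

    # The TLS client relies on the tlsmgr service (session cache and PRNG
    # seeding); the thread reports enabling it was part of the fix.
    if not tlsmgr_enabled(master_cf):
        findings.append("tlsmgr service is not enabled in master.cf")

    # "localhost" in HELO/EHLO looks like a misconfigured or spam host.
    hostname = conf.get("myhostname", "")
    if hostname in ("", "localhost") or "." not in hostname:
        findings.append("myhostname=%r is not a fully qualified host name" % hostname)

    return findings


if __name__ == "__main__":
    for name, (conf, master) in {
        "before": (SAMPLE_POSTCONF_N, SAMPLE_MASTER_CF),
        "after": (SAMPLE_POSTCONF_N_FIXED, SAMPLE_MASTER_CF_FIXED),
    }.items():
        print(name, audit_outbound_tls(conf, master) or ["ok"])
```

On a real host the inputs would come from `postconf -n` and `/etc/postfix/master.cf`; the script deliberately reads `postconf -n` rather than main.cf so that settings inherited from a distribution default (the Tumbleweed case above) are judged the same way Postfix itself resolves them.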
Christian Boltz wrote:
Hello,
On Tuesday, 1 August 2017, 19:04:11 CEST, Per Jessen wrote:
Christian Boltz wrote:
On Wednesday, 26 July 2017, 17:51:24 CEST, PatrickD Garvey wrote:
It appears the new wiki is not using TLS to send out notifications.
Right, the wiki VM uses a very basic Postfix setup to send out mails, which also means it doesn't have any certificates.
It doesn't need certificates for sending, just enable TLS:
smtp_tls_security_level = may
Indeed, you are right :-) - thanks for the hint!
Adding this config option and enabling tlsmgr in master.cf did the trick. Wiki notifications now get sent over an encrypted connection whenever possible.
I just checked the postfix package in Tumbleweed - tlsmgr is now enabled by default, but it looks like smtp_tls_security_level isn't set, which means it falls back to smtp_use_tls = no :-(
In principle TLS means more overhead, but I can't imagine it's a real problem on today's machines. Still, it's a matter for the postmaster, I wouldn't expect it to be enabled by default.
BTW: I also set myhostname = en.opensuse.org because "localhost" looks too spammy ;-)
It's probably not really important, but as a mailserver, the IP (195.135.221.161) ought to have a reverse mapping that matches.

--
Per Jessen, Zürich (21.0°C)
openSUSE mailing list admin
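"Whenever possible" is the important caveat in Christian's report: with smtp_tls_security_level = may the Postfix smtp client falls back to plaintext whenever the remote MX offers no STARTTLS, and nothing in the configuration tells you which deliveries that affected. The mail log does, provided smtp_tls_loglevel is at least 1. The Python script below is an added example, not code from the thread, that correlates the "TLS connection established" line an smtp(8) process logs with the delivery line it logs under the same PID and lists the deliveries that went out unencrypted. The log lines are constructed samples in Postfix's syslog format, not taken from the wiki VM, and the PID-based correlation is an assumption about how the two lines relate, stated in the code.

```python
"""Find outbound Postfix deliveries that went out without TLS.

Added example, not from the thread.  With smtp_tls_security_level = may the
smtp client silently falls back to plaintext when the remote MX offers no
STARTTLS, so the mail log is where you verify what actually happened.  Assumes
smtp_tls_loglevel is at least 1, which makes Postfix log one
"... TLS connection established to host[addr]:port ..." line per TLS session.
The log lines below are constructed samples in Postfix's syslog format.
"""
import re

SAMPLE_LOG = """\
Aug  1 19:30:01 wiki postfix/smtp[4711]: Untrusted TLS connection established to mx1.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 19:30:01 wiki postfix/smtp[4711]: 3A1B2C3D4E: to=<alice@example.org>, relay=mx1.example.org[192.0.2.10]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 91F3A)
Aug  1 19:30:05 wiki postfix/smtp[4712]: 5F6A7B8C9D: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 OK id=abc)
Aug  1 19:30:09 wiki postfix/smtp[4713]: Trusted TLS connection established to mx2.example.org[192.0.2.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug  1 19:30:09 wiki postfix/smtp[4713]: 0E1F2A3B4C: to=<carol@example.org>, relay=mx2.example.org[192.0.2.11]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 91F3B)
Aug  1 19:30:12 wiki postfix/smtp[4714]: 7A8B9C0D1E: to=<dave@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.5]:25: Connection timed out)
"""

TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[")
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<queue>\w+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\[\s,]+).*status=(?P<status>\w+)")


def classify_deliveries(log_text):
    """Return one dict per status=sent delivery, with encrypted=True/False."""
    # Each smtp(8) process logs its TLS handshake and then the delivery it
    # made over that connection under the same PID; remember the most recent
    # handshake per PID and consume it when the delivery line arrives.
    tls_by_pid = {}
    results = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_by_pid[m.group("pid")] = (m.group("host"), m.group("trust"))
            continue
        m = DELIVERY_RE.search(line)
        if not m or m.group("status") != "sent":
            continue
        # Assumption: a delivery counts as encrypted only when the same process
        # logged a handshake to the same relay host since its last delivery.
        tls = tls_by_pid.pop(m.group("pid"), None)
        encrypted = tls is not None and tls[0] == m.group("host")
        results.append({
            "queue": m.group("queue"),
            "rcpt": m.group("rcpt"),
            "relay": m.group("host"),
            "encrypted": encrypted,
            "trust": tls[1] if encrypted else None,
        })
    return results


def plaintext_deliveries(log_text):
    """Deliveries that left the host unencrypted; these are the ones to alert on."""
    return [r for r in classify_deliveries(log_text) if not r["encrypted"]]


if __name__ == "__main__":
    for r in classify_deliveries(SAMPLE_LOG):
        print("%s -> %s via %s: %s" % (
            r["queue"], r["rcpt"], r["relay"],
            "TLS (%s)" % r["trust"] if r["encrypted"] else "PLAINTEXT"))
```

Run against the real mail log this gives a per-destination picture of which receiving MXs do not offer STARTTLS; a destination that consistently shows up as plaintext is a candidate for a per-destination stronger policy via smtp_tls_policy_maps, while "Untrusted" versus "Trusted" shows whether the remote certificate chained to a CA in smtp_tls_CAfile, which is a separate question from whether the session was encrypted at all.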
participants (6)
- Christian Boltz
- Lars Vogdt
- Lars Vogdt
- PatrickD Garvey
- Per Jessen
- Theo Chatzimichos