From 726afb8b95f7759724c487f1163d582119333332 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 17 Oct 2014 15:28:32 -0400 Subject: [PATCH 01/20] Install CAfile on config generation. --- MTAConfigGenerator.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index a733ab27a..051d9676d 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -28,11 +28,16 @@ class PostfixConfigGenerator(MTAConfigGenerator): def __init__(self, policy_config, postfix_dir, fixup=False): self.fixup = fixup self.postfix_dir = postfix_dir - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - MTAConfigGenerator.__init__(self, policy_config) self.postfix_cf_file = self.find_postfix_cf() + if not os.access(self.postfix_cf_file, os.W_OK): + raise Exception("Can't write to %s, please re-run as root." + % self.postfix_cf_file) + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") + MTAConfigGenerator.__init__(self, policy_config) self.wrangle_existing_config() self.set_domainwise_tls_policies() + self.update_CAfile() os.system("sudo service postfix reload") def ensure_cf_var(self, var, ideal, also_acceptable): @@ -49,7 +54,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): values = map(parse_line, l) if len(set(values)) > 1: if self.fixup: - #print "Scheduling deletions:" + `values` conflicting_lines = [num for num,_var,val in values] self.deletions.extend(conflicting_lines) self.additions.append(var + " = " + ideal) @@ -57,7 +61,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): raise ExistingConfigError, "Conflicting existing config values " + `l` val = values[0][2] if val not in acceptable: - #print "Scheduling deletions:" + `values` if self.fixup: self.deletions.append(values[0][0]) self.additions.append(var + " = " + ideal) @@ -86,6 +89,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): policy_cf_entry = "texthash:" + self.policy_file self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) self.maybe_add_config_lines() @@ -109,7 +113,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.new_cf += line self.new_cf += sep + new_cf_lines - #print self.new_cf f = open(self.fn, "w") f.write(self.new_cf) f.close() @@ -142,6 +145,10 @@ class PostfixConfigGenerator(MTAConfigGenerator): f.write("\n".join(self.policy_lines) + "\n") f.close() + def update_CAfile(self): + os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + + self.ca_file) + if __name__ == "__main__": import ConfigParser if len(sys.argv) != 3: @@ -150,3 +157,4 @@ if __name__ == "__main__": c = ConfigParser.Config(sys.argv[1]) postfix_dir = sys.argv[2] pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) + print "Done." From 1d47acddfdffe93f75c0d07ae0f127dd1693d984 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 17 Oct 2014 15:28:44 -0400 Subject: [PATCH 02/20] Remove extraneous print of config. --- ConfigParser.py | 1 - 1 file changed, 1 deletion(-) diff --git a/ConfigParser.py b/ConfigParser.py index 2d7c88ada..d1c413f74 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -90,7 +90,6 @@ class Config: # XXX is it ever permissible to have a domain with an acceptable-mx # that does not point to a TLS security policy? If not, check/warn/fail # here - print self.tls_policies def get_address_domains(self, mx_hostname): labels = mx_hostname.split(".") From 828c00b758063172990073bd4b667b61c1a30699 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 17 Oct 2014 15:28:49 -0400 Subject: [PATCH 03/20] Find deferred lines in log summary. Also add a cron mode that only emits output if there's something wrong. --- PostfixLogSummary.py | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 0348432b0..9b2f9c3b1 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -2,6 +2,7 @@ import re import sys import collections +import argparse import ConfigParser @@ -39,8 +40,8 @@ def get_counts(input, config): deferred = deferred_re.search(line) connected = connected_re.search(line) if connected: - validation = result.group(1) - mx_hostname = result.group(2).lower() + validation = connected.group(1) + mx_hostname = connected.group(2).lower() if validation == "Trusted" or validation == "Verified": seen_trusted = True address_domains = config.get_address_domains(mx_hostname) @@ -49,13 +50,13 @@ def get_counts(input, config): counts[d][validation] += 1 counts[d]["all"] += 1 elif deferred: - mx_hostname = result.group(1).lower() + mx_hostname = deferred.group(1).lower() tls_deferred[mx_hostname] += 1 if not seen_trusted: # Postfix will only emit 'Trusted' if the certificate validates according to # the set of trust roots (CA certs) configured in smtp_tls_CAfile. print "Didn't see any trusted connections. Need to install some trust roots?" - return (counts, tls_deferred) + return (counts, tls_deferred, seen_trusted) def print_summary(counts): for mx_hostname, validations in counts.items(): @@ -65,7 +66,19 @@ def print_summary(counts): print mx_hostname, validation, validation_count / validations["all"], "of", validations["all"] if __name__ == "__main__": + arg_parser = argparse.ArgumentParser(description='This is a PyMOTW sample program') + arg_parser.add_argument('-c', action="store_true", dest="cron", default=False) + args = arg_parser.parse_args() + config = ConfigParser.Config("starttls-everywhere.json") - (counts, tls_deferred) = get_counts(sys.stdin, config) - print_summary(counts) - print tls_deferred + (counts, tls_deferred, seen_trusted) = get_counts(sys.stdin, config) + + # If not running in cron, print an overall summary of log lines seen from known hosts. + if not args.cron: + print_summary(counts) + if not seen_trusted: + print 'No Trusted connections seen! Probably need to install a CAfile.' + + if len(tls_deferred) > 0: + print "Some mail was deferred due to TLS problems:" + print tls_deferred From f04e8259a9aef0e6547fe22884268581461512e2 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 20 Oct 2014 09:29:22 -0400 Subject: [PATCH 04/20] Protocols separated by colons, not commas. --- MTAConfigGenerator.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 051d9676d..5ca8f5aee 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -132,11 +132,11 @@ class PostfixConfigGenerator(MTAConfigGenerator): entry = address_domain + " encrypt" if "min-tls-version" in mx_policy: if mx_policy["min-tls-version"].lower() == "tlsv1": - entry += " protocols=!SSLv2,!SSLv3" + entry += " protocols=!SSLv2:!SSLv3" elif mx_policy["min-tls-version"].lower() == "tlsv1.1": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1" elif mx_policy["min-tls-version"].lower() == "tlsv1.2": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" else: print mx_policy["min-tls-version"] self.policy_lines.append(entry) From 613a8f5e8877878f3d0b169a045b0f6b2b31adec Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 20 Oct 2014 16:15:13 -0400 Subject: [PATCH 05/20] Improve cronjob operation to only process diffs. --- PostfixLogSummary.py | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 9b2f9c3b1..be130d958 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -1,11 +1,15 @@ #!/usr/bin/python2.7 +import argparse +import collections +import os import re import sys -import collections -import argparse +import time import ConfigParser +TIME_FORMAT = "%b %d %H:%M:%S" + # TODO: There's more to be learned from postfix logs! Here's one sample # observed during failures from the sender vagrant vm: @@ -22,7 +26,7 @@ import ConfigParser # # Also: # Oct 10 19:12:13 sender postfix/smtp[1711]: 62D3F481249: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.07, delays=0.03/0.01/0.03/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host valid-example-recipient.com[192.168.33.7]) -def get_counts(input, config): +def get_counts(input, config, earliest_timestamp): seen_trusted = False counts = collections.defaultdict(lambda: collections.defaultdict(int)) @@ -32,11 +36,15 @@ def get_counts(input, config): # indicate a problem that should be alerted on. # ([^[]*) <--- any group of characters that is not "[" # Log lines for when a message is deferred for a TLS-related reason. These - deferred_re = re.compile("relay=([^[]*).* status=deferred.*TLS") + deferred_re = re.compile("relay=([^[ ]*).* status=deferred.*TLS") # Log lines for when a TLS connection was successfully established. These can # indicate the difference between Untrusted, Trusted, and Verified certs. connected_re = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") + timestamp = 0 for line in sys.stdin: + timestamp = time.strptime(line[0:15], TIME_FORMAT) + if timestamp < earliest_timestamp: + continue deferred = deferred_re.search(line) connected = connected_re.search(line) if connected: @@ -52,11 +60,7 @@ def get_counts(input, config): elif deferred: mx_hostname = deferred.group(1).lower() tls_deferred[mx_hostname] += 1 - if not seen_trusted: - # Postfix will only emit 'Trusted' if the certificate validates according to - # the set of trust roots (CA certs) configured in smtp_tls_CAfile. - print "Didn't see any trusted connections. Need to install some trust roots?" - return (counts, tls_deferred, seen_trusted) + return (counts, tls_deferred, seen_trusted, timestamp) def print_summary(counts): for mx_hostname, validations in counts.items(): @@ -71,7 +75,14 @@ if __name__ == "__main__": args = arg_parser.parse_args() config = ConfigParser.Config("starttls-everywhere.json") - (counts, tls_deferred, seen_trusted) = get_counts(sys.stdin, config) + + last_timestamp_processed = 0 + timestamp_file = '/tmp/starttls-everywhere-last-timestamp-processed.txt' + if os.path.isfile(timestamp_file): + last_timestamp_processed = time.strptime(open(timestamp_file).read(), TIME_FORMAT) + (counts, tls_deferred, seen_trusted, latest_timestamp) = get_counts(sys.stdin, config, last_timestamp_processed) + with open(timestamp_file, "w") as f: + f.write(time.strftime(TIME_FORMAT, latest_timestamp)) # If not running in cron, print an overall summary of log lines seen from known hosts. if not args.cron: @@ -81,4 +92,5 @@ if __name__ == "__main__": if len(tls_deferred) > 0: print "Some mail was deferred due to TLS problems:" - print tls_deferred + for (k, v) in tls_deferred.iteritems(): + print "%s: %s" % (k, v) From 6db285882552e73e7ffcb6eff10293dbe0f48ce8 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 24 Feb 2016 18:19:47 -0800 Subject: [PATCH 06/20] Correct policy map delimitation --- MTAConfigGenerator.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 43dad5f37..ea4eeaa26 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -126,11 +126,11 @@ class PostfixConfigGenerator(MTAConfigGenerator): mx_policy = self.policy_config.get_tls_policy(mx_domain) entry = address_domain + " encrypt" if mx_policy.min_tls_version.lower() == "tlsv1": - entry += " protocols=!SSLv2,!SSLv3" + entry += " protocols=!SSLv2:!SSLv3" elif mx_policy.min_tls_version.lower() == "tlsv1.1": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1" elif mx_policy.min_tls_version.lower() == "tlsv1.2": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" else: print mx_policy.min_tls_version self.policy_lines.append(entry) From 6e2b6a081706ced2e6ca1ddbc7cd3556e141934f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 16:37:56 -0800 Subject: [PATCH 07/20] Update README --- README.md | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 288a6ea10..f244d91e6 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,36 @@ # STARTTLS Everywhere -NOTE: this is a pre-alpha codebase. Do not run it on non-experimental systems -yet! + +## Example usage + +**WARNING: this is a pre-alpha codebase. Do not run it on production +mailservers!!!** + + +If you have a Postfix server you're willing to endanger deliverability on, you +can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), not the directory it lives in below `/etc/letsencrypt/live` and then do: + +``` +git clone https://github.com/EFForg/starttls-everywhere +cd starttls-everywhere +# Promise you don't care if deliverability breaks on this mail server +letsencrypt-postfix/PostfixConfigGenerator.py examples/starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/YOUR.DOMAIN.EXAMPLE.COM +``` + +This will: +* Install the cert in Postfix +* Enforce mandatory TLS to some major email domains +* Enforce minimum TLS versions to some major email domains + +## Project status + +* Postfix configuration generation: working pre-alpha, not yet safe +* Email security database: working pre-alpha, definitely not yet safe +* Let's Encrypt client plugin: in progress ## Authors -Jacob Hoffman-Andrews , Peter Eckersley , Daniel Wilcox +Jacob Hoffman-Andrews , Peter Eckersley , Daniel Wilcox , Aaron Zauner ## Mailing List From 1210c04f147f6bf6f539ee0683f46af9c8939de1 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 16:38:55 -0800 Subject: [PATCH 08/20] tweak README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f244d91e6..8a4e04601 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ mailservers!!!** If you have a Postfix server you're willing to endanger deliverability on, you -can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), not the directory it lives in below `/etc/letsencrypt/live` and then do: +can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), note the directory it lives in below `/etc/letsencrypt/live` and then do: ``` git clone https://github.com/EFForg/starttls-everywhere @@ -26,7 +26,7 @@ This will: * Postfix configuration generation: working pre-alpha, not yet safe * Email security database: working pre-alpha, definitely not yet safe -* Let's Encrypt client plugin: in progress +* Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready ## Authors From 3a8e1d7a707a509022839fa31944b1daf8f4b2e6 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 16:40:03 -0800 Subject: [PATCH 09/20] Further status update --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8a4e04601..e0746c4a1 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,8 @@ This will: * Postfix configuration generation: working pre-alpha, not yet safe * Email security database: working pre-alpha, definitely not yet safe * Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready +* DANE support: none yet +* SMTP-STS integration: none yet ## Authors From a435036a1ecedcfe143d00f186dbf808e06d1983 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 19:03:47 -0800 Subject: [PATCH 10/20] Document MVP objectives --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index e0746c4a1..9f20c4457 100644 --- a/README.md +++ b/README.md @@ -24,11 +24,18 @@ This will: ## Project status +STARTTLS Everywhere development is re-starting after a hiatus. Initial +objectives: + * Postfix configuration generation: working pre-alpha, not yet safe * Email security database: working pre-alpha, definitely not yet safe * Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready * DANE support: none yet * SMTP-STS integration: none yet +* Direct mechanisms for mail domains to request inclusion: none yet +* Failure reporting mechanisms: early progress, not yet ready +* Mechanisms for secure mutli-organization signature on the policy database: + none yet ## Authors From b2977ad6a996aae6bf2cd1527098722286282b3e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 19:06:02 -0800 Subject: [PATCH 11/20] Documentation details --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f20c4457..008907baf 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,8 @@ letsencrypt-postfix/PostfixConfigGenerator.py examples/starttls-everywhere.json ``` This will: -* Install the cert in Postfix +* Ensure your mail server initiates STARTTLS encryption +* Install the Let's Encrypt cert in Postfix * Enforce mandatory TLS to some major email domains * Enforce minimum TLS versions to some major email domains From 874c59012ab219d24678907891a1249b1277d0d8 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 2 Mar 2016 10:47:52 -0800 Subject: [PATCH 12/20] Update README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 008907baf..27563a899 100644 --- a/README.md +++ b/README.md @@ -35,8 +35,9 @@ objectives: * SMTP-STS integration: none yet * Direct mechanisms for mail domains to request inclusion: none yet * Failure reporting mechanisms: early progress, not yet ready -* Mechanisms for secure mutli-organization signature on the policy database: +* Mechanisms for secure multi-organization signature on the policy database: none yet +* Support for mail servers other than Postfix: none yet ## Authors From e88eac65da32fe33228c650eeee51ca40ef138ea Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 2 Mar 2016 10:47:59 -0800 Subject: [PATCH 13/20] [documentation] Add links to LEPC interface sources --- letsencrypt-postfix/PostfixConfigGenerator.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 43a3c19cf..25cab9ce7 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -135,6 +135,7 @@ class PostfixConfigGenerator: f.close() ### Let's Encrypt client IPlugin ### + # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 def prepare(self): """Prepare the plugin. @@ -164,6 +165,7 @@ class PostfixConfigGenerator: ### Let's Encrypt client IInstaller ### + # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/interfaces.py#L232 def get_all_names(self): """Returns all names that may be authenticated. From 0ce1684ba6895706422349dce5d2b1c94e60ae05 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 9 Mar 2016 10:50:15 -0800 Subject: [PATCH 14/20] Changes to MTAConfigGenerator needed to be moved by hand --- MTAConfigGenerator.py | 160 ------------------ letsencrypt-postfix/PostfixConfigGenerator.py | 18 +- 2 files changed, 12 insertions(+), 166 deletions(-) delete mode 100755 MTAConfigGenerator.py diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py deleted file mode 100755 index 5ca8f5aee..000000000 --- a/MTAConfigGenerator.py +++ /dev/null @@ -1,160 +0,0 @@ -#!/usr/bin/env python - -import sys -import string -import os, os.path - -def parse_line(line_data): - """ - Return the (line number, left hand side, right hand side) of a stripped - postfix config line. - - Lines are like: - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache - """ - num,line = line_data - left, sep, right = line.partition("=") - if not sep: - return None - return (num, left.strip(), right.strip()) - -class MTAConfigGenerator: - def __init__(self, policy_config): - self.policy_config = policy_config - -class ExistingConfigError(ValueError): pass - -class PostfixConfigGenerator(MTAConfigGenerator): - def __init__(self, policy_config, postfix_dir, fixup=False): - self.fixup = fixup - self.postfix_dir = postfix_dir - self.postfix_cf_file = self.find_postfix_cf() - if not os.access(self.postfix_cf_file, os.W_OK): - raise Exception("Can't write to %s, please re-run as root." - % self.postfix_cf_file) - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") - MTAConfigGenerator.__init__(self, policy_config) - self.wrangle_existing_config() - self.set_domainwise_tls_policies() - self.update_CAfile() - os.system("sudo service postfix reload") - - def ensure_cf_var(self, var, ideal, also_acceptable): - """ - Ensure that existing postfix config @var is in the list of @acceptable - values; if not, set it to the ideal value. - """ - acceptable = [ideal] + also_acceptable - - l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] - if not any(l): - self.additions.append(var + " = " + ideal) - else: - values = map(parse_line, l) - if len(set(values)) > 1: - if self.fixup: - conflicting_lines = [num for num,_var,val in values] - self.deletions.extend(conflicting_lines) - self.additions.append(var + " = " + ideal) - else: - raise ExistingConfigError, "Conflicting existing config values " + `l` - val = values[0][2] - if val not in acceptable: - if self.fixup: - self.deletions.append(values[0][0]) - self.additions.append(var + " = " + ideal) - else: - raise ExistingConfigError, "Existing config has %s=%s"%(var,val) - - def wrangle_existing_config(self): - """ - Try to ensure/mutate that the config file is in a sane state. - Fixup means we'll delete existing lines if necessary to get there. - """ - self.additions = [] - self.deletions = [] - self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] - - # Check we're currently accepting inbound STARTTLS sensibly - self.ensure_cf_var("smtpd_use_tls", "yes", []) - # Ideally we use it opportunistically in the outbound direction - self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"]) - # Maximum verbosity lets us collect failure information - self.ensure_cf_var("smtp_tls_loglevel", "1", []) - # Inject a reference to our per-domain policy map - policy_cf_entry = "texthash:" + self.policy_file - - self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) - self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) - - self.maybe_add_config_lines() - - def maybe_add_config_lines(self): - if not self.additions: - return - if self.fixup: - print "Deleting lines:", self.deletions - self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] - new_cf_lines = "\n".join(self.additions) + "\n" - print "Adding to %s:" % self.fn - print new_cf_lines - if self.raw_cf[-1][-1] == "\n": sep = "" - else: sep = "\n" - - self.new_cf = "" - for num, line in enumerate(self.raw_cf): - if self.fixup and num in self.deletions: - self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line - else: - self.new_cf += line - self.new_cf += sep + new_cf_lines - - f = open(self.fn, "w") - f.write(self.new_cf) - f.close() - - def find_postfix_cf(self): - "Search far and wide for the correct postfix configuration file" - return os.path.join(self.postfix_dir, "main.cf") - - def set_domainwise_tls_policies(self): - self.policy_lines = [] - for address_domain, properties in self.policy_config.acceptable_mxs.items(): - mx_list = properties["accept-mx-domains"] - if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain - mx_domain = mx_list[0] - mx_policy = self.policy_config.tls_policies[mx_domain] - entry = address_domain + " encrypt" - if "min-tls-version" in mx_policy: - if mx_policy["min-tls-version"].lower() == "tlsv1": - entry += " protocols=!SSLv2:!SSLv3" - elif mx_policy["min-tls-version"].lower() == "tlsv1.1": - entry += " protocols=!SSLv2:!SSLv3:!TLSv1" - elif mx_policy["min-tls-version"].lower() == "tlsv1.2": - entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" - else: - print mx_policy["min-tls-version"] - self.policy_lines.append(entry) - - f = open(self.policy_file, "w") - f.write("\n".join(self.policy_lines) + "\n") - f.close() - - def update_CAfile(self): - os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + - self.ca_file) - -if __name__ == "__main__": - import ConfigParser - if len(sys.argv) != 3: - print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" - sys.exit(1) - c = ConfigParser.Config(sys.argv[1]) - postfix_dir = sys.argv[2] - pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) - print "Done." diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 25cab9ce7..af29d493c 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -25,6 +25,7 @@ class PostfixConfigGenerator: self.postfix_dir = postfix_dir self.policy_config = policy_config self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -40,7 +41,6 @@ class PostfixConfigGenerator: values = map(parse_line, l) if len(set(values)) > 1: if self.fixup: - #print "Scheduling deletions:" + `values` conflicting_lines = [num for num,_var,val in values] self.deletions.extend(conflicting_lines) self.additions.append(var + " = " + ideal) @@ -48,7 +48,6 @@ class PostfixConfigGenerator: raise ExistingConfigError, "Conflicting existing config values " + `l` val = values[0][2] if val not in acceptable: - #print "Scheduling deletions:" + `values` if self.fixup: self.deletions.append(values[0][0]) self.additions.append(var + " = " + ideal) @@ -99,10 +98,11 @@ class PostfixConfigGenerator: self.new_cf += line self.new_cf += sep + new_cf_lines - #print self.new_cf - f = open(self.fn, "w") - f.write(self.new_cf) - f.close() + if not os.access(self.postfix_cf_file, os.W_OK): + raise Exception("Can't write to %s, please re-run as root." + % self.postfix_cf_file) + with open(self.fn, "w") as f: + f.write(self.new_cf) def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" @@ -186,6 +186,7 @@ class PostfixConfigGenerator: self.ensure_cf_var("smtpd_tls_cert_file", fullchain_path, []) self.ensure_cf_var("smtpd_tls_key_file", key_path, []) self.set_domainwise_tls_policies() + self.update_CAfile() def enhance(self, domain, enhancement, options=None): """Perform a configuration enhancement. @@ -259,17 +260,22 @@ class PostfixConfigGenerator: """Restart or refresh the server content. :raises .PluginError: when server cannot be restarted """ + print "Reloading postfix config..." if os.geteuid() != 0: os.system("sudo service postfix reload") else: os.system("service postfix reload") + def update_CAfile(self): + os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) + def usage(): print ("Usage: %s starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/example.com/" % sys.argv[0]) sys.exit(1) + if __name__ == "__main__": import Config as config if len(sys.argv) != 4: From a58c6524436d04adc43a89a0fa7534e7d6cdfdba Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 9 Mar 2016 10:54:15 -0800 Subject: [PATCH 15/20] ConfigParser is gone! --- ConfigParser.py | 114 ------------------------------------------------ 1 file changed, 114 deletions(-) delete mode 100755 ConfigParser.py diff --git a/ConfigParser.py b/ConfigParser.py deleted file mode 100755 index d1c413f74..000000000 --- a/ConfigParser.py +++ /dev/null @@ -1,114 +0,0 @@ -#!/usr/bin/env python - -import sys -import json -from datetime import datetime -import string -import collections - -def parse_timestamp(ts): - try: - int(ts) - dt = datetime.fromtimestamp(ts) - return dt - except: - raise ValueError, "Invalid timestamp integer: " + `ts` - -legal = string.letters + string.digits + ".-" -known_tlds =["com","org","net","biz","info",] # xxx make me from an ICANN list -def looks_like_a_domain(s): - "Return true if string looks like a domain, as best we can tell..." - global known_tlds - try: - domain = s.lower() - assert domain[0].islower() - assert all([c in legal for c in domain]) - tld = s.split(".")[-1] - if tld not in known_tlds: - # XXX perform DNS query to determine that this TLD exists - pass - return True - except: - return False - -class Config: - def __init__(self, cfg_file_name = "config.json"): - f = open(cfg_file_name) - self.cfg = json.loads(f.read()) - self.tls_policies = {} - self.mx_map = {} - for atr, val in self.cfg.items(): - # Verify each attribute of the structure - if atr.startswith("comment"): - continue - if atr == "author": - if type(val) not in [str, unicode]: - raise TypeError, "Author must be a string: " + `val` - elif atr == "timestamp": - self.timestamp = parse_timestamp(val) - elif atr == "expires": - self.expires = parse_timestamp(val) - elif atr == "tls-policies": - for domain, policies in self.check_tls_policy_domains(val): - if type(policies) != dict: - raise TypeError, domain + "'s policies should be a dict: " + `policies` - self.tls_policies[domain] = {} # being here enforces TLS at all - for policy, v in policies.items(): - value = str(v).lower() - if policy == "require-tls": - if value in ("true", "1", "yes"): - self.tls_policies[domain]["required"] = True - elif value in ("false", "0", "no"): - self.tls_policies[domain]["required"] = False - else: - raise ValueError, "Unknown require-tls value " + `value` - elif policy == "min-tls-version": - reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] - reasonable = map(string.lower, reasonable) - if not value in reasonable: - raise ValueError, "Not a valid TLS version string: " + `value` - self.tls_policies[domain]["min-tls-version"] = str(value) - elif policy == "enforce-mode": - if value == "enforce": - self.tls_policies[domain]["enforce"] = True - elif value == "log-only": - self.tls_policies[domain]["enforce"] = False - else: - raise ValueError, "Not a known enoforcement policy " + `value` - elif atr == "acceptable-mxs": - self.acceptable_mxs = val - self.mx_domain_to_address_domains = collections.defaultdict(set) - for address_domain, properties in self.acceptable_mxs.items(): - mx_list = properties["accept-mx-domains"] - if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain - mx_domain = mx_list[0] - self.mx_domain_to_address_domains[mx_domain].add(address_domain) - pass - else: - sys.stderr.write("Unknown attribute: " + `atr` + "\n") - # XXX is it ever permissible to have a domain with an acceptable-mx - # that does not point to a TLS security policy? If not, check/warn/fail - # here - - def get_address_domains(self, mx_hostname): - labels = mx_hostname.split(".") - for n in range(1, len(labels)): - parent = "." + ".".join(labels[n:]) - if parent in self.mx_domain_to_address_domains: - return self.mx_domain_to_address_domains[parent] - return None - - def check_tls_policy_domains(self, val): - if type(val) != dict: - raise TypeError, "tls-policies should be a dict" + `val` - for domain, policies in val.items(): - try: - assert type(domain) == unicode - d = str(domain) # convert from unicode - except: - raise TypeError, "tls-policy domain not a string" + `domain` - yield (d, policies) - -if __name__ == "__main__": - c = Config() From 87022782fb0fa8431632a5713f12927874d0a7b3 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 9 Mar 2016 10:59:10 -0800 Subject: [PATCH 16/20] Catch stray missing line --- letsencrypt-postfix/PostfixConfigGenerator.py | 1 + 1 file changed, 1 insertion(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index af29d493c..20ca3edb4 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -76,6 +76,7 @@ class PostfixConfigGenerator: policy_cf_entry = "texthash:" + self.policy_file self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) def maybe_add_config_lines(self): From e42a222c5d54d08836371200afb0af30106d3685 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 15:02:59 +0200 Subject: [PATCH 17/20] preliminary Postfix version check --- letsencrypt-postfix/PostfixConfigGenerator.py | 25 ++++++++++++++++--- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 25cab9ce7..162a0d832 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -1,6 +1,7 @@ #!/usr/bin/env python import sys import string +import subprocess import os, os.path def parse_line(line_data): @@ -148,13 +149,29 @@ class PostfixConfigGenerator: :raises .NoInstallationError: when the necessary programs/files cannot be located. Plugin will NOT be displayed on a list of available plugins. - :raises .NotSupportedError: - when the installation is recognized, but the version is not - currently supported. - """ + :raises .NotSupportedError: + when the installation is recognized, but the version is not + currently supported. + :rtype tuple: + """ # XXX ensure we raise the right kinds of exceptions self.postfix_cf_file = self.find_postfix_cf() + # Parse Postfix version number (feature support, syntax changes etc.) + mail_version = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], \ + stdout=subprocess.PIPE) \ + .communicate()[0].split()[2] + maj, min, rev = mail_version.split('.') + + # Postfix has changed support for TLS features, supported protocol versions + # KEX methods, ciphers et cetera over the years. We sort out version dependend + # differences here and pass them onto other configuration functions. + # see: + # http://www.postfix.org/TLS_README.html + # http://www.postfix.org/FORWARD_SECRECY_README.html + self.postfix_version = mail_version + + return maj, min, rev def more_info(self): """Human-readable string to help the user. From 1cde7f9b5429bc70bee06c38034b51947c5cb758 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 16:19:34 +0200 Subject: [PATCH 18/20] added doc. on postfix version dependent features --- letsencrypt-postfix/PostfixConfigGenerator.py | 39 ++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 162a0d832..5e219cc43 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -162,6 +162,7 @@ class PostfixConfigGenerator: stdout=subprocess.PIPE) \ .communicate()[0].split()[2] maj, min, rev = mail_version.split('.') + self.postfix_version = mail_version # Postfix has changed support for TLS features, supported protocol versions # KEX methods, ciphers et cetera over the years. We sort out version dependend @@ -169,8 +170,44 @@ class PostfixConfigGenerator: # see: # http://www.postfix.org/TLS_README.html # http://www.postfix.org/FORWARD_SECRECY_README.html - self.postfix_version = mail_version + + # Postfix == 2.2: + # - TLS support introduced via 3rd party patch, see: + # http://www.postfix.org/TLS_LEGACY_README.html + # Postfix => 2.2: + # - built-in TLS support added + # - Support for PFS introduced + # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k + + # Postfix => 2.5: + # - Syntax to specify mandatory protocol version changes: + # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` + # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` + # - Certificate fingerprint verification added + + # Postfix => 2.6: + # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) + # - Support for configurable cipher-suites and protocol versions added, pre-2.6 + # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` + # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added + + # Postfix => 2.8: + # - Override Client suite preference w. `tls_preempt_cipherlist = yes` + # - Elliptic curve crypto. support enabled by default + + # Postfix => 2.9: + # - Public key fingerprint support added + # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and + # `check_ccert_access` config. options added + + # Postfix <= 2.9.5: + # - BUG: Public key fingerprint is computed incorrectly + + # Postfix => 3.1: + # - Built-in support for TLS management and DANE added, see: + # http://www.postfix.org/postfix-tls.1.html + return maj, min, rev def more_info(self): From 1d37e94e17b552712d1ade5f981aed8ba4835b17 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 18:43:08 +0200 Subject: [PATCH 19/20] disable SSLv3 and v3 by default #24 --- letsencrypt-postfix/PostfixConfigGenerator.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 4b6783633..dfb20ccea 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -79,6 +79,10 @@ class PostfixConfigGenerator: self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) + # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed + # between Postfix version 2.5 and 2.6, since we only support => 2.11 + # we don't use nor support legacy Postfix syntax. + self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) def maybe_add_config_lines(self): if not self.additions: From 0ba508ee2dc88bd86aa4209efd55c498e394ffea Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 19:02:00 +0200 Subject: [PATCH 20/20] disable SSLv2,3 client-side too #24 --- letsencrypt-postfix/PostfixConfigGenerator.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index dfb20ccea..609477f0b 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -82,7 +82,10 @@ class PostfixConfigGenerator: # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed # between Postfix version 2.5 and 2.6, since we only support => 2.11 # we don't use nor support legacy Postfix syntax. + # - Server: self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) + # - Client: + self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) def maybe_add_config_lines(self): if not self.additions: