
Postfix config misses smtp_* parameters and includes several default settings #114

Open
gsauthof opened this issue Aug 29, 2020 · 2 comments

@gsauthof

Take this generated config: https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1g&guideline=5.6

The following values are already Postfix defaults:

smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no

I've checked the Postfix documentation and postconf -d output on Fedora 32.

Then there are some settings for when doing mandatory TLS, i.e.

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium

although mandatory TLS isn't configured - cf. the smtpd_tls_security_level = may line which configures opportunistic TLS. Thus, those options aren't effective here.

On the other hand, the sister options for opportunistic TLS are missing, i.e. this one is missing:

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Also, the generated config only includes smtpd_* options and no smtp_* variants. Note that opportunistic TLS also makes sense when the mail server is sending mail, e.g. when relaying mail via SMTP to a destination server. Thus, the config is missing at least the following smtp options:

smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
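As an added example (not part of this report or of the generator's own code), a small Python lint over a main.cf fragment that flags the three problems described above: settings that only repeat Postfix defaults, smtpd_tls_mandatory_* parameters that are dead while smtpd_tls_security_level = may, and smtp_* counterparts missing for outbound mail. The sample configuration is constructed from the parameters quoted in this issue, and the default values assume the postconf -d output described by the reporter.

```python
# Built-in defaults named in the report (as seen in `postconf -d` output).
POSTFIX_DEFAULTS = {"smtpd_tls_mandatory_ciphers": "medium", "tls_preempt_cipherlist": "no"}

# Parameters that only take effect at security level "encrypt" or stronger,
# mapped to the counterpart that governs opportunistic TLS (level "may").
MANDATORY_ONLY = {
    "smtpd_tls_mandatory_protocols": "smtpd_tls_protocols",
    "smtpd_tls_mandatory_ciphers": "smtpd_tls_ciphers",
}

# Constructed sample: the server-side lines the issue quotes from the generator.
GENERATED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no
"""

def parse_main_cf(text):
    """Return {parameter: value}; skips comment lines, joins continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:  # indented line continues the previous value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params

def lint(params):
    """Return (kind, parameter, note) findings for the problems described in the issue."""
    findings = []
    for key, default in POSTFIX_DEFAULTS.items():
        if params.get(key) == default:
            findings.append(("redundant", key, f"already the Postfix default ({default})"))
    if params.get("smtpd_tls_security_level") == "may":
        for key, counterpart in MANDATORY_ONLY.items():
            if key in params:  # set, but the server only does opportunistic TLS
                findings.append(("ineffective", key, f"mandatory-TLS only; level may reads {counterpart}"))
    if "smtpd_tls_security_level" in params and "smtp_tls_security_level" not in params:
        findings.append(("missing", "smtp_tls_security_level", "outbound (relayed) mail has no TLS level"))
    inbound = params.get("smtpd_tls_protocols") or params.get("smtpd_tls_mandatory_protocols")
    if inbound and "smtp_tls_protocols" not in params:
        findings.append(("missing", "smtp_tls_protocols", f"outbound side lacks the restriction {inbound}"))
    return findings
```

Running lint(parse_main_cf(GENERATED_MAIN_CF)) reports six findings for the generated config; a fragment that sets smtpd_tls_protocols and the two smtp_* lines proposed above, without the mandatory_* lines, comes back clean.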
@DG1000

DG1000 commented Oct 27, 2020

I agree. I just updated my configuration and was wondering why the smtp_* variants are missing.

@polarathene
Contributor

polarathene commented Feb 17, 2024

Regarding cipher selection

I would imagine that smtp_* aren't set as delivery via port 25:

  • Is expected to support plain-text if STARTTLS is unable to establish a secure connection.
  • Nor is a secure connection to the MTA necessarily secure throughout the full transit to the recipient as there may be other hops involved afterwards out of your influence.

If you choose to restrict the ciphers that could be used, the fallback thus is to continue the connection and deliver without any encryption.

For connections to a relay host like SendGrid you may prefer to set the security level to encrypt instead of may to avoid plain-text; from then on it is up to SendGrid, which will probably be much more relaxed. Ideally you'd also relay over implicit TLS (port 465) instead of opportunistic (port 587).

Note:

The following values are already Postfix defaults:

smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no

It's ok to be explicit with security settings that are still the defaults. A user may be applying the suggested config to an already configured instance where these may have been configured differently by mistake or intentionally.

IIRC:

  • tls_preempt_cipherlist = yes is fine for port 25 where your cipher support may be more broad for compatibility. The server provides preference order and the client must choose the first one it is compatible with.
  • tls_preempt_cipherlist = no can be acceptable on submission(s) ports 587 and 465 where you may enforce TLS and restrict the cipher list for authenticating clients to those that are only forward-secrecy compatible (EDIT: may have been AEAD specific... it's been a while since I looked into this). Letting the client choose is better here.

While mandatory ciphers is set to medium, some may adjust this to high to alter the high cipher list if they customize the cipher list (against the advice of Postfix), which can be useful when you use a security level of encrypt.

The config only focuses on main.cf, and not master.cf where the submission(s) ports will apply their overrides for the additional security expectations. smtpd_tls_auth_only = yes, presently used in the generator, shouldn't be relevant if port 25 doesn't offer SASL auth (which it shouldn't, but you do see this in the wild). It's implicit when using a security level of encrypt, and by default SASL auth is disabled as per smtpd_sasl_auth_enable.

smtpd_tls_exclude_ciphers can be relevant when you're comfortable dismissing the official Postfix docs advice to avoid configuring it. DMS sets this (see git blame history for reference, this explains SEED / CAMELLIA, and this for SHA1).
