Iptables only allow smtp connections with start tls


Is it somehow possible to block/abort unencrypted smtp connections with iptables?

Effectively rejecting all connections which don't do a STARTTLS.

Best Answer

This is unavoidably tricky. The nature of TLS is such that a plaintext connection to your MTA has to be established before TLS can be negotiated, so iptables (operating as it does at the transport layer) is ill-designed to influence issues at the application layer.

You could write another target module and direct your traffic through that, but unless you're a networking God, this is probably no more feasible for you than it is for me. And I definitely don't know how to do it.

The upshot is that application-layer stuff is much easier to enforce inside the application. You don't say what MTA you're using, but I suspect that most MTAs that are bright enough to do TLS are bright enough to mandate it.

I use sendmail. There's a nice piece on mandating TLS from various providers at http://www.brandonhutchinson.com/Using_TLS_with_Sendmail.html , which directs me to the access database entry

TLS_Clt:communication_partner_MTA                           PERM+VERIFY:112

which requires a particular communication partner, presumably identified by IP address, to both authenticate with a key of at least 112 bits length, and have a properly-signed certificate. The sendmail config page at http://www.sendmail.org/documentation/configurationReadme , in the ANTI-SPAM CONFIGURATION CONTROL section, says that access db entries involving IPv4 addresses can take the form of a single octet, which then apply to all addresses beginning with that octet. So I speculate, and I stress it's just speculation, that sendmail would allow me to have a series of entries

TLS_Clt:1       PERM:112
TLS_Clt:2       PERM:112
TLS_Clt:3       PERM:112
....
TLS_Clt:223       PERM:112

Mandating encryption (though not verifiably-signed certificates; self-signed TLS certs are very common, and I'd be inclined not to bar them) from all IP addresses. I would also not have an entry for TLS_Clt:127, as localhost should probably not be so restricted.

I repeat that I've not tested any of the above, and if your MTA is something other than sendmail, the above won't be specifically helpful; but I wanted to show that my MTA (at least) seems to have hooks for doing what you want. Good luck with your investigations.
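As an added illustration (not part of the answer above, and not sendmail's own tooling), the following shell script generates the series of TLS_Clt entries the answer sketches, skipping 127 so localhost is not restricted, and emulates the single-octet lookup rule the answer cites so you can see which entry would cover a given client address. It assumes, exactly as the answer does and without having tested it against sendmail, that single-octet TLS_Clt keys are honoured; the lookup helper is a deliberately simplified model, not sendmail's real access-map resolution.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the answer's untested
# speculation that a TLS_Clt key of a single first octet applies to every
# address starting with that octet.

# Emit one entry per first octet 1..223, skipping 127 (localhost).
# $1 = minimum key length in bits (the answer uses 112).
gen_tls_clt_entries() {
    bits="${1:-112}"
    octet=1
    while [ "$octet" -le 223 ]; do
        if [ "$octet" -ne 127 ]; then
            printf 'TLS_Clt:%s\tPERM:%s\n' "$octet" "$bits"
        fi
        octet=$((octet + 1))
    done
}

# Simplified model of the lookup described in the answer: an exact
# TLS_Clt:<ip> entry wins, otherwise the TLS_Clt:<first octet> entry applies.
# $1 = path to an access file, $2 = client IPv4 address.
tls_clt_entry_for() {
    file="$1"
    ip="$2"
    octet="${ip%%.*}"
    awk -v ip="$ip" -v octet="$octet" '
        $1 == ("TLS_Clt:" ip)    { print; found = 1; exit }
        $1 == ("TLS_Clt:" octet) { hit = $0 }
        END { if (!found && hit != "") print hit }
    ' "$file"
}

# Typical use (paths assumed, adjust to your installation):
#   gen_tls_clt_entries 112 >> /etc/mail/access
#   makemap hash /etc/mail/access.db < /etc/mail/access
```

Run `tls_clt_entry_for /etc/mail/access 203.0.113.7` after generating the entries to see that 203.0.113.7 would be covered by `TLS_Clt:203` while 127.0.0.1 matches nothing.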