It's been a while since I looked at this but I think you need

service lmtp {
  inet_listener lmtp {
    ssl = yes
  }
}

To restrict login by IP address

protocol lmtp {
  login_trusted_networks = 127.0.0.1
}

Also, last time I looked at this, the LMTP TLS server does not check the
subject name on a client certificate, so if you intend to use client
certificates, you will need to set up a dedicated certificate authority whose
only job is to issue LMTP client certificates.
On 29/10/2023 10:58 pm, [email protected] wrote:
Dovecot version 2.3.19.1 (9b53102964)
Postfix version 3.5.18
We have a Postfix server that runs on a VPS with a hosting company and
a Dovecot IMAP server that runs at the office.

We want Postfix to push the mail it receives to the Dovecot IMAP
server, using the least amount of intermediate software. This transfer
occurs over the open internet.

LMTP over TCP seems like a great solution, *if* it can be secured. But
I'm not finding documentation on how to actually setup something like
two-way TLS over LMTP.

1. Is there any setting in Dovecot where I can set a remote IP address
(or hostname) that will be the only address that Dovecot's LMTP accepts
connections from?

2. My current configuration options for LMTP in Dovecot look like:

protocol lmtp {
  ssl_cert = </etc/ssl/imap/imap.crt
  ssl_key = </etc/ssl/imap/imap.key
  ssl_ca = </etc/ssl/imap/authority.crt
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = yes
}

service lmtp {
  user = vmail
  inet_listener lmtp {
    address = * ::
    port = 24
  }
}

With these settings, I can telnet from the Postfix server to the
Dovecot server with LMTP, and I'm not convinced there is any encryption
actually enabled or any TLS verification going on.

Is there any reasonable security that can be setup to make this safe
(within Dovecot and Postfix settings, not using VPNs and SSH tunnels)?
If so, how?
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
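
Added example, not part of either message and not Dovecot or Postfix code: a small Python probe for the telnet concern raised in the question, reporting whether an LMTP port greets in cleartext or only answers inside TLS. It assumes that "ssl = yes" on the inet_listener produces an implicit-TLS listener; the function names, host name and file paths are placeholders.

```python
import socket
import ssl


def make_client_context(cafile, certfile=None, keyfile=None):
    """TLS context that verifies the server against cafile and, if given,
    presents a client certificate (file paths are the caller's own)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def probe_lmtp_listener(host, port, context=None, timeout=3.0):
    """Return (kind, detail); kind is 'plaintext', 'tls' or 'unknown'."""
    # Step 1: say nothing and listen. A cleartext LMTP server speaks first
    # with a "220" greeting; an implicit-TLS listener waits for a ClientHello.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(512)
        except OSError:  # includes the read timeout
            banner = b""
    if banner.startswith(b"220"):
        return "plaintext", banner.decode("ascii", "replace").strip()

    # Step 2: reconnect and start TLS immediately. Report 'tls' only when the
    # handshake succeeds AND the 220 greeting arrives inside the TLS session,
    # so a server that drops us over the client certificate is not counted.
    context = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                greeting = tls.recv(512)
                if greeting.startswith(b"220"):
                    text = greeting.decode("ascii", "replace").strip()
                    return "tls", f"{tls.version()}: {text}"
                return "unknown", "TLS handshake completed but no LMTP greeting"
    except (ssl.SSLError, OSError) as exc:
        return "unknown", f"TLS attempt failed: {exc}"


if __name__ == "__main__":
    # Placeholder host and port; substitute the Dovecot server being checked.
    print(probe_lmtp_listener("dovecot.example.org", 24))
```

Run it once with no client certificate and once with a context from make_client_context(); if client certificates are enforced, only the second run should return "tls".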