SSL/TLS
Connections should be encrypted using the SSL/TLS protocol, even on a private network. TLS can be negotiated immediately after the TCP connection is established on the submission address, or upgraded from a plaintext session with the STARTTLS mechanism.
```
fn on_config(config) {
    // Add root TLS settings.
    config.server.tls = #{
        preempt_cipherlist: false,
        handshake_timeout: "1000ms",
        // Only these protocol versions are offered to clients.
        protocol_version: ["TLSv1.2", "TLSv1.3"],
        // X.509 certificate chain and matching private key.
        certificate: "/etc/letsencrypt/live/mta.doe-family.com/fullchain.pem",
        private_key: "/etc/letsencrypt/live/mta.doe-family.com/privkey.pem",
    };
    config
}
```
Adding tls configuration to `/etc/vsmtp/conf.d/config.vsl`
vSMTP only supports certificates in the X.509 format.
Rules can then be added to reject transactions that are not encrypted.
```
#{
    helo: [
        rule "deny unencrypted" || {
            // It is possible to customize the policy to whitelist some IPs or anything else.
            if ctx::is_secured() {
                state::next()
            } else {
                // Reply code and enhanced status code from RFC 3207 (section 4);
                // the enhanced code class must match the reply code class.
                state::deny(code(530, "5.7.0", "Must issue a STARTTLS command first\r\n"))
            }
        }
    ]
}
```
Adding rules to check if the transaction is secured in `/etc/vsmtp/filter.vsl`
See the `ctx::is_secured` reference for more details.
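The configuration and rule above describe what the server should do; the script below is an added example (not part of vSMTP or its documentation) that verifies the behaviour from the client side. It opens a plaintext session, records whether STARTTLS is advertised and whether a command sent before STARTTLS is rejected, then upgrades with STARTTLS and checks that the negotiated version is one of the two listed in `protocol_version`. The host name, the function names and the `observations` dictionary layout are this script's own assumptions.

```python
"""Probe an MTA for the STARTTLS-before-transaction policy (added example)."""
from __future__ import annotations

import smtplib
import ssl
import sys

# Mirrors the protocol_version list in the config.vsl snippet above.
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def parse_ehlo_extensions(ehlo_message: bytes) -> set[str]:
    """Extract the uppercased ESMTP keywords from an EHLO reply body.

    The first line is the server greeting; each following line starts with an
    extension keyword, optionally followed by parameters ("SIZE 10240000").
    """
    keywords: set[str] = set()
    for line in ehlo_message.decode("ascii", "replace").splitlines()[1:]:
        word = line.strip().split(" ", 1)[0]
        if word:
            keywords.add(word.upper())
    return keywords


def evaluate(observations: dict) -> dict[str, bool]:
    """Judge a probe result against the "deny unencrypted" policy.

    Keys of `observations` (filled by probe(), or constructed by hand):
      starttls_advertised  - STARTTLS listed in the plaintext EHLO reply
      plaintext_reply_code - reply code of the first command sent before
                             STARTTLS (EHLO, or MAIL FROM if EHLO was accepted);
                             the policy expects a 5xx rejection
      tls_version          - ssl.SSLSocket.version() after STARTTLS, or None
    """
    code = observations.get("plaintext_reply_code")
    return {
        "starttls_advertised": bool(observations.get("starttls_advertised")),
        "plaintext_rejected": code is not None and 500 <= code <= 599,
        "tls_version_allowed": observations.get("tls_version") in ALLOWED_VERSIONS,
    }


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Run one plaintext -> STARTTLS session against host:port and collect observations."""
    result = {"starttls_advertised": False, "plaintext_reply_code": None, "tls_version": None}
    context = ssl.create_default_context()  # verifies the X.509 chain and host name
    context.minimum_version = ssl.TLSVersion.TLSv1_2

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        result["starttls_advertised"] = "STARTTLS" in parse_ehlo_extensions(msg)
        if code == 250:
            # EHLO was accepted in the clear; see whether a transaction is too.
            code, _ = smtp.docmd("MAIL FROM:<>")
            smtp.docmd("RSET")
        result["plaintext_reply_code"] = code
        try:
            smtp.starttls(context=context)
            result["tls_version"] = smtp.sock.version()
        except (smtplib.SMTPException, ssl.SSLError) as exc:
            result["tls_error"] = str(exc)
    return result


if __name__ == "__main__":
    # Usage: python probe_starttls.py mta.doe-family.com (host name is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict = evaluate(probe(target))
    for name, ok in verdict.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(verdict.values()) else 1)
```

Run it against the MTA after deploying the rule: every line should print PASS. A FAIL on `plaintext_rejected` means the rule is not applied (or is applied at a stage the probe does not reach), and a FAIL on `tls_version_allowed` means the server negotiated a version outside the configured list.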