956714 - Zimbra does not attempt to use TLS for outgoing email

Status: RESOLVED FIXED

(Infrastructure & Operations Graveyard :: Infrastructure: Zimbra, task)

Description

[Stefan Arentz | :st3fan | ⏰ EST | he/him]

When I send an email to my personal email account via Zimbra (web), I see no trace of our SMTP server attempting to setup a TLS connection with my personal email server:


Jan  6 15:24:33 localhost postfix/smtpd[8348]: connect from zmmta1.corp.phx1.mozilla.com[63.245.216.72]
Jan  6 15:24:34 localhost postfix/smtpd[8348]: 5949960067: client=zmmta1.corp.phx1.mozilla.com[63.245.216.72]
Jan  6 15:24:34 localhost postfix/cleanup[8381]: 5949960067: message-id=<848649259.2690885.1389018274862.JavaMail.zimbra@mozilla.com>
Jan  6 15:24:34 localhost postfix/qmgr[5014]: 5949960067: from=<sarentz@mozilla.com>, size=1176, nrcpt=1 (queue active)
Jan  6 15:24:34 localhost postfix/smtpd[8348]: disconnect from zmmta1.corp.phx1.mozilla.com[63.245.216.72]
Jan  6 15:24:34 localhost dovecot: lda(stefan@arentz.ca): msgid=<848649259.2690885.1389018274862.JavaMail.zimbra@mozilla.com>: saved mail to INBOX
Jan  6 15:24:34 localhost postfix/pipe[8382]: 5949960067: to=<stefan@arentz.ca>, relay=dovecot, delay=0.87, delays=0.82/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Jan  6 15:24:34 localhost postfix/qmgr[5014]: 5949960067: removed


Compare this to for example this session where I send an email to myself from Gmail:


Jan  6 15:27:50 localhost postfix/smtpd[8387]: connect from mail-lb0-f173.google.com[209.85.217.173]
Jan  6 15:27:50 localhost postfix/smtpd[8387]: Anonymous TLS connection established from mail-lb0-f173.google.com[209.85.217.173]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Jan  6 15:27:50 localhost postfix/smtpd[8387]: CE70C60067: client=mail-lb0-f173.google.com[209.85.217.173]
Jan  6 15:27:50 localhost postfix/cleanup[8393]: CE70C60067: message-id=<CADgKnCKoBU_5mqyEpq8wLS=Ma8KDOEz1G5OTE_R+QmW+Vg3oow@mail.gmail.com>
Jan  6 15:27:50 localhost postfix/qmgr[5014]: CE70C60067: from=<stefan.arentz@gmail.com>, size=1821, nrcpt=1 (queue active)
Jan  6 15:27:50 localhost dovecot: auth-worker: mysql(127.0.0.1): Connected to database postfix
Jan  6 15:27:50 localhost postfix/smtpd[8387]: disconnect from mail-lb0-f173.google.com[209.85.217.173]
Jan  6 15:27:51 localhost dovecot: lda(stefan@arentz.ca): msgid=<CADgKnCKoBU_5mqyEpq8wLS=Ma8KDOEz1G5OTE_R+QmW+Vg3oow@mail.gmail.com>: saved mail to INBOX
Jan  6 15:27:51 localhost postfix/pipe[8394]: CE70C60067: to=<stefan@arentz.ca>, relay=dovecot, delay=0.84, delays=0.64/0.01/0/0.2, dsn=2.0.0, status=sent (delivered via dovecot service)
Jan  6 15:27:51 localhost postfix/qmgr[5014]: CE70C60067: removed


See the missing 'Anonymous TLS connection established' log entry for the case where Mozilla's Zimbra server is sending out email.

I think it would be really great if we can fix this. Now that we live in a post-Snowden era where we pretty much know that all plaintext email is captured by government agencies.

 S.

Comment 1

[Julien Vehent]

Is zimbra using Postfix as a MTA? I'm not familiar with zimbra's configuration details, but as far as postfix goes, configuring STARTTLS for outbound emails in the MTA is trivial:

# TLS client options
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

Comment 2

[:Atoll]

This article [1] documents the steps required for Zimbra 7, including the zmlocalconfig commands to finalize the postfix changes once confirmed working.

[1] http://www.oranged.to/2012/06/04/zimbra-outbound-smtp-tls-encryption/

Comment 3

[Ed Lim [:limed]]

(In reply to Julien Vehent [:ulfr] from comment #1)
> Is zimbra using Postfix as a MTA? I'm not familiar with zimbra's
> configuration details, but as far as postfix goes, configuring STARTTLS for
> outbound emails in the MTA is trivial:
> 
> # TLS client options
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes

Correct it is using postfix

Comment 4

[Julien Vehent]

For definitions: postfix calls "smtp" the outbound mail client, and "smtpd" the inbound mail daemon. In this bug, we care about "smtp" only, because the SMTPD part is gated by Postini, and they provide STARTTLS already.

From what I'm reading in the link :atoll posted, the postfix conf needs to be edited directly. Is that right?

Comment 5

[:Atoll]

(In reply to Julien Vehent [:ulfr] from comment #4)
> From what I'm reading in the link :atoll posted, the postfix conf needs to
> be edited directly. Is that right?

Incorrect, based on my read. The postconf commands (which replace direct editing) are only to *test* the config and make sure it works as expected; if it works as desired, the zmlocalconfig commands make the changes permanent.

Comment 6

[Dave Miller [:justdave]]

We already have this setting tweaked on existing servers.  There's a pair of them that gate all of the outbound mail via Postini (for purposes of encryption services), and those two are set to force TLS on outbound connections (also have postini set as the outbound relay).  So there's nothing really to learn here, just have to tweak that same setting on the rest of the servers, too (set it for "use if available" rather than "always" though).

I think the only action here is to get with CAB and pick a time to flip the switch.

Comment 7

[Ed Lim [:limed]]

Ran the following

[zimbra@zmmta1.mail.corp.phx1 ~]$ zmlocalconfig -e postfix_smtp_tls_security_level=may
[zimbra@zmmta1.mail.corp.phx1 ~]$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

[zimbra@zmmta2.mail.corp.phx1 elim]$ zmlocalconfig -e postfix_smtp_tls_security_level=may
[zimbra@zmmta2.mail.corp.phx1 elim]$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

We should be good here

Comment 8

[Dave Miller [:justdave]]

[zimbra@zmmta1.mail.corp.phx1 ~]$ zmlocalconfig postfix_smtp_tls_security_level
postfix_smtp_tls_security_level = may

It's still enabled on Zimbra.  It's smtp.mozilla.org that's still broken.  Needs a new bug.