Skip to content

systemli/mail-tls-helper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

105 Commits
obsolete
obsolete
 
 
tests
tests
 
 
.flake8
.flake8
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
TODO.md
TODO.md
 
 
mail-tls-helper.py
mail-tls-helper.py
 
 
munin-plugin
munin-plugin
 
 
munin-plugin.conf
munin-plugin.conf
 
 

Repository files navigation

mail-tls-helper

Build Status

Postfix helper script that does the following:

  • make TLS mandatory for outgoing mail wherever possible and
  • optionally alert postmasters of domains that don't support STARTTLS

In case of bugs, ideas, enhancements, feel free to open an issue or pull request on Github.

Prerequisites

  • Set Postfix SMTP client logging (configuration option smtp_tls_loglevel) to '1' or higher.
  • Ensure that Python3 is installed.
  • Copy the script to your mail system (e.g. to /usr/local/bin/) and make executable.
  • Make sure that the script can write to Postfix TLS policy map and notls SQLite DB and that the directories exist.

Postfix TLS policy map Configuration

  • Configure the Postfix TLS policy map in main.cf:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Running the script

  • Run mail-tls-helper.py -h and learn about the commandline options.
  • Optionally configure logrotate to run the script automatically against the mail log file just after rotation. This can be done by configuring a post-script in the corresponding logrotate configure include (e.g. /etc/logrotate.d/rsyslog):
/var/log/mail.log
{
	[...]
	postrotate
		[...]
		/usr/local/bin/mail-tls-helper.py -d example.org
	endscript
}

Monitoring

  • munin: see the documentation header of munin-plugin

Changelog

  • 2018-07-18: version 0.9.0
    • added monitoring of mails sent over Tor
    • added reporting of blocked domains, because of missing TLS
    • added munin plugin
    • added tests
    • improved file handling
    • improved Python 3 compatibility
  • 2017-11-11: version 0.8.1
    • fix version number and update todo list in the script
  • 2017-11-11: version 0.8.0
    • restructured code, swap out all postfix related code into separate functions.
    • added new data structure 'relayDict' which can be filled by any mta specific functions
    • simplified the logic for parsing postfix logs
    • added IPv6 localhost address ::1 to relay whitlist
    • TLS domains are deleted from SQLite DB now
    • fixed calculated numbers of unencrypted mails
  • 2017-06-04: version 0.7.3
    • add support for a relay whitelist
  • 2017-06-04: version 0.7.2
    • set envelope sender address to op['from'] when using sendmail.
  • 2017-05-18: version 0.7.1
    • don't send alert mails by default (Fixes #6)
    • consequently replace commandline options '-A'/'--no-alerts' by '-a'/'--alerts'.
  • 2017-02-19: version 0.7
    • renamed to mail-tls-helper
    • complete rewrite in Python
    • fixed logfile parsing logic, much more robust now
    • added support for commandline arguments
    • added support to create a Postfix TLS policy map
  • 2017-01-22: version 0.5
    • initial release

About

Postfix helper for mandatory TLS

Topics

python tls security postfix postfix-helper

Resources

Readme
Activity
Custom properties

Stars

19 stars

Watchers

9 watching

Forks

2 forks
Report repository

Releases

3 tags

Packages

No packages published

Contributors 6

Languages