Difference between revisions of "Trusted Email Services"

From Halon, SMTP software for hosting providers
(Sending DATA (587))
 
(28 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<hsl>
+
The '''Trusted Email Services''' (TES) initiative helps consumers and businesses to easily identify an email provider which fulfills their trust, security and privacy needs.<ref>https://openbit.eu/projekte/trusted-internet-services/</ref>. It was founded by a consortium of companies, including [https://www.open-xchange.com Open-Xchange] and Dovecot, and is governed by [https://openbit.eu/projekte/trusted-internet-services/ openBIT].
 +
 
 +
The configuration scripts on this page conform to draft v0.4 (2016-03-16).<ref>https://trusted-email-service.de/public/Trusted_Email_Services-Standards-16-03-2016.pdf</ref>
 +
 
 +
== Shared functions ==
 +
These function should be put in a include file, in order to be able to update them easily:
 +
 
 +
<hsl type="include">
 
function tes_check_client_policy()
 
function tes_check_client_policy()
 
{
 
{
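Review bot: the new intro sentence ends `needs.<ref>…</ref>.`, which renders as a double period around the footnote marker (visible as "needs.[1]." in the rendered revision); keep only the period after `</ref>`. Tagging the block `<hsl type="include">` instead of the untyped `<hsl>` of the old column is the right change, since the functions are meant to be pulled into the rcpt/data/predelivery scripts rather than run on their own.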
Line 15: Line 22:
 
function tes_check_member_server_policy()
 
function tes_check_member_server_policy()
 
{
 
{
     global $tlsstarted, $tlsprotocol, $tlsciphers, $tlskeysize;
+
     global $tlsstarted, $tlsprotocol;
 
     if (!$tlsstarted)
 
     if (!$tlsstarted)
 
         return false;
 
         return false;
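Review bot: `global $tlsstarted, $tlsprotocol;` drops `$tlsciphers` and `$tlskeysize` from the member-server check, so the function now gates on protocol version only and nothing on the page inspects the negotiated cipher suite or key size any more. Either keep those two globals and add the corresponding checks, or state in the prose that a TLS 1.2 floor is the only server-to-server requirement this revision enforces.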
Line 25: Line 32:
 
     return true;
 
     return true;
 
}
 
}
function tes_check_nonmember_server_policy()
+
function tes_is_member($domain, $error_callback)
 
{
 
{
     global $tlsstarted, $tlsprotocol, $tlsciphers, $tlskeysize;
+
     $dns = dnscname("tes-master.$domain", ["extended_result" => true]);
 +
    if ($dns["error"] == "NXDOMAIN") return false;
 +
    if (!$dns["result"]) return $error_callback($dns["error"]);
 +
   
 +
    $tesmaster = $dns["result"][0];
 +
   
 +
    $dns = dnstxt("$domain.tes-member.$tesmaster", ["extended_result" => true]);
 +
    if ($dns["error"] == "NXDOMAIN") return false;
 +
    if (!$dns["result"]) return $error_callback($dns["error"]);
  
 +
    $dns = dnstxt("$tesmaster.tes-member.trusted-email-services.com", ["extended_result" => true]);
 +
    if ($dns["error"] == "NXDOMAIN") return false;
 +
    if (!$dns["result"]) return $error_callback($dns["error"]);
 +
 +
    return true;
 
}
 
}
 
</hsl>
 
</hsl>
  
=== Mail Submission ===
+
== Mail relay (inbound) ==
 +
Use the following scripts for inbound email delivery:
  
On client submission port (587) use the following script.
+
<hsl type="rcpt">
 +
if (tes_is_member($senderdomain, function ($error) { Defer("TES lookup failed"); }))
 +
    if (!tes_check_member_server_policy())
 +
        Reject("Member is not TES compliant");
 +
</hsl>
 +
 
 +
<hsl type="data">
 +
if (tes_is_member($senderdomain, function ($error) { Defer("TES lookup failed"); })) {
 +
    $result = DKIMSDID([$senderdomain]);
 +
    if ($result[$senderdomain] != "pass")
 +
        Reject("The messages is not DKIM signed policy of $senderdomain ($messageid)");
 +
 
 +
    $result = ScanDMARC();
 +
    if (is_array($result) && $result[$senderdomain] == "reject")
 +
        Reject("The messages violates the DMARC policy of $senderdomain ($messageid)");
 +
 
 +
    AddHeader("X-TES-Status", "member");
 +
} else {
 +
    AddHeader("X-TES-Status", "non-member");
 +
}
 +
</hsl>
 +
 
 +
== Mail submission (outbound) ==
 +
On client submission port (587) use the following scripts:
  
 
<hsl type="rcpt">
 
<hsl type="rcpt">
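Review bot: in `tes_is_member`, `return $error_callback($dns["error"]);` makes the membership verdict depend on whatever the callback returns; the `Defer("TES lookup failed")` callbacks used in the rcpt and data scripts end the transaction, but any callback that returns turns a transient DNS failure into a truthy or falsy "answer". Return an explicit `false` after invoking the callback, or document that callbacks must not return. The three lookups also only test that a record exists (the TXT values are never read) and do not require DNSSEC-validated answers, which the page text should say. Minor: `"The messages is not DKIM signed policy of $senderdomain ($messageid)"` and `"The messages violates the DMARC policy"` should read "The message is not DKIM signed as required by the policy of …" and "The message violates …".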
Line 40: Line 84:
 
     Reject("Client is not TES compliant");
 
     Reject("Client is not TES compliant");
 
</hsl>
 
</hsl>
 
And the following configuration:
 
 
* Listener setting
 
** A TLS certificate
 
** A auth flow
 
** Require TLS for AUTH
 
  
 
<hsl type="data">
 
<hsl type="data">
Line 53: Line 90:
  
 
<hsl type="predelivery">
 
<hsl type="predelivery">
if (tes_is_member())
+
if (tes_is_member($recipientdomain, function ($error) { Reschedule(3600, ["reason" => "tes_is_member: $error", "increment_retry" => false]); }))
{
 
 
     SetTLS([
 
     SetTLS([
 
         "tls_protocols" => "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
 
         "tls_protocols" => "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
 
         "tls" => "dane_require"
 
         "tls" => "dane_require"
 
     ]);
 
     ]);
}
+
else
</hsl>
+
    SetTLS([
 
+
        "tls" => "dane"
=== Mail Relay ===
+
     ]);
 
 
Use the following script.
 
 
 
<hsl type="rcpt">
 
if (tes_is_member()) {
 
if (!tes_check_member_server_policy())
 
    Reject("Member is not TES compliant");
 
} else {
 
if (!tes_check_nonmember_server_policy())
 
     Reject("Server is not TES compliant");
 
}
 
 
</hsl>
 
</hsl>
  
=== Receiving DATA (25) ===
+
and the following listener configuration settings:
 
 
<hsl type="data">
 
$result = DKIMSDID([$senderdomain]);
 
if ($result[$senderdomain] != "pass")
 
Reject();
 
AddHeader("X-TES-Status", tes_is_member()?"member":"non-member");
 
</hsl>
 
  
<hsl type="predelivery">
+
* A TLS certificate
 +
* An AUTH flow authentication
 +
* Require TLS for AUTH
  
</hsl>
+
==References==
 +
<references />
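Review bot: in the new predelivery block the `Reschedule(3600, ...)` callback's return value becomes the return value of `tes_is_member()`, which then selects between `"tls" => "dane_require"` and the new `else` branch with `"tls" => "dane"` and no `tls_protocols` restriction; unless Reschedule() is guaranteed not to return, a lookup error can silently fall back to the weaker non-member policy. Make the callback end the script or have the function return `false` after calling it. The removed Receiving DATA (25) block's bare `Reject();` with no reason text was also worth replacing, and the new inbound data script does that.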

Latest revision as of 10:57, 24 March 2016

The Trusted Email Services (TES) initiative helps consumers and businesses identify an email provider that fulfils their trust, security and privacy needs.[1] It was founded by a consortium of companies, including Open-Xchange and Dovecot, and is governed by openBIT.

The configuration scripts on this page conform to draft v0.4 (2016-03-16).[2]

Shared functions

These functions should be put in an include file so that they can be updated in one place. They inspect only connection state (whether TLS was started, which protocol version was negotiated, whether the client authenticated) and DNS; the negotiated cipher suite and key size are not checked, so the policy is exactly as strong as the protocol-version floor it enforces:

Include file

function tes_check_client_policy()
{
    // Submission (port 587) clients: TLS must be up, must not be SSLv2, SSLv3
    // or TLSv1, and the client must have authenticated. TLSv1.1 is still
    // accepted here, unlike in the server-to-server policy below.
    global $saslauthed, $tlsstarted, $tlsprotocol;
    if (!$tlsstarted)
        return false;
    if ($tlsprotocol == "SSLv2" or
        $tlsprotocol == "SSLv3" or
        $tlsprotocol == "TLSv1")
        return false;
    if (!$saslauthed)
        return false;
    return true;
}

function tes_check_member_server_policy()
{
    // Server-to-server: a TES member must deliver over TLS 1.2 or newer.
    global $tlsstarted, $tlsprotocol;
    if (!$tlsstarted)
        return false;
    if ($tlsprotocol == "SSLv2" or
        $tlsprotocol == "SSLv3" or
        $tlsprotocol == "TLSv1" or
        $tlsprotocol == "TLSv1.1")
        return false;
    return true;
}

function tes_is_member($domain, $error_callback)
{
    // Membership is established by three chained DNS lookups:
    //   1. tes-master.<domain>                            CNAME -> the domain's TES master
    //   2. <domain>.tes-member.<master>                   TXT   -> the master lists the domain
    //   3. <master>.tes-member.trusted-email-services.com TXT   -> the master is accredited
    // NXDOMAIN at any step is a definite "not a member". Any other failure
    // (SERVFAIL, timeout, empty answer) is handed to $error_callback, which the
    // callers use to Defer(), Reject() or Reschedule(). The callback is expected
    // to end the script; if it returns, its return value becomes this function's
    // result. Only the existence of the TXT records is tested: their content is
    // not read and DNSSEC-validated answers are not required.
    $dns = dnscname("tes-master.$domain", ["extended_result" => true]);
    if ($dns["error"] == "NXDOMAIN") return false;
    if (!$dns["result"]) return $error_callback($dns["error"]);

    $tesmaster = $dns["result"][0];

    $dns = dnstxt("$domain.tes-member.$tesmaster", ["extended_result" => true]);
    if ($dns["error"] == "NXDOMAIN") return false;
    if (!$dns["result"]) return $error_callback($dns["error"]);

    $dns = dnstxt("$tesmaster.tes-member.trusted-email-services.com", ["extended_result" => true]);
    if ($dns["error"] == "NXDOMAIN") return false;
    if (!$dns["result"]) return $error_callback($dns["error"]);

    return true;
}

Mail relay (inbound)

Use the following scripts on the inbound (port 25) listener. Membership is decided per sending domain, and a transient lookup failure defers the message instead of guessing:

RCPT script

if (tes_is_member($senderdomain, function ($error) { Defer("TES lookup failed"); }))
    if (!tes_check_member_server_policy())
        Reject("Member is not TES compliant");

DATA script

if (tes_is_member($senderdomain, function ($error) { Defer("TES lookup failed"); })) {
    // A member must DKIM-sign its mail; a missing or failing signature is rejected.
    $result = DKIMSDID([$senderdomain]);
    if ($result[$senderdomain] != "pass")
        Reject("The message is not DKIM signed as required by the policy of $senderdomain ($messageid)");

    // Honour the member's published DMARC policy.
    $result = ScanDMARC();
    if (is_array($result) && $result[$senderdomain] == "reject")
        Reject("The message violates the DMARC policy of $senderdomain ($messageid)");

    AddHeader("X-TES-Status", "member");
} else {
    // Non-members carry no TES obligations; the header only records the status.
    AddHeader("X-TES-Status", "non-member");
}

Mail submission (outbound)

On the client submission port (587) use the following scripts:

RCPT script

// Refuse submissions from clients that do not meet the TES client policy
// (TLS started, no SSLv2/SSLv3/TLSv1, SASL authenticated).
if (!tes_check_client_policy())
    Reject("Client is not TES compliant");

DATA script

// $selector and $rsakey must be set to the DKIM selector and the private key
// configured for $senderdomain; this page does not define them.
DKIMSign($selector, $senderdomain, $rsakey);

Pre-delivery script

// Member recipients: require DANE and TLS 1.2 or newer. A transient lookup
// failure reschedules the message (without counting as a retry) rather than
// falling back to the weaker non-member policy.
if (tes_is_member($recipientdomain, function ($error) { Reschedule(3600, ["reason" => "tes_is_member: $error", "increment_retry" => false]); })) {
    SetTLS([
        "tls_protocols" => "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
        "tls" => "dane_require"
    ]);
} else {
    // Non-members: opportunistic DANE, no protocol-version floor.
    SetTLS([
        "tls" => "dane"
    ]);
}

The submission listener also needs the following settings:

  • A TLS certificate
  • An authentication (AUTH) flow
  • Require TLS for AUTH
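The membership chain in the shared functions and the decisions the inbound and outbound scripts build on it, as an added example in Python (this is not HSL and not code from the TES project or this wiki). DNS is replaced by a constructed in-memory table, so the domains, masters and TXT values are assumptions; the record names follow the HSL above. It covers the cases the scripts must distinguish: a listed domain under an accredited master, a domain that names a master which does not list it, a domain listed by an unaccredited master, an unknown domain, and a transient resolver failure, which must defer or reschedule rather than become a verdict.

```python
"""Added example, not HSL and not TES project code: the membership lookup and
the inbound/outbound decisions built on it, with DNS replaced by a constructed
in-memory table so everything runs offline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data (assumption: record names follow the HSL above; none of
# these domains or records are real).
SERVFAIL = "SERVFAIL"  # sentinel: the resolver reported a transient failure
FAKE_DNS: Dict[Tuple[str, str], object] = {
    # member.example: listed by its master, and the master is accredited
    ("tes-master.member.example", "CNAME"): ["master.tes-provider.example"],
    ("member.example.tes-member.master.tes-provider.example", "TXT"): ["v=tes1"],
    ("master.tes-provider.example.tes-member.trusted-email-services.com", "TXT"): ["v=tes1"],
    # pretender.example names the same master, but the master does not list it
    ("tes-master.pretender.example", "CNAME"): ["master.tes-provider.example"],
    # orphan.example is listed by a master that is not itself accredited
    ("tes-master.orphan.example", "CNAME"): ["master.rogue.example"],
    ("orphan.example.tes-member.master.rogue.example", "TXT"): ["v=tes1"],
    # flaky.example: the first lookup fails transiently
    ("tes-master.flaky.example", "CNAME"): SERVFAIL,
}

Resolver = Callable[[str, str], Tuple[List[str], Optional[str]]]

def fake_resolve(name: str, rrtype: str) -> Tuple[List[str], Optional[str]]:
    """Stand-in for dnscname()/dnstxt() with extended_result: (records, error)."""
    entry = FAKE_DNS.get((name, rrtype))
    if entry is None:
        return [], "NXDOMAIN"
    if entry == SERVFAIL:
        return [], SERVFAIL
    return list(entry), None

class TransientDNSError(Exception):
    """Any DNS outcome that is neither a definite answer nor NXDOMAIN."""

def tes_is_member(domain: str, resolve: Resolver = fake_resolve) -> bool:
    """Same three-step chain as the HSL tes_is_member(). NXDOMAIN at any step is
    a definite 'not a member'; every other failure is raised so the caller
    defers or reschedules instead of turning an error into a verdict."""
    records, error = resolve(f"tes-master.{domain}", "CNAME")
    if error == "NXDOMAIN":
        return False
    if error or not records:
        raise TransientDNSError(error or "empty answer")
    tesmaster = records[0]
    for name in (f"{domain}.tes-member.{tesmaster}",
                 f"{tesmaster}.tes-member.trusted-email-services.com"):
        records, error = resolve(name, "TXT")
        if error == "NXDOMAIN":
            return False
        if error or not records:
            raise TransientDNSError(error or "empty answer")
    return True

WEAK_SERVER_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

@dataclass
class InboundSession:
    """Constructed stand-in for the HSL connection and message variables."""
    sender_domain: str
    tls_started: bool
    tls_protocol: Optional[str]
    dkim_result: str   # outcome of DKIMSDID() for the sender domain
    dmarc_result: str  # outcome of ScanDMARC() for the sender domain

def inbound_decision(s: InboundSession, resolve: Resolver = fake_resolve) -> Tuple[str, str]:
    """RCPT and DATA stages of the inbound relay scripts: (action, detail)."""
    try:
        member = tes_is_member(s.sender_domain, resolve)
    except TransientDNSError as e:
        return "defer", f"TES lookup failed: {e}"
    if not member:
        return "accept", "non-member"  # no TES obligations, header only
    if not s.tls_started or s.tls_protocol in WEAK_SERVER_PROTOCOLS:
        return "reject", "Member is not TES compliant"
    if s.dkim_result != "pass":
        return "reject", "not DKIM signed"
    if s.dmarc_result == "reject":
        return "reject", "DMARC policy violation"
    return "accept", "member"

def outbound_tls_policy(recipient_domain: str, resolve: Resolver = fake_resolve) -> Dict[str, str]:
    """Pre-delivery TLS selection for the submission path."""
    try:
        member = tes_is_member(recipient_domain, resolve)
    except TransientDNSError as e:
        return {"action": "reschedule", "reason": f"tes_is_member: {e}"}
    if member:
        return {"tls": "dane_require", "tls_protocols": "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"}
    return {"tls": "dane"}
```

The one deliberate departure from the HSL is that a non-NXDOMAIN failure is raised rather than handed to a callback, which forces every caller to choose defer, reject or reschedule explicitly; a lookup error can then never be mistaken for a membership answer. Swap `fake_resolve` for a real resolver to use the same logic against live records.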

References

[1] https://openbit.eu/projekte/trusted-internet-services/
[2] https://trusted-email-service.de/public/Trusted_Email_Services-Standards-16-03-2016.pdf