diff --git a/docs/rolereference.rst b/docs/rolereference.rst index dabdcf8815c528dde58693ec975c1d11c3c5289c..98c4a5f4f205df9e8f9aea15f72db1247aa3019a 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -775,8 +775,8 @@ The role implements the following: * Installs SWAKS (utility for testing SMTP servers). * Sets-up the necessary directories and files under Postfix chroot. * Configures firewall to allow incoming connections to the mail server. This - includes set-up of redirection from TCP port 26 to TCP port 25 (alternate SMTP - to work around common network blocks). + includes set-up of redirection from TCP port 26 to TCP port 587 (alternate + SMTP submission port to work around common network blocks). Deployed services are configured as follows: @@ -787,8 +787,13 @@ Deployed services are configured as follows: * Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir`` format. * TLS is required for user log-ins for both SMTP and IMAP. +* For user submission (SMTP), users must connect and authenticate over TCP + port 587. * TLS configuration is hardened for Dovecot, allowing only TLSv1.2 and PFS ciphers. +* TLS configuration is hardened for Postfix on submission port 587, allowing + only TLSv1.2 and PFS ciphers. No TLS hardening is performed on port 25 in + order to maintain maximum interoperability. * RBL's are used for combating spam (if any is specified in configuration, see below). diff --git a/docs/usage.rst b/docs/usage.rst index ea7f8e86d9de33ca3dcc39fc41eb8faa3c49e840..ecfc0984d1dcecb5f25da43d0cff6003532cb543 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -810,7 +810,9 @@ role. swaks --to jane.doe@example.com --server comms.example.com Of course, free feel to also test out the mail server using any mail client of - your choice. + your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for + unauthenticated server-to-server mail deliveries. TLS has also been hardened + on port 587 to allow only TLSv1.2 and PFS ciphers. Setting-up mail relaying from web and backup servers diff --git a/roles/mail_server/files/ferm_mail.conf b/roles/mail_server/files/ferm_mail.conf index f14eaae24cae3bfaac914c41bd40a4c521d5c2d0..298b2214ffbe7db97c196ec95b4e0954441a2f5e 100644 --- a/roles/mail_server/files/ferm_mail.conf +++ b/roles/mail_server/files/ferm_mail.conf @@ -1,7 +1,9 @@ table filter { chain INPUT { - # SMTP (with alternative port) + # SMTP for server communication. proto tcp dport 25 ACCEPT; + # SMTP for client submission (with alternative port) + proto tcp dport 587 ACCEPT; proto tcp dport 26 ACCEPT; # IMAP proto tcp dport 143 ACCEPT; @@ -15,6 +17,6 @@ table nat { chain PREROUTING { # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks # etc). - proto tcp dport 26 REDIRECT to-ports 25; + proto tcp dport 26 REDIRECT to-ports 587; } } diff --git a/roles/mail_server/files/master.cf b/roles/mail_server/files/master.cf new file mode 100644 index 0000000000000000000000000000000000000000..b49c18b78ec46ba4e924916a855b815893ab52b8 --- /dev/null +++ b/roles/mail_server/files/master.cf @@ -0,0 +1,137 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd +#smtp inet n - - - 1 postscreen +#smtpd pass - - - - - smtpd +#dnsblog unix - - - - 0 dnsblog +#tlsproxy unix - - - - 0 tlsproxy +#submission inet n - - - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - - - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup unix n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +relay unix - - - - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + +# Delivery via Dovecot. +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient} + +# Submission port with hardened TLS configuration. +submission inet n - - - - smtpd + -o smtpd_sasl_auth_enable=yes + -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o smtpd_tls_mandatory_protocols=TLSv1.2 + -o smtpd_tls_mandatory_ciphers=high + -o tls_high_cipherlist=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT + -o syslog_name=postfix/submission diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index 7d872aaa13266566fe8c62dc8c5162001d0025cf..6de1d770fd3ee77669ff67d539dd68cc0e7202ce 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml @@ -113,10 +113,9 @@ notify: - Restart Dovecot -- name: Configure Postfix for Dovecot delivery - lineinfile: dest=/etc/postfix/master.cf state=present - regexp="dovecot" - line="dovecot unix - n n - - pipe flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}" +- name: Deploy Postifx master process configuration + copy: src="master.cf" dest="/etc/postfix/master.cf" + owner=root group=root mode=644 notify: - Restart Postfix diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2 index dc36f62783ce61886f1107edbcce50ce8eceb281..149112a710c7fceb4b441b5628501ccb9e333c70 100644 --- a/roles/mail_server/templates/main.cf.j2 +++ b/roles/mail_server/templates/main.cf.j2 @@ -42,10 +42,12 @@ virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf virtual_transport = dovecot dovecot_destination_recipient_limit = 1 -# SMTP authentication. +# SMTP authentication configured, but disabled by default (for server-to-server +# communication). Users should connect via submission port instead to be able to +# authenticate. smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth -smtpd_sasl_auth_enable = yes +smtpd_sasl_auth_enable = no # TLS configuration. smtpd_tls_security_level = may