From 14eac9880a74dcf10aaf0c755c786f53c9248b2a 2023-12-06 21:48:52
From: Branko Majic
Date: 2023-12-06 21:48:52
Subject: [PATCH] MAR-189: Merge some configuration changes from Debian Bullseye for mail server configuration files:
- Get rid of using the session cache databases for TLS for smtpd - this is no longer the preferred way to handle it (RFC 5077 TLS session tickets should be used).
- Indicate that the delivery through external commands is final (X flag of the pipe(8) mechanism). Affects the delivery status notifications, changing them from "relayed" to "delivered".
---
diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2
index 752b2a60607124033448dc8f148f132953ae7fdc..5c7b1d1a99fa7a86206508d6daedce1ec2591f8b 100644
--- a/roles/mail_server/templates/main.cf.j2
+++ b/roles/mail_server/templates/main.cf.j2
@@ -28,9 +28,6 @@ compatibility_level = 2
 #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
 myhostname = {{ inventory_hostname }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
@@ -68,7 +65,6 @@ smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key
 smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
 smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
 smtpd_use_tls=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_security_level = may
diff --git a/roles/mail_server/templates/master.cf.j2 b/roles/mail_server/templates/master.cf.j2
index acd9f67dbf4675c2303b5234d82d9acc8082c25c..38f2bb33c5fff5a3b26bd3e824b8ba8e6829f3ed 100644
--- a/roles/mail_server/templates/master.cf.j2
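Review bot: After the second hunk drops the active `smtpd_tls_session_cache_database` line, the first hunk still leaves the commented-out `#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache` example in place with no explanation, so a later maintainer reading the template has no hint that the omission is deliberate rather than an oversight. The removed TLS_README pointer was the only comment in that area; I would replace it with a one-liner above `smtpd_use_tls=yes`, e.g. `# No smtpd_tls_session_cache_database: server-side resumption relies on RFC 5077 session tickets (see TLS_README); smtp_tls_session_cache_database stays for the client side.`. It is also worth saying in that comment that, if I recall postconf(5) correctly, `smtpd_tls_session_cache_timeout` still matters without the cache because it also drives rotation of the session-ticket keys, so it should neither be zeroed nor raised to a very large value — confirm against the Postfix version the role targets.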
+++ b/roles/mail_server/templates/master.cf.j2
@@ -76,7 +76,7 @@ scache unix - - y - 1 scache
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 #
 maildrop unix - n n - - pipe
- flags=DRhu user={{ mail_user }} argv=/usr/bin/maildrop -d ${recipient}
+ flags=DRXhu user={{ mail_user }} argv=/usr/bin/maildrop -d ${recipient}
 #
 # ====================================================================
 #
@@ -95,7 +95,7 @@ maildrop unix - n n - - pipe
 # Also specify in main.cf: cyrus_destination_recipient_limit=1
 #
 #cyrus unix - n n - - pipe
-# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 #
 # ====================================================================
 # Old example of delivery via Cyrus.
@@ -119,12 +119,11 @@ bsmtp unix - n n - - pipe
 scalemail-backend unix - n n - 2 pipe
 flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
 mailman unix - n n - - pipe
- flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- ${nexthop} ${user}
+ flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
 # Delivery via Dovecot.
 dovecot unix - n n - - pipe
- flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
+ flags=DRXhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 # Submission port with hardened TLS configuration.
 submission inet n - y - - smtpd
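Review bot: The `X` flag added to the maildrop, cyrus, mailman and dovecot pipe(8) entries changes what success DSNs report (from "relayed" to "delivered"), but nothing in the template says so — the reasoning lives only in the commit message. I would add a short comment above the Dovecot entry in the last hunk, e.g. `# X: the LDA performs final delivery, so success DSNs say "delivered" rather than "relayed".`, and the same above the maildrop entry in the first hunk. In the last hunk the mailman `argv` continuation is also folded onto one line; that is behaviour-neutral (master.cf joins leading-whitespace continuation lines) but it is an unrelated cosmetic change that the description should mention. One thing to double-check: pipe(8) documents `X` as available from Postfix 2.5, so a host older than the Bullseye baseline this role now assumes would reject the entry — presumably a non-issue for Bullseye, but the role's supported-versions note should say so if there is one.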