From 572151ddf642a7a31922445d56bcd33928f6f267 2020-12-22 15:05:06 From: Branko Majic Date: 2020-12-22 15:05:06 Subject: [PATCH] MAR-175: Update Postfix configuration, merging changes from Debian Buster stock installation and latest ISPmail tutorials: - Added commented-out section for TLS parameters from Debian Buster default configuration. This should slightly help with handling the diff's in the future. - Added a number of "missing" configuration parameters from the Debian Buster stock configuration. - Separate relay-related restrictions from spam-related restrictions. - Updated configuration for RBLs. - Updated default service definitions in the master.cf configuration to be in-line with options defined in Debian Buster. This is primarily revolving around the change to the chroot option. Previously the default was to chroot the processes, while new default is not to do so. This required marking a number of services to be explicitly chroot'ed. - Updated the submission service definition in master.cf configuration file. Some minor changes were made, like switching to using the smtpd_relay_restrictions instead of smtpd_recipient_restrictions (better suited configuration option for this use-case since it's not spam-related), being more explicit around TLS being required for authentication.
---
diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py
index 4c276bcbd13dcb55ea8da93d413d8d58d2960b98..4fd6e1eda3f02fb88b4079c58ada9d42d58b6874 100644
--- a/roles/mail_server/molecule/default/tests/test_optional.py
+++ b/roles/mail_server/molecule/default/tests/test_optional.py
@@ -65,8 +65,8 @@ def test_postfix_main_cf_file_content(host):
 assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % allow_relay_from_ip in config_lines
 assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
 assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
- assert " reject_rbl bl.spamcop.net" in config_lines
- assert " reject_rbl zen.spamhaus.org" in config_lines
+ assert " reject_rbl_client bl.spamcop.net" in config_lines
+ assert " reject_rbl_client zen.spamhaus.org" in config_lines
 assert "smtp_host_lookup = dns, native" in config_lines
diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2
index 015c86190e3fcf9c3e840599683b2d8d5812086f..bf9d1f0326339af0a6c6e9b118b7bdaf1c839bc6 100644
--- a/roles/mail_server/templates/main.cf.j2
+++ b/roles/mail_server/templates/main.cf.j2
@@ -17,6 +17,17 @@ append_dot_mydomain = no
 readme_directory = no
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+#smtpd_use_tls=yes
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
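Review bot: The assertions still do not cover the relay guard introduced in the matching main.cf.j2 change, so a regression that drops `reject_unauth_destination` and reopens relaying on port 25 would pass this suite; next to the `reject_rbl_client` checks add `assert "smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination" in config_lines`. The two `reject_rbl_client` assertions match the RBL entries together with their leading indentation, which ties the test to the template's continuation-line whitespace; comparing against stripped lines would make the intent (the entry is present) clearer and less brittle. `test_postfix_main_cf_file_content` begins before this hunk and continues after it.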
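Review bot: The new `# TLS parameters` block is fully commented out but carries no explanation, so a later editor could uncomment it and, depending on where the live values sit, point the server at the `ssl-cert-snakeoil` key pair; add above it `# Inert: kept only to ease diffing against the Debian stock main.cf; the live TLS settings are set further down.` The real `smtpd_tls_cert_file`/`smtpd_tls_key_file` values are asserted by the test hunk and the live session-cache lines appear in the @@ -60 hunk, so the block is harmless today, but only because Postfix takes the last definition of a parameter and this block precedes them. Setting `compatibility_level = 2` explicitly is good, since it fixes the defaults the rest of this commit assumes rather than leaving them to the backwards-compatibility fallback.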
@@ -32,13 +43,14 @@ mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
+inet_protocols = all
 # LDAP directory look-ups for domains, mailboxes and aliases.
 virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
 virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
 virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf
-# Delivery of mails via Dovecot for virtual domains.
+# Delivery of mails via Dovecot LDA for virtual domains.
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1
@@ -60,13 +72,19 @@ smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-# Recipients restricting.
-smtpd_recipient_restrictions = permit_mynetworks
- permit_sasl_authenticated
- {% for rbl in smtp_rbl -%}
- reject_rbl {{ rbl }}
- {% endfor -%}
+# Allow relaying only from trusted networks. Do not relay mails for
+# domains for which the mail server is not responsible.
+smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
+
+# Reject delivery of mails for domains for which the local server is
+# not responsible, as well as any mails coming from addresses in one
+# of the configured RBL's.
+smtpd_recipient_restrictions = permit_mynetworks
+{% for rbl in smtp_rbl %}
+ reject_rbl_client {{ rbl }}
+{% endfor %}
+
 smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
 non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
diff --git a/roles/mail_server/templates/master.cf.j2 b/roles/mail_server/templates/master.cf.j2
index 445a5b8eb1f46e3f102e16d182f4535f50b827bb..acd9f67dbf4675c2303b5234d82d9acc8082c25c 100644
--- a/roles/mail_server/templates/master.cf.j2
+++ b/roles/mail_server/templates/master.cf.j2
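Review bot: `inet_protocols = all` broadens the listener (`inet_interfaces = all` directly above) and outbound delivery to IPv6 without a comment explaining the choice; add `# IPv4 and IPv6: host firewall and AAAA/PTR records must cover both.` or similar. The `mynetworks` value checked by the test hunk already includes the IPv6 loopback ranges, so local trust stays consistent, but the relay and RBL policy in the @@ -60 hunk now also has to hold for IPv6 clients, which the visible molecule assertions do not appear to exercise.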
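Review bot: The comment above the new `smtpd_recipient_restrictions` says it rejects mail for domains the server is not responsible for, but the list beneath it contains only `permit_mynetworks` and the `reject_rbl_client` entries; that rejection comes from `reject_unauth_destination` in `smtpd_relay_restrictions` two lines up, so change the comment to `# Reject mail from client IPs listed in one of the configured RBLs; relay policy (reject_unauth_destination) lives in smtpd_relay_restrictions above.` That split is safe only while `smtpd_relay_restrictions` keeps `reject_unauth_destination`, because it no longer appears in the recipient list; the comment should say so, since trimming the relay line later would silently create an open relay. Dropping `permit_sasl_authenticated` here means an authenticated client outside `mynetworks` that talks to port 25 now faces the RBL checks and, before them, `reject_unauth_destination`; this is presumably intended because the `submission` service in master.cf.j2 carries its own `permit_sasl_authenticated,reject` policy, but confirm SASL is not also enabled on the port 25 service. If the configured lists include zen.spamhaus.org, as the test hunk does, consider pinning the listing return codes, e.g. `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` (the suffix can be carried in the `smtp_rbl` values), so that error or over-quota answers from the list are not treated as listings that reject all inbound mail.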
@@ -7,14 +7,14 @@
 #
 # ==========================================================================
 # service type private unpriv chroot wakeup maxproc command + args
-# (yes) (yes) (yes) (never) (100)
+# (yes) (yes) (no) (never) (100)
 # ==========================================================================
-smtp inet n - - - - smtpd
-#smtp inet n - - - 1 postscreen
-#smtpd pass - - - - - smtpd
-#dnsblog unix - - - - 0 dnsblog
-#tlsproxy unix - - - - 0 tlsproxy
-#submission inet n - - - - smtpd
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
 # -o syslog_name=postfix/submission
 # -o smtpd_tls_security_level=encrypt
 # -o smtpd_sasl_auth_enable=yes
@@ -25,7 +25,7 @@ smtp inet n - - - - smtpd
 # -o smtpd_recipient_restrictions=
 # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 # -o milter_macro_daemon_name=ORIGINATING
-#smtps inet n - - - - smtpd
+#smtps inet n - y - - smtpd
 # -o syslog_name=postfix/smtps
 # -o smtpd_tls_wrappermode=yes
 # -o smtpd_sasl_auth_enable=yes
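Review bot: `smtp inet n - y - - smtpd` now chroots the inbound smtpd, yet main.cf.j2 (its @@ -32 hunk) hands it plain `ldap:/etc/postfix/ldap-*.cf` maps instead of `proxy:ldap:` through the unchrooted `proxymap` service defined further down; a chrooted daemon that has to reconnect to the LDAP server needs the resolver, LDAP client and CA files inside the Postfix chroot, and as far as I recall the Debian init script only copies the resolver files there. Either switch the virtual_* lookups to `proxy:ldap:` (proxymap(8) exists partly to overcome chroot restrictions) or document the chroot prerequisites next to the table header; the same column change in the @@ -25 and @@ -36 hunks (cleanup, smtp, lmtp and friends) carries the same dependency. The only trace of the policy change is the header line `# (yes) (yes) (no) (never) (100)`; a comment such as `# chroot column is set to "y" explicitly: the Postfix 3 default is "n", the Debian Buster layout chroots these services.` above the table would explain the many `y` edits to the next reader.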
@@ -36,32 +36,32 @@ smtp inet n - - - - smtpd
 # -o smtpd_recipient_restrictions=
 # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 # -o milter_macro_daemon_name=ORIGINATING
-#628 inet n - - - - qmqpd
-pickup unix n - - 60 1 pickup
-cleanup unix n - - - 0 cleanup
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
 qmgr unix n - n 300 1 qmgr
 #qmgr unix n - n 300 1 oqmgr
-tlsmgr unix - - - 1000? 1 tlsmgr
-rewrite unix - - - - - trivial-rewrite
-bounce unix - - - - 0 bounce
-defer unix - - - - 0 bounce
-trace unix - - - - 0 bounce
-verify unix - - - - 1 verify
-flush unix n - - 1000? 0 flush
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
 proxymap unix - - n - - proxymap
 proxywrite unix - - n - 1 proxymap
-smtp unix - - - - - smtp
-relay unix - - - - - smtp
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
 # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq unix n - - - - showq
-error unix - - - - - error
-retry unix - - - - - error
-discard unix - - - - - discard
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
 local unix - n n - - local
 virtual unix - n n - - virtual
-lmtp unix - - - - - lmtp
-anvil unix - - - - 1 anvil
-scache unix - - - - 1 scache
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
 #
 # ====================================================================
 # Interfaces to non-Postfix software. Be sure to examine the manual
@@ -127,11 +127,13 @@ dovecot unix - n n - - pipe
 flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 # Submission port with hardened TLS configuration.
-submission inet n - - - - smtpd
- -o smtpd_sasl_auth_enable=yes
+submission inet n - y - - smtpd
+ -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
- -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_tls_auth_only=yes
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_tls_mandatory_protocols={{ mail_server_tls_protocols | join(',') }}
 -o smtpd_tls_mandatory_ciphers=high
 -o tls_high_cipherlist={{ mail_server_tls_ciphers }}
- -o syslog_name=postfix/submission
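Review bot: The live `submission` service omits `-o milter_macro_daemon_name=ORIGINATING`, although the Debian stock block for the same service earlier in this file (the @@ -25 hunk) sets it and main.cf.j2 wires every smtpd through the clamav milter (`smtpd_milters` in its @@ -60 hunk); add `  -o milter_macro_daemon_name=ORIGINATING` after the relay-restriction line so milters, including any DKIM signer added later, can tell authenticated submission from inbound mail. `-o smtpd_tls_auth_only=yes` is implied by `smtpd_tls_security_level=encrypt` but is harmless and self-documenting, and emptying `smtpd_recipient_restrictions` while `smtpd_relay_restrictions=permit_sasl_authenticated,reject` carries the policy is the correct split. If the LDAP backend can provide a `smtpd_sender_login_maps` table, `-o smtpd_sender_restrictions=reject_sender_login_mismatch` would also stop an authenticated user from sending as another address; that map is not on this page, so treat it as a follow-up. The service definition may continue past the last line of the hunk.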