Changeset - 14eac9880a74
Branko Majic (branko) - 5 months ago 2023-12-06 21:48:52
branko@majic.rs
MAR-189: Merge some configuration changes from Debian Bullseye for mail server configuration files:

- Stop using the TLS session cache database for smtpd - this is no
longer the preferred mechanism (RFC 5077 TLS session tickets should be
used instead).
- Indicate that the delivery through external commands is final (X
flag of the pipe(8) mechanism). Affects the delivery status
notifications, changing them from "relayed" to "delivered".
2 files changed with 4 insertions and 9 deletions:
roles/mail_server/templates/main.cf.j2
 
@@ -28,9 +28,6 @@ compatibility_level = 2
 
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 

	
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 
# information on enabling SSL in the smtp client.
 

	
 
myhostname = {{ inventory_hostname }}
 
alias_maps = hash:/etc/aliases
 
alias_database = hash:/etc/aliases
 
@@ -68,7 +65,6 @@ smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key
 
smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
 
smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
 
smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
smtp_tls_security_level = may
 

	
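Review bot: In the hunk at `@@ -68,7 +65,6 @@` only the server-side `smtpd_tls_session_cache_database` goes away while `smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache` stays, which matches the Debian file, but nothing in the template records why the client-side entry survives; a comment such as `# Client-side session cache kept on purpose; only the smtpd cache was replaced by RFC 5077 tickets.` would keep a later merge from removing it as a leftover. The same hunk still spells server TLS with the legacy `smtpd_use_tls=yes`, whereas the client side uses `smtp_tls_security_level = may`; `smtpd_tls_security_level = may` is the current equivalent and would make the two halves consistent. Separately, the key file on the hunk header line is built from `{{ ansible_fqdn }}` while both DH parameter files use `{{ inventory_hostname }}`; if those two facts ever differ on a host, the DH paths point at a file that is not generated alongside the key, so one variable should be used for all three.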
roles/mail_server/templates/master.cf.j2
 
@@ -76,7 +76,7 @@ scache    unix  -       -       y       -       1       scache
 
# Also specify in main.cf: maildrop_destination_recipient_limit=1
 
#
 
maildrop  unix  -       n       n       -       -       pipe
 
  flags=DRhu user={{ mail_user }} argv=/usr/bin/maildrop -d ${recipient}
 
  flags=DRXhu user={{ mail_user }} argv=/usr/bin/maildrop -d ${recipient}
 
#
 
# ====================================================================
 
#
 
@@ -95,7 +95,7 @@ maildrop  unix  -       n       n       -       -       pipe
 
# Also specify in main.cf: cyrus_destination_recipient_limit=1
 
#
 
#cyrus     unix  -       n       n       -       -       pipe
 
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 
#
 
# ====================================================================
 
# Old example of delivery via Cyrus.
 
@@ -119,12 +119,11 @@ bsmtp     unix  -       n       n       -       -       pipe
 
scalemail-backend unix	-	n	n	-	2	pipe
 
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
 
mailman   unix  -       n       n       -       -       pipe
 
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 
  ${nexthop} ${user}
 
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
 

	
 
# Delivery via Dovecot.
 
dovecot   unix  -       n       n       -       -       pipe
 
  flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 
  flags=DRXhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 

	
 
# Submission port with hardened TLS configuration.
 
submission inet n       -       y       -       -       smtpd
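Review bot: `scalemail-backend` at `flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ...` in the hunk at `@@ -119,12 +119,11 @@` is the one pipe(8) transport left without the `X` flag, so its delivery status notifications will still say "relayed" while maildrop, mailman and dovecot now report "delivered". If that is deliberate (the Debian master.cf leaves it that way too, as far as I recall), a one-line comment above it, e.g. `# No X flag here, as in Debian's master.cf: DSN for this transport stays "relayed".`, would stop a later merge from changing it by accident. The active `maildrop` and `dovecot` entries are consistent with each other at `flags=DRXhu`, and the cyrus entry is commented out, so the `X` added there is inert.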