Changeset - 572151ddf642
0 3 0
Branko Majic (branko) - 3 years ago 2020-12-22 15:05:06
branko@majic.rs
MAR-175: Update Postfix configuration, merging changes from Debian Buster stock installation and latest ISPmail tutorials:

- Added commented-out section for TLS parameters from Debian Buster
default configuration. This should slightly help with handling the
diffs in the future.
- Added a number of "missing" configuration parameters from the Debian
Buster stock configuration.
- Separate relay-related restrictions from spam-related restrictions.
- Updated configuration for RBLs.
- Updated default service definitions in the master.cf configuration
to be in-line with options defined in Debian Buster. This is
primarily revolving around the change to the chroot
option. Previously the default was to chroot the processes, while
new default is not to do so. This required marking a number of
services to be explicitly chroot'ed.
- Updated the submission service definition in master.cf configuration
file. Some minor changes were made, like switching to using the
smtpd_relay_restrictions instead of
smtpd_recipient_restrictions (better suited configuration option for
this use-case since it's not spam-related), being more explicit
around TLS being required for authentication.
3 files changed with 60 insertions and 40 deletions:
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -65,8 +65,8 @@ def test_postfix_main_cf_file_content(host):
 
    assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % allow_relay_from_ip in config_lines
 
    assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
 
    assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
 
    assert "  reject_rbl bl.spamcop.net" in config_lines
 
    assert "  reject_rbl zen.spamhaus.org" in config_lines
 
    assert "  reject_rbl_client bl.spamcop.net" in config_lines
 
    assert "  reject_rbl_client zen.spamhaus.org" in config_lines
 
    assert "smtp_host_lookup = dns, native" in config_lines
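Review bot: The updated assertions only cover the renamed RBL lines (`reject_rbl_client ...`), while the main.cf.j2 change in this same commit also introduces `smtpd_relay_restrictions`; nothing in this test checks that the relay guard is rendered. Add `assert "smtpd_relay_restrictions = permit_mynetworks" in config_lines` and `assert "  reject_unauth_destination" in config_lines` so a later template edit that drops the relay restriction fails the test rather than going unnoticed. Because `config_lines` is checked by plain membership, these assertions cannot tell which restriction list a continuation line belongs to; that is probably acceptable here but deserves a short comment. test_postfix_main_cf_file_content begins before this hunk.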
 

	
 

	
roles/mail_server/templates/main.cf.j2
 
@@ -17,6 +17,17 @@ append_dot_mydomain = no
 

	
 
readme_directory = no
 

	
 
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
 
# fresh installs.
 
compatibility_level = 2
 

	
 
# TLS parameters
 
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
#smtpd_use_tls=yes
 
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 

	
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 
# information on enabling SSL in the smtp client.
 

	
 
@@ -32,13 +43,14 @@ mailbox_command = procmail -a "$EXTENSION"
 
mailbox_size_limit = 0
 
recipient_delimiter = +
 
inet_interfaces = all
 
inet_protocols = all
 

	
 
# LDAP directory look-ups for domains, mailboxes and aliases.
 
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
 
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
 
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf
 

	
 
# Delivery of mails via Dovecot for virtual domains.
 
# Delivery of mails via Dovecot LDA for virtual domains.
 
virtual_transport = dovecot
 
dovecot_destination_recipient_limit = 1
 

	
 
@@ -60,13 +72,19 @@ smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 

	
 
# Recipients restricting.
 
smtpd_recipient_restrictions = permit_mynetworks
 
  permit_sasl_authenticated
 
  {% for rbl in smtp_rbl -%}
 
  reject_rbl {{ rbl }}
 
  {% endfor -%}
 
# Allow relaying only from trusted networks. Do not relay mails for
 
# domains for which the mail server is not responsible.
 
smtpd_relay_restrictions = permit_mynetworks
 
  reject_unauth_destination
 

	
 
# Reject delivery of mails for domains for which the local server is
 
# not responsible, as well as any mails coming from addresses in one
 
# of the configured RBL's.
 
smtpd_recipient_restrictions = permit_mynetworks
 
{% for rbl in smtp_rbl %}
 
  reject_rbl_client {{ rbl }}
 
{% endfor %}
 

	
 
smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
 
non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
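Review bot: The comment placed above the new `smtpd_recipient_restrictions` ("Reject delivery of mails for domains for which the local server is not responsible ...") describes a check this list no longer performs; `reject_unauth_destination` now lives in `smtpd_relay_restrictions`, and the recipient list holds only `permit_mynetworks` plus the RBL loop. Replace the first part of that comment with `# Reject mails from client addresses listed in one of the configured RBLs; relaying is restricted separately by smtpd_relay_restrictions above.` so the two lists are not confused when the restrictions are audited. The loop tags were also moved to column 0 and lost the `-` whitespace-control modifiers, so the rendered spacing depends on whether the template engine trims block lines; it is worth confirming that no blank line ends up inside the continued logical line, since the test on this page only checks that the `  reject_rbl_client` lines exist. Separately, `permit_sasl_authenticated` was dropped from `smtpd_recipient_restrictions`; that looks intentional given the submission override, but any SASL-authenticated client on the plain smtp service, if auth is enabled there, is now subject to the RBL checks.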
 

	
roles/mail_server/templates/master.cf.j2
 
@@ -7,14 +7,14 @@
 
#
 
# ==========================================================================
 
# service type  private unpriv  chroot  wakeup  maxproc command + args
 
#               (yes)   (yes)   (yes)   (never) (100)
 
#               (yes)   (yes)   (no)    (never) (100)
 
# ==========================================================================
 
smtp      inet  n       -       -       -       -       smtpd
 
#smtp      inet  n       -       -       -       1       postscreen
 
#smtpd     pass  -       -       -       -       -       smtpd
 
#dnsblog   unix  -       -       -       -       0       dnsblog
 
#tlsproxy  unix  -       -       -       -       0       tlsproxy
 
#submission inet n       -       -       -       -       smtpd
 
smtp      inet  n       -       y       -       -       smtpd
 
#smtp      inet  n       -       y       -       1       postscreen
 
#smtpd     pass  -       -       y       -       -       smtpd
 
#dnsblog   unix  -       -       y       -       0       dnsblog
 
#tlsproxy  unix  -       -       y       -       0       tlsproxy
 
#submission inet n       -       y       -       -       smtpd
 
#  -o syslog_name=postfix/submission
 
#  -o smtpd_tls_security_level=encrypt
 
#  -o smtpd_sasl_auth_enable=yes
 
@@ -25,7 +25,7 @@ smtp      inet  n       -       -       -       -       smtpd
 
#  -o smtpd_recipient_restrictions=
 
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 
#  -o milter_macro_daemon_name=ORIGINATING
 
#smtps     inet  n       -       -       -       -       smtpd
 
#smtps     inet  n       -       y       -       -       smtpd
 
#  -o syslog_name=postfix/smtps
 
#  -o smtpd_tls_wrappermode=yes
 
#  -o smtpd_sasl_auth_enable=yes
 
@@ -36,32 +36,32 @@ smtp      inet  n       -       -       -       -       smtpd
 
#  -o smtpd_recipient_restrictions=
 
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 
#  -o milter_macro_daemon_name=ORIGINATING
 
#628       inet  n       -       -       -       -       qmqpd
 
pickup    unix  n       -       -       60      1       pickup
 
cleanup   unix  n       -       -       -       0       cleanup
 
#628       inet  n       -       y       -       -       qmqpd
 
pickup    unix  n       -       y       60      1       pickup
 
cleanup   unix  n       -       y       -       0       cleanup
 
qmgr      unix  n       -       n       300     1       qmgr
 
#qmgr     unix  n       -       n       300     1       oqmgr
 
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 
rewrite   unix  -       -       -       -       -       trivial-rewrite
 
bounce    unix  -       -       -       -       0       bounce
 
defer     unix  -       -       -       -       0       bounce
 
trace     unix  -       -       -       -       0       bounce
 
verify    unix  -       -       -       -       1       verify
 
flush     unix  n       -       -       1000?   0       flush
 
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
 
rewrite   unix  -       -       y       -       -       trivial-rewrite
 
bounce    unix  -       -       y       -       0       bounce
 
defer     unix  -       -       y       -       0       bounce
 
trace     unix  -       -       y       -       0       bounce
 
verify    unix  -       -       y       -       1       verify
 
flush     unix  n       -       y       1000?   0       flush
 
proxymap  unix  -       -       n       -       -       proxymap
 
proxywrite unix -       -       n       -       1       proxymap
 
smtp      unix  -       -       -       -       -       smtp
 
relay     unix  -       -       -       -       -       smtp
 
smtp      unix  -       -       y       -       -       smtp
 
relay     unix  -       -       y       -       -       smtp
 
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 
showq     unix  n       -       -       -       -       showq
 
error     unix  -       -       -       -       -       error
 
retry     unix  -       -       -       -       -       error
 
discard   unix  -       -       -       -       -       discard
 
showq     unix  n       -       y       -       -       showq
 
error     unix  -       -       y       -       -       error
 
retry     unix  -       -       y       -       -       error
 
discard   unix  -       -       y       -       -       discard
 
local     unix  -       n       n       -       -       local
 
virtual   unix  -       n       n       -       -       virtual
 
lmtp      unix  -       -       -       -       -       lmtp
 
anvil     unix  -       -       -       -       1       anvil
 
scache    unix  -       -       -       -       1       scache
 
lmtp      unix  -       -       y       -       -       lmtp
 
anvil     unix  -       -       y       -       1       anvil
 
scache    unix  -       -       y       -       1       scache
 
#
 
# ====================================================================
 
# Interfaces to non-Postfix software. Be sure to examine the manual
 
@@ -127,11 +127,13 @@ dovecot   unix  -       n       n       -       -       pipe
 
  flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 

	
 
# Submission port with hardened TLS configuration.
 
submission inet n       -       -       -       -       smtpd
 
  -o smtpd_sasl_auth_enable=yes
 
submission inet n       -       y       -       -       smtpd
 
  -o syslog_name=postfix/submission
 
  -o smtpd_tls_security_level=encrypt
 
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 
  -o smtpd_sasl_auth_enable=yes
 
  -o smtpd_tls_auth_only=yes
 
  -o smtpd_recipient_restrictions=
 
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 
  -o smtpd_tls_mandatory_protocols={{ mail_server_tls_protocols | join(',') }}
 
  -o smtpd_tls_mandatory_ciphers=high
 
  -o tls_high_cipherlist={{ mail_server_tls_ciphers }}
 
  -o syslog_name=postfix/submission
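Review bot: The active `submission` definition omits `-o milter_macro_daemon_name=ORIGINATING`, which the commented-out Debian stock definition in the earlier hunks of this file carries (`#  -o milter_macro_daemon_name=ORIGINATING`). With `smtpd_milters` pointing at clamav-milter in main.cf, that macro is what lets a milter distinguish submitted mail from inbound mail; whether the current clamav-milter setup consults it is not visible here, so confirm before relying on it. If it is wanted, add `  -o milter_macro_daemon_name=ORIGINATING` after the `smtpd_relay_restrictions` override. The hardening itself (`smtpd_tls_security_level=encrypt`, `smtpd_tls_auth_only=yes`, `smtpd_relay_restrictions=permit_sasl_authenticated,reject`) reads correctly; the `smtpd_recipient_restrictions=` override deliberately clears the main.cf RBL checks for authenticated submission, which deserves a one-line comment such as `# RBL checks from main.cf do not apply to authenticated submission.`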