Changeset - a9e97d3e2306
0 5 1
Branko Majic (branko) - 8 years ago 2016-03-08 17:17:37
branko@majic.rs
MAR-54: Separated SMTP ports for server-to-server comms and user mail submission, allowing authentication only on port 587 (port 25 purely for server-to-server communication). Hardened TLS configuration on port 587.
6 files changed with 158 insertions and 11 deletions:
docs/rolereference.rst
 
@@ -775,8 +775,8 @@ The role implements the following:
 
* Installs SWAKS (utility for testing SMTP servers).
 
* Sets-up the necessary directories and files under Postfix chroot.
 
* Configures firewall to allow incoming connections to the mail server. This
 
  includes set-up of redirection from TCP port 26 to TCP port 25 (alternate SMTP
 
  to work around common network blocks).
 
  includes set-up of redirection from TCP port 26 to TCP port 587 (alternate
 
  SMTP submission port to work around common network blocks).
 

	
 
Deployed services are configured as follows:
 

	
 
@@ -787,8 +787,13 @@ Deployed services are configured as follows:
 
* Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir``
 
  format.
 
* TLS is required for user log-ins for both SMTP and IMAP.
 
* For user submission (SMTP), users must connect and authenticate over TCP
 
  port 587.
 
* TLS configuration is hardened for Dovecot, allowing only TLSv1.2 and PFS
 
  ciphers.
 
* TLS configuration is hardened for Postfix on submission port 587, allowing
 
  only TLSv1.2 and PFS ciphers. No TLS hardening is performed on port 25 in
 
  order to maintain maximum interoperability.
 
* RBL's are used for combating spam (if any is specified in configuration, see
 
  below).
 

	
docs/usage.rst
 
@@ -810,7 +810,9 @@ role.
 
     swaks --to jane.doe@example.com --server comms.example.com
 

	
 
  Of course, free feel to also test out the mail server using any mail client of
 
  your choice.
 
  your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for
 
  unauthenticated server-to-server mail deliveries. TLS has also been hardened
 
  on port 587 to allow only TLSv1.2 and PFS ciphers.
 

	
 

	
 
Setting-up mail relaying from web and backup servers
roles/mail_server/files/ferm_mail.conf
 
table filter {
 
    chain INPUT {
 
        # SMTP (with alternative port)
 
        # SMTP for server communication.
 
        proto tcp dport 25 ACCEPT;
 
        # SMTP for client submission (with alternative port)
 
        proto tcp dport 587 ACCEPT;
 
        proto tcp dport 26 ACCEPT;
 
        # IMAP
 
        proto tcp dport 143 ACCEPT;
 
@@ -15,6 +17,6 @@ table nat {
 
    chain PREROUTING {
 
        # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks
 
        # etc).
 
        proto tcp dport 26 REDIRECT to-ports 25;
 
        proto tcp dport 26 REDIRECT to-ports 587;
 
    }
 
}
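Review bot: The `proto tcp dport 26 ACCEPT;` rule kept in the filter INPUT chain is now dead for inbound traffic: the nat PREROUTING `REDIRECT to-ports 587` rewrites the destination port before the packet reaches INPUT, so alternate-port connections are matched by the `dport 587 ACCEPT` rule and nothing ever arrives at INPUT with dport 26. Drop it, or replace it with a comment such as `# Port 26 is redirected to 587 in nat PREROUTING; no filter rule needed.` so the next reader does not assume a listener on 26. Unless the top of this file (not visible here) declares `domain (ip ip6)`, both the accept rules and the REDIRECT apply to IPv4 only, so an IPv6 client using the alternate port gets neither; worth confirming if the host has AAAA records.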
roles/mail_server/files/master.cf
 
new file 100644
 
#
 
# Postfix master process configuration file.  For details on the format
 
# of the file, see the master(5) manual page (command: "man 5 master" or
 
# on-line: http://www.postfix.org/master.5.html).
 
#
 
# Do not forget to execute "postfix reload" after editing this file.
 
#
 
# ==========================================================================
 
# service type  private unpriv  chroot  wakeup  maxproc command + args
 
#               (yes)   (yes)   (yes)   (never) (100)
 
# ==========================================================================
 
smtp      inet  n       -       -       -       -       smtpd
 
#smtp      inet  n       -       -       -       1       postscreen
 
#smtpd     pass  -       -       -       -       -       smtpd
 
#dnsblog   unix  -       -       -       -       0       dnsblog
 
#tlsproxy  unix  -       -       -       -       0       tlsproxy
 
#submission inet n       -       -       -       -       smtpd
 
#  -o syslog_name=postfix/submission
 
#  -o smtpd_tls_security_level=encrypt
 
#  -o smtpd_sasl_auth_enable=yes
 
#  -o smtpd_reject_unlisted_recipient=no
 
#  -o smtpd_client_restrictions=$mua_client_restrictions
 
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
 
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
 
#  -o smtpd_recipient_restrictions=
 
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 
#  -o milter_macro_daemon_name=ORIGINATING
 
#smtps     inet  n       -       -       -       -       smtpd
 
#  -o syslog_name=postfix/smtps
 
#  -o smtpd_tls_wrappermode=yes
 
#  -o smtpd_sasl_auth_enable=yes
 
#  -o smtpd_reject_unlisted_recipient=no
 
#  -o smtpd_client_restrictions=$mua_client_restrictions
 
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
 
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
 
#  -o smtpd_recipient_restrictions=
 
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 
#  -o milter_macro_daemon_name=ORIGINATING
 
#628       inet  n       -       -       -       -       qmqpd
 
pickup    unix  n       -       -       60      1       pickup
 
cleanup   unix  n       -       -       -       0       cleanup
 
qmgr      unix  n       -       n       300     1       qmgr
 
#qmgr     unix  n       -       n       300     1       oqmgr
 
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 
rewrite   unix  -       -       -       -       -       trivial-rewrite
 
bounce    unix  -       -       -       -       0       bounce
 
defer     unix  -       -       -       -       0       bounce
 
trace     unix  -       -       -       -       0       bounce
 
verify    unix  -       -       -       -       1       verify
 
flush     unix  n       -       -       1000?   0       flush
 
proxymap  unix  -       -       n       -       -       proxymap
 
proxywrite unix -       -       n       -       1       proxymap
 
smtp      unix  -       -       -       -       -       smtp
 
relay     unix  -       -       -       -       -       smtp
 
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 
showq     unix  n       -       -       -       -       showq
 
error     unix  -       -       -       -       -       error
 
retry     unix  -       -       -       -       -       error
 
discard   unix  -       -       -       -       -       discard
 
local     unix  -       n       n       -       -       local
 
virtual   unix  -       n       n       -       -       virtual
 
lmtp      unix  -       -       -       -       -       lmtp
 
anvil     unix  -       -       -       -       1       anvil
 
scache    unix  -       -       -       -       1       scache
 
#
 
# ====================================================================
 
# Interfaces to non-Postfix software. Be sure to examine the manual
 
# pages of the non-Postfix software to find out what options it wants.
 
#
 
# Many of the following services use the Postfix pipe(8) delivery
 
# agent.  See the pipe(8) man page for information about ${recipient}
 
# and other message envelope options.
 
# ====================================================================
 
#
 
# maildrop. See the Postfix MAILDROP_README file for details.
 
# Also specify in main.cf: maildrop_destination_recipient_limit=1
 
#
 
maildrop  unix  -       n       n       -       -       pipe
 
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
 
#
 
# ====================================================================
 
#
 
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
 
#
 
# Specify in cyrus.conf:
 
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
 
#
 
# Specify in main.cf one or more of the following:
 
#  mailbox_transport = lmtp:inet:localhost
 
#  virtual_transport = lmtp:inet:localhost
 
#
 
# ====================================================================
 
#
 
# Cyrus 2.1.5 (Amos Gouaux)
 
# Also specify in main.cf: cyrus_destination_recipient_limit=1
 
#
 
#cyrus     unix  -       n       n       -       -       pipe
 
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 
#
 
# ====================================================================
 
# Old example of delivery via Cyrus.
 
#
 
#old-cyrus unix  -       n       n       -       -       pipe
 
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
 
#
 
# ====================================================================
 
#
 
# See the Postfix UUCP_README file for configuration details.
 
#
 
uucp      unix  -       n       n       -       -       pipe
 
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 
#
 
# Other external delivery methods.
 
#
 
ifmail    unix  -       n       n       -       -       pipe
 
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
 
bsmtp     unix  -       n       n       -       -       pipe
 
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
 
scalemail-backend unix	-	n	n	-	2	pipe
 
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
 
mailman   unix  -       n       n       -       -       pipe
 
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 
  ${nexthop} ${user}
 

	
 
# Delivery via Dovecot.
 
dovecot   unix  -       n       n       -       -       pipe
 
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 

	
 
# Submission port with hardened TLS configuration.
 
submission inet n       -       -       -       -       smtpd
 
  -o smtpd_sasl_auth_enable=yes
 
  -o smtpd_tls_security_level=encrypt
 
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 
  -o smtpd_tls_mandatory_protocols=TLSv1.2
 
  -o smtpd_tls_mandatory_ciphers=high
 
  -o tls_high_cipherlist=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT
 
  -o syslog_name=postfix/submission
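Review bot: The new `submission` service overrides only `smtpd_recipient_restrictions`; `smtpd_client_restrictions`, `smtpd_helo_restrictions` and `smtpd_sender_restrictions` are inherited from main.cf, so if the RBL checks the role documents are attached to the client restrictions on port 25 they also run against authenticated users on 587 and will reject roaming clients on dynamic ranges. The stock Debian template a few lines above (the commented `#submission` block) overrides those three with `$mua_*` variables for exactly this reason; at minimum add `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` and `-o smtpd_helo_restrictions=` here (main.cf's restriction lists are not visible in this commit, so confirm which list carries the RBLs). Separately, `smtpd_tls_mandatory_protocols=TLSv1.2` is the inclusive form, which pins the service to exactly that version and will silently keep TLSv1.3 disabled once the OpenSSL/Postfix build supports it; the exclusion form `-o smtpd_tls_mandatory_protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1` expresses the same floor without the ceiling. The DHE-* suites in `tls_high_cipherlist` only add value if main.cf points `smtpd_tls_dh1024_param_file` at a locally generated group; otherwise Postfix of this vintage falls back to its built-in 1024-bit parameters.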
roles/mail_server/tasks/main.yml
 
@@ -113,10 +113,9 @@
 
  notify:
 
    - Restart Dovecot
 

	
 
- name: Configure Postfix for Dovecot delivery
 
  lineinfile: dest=/etc/postfix/master.cf state=present
 
              regexp="dovecot"
 
              line="dovecot   unix  -       n       n       -       -       pipe    flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}"
 
- name: Deploy Postifx master process configuration
 
  copy: src="master.cf" dest="/etc/postfix/master.cf"
 
        owner=root group=root mode=644
 
  notify:
 
    - Restart Postfix
 

	
roles/mail_server/templates/main.cf.j2
 
@@ -42,10 +42,12 @@ virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf
 
virtual_transport = dovecot
 
dovecot_destination_recipient_limit = 1
 

	
 
# SMTP authentication.
 
# SMTP authentication configured, but disabled by default (for server-to-server
 
# communication). Users should connect via submission port instead to be able to
 
# authenticate.
 
smtpd_sasl_type = dovecot
 
smtpd_sasl_path = private/auth
 
smtpd_sasl_auth_enable = yes
 
smtpd_sasl_auth_enable = no
 

	
 
# TLS configuration.
 
smtpd_tls_security_level = may
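Review bot: With `smtpd_sasl_auth_enable = no` on port 25, any `permit_sasl_authenticated` entry in main.cf's port-25 restriction lists becomes inert and relaying from the web and backup servers must now come via `mynetworks` or move to port 587; the new comment should say so explicitly, e.g. `# Relaying on port 25 is by mynetworks only; authenticated relaying is on the submission service (see master.cf).` As cheap defence in depth, add `smtpd_tls_auth_only = yes` next to `smtpd_tls_security_level = may` so that if SASL is ever re-enabled on 25 (or a local override slips in), AUTH is never offered before STARTTLS. The hunk does not show main.cf's restriction lists, so the first point is an inference to confirm against the rest of the template.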