postfix-lmdb: dropped

Tim Biermann 2022-12-22 09:53:09 +00:00
parent 0c36846961
commit 1551eb8378
Signed by: tb
GPG Key ID: 42F8B4E30B673606
15 changed files with 0 additions and 997 deletions


@ -1,180 +0,0 @@
drwxr-xr-x root/root etc/
drwxr-xr-x root/root etc/postfix-lmdb/
-rw-r--r-- root/root etc/postfix-lmdb/CRUX-README.txt
-rw-r--r-- root/root etc/postfix-lmdb/LICENSE
-rw-r--r-- root/root etc/postfix-lmdb/TLS_LICENSE
-rw-r--r-- root/root etc/postfix-lmdb/access
-rw-r--r-- root/root etc/postfix-lmdb/aliases
-rw-r--r-- root/root etc/postfix-lmdb/bounce.cf.default
-rw-r--r-- root/root etc/postfix-lmdb/canonical
-rw-r--r-- root/root etc/postfix-lmdb/generic
-rw-r--r-- root/root etc/postfix-lmdb/header_checks
-rw-r--r-- root/root etc/postfix-lmdb/main.cf
-rw-r--r-- root/root etc/postfix-lmdb/main.cf.default
-rw-r--r-- root/root etc/postfix-lmdb/main.cf.proto
-rw-r--r-- root/root etc/postfix-lmdb/makedefs.out
-rw-r--r-- root/root etc/postfix-lmdb/master.cf
-rw-r--r-- root/root etc/postfix-lmdb/master.cf.proto
-rw-r--r-- root/root etc/postfix-lmdb/postfix-files
drwxr-xr-x root/root etc/postfix-lmdb/postfix-files.d/
-rw-r--r-- root/root etc/postfix-lmdb/relay_clientcerts
-rw-r--r-- root/root etc/postfix-lmdb/relocated
-rw-r--r-- root/root etc/postfix-lmdb/sender_restrict
-rw-r--r-- root/root etc/postfix-lmdb/transport
-rw-r--r-- root/root etc/postfix-lmdb/virtual
drwxr-xr-x root/root etc/rc.d/
-rwxr-xr-x root/root etc/rc.d/postfix-lmdb
drwxr-xr-x root/root usr/
drwxr-xr-x root/root usr/bin/
lrwxrwxrwx root/root usr/bin/mailq -> ../../usr/sbin/sendmail
lrwxrwxrwx root/root usr/bin/newaliases -> ../../usr/sbin/sendmail
drwxr-xr-x root/root usr/lib/
drwxr-xr-x root/root usr/lib/postfix-lmdb/
-rwxr-xr-x root/root usr/lib/postfix-lmdb/anvil
-rwxr-xr-x root/root usr/lib/postfix-lmdb/bounce
-rwxr-xr-x root/root usr/lib/postfix-lmdb/cleanup
-rwxr-xr-x root/root usr/lib/postfix-lmdb/discard
-rwxr-xr-x root/root usr/lib/postfix-lmdb/dnsblog
-rwxr-xr-x root/root usr/lib/postfix-lmdb/error
-rwxr-xr-x root/root usr/lib/postfix-lmdb/flush
-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-dns.so
-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-global.so
-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-master.so
-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-tls.so
-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-util.so
-rwxr-xr-x root/root usr/lib/postfix-lmdb/lmtp
-rwxr-xr-x root/root usr/lib/postfix-lmdb/local
-rwxr-xr-x root/root usr/lib/postfix-lmdb/master
-rwxr-xr-x root/root usr/lib/postfix-lmdb/nqmgr
-rwxr-xr-x root/root usr/lib/postfix-lmdb/oqmgr
-rwxr-xr-x root/root usr/lib/postfix-lmdb/pickup
-rwxr-xr-x root/root usr/lib/postfix-lmdb/pipe
-rwxr-xr-x root/root usr/lib/postfix-lmdb/post-install
-rwxr-xr-x root/root usr/lib/postfix-lmdb/postfix-script
-rwxr-xr-x root/root usr/lib/postfix-lmdb/postfix-tls-script
-rwxr-xr-x root/root usr/lib/postfix-lmdb/postfix-wrapper
-rwxr-xr-x root/root usr/lib/postfix-lmdb/postlogd
-rwxr-xr-x root/root usr/lib/postfix-lmdb/postmulti-script
-rwxr-xr-x root/root usr/lib/postfix-lmdb/postscreen
-rwxr-xr-x root/root usr/lib/postfix-lmdb/proxymap
-rwxr-xr-x root/root usr/lib/postfix-lmdb/qmgr
-rwxr-xr-x root/root usr/lib/postfix-lmdb/qmqpd
-rwxr-xr-x root/root usr/lib/postfix-lmdb/scache
-rwxr-xr-x root/root usr/lib/postfix-lmdb/showq
-rwxr-xr-x root/root usr/lib/postfix-lmdb/smtp
-rwxr-xr-x root/root usr/lib/postfix-lmdb/smtpd
-rwxr-xr-x root/root usr/lib/postfix-lmdb/spawn
-rwxr-xr-x root/root usr/lib/postfix-lmdb/tlsmgr
-rwxr-xr-x root/root usr/lib/postfix-lmdb/tlsproxy
-rwxr-xr-x root/root usr/lib/postfix-lmdb/trivial-rewrite
-rwxr-xr-x root/root usr/lib/postfix-lmdb/verify
-rwxr-xr-x root/root usr/lib/postfix-lmdb/virtual
drwxr-xr-x root/root usr/sbin/
-rwxr-xr-x root/root usr/sbin/postalias
-rwxr-xr-x root/root usr/sbin/postcat
-rwxr-xr-x root/root usr/sbin/postconf
-rwxr-xr-x root/root usr/sbin/postdrop
-rwxr-xr-x root/root usr/sbin/postfix
-rwxr-xr-x root/root usr/sbin/postkick
-rwxr-xr-x root/root usr/sbin/postlock
-rwxr-xr-x root/root usr/sbin/postlog
-rwxr-xr-x root/root usr/sbin/postmap
-rwxr-xr-x root/root usr/sbin/postmulti
-rwxr-xr-x root/root usr/sbin/postqueue
-rwxr-xr-x root/root usr/sbin/postsuper
-rwxr-xr-x root/root usr/sbin/sendmail
drwxr-xr-x root/root usr/share/
drwxr-xr-x root/root usr/share/man/
drwxr-xr-x root/root usr/share/man/man1/
-rw-r--r-- root/root usr/share/man/man1/mailq.1.gz
-rw-r--r-- root/root usr/share/man/man1/newaliases.1.gz
-rw-r--r-- root/root usr/share/man/man1/postalias.1.gz
-rw-r--r-- root/root usr/share/man/man1/postcat.1.gz
-rw-r--r-- root/root usr/share/man/man1/postconf.1.gz
-rw-r--r-- root/root usr/share/man/man1/postdrop.1.gz
-rw-r--r-- root/root usr/share/man/man1/postfix-tls.1.gz
-rw-r--r-- root/root usr/share/man/man1/postfix.1.gz
-rw-r--r-- root/root usr/share/man/man1/postkick.1.gz
-rw-r--r-- root/root usr/share/man/man1/postlock.1.gz
-rw-r--r-- root/root usr/share/man/man1/postlog.1.gz
-rw-r--r-- root/root usr/share/man/man1/postmap.1.gz
-rw-r--r-- root/root usr/share/man/man1/postmulti.1.gz
-rw-r--r-- root/root usr/share/man/man1/postqueue.1.gz
-rw-r--r-- root/root usr/share/man/man1/postsuper.1.gz
-rw-r--r-- root/root usr/share/man/man1/sendmail.1.gz
drwxr-xr-x root/root usr/share/man/man5/
-rw-r--r-- root/root usr/share/man/man5/access.5.gz
-rw-r--r-- root/root usr/share/man/man5/aliases.5.gz
-rw-r--r-- root/root usr/share/man/man5/body_checks.5.gz
-rw-r--r-- root/root usr/share/man/man5/bounce.5.gz
-rw-r--r-- root/root usr/share/man/man5/canonical.5.gz
-rw-r--r-- root/root usr/share/man/man5/cidr_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/generic.5.gz
-rw-r--r-- root/root usr/share/man/man5/header_checks.5.gz
-rw-r--r-- root/root usr/share/man/man5/ldap_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/lmdb_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/master.5.gz
-rw-r--r-- root/root usr/share/man/man5/memcache_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/mysql_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/nisplus_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/pcre_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/pgsql_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/postconf.5.gz
-rw-r--r-- root/root usr/share/man/man5/postfix-wrapper.5.gz
-rw-r--r-- root/root usr/share/man/man5/regexp_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/relocated.5.gz
-rw-r--r-- root/root usr/share/man/man5/socketmap_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/sqlite_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/tcp_table.5.gz
-rw-r--r-- root/root usr/share/man/man5/transport.5.gz
-rw-r--r-- root/root usr/share/man/man5/virtual.5.gz
drwxr-xr-x root/root usr/share/man/man8/
-rw-r--r-- root/root usr/share/man/man8/anvil.8.gz
-rw-r--r-- root/root usr/share/man/man8/bounce.8.gz
-rw-r--r-- root/root usr/share/man/man8/cleanup.8.gz
-rw-r--r-- root/root usr/share/man/man8/defer.8.gz
-rw-r--r-- root/root usr/share/man/man8/discard.8.gz
-rw-r--r-- root/root usr/share/man/man8/dnsblog.8.gz
-rw-r--r-- root/root usr/share/man/man8/error.8.gz
-rw-r--r-- root/root usr/share/man/man8/flush.8.gz
-rw-r--r-- root/root usr/share/man/man8/lmtp.8.gz
-rw-r--r-- root/root usr/share/man/man8/local.8.gz
-rw-r--r-- root/root usr/share/man/man8/master.8.gz
-rw-r--r-- root/root usr/share/man/man8/oqmgr.8.gz
-rw-r--r-- root/root usr/share/man/man8/pickup.8.gz
-rw-r--r-- root/root usr/share/man/man8/pipe.8.gz
-rw-r--r-- root/root usr/share/man/man8/postlogd.8.gz
-rw-r--r-- root/root usr/share/man/man8/postscreen.8.gz
-rw-r--r-- root/root usr/share/man/man8/proxymap.8.gz
-rw-r--r-- root/root usr/share/man/man8/qmgr.8.gz
-rw-r--r-- root/root usr/share/man/man8/qmqpd.8.gz
-rw-r--r-- root/root usr/share/man/man8/scache.8.gz
-rw-r--r-- root/root usr/share/man/man8/showq.8.gz
-rw-r--r-- root/root usr/share/man/man8/smtp.8.gz
-rw-r--r-- root/root usr/share/man/man8/smtpd.8.gz
-rw-r--r-- root/root usr/share/man/man8/spawn.8.gz
-rw-r--r-- root/root usr/share/man/man8/tlsmgr.8.gz
-rw-r--r-- root/root usr/share/man/man8/tlsproxy.8.gz
-rw-r--r-- root/root usr/share/man/man8/trace.8.gz
-rw-r--r-- root/root usr/share/man/man8/trivial-rewrite.8.gz
-rw-r--r-- root/root usr/share/man/man8/verify.8.gz
-rw-r--r-- root/root usr/share/man/man8/virtual.8.gz
drwxr-xr-x root/root var/
drwxr-xr-x root/root var/lib/
drwx------ root/root var/lib/postfix-lmdb/
drwxr-xr-x root/root var/spool/
drwxr-xr-x root/root var/spool/postfix-lmdb/
drwx------ root/root var/spool/postfix-lmdb/active/
drwx------ root/root var/spool/postfix-lmdb/bounce/
drwx------ root/root var/spool/postfix-lmdb/corrupt/
drwx------ root/root var/spool/postfix-lmdb/defer/
drwx------ root/root var/spool/postfix-lmdb/deferred/
drwx------ root/root var/spool/postfix-lmdb/flush/
drwx------ root/root var/spool/postfix-lmdb/hold/
drwx------ root/root var/spool/postfix-lmdb/incoming/
drwx-wx--- root/root var/spool/postfix-lmdb/maildrop/
drwxr-xr-x root/root var/spool/postfix-lmdb/pid/
drwx------ root/root var/spool/postfix-lmdb/private/
drwx--x--- root/root var/spool/postfix-lmdb/public/
drwx------ root/root var/spool/postfix-lmdb/saved/
drwx------ root/root var/spool/postfix-lmdb/trace/


@ -1,17 +0,0 @@
untrusted comment: verify with /etc/ports/contrib.pub
RWSagIOpLGJF37JkVc144j0BdgrNRkQ4YS1j1ZUhbYiRzla5Z486wG/67QYX97nKPwvM6wK9ifJY4l4PdicWmbcPIIVJBEutSQQ=
SHA256 (Pkgfile) = 18fcdeeb8faf6526260fac657c5d26381b8c014b3f48f8056d8913879a0b075a
SHA256 (.footprint) = c4bef46624508b9105e8c5816c322560a560c09e9c5507509eb95c886d52a387
SHA256 (postfix-3.7.3.tar.gz) = d22f3d37ef75613d5d573b56fc51ef097f2c0d0b0e407923711f71c1fb72911b
SHA256 (lmdb-default.patch) = 11f42333ae0640a3ca579463ed28007973693b93bc734b5d82225fcb516bf05e
SHA256 (postfix-install.patch) = 7185d2b2e4d7cc090b958c1d372c16e15f274465e2123686a0d97db20e2b5943
SHA256 (post-install) = 16dfda7fc118659d5ed83d4a0f683c730b0de723f9700806666532efa2502957
SHA256 (postfix.rc) = 5ac60205a95faf4633c64bc60d2689f654b997932e3bbc1204b66df7b5dce1d2
SHA256 (README) = f0b40f97977607b7fd50791f611396ac0efb747227dd4063e05be914d23c7ded
SHA256 (aliases) = 60ae98d869800055b248c32c183a1836cc5a698cf337cb7ad734e862ae80e95a
SHA256 (relay_clientcerts) = 2aa69a949c06826e2f5a760791fb5cebb37e6797613270fd11381c33afa38297
SHA256 (client_restrict) = 9496a99f6714625c5883a41f8a5f9db8aa43199ef2167c18d83a2b39469622e3
SHA256 (sender_access) = c9b9b86c985facdc18e6bfe436c78340174fc315478e578d82c956e35355e678
SHA256 (sender_restrict) = 9b672511eac1971f8cd72b045e200aac8e0fe6407f1a055085fc1b85c1f24ed7
SHA256 (main-addon.cf) = 9b76d29773fec26c3500df9203b5740ca52b44d5fc62d8c80da518f5959e6063
SHA256 (master.patch) = 096b53869e8a55c8971b6ab055c170f5dc7dc676e254e5780dbdfab2a145947c


@ -1,103 +0,0 @@
# Description: Secure and fast drop-in replacement for Sendmail (MTA)
# URL: https://www.postfix.org/
# Maintainer: Steffen Nurpmeso, steffen at sdaoden dot eu
# Depends on: libpcre2 lmdb openssl
# Optional: dovecot cyrus-sasl
rname=postfix
name=postfix-lmdb
version=3.7.3
release=1
source=(
https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz
lmdb-default.patch
postfix-install.patch
post-install
${rname}.rc
README
aliases
relay_clientcerts
client_restrict sender_access sender_restrict
main-addon.cf master.patch
)
build() {
cd ${rname}-${version}
patch -p1 < "${SRC}"/lmdb-default.patch
patch -p1 < "${SRC}"/postfix-install.patch
cca='-DNO_DB -DNO_EAI -DNO_NIS -DNO_NISPLUS -DUSE_TLS'
cca=${cca}' -DHAS_LMDB -DDEF_DB_TYPE=\"lmdb\"'
cca=${cca}' -DHAS_PCRE=2 '"$(pcre2-config --cflags)"
aux=
if prt-get isinst dovecot; then # TODO UNTESTED!
cca=${cca}' -DUSE_SASL_AUTH -DDEF_SASL_SERVER=dovecot'
fi
if prt-get isinst cyrus-sasl; then # TODO UNTESTED!
cca=${cca}' -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl'
aux=${aux}' -lsasl2'
fi
unset LD_LIBRARY_PATH
make tidy
make pie=yes shared=yes \
DEBUG= \
CCARGS="${cca}" \
OPT="${CFLAGS}" \
AUXLIBS_LMDB=-llmdb \
AUXLIBS_PCRE="$(pkg-config --libs libpcre2-8)" \
AUXLIBS="-lssl -lcrypto" \
${aux} \
install_root="${PKG}" \
command_directory=/usr/sbin \
config_directory=/etc/${name} \
daemon_directory=/usr/lib/${name} \
data_directory=/var/lib/${name} \
html_directory=no \
mail_spool_directory=/var/spool/mail \
manpage_directory=/usr/share/man \
meta_directory=/etc/${name} \
queue_directory=/var/spool/${name} \
readme_directory=no \
shlib_directory=/usr/lib/${name} \
makefiles
make OPT="$CFLAGS"
make \
install_root="${PKG}" \
command_directory=/usr/sbin \
config_directory=/etc/${name} \
daemon_directory=/usr/lib/${name} \
data_directory=/var/lib/${name} \
html_directory=no \
mail_spool_directory=/var/spool/mail \
manpage_directory=/usr/share/man \
meta_directory=/etc/${name} \
queue_directory=/var/spool/${name} \
readme_directory=no \
shlib_directory=/usr/lib/${name} \
non-interactive-package
install -D -m 0755 "${SRC}"/${rname}.rc "${PKG}"/etc/rc.d/${name}
install -m 0644 "${SRC}"/aliases "${PKG}"/etc/${name}/aliases
install -m 0644 "${SRC}"/README "${PKG}"/etc/${name}/CRUX-README.txt
install -m 0644 "${SRC}"/relay_clientcerts \
"${PKG}"/etc/${name}/relay_clientcerts
install -m 0644 "${SRC}"/sender_restrict \
"${PKG}"/etc/${name}/sender_restrict
sed -E -i'' \
-e 's/^(setgid_group.+)$/#\1/' \
-e 's/^(inet_protocols.+)$/#\1/' \
"${PKG}"/etc/${name}/main.cf
cat "${SRC}"/main-addon.cf >> "${PKG}"/etc/${name}/main.cf
(
cd "${PKG}"/etc/${name}
patch -p0 < "${SRC}"/master.patch
)
}
# s-sh-mode


@ -1,131 +0,0 @@
The CRUX postfix package
========================
* Abstract
* TLS
* SmartHost
* Relay
* DNS black lists
* Gray listing
* Address verification
Abstract
--------
- Fully configured for "sailing in the wind".
- Only listens to SMTP by default, but.
- A few knobs can be turned here and there for more, see below.
Remember to run "postmap FILE" after you have updated table files,
and "newaliases" or "postalias FILE" after changing alias files.
TLS
---
tlsproxy(8) for connection tracking is running by default.
To be identifiable generate a private key with certificate, either via
openssl genpkey -algorithm ed25519 -out prv.pem
#openssl pkey -in prv.pem -pubout -out pub.pem
openssl req -x509 -key prv.pem -out crt.pem
or
openssl req -x509 -nodes -newkey ed25519 -keyout prv.pem -out crt.pem
This is self-signed (which might be sufficient for client certificate
identification as below). Also create DH parameters
openssl dhparam -out dh2048.pem 2048
Move all these to a save place. Do
cat prv.pem crt.pem > /etc/postfix-lmdb/key_and_cert.pem
cp dh2048.pem /etc/postfix-lmdb/dh2048.pem
Make them root:root and 0600.
Edit main.cf: uncomment all lines marked #TLS.
Edit master.cf and ditto.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).
SmartHost
---------
For laptops or hosts without their own hostname using a smart host which
does the real delivery is usually the thing.
Edit main.cf and uncomment and edit lines marked #SMART.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).
Authentication to the smart host is not covered by the default
configuration, with TLS as above however it may be possible to go
via client certificates shall the relayhost allow this, see below.
I.e., just reuse key_and_cert.pem "also" for this. Just uncomment the
according lines.
Note it seems wise to go the $smtp_tls_fingerprint_cert_match approach
to verify $relayhost, because the $smtp_tls_CAfile way requires a full
chain, to the best of my knowledge.
You need to have cyrus-sasl installed otherwise (usually), and also
dovecot that drives the SASL authentication. The default configuration
contains the necessary entries, you should only need to adjust and
uncomment it. Just search #SMART.
Relay
-----
The default configuration only allows mails that address $mydestination
aka the local host, or shall be relayed to $mynetworks (set to the
IPv4 private address range).
Not covering SASL authentification of clients, the default configuration
ships support for client certificate fingerprint matching, in order to
allow clients which authenticate themselves to relay mail to anywhere.
Edit main.cf and uncomment and edit lines marked #RELAY.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).
Put the fingerprints in /etc/postfix-lmdb/relay_clientcerts as shown.
Calculate them via
openssl x509 -noout -sha256 -fingerprint < CERT.pem
or
openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
It seems to support public-key-only fingerprinting also.
You need to have cyrus-sasl installed otherwise (usually), and also
dovecot that drives the SASL authentication. The default configuration
contains the necessary entries, you should only need to adjust and
uncomment it. See above for SmartHost.
DNS deny lists
--------------
. Edit main.cf and uncomment and edit lines marked #DNSDL.
. Run "/etc/rc.d/postfix-lmdb reload" (or restart).
Gray listing
------------
. Install s-postgray, and create a minimal configuration file.
. Edit main.cf and uncomment and edit lines marked #GRAY.
. Run "/etc/rc.d/postfix-lmdb reload" (or restart).
. Track your logs to fill in configuration some days or weeks.
. Remove "-c 0" s-postgray command line option from master.cf.
Address verification
--------------------
. Unless you use gray listing with --msg-allow=permit allowance, and
have a completed set of allowlisted entries, you should read postfix's
README_FILES/ADDRESS_VERIFICATION_README.
. Edit main.cf and uncomment and edit lines marked #VERIFY.
If gray listing is enabled, you could reconfigure it to not include
recipients but only senders and client addresses via --focus-sender;
then, change GRAY and VERIFY to happen in smtpd_sender_restrictions
not smtpd_recipient_restrictions.
. Run "/etc/rc.d/postfix-lmdb reload" (or restart).
# s-ts-mode


@ -1,96 +0,0 @@
#
# Sample aliases file. Install in the location as specified by the
# output from the command "postconf alias_maps". Typical path names
# are /etc/aliases or /etc/mail/aliases.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to Postfix.
#
# Person who should get root's mail. Don't receive mail as root!
#root: you
# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts
bin: root
daemon: root
named: root
nobody: root
uucp: root
www: root
ftp-bugs: root
postfix: root
# Put your local aliases here.
# Well-known aliases
manager: root
dumper: root
operator: root
abuse: postmaster
# trap decode to catch security attacks
decode: root
# ALIASES(5) ALIASES(5)
# o An alias definition has the form
#
# name: value1, value2, ...
#
# o Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# o A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# The name is a local address (no domain part). Use double
# quotes when the name contains any special characters such
# as whitespace, `#', `:', or `@'. The name is folded to
# lowercase, in order to make database lookups case insensi-
# tive.
# The value contains one or more of the following:
#
# address
# Mail is forwarded to address, which is compatible
# with the RFC 822 standard.
#
# /file/name
# Mail is appended to /file/name. See local(8) for
# details of delivery to file. Delivery is not lim-
# ited to regular files. For example, to dispose of
# unwanted mail, deflect it to /dev/null.
#
# |command
# Mail is piped into command. Commands that contain
# special characters, such as whitespace, should be
# enclosed between double quotes. See local(8) for
# details of delivery to command.
#
# When the command fails, a limited amount of command
# output is mailed back to the sender. The file
# /usr/include/sysexits.h defines the expected exit
# status codes. For example, use "|exit 67" to simu-
# late a "user unknown" error, and "|exit 0" to
# implement an expensive black hole.
#
# :include:/file/name
# Mail is sent to the destinations listed in the
# named file. Lines in :include: files have the same
# syntax as the right-hand side of alias entries.
#
# A destination can be any destination that is
# described in this manual page. However, delivery to
# "|command" and /file/name is disallowed by default.
# To enable, edit the allow_mail_to_commands and
# allow_mail_to_files configuration parameters.
# SEE ALSO
# local(8), local delivery agent
# newaliases(1), create/update alias database
# postalias(1), create/update alias database
# postconf(5), configuration parameters


@ -1,2 +0,0 @@
# See access(5) for format (REJECT,OK,HOLD,DUNNO)


@ -1,27 +0,0 @@
Upstream: Not applicable
Reason: Make LMDB the default configuration
Author: Duncan Bellamy <dunk@denkimushi.com>
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index a6119f1..9639c60 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -2826,7 +2826,7 @@ extern int var_vrfy_pend_limit;
extern char *var_verify_service;
#define VAR_VERIFY_MAP "address_verify_map"
-#define DEF_VERIFY_MAP "btree:$data_directory/verify_cache"
+#define DEF_VERIFY_MAP "lmdb:$data_directory/verify_cache"
extern char *var_verify_map;
#define VAR_VERIFY_POS_EXP "address_verify_positive_expire_time"
@@ -3594,7 +3594,7 @@ extern char *var_multi_cntrl_cmds;
* postscreen(8)
*/
#define VAR_PSC_CACHE_MAP "postscreen_cache_map"
-#define DEF_PSC_CACHE_MAP "btree:$data_directory/postscreen_cache"
+#define DEF_PSC_CACHE_MAP "lmdb:$data_directory/postscreen_cache"
extern char *var_psc_cache_map;
#define VAR_SMTPD_SERVICE "smtpd_service_name"


@ -1,286 +0,0 @@
### CRUX-ADDON
default_privs = _postfix_xlocal
setgid_group = _postfix_queue
mail_spool_directory = /var/spool/mail
alias_database = lmdb:$meta_directory/aliases
alias_maps = $alias_database
# all # or ipv4, ipv6 or ipv4 or ipv6
inet_protocols = all
#myhostname = crux-box # default: gethostname
#mydomain = localdomain # default: $myhostname less one component
#myorigin = $mydomain
# , lists.$myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host
# mynetworks: which addresses we treat as belonging to "our network".
# RFC 1918 defines several "address ranges for private internets",
# one class A, 16 class B, 256 class C networks:
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
# In practice these are used by WLAN and other such networks, which is not
# "our" per se. RFC 5737 defines several blocks "reserved for documentation"
# that SHOULD NOT occur on the public internet, so they should be blocked on
# ingress and better not leave on egress, but they can be assigned to local
# namespaces etc., and be used within VPNs:
# 192.0.2.0 - 192.0.2.255 (192.0.2.0/24, TEST-NET-1, from RFC 1166)
# 198.51.100.0 - 198.51.100.255 (198.51.100.0/24, TEST-NET-2)
# 203.0.113.0 - 203.0.113.255 (203.0.113.0/24, TEST-NET-3)
# Dunno how to specify IPv6 link-local and site-local
#mynetworks = 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 127.0.0.0/8
mynetworks = 127.0.0.0/8
#inet_interfaces = localhost
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
#debug_peer_list = localhost
smtputf8_enable = no
disable_vrfy_command = yes
default_verp_delimiters = -=
verp_delimiter_filter = -=
recipient_delimiter = +
default_process_limit = 8
anvil_rate_time_unit = 60s
anvil_status_update_time = 3600s
#n_flow_delay = 1s
body_checks_size_limit = 102400
bounce_size_limit = 50000
#header_size_limit = 102400
mailbox_size_limit = 100000000
message_size_limit = 442000
## TLSPROXY(8) (where diverging from daemon / client)
tls_append_default_CA = no
## POSTFIX DAEMON
# Calculate:
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
# Put the hash only in relay_clientcerts, right hand value is not inspected:
# FINGERPRINT-HERE whatever value
# Search #RELAY for this, uncomment
#RELAY relay_clientcerts = lmdb:$meta_directory/relay_clientcerts
# relay_domains <-> reject_unauth_destination,permit_auth_destination
# eg lmdb:$meta_directory/transport
transport_maps =
relay_domains = $mynetworks,$transport_maps
# Only localhost for mailing-lists etc.; maybe $mynetworks?
smtpd_authorized_verp_clients = 127.0.0.1
# Clients connection checks
smtpd_client_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
check_client_access lmdb:$meta_directory/client_restrict,
reject_unknown_client_hostname,
# in case you want reject DNS blacklists rather than greylist them,
# exchange sleep (maybe) and uncomment the lines below
sleep 1,
#reject_rbl_client cbl.abuseat.org,
#reject_rbl_client sbl.spamhaus.org,
#DNSDL reject_rbl_client zen.spamhaus.org,
#DNSDL reject_rbl_client dnsbl.sorbs.net,
#reject_rbl_client bl.spamcop.net,
#reject_rbl_client list.dsbl.org,
reject_unauth_pipelining,
#reject
permit
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
smtpd_helo_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
permit
# MAIL FROM Checks
smtpd_sender_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY reject_authenticated_sender_login_mismatch,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_non_fqdn_sender,
# Total no-goes database, eg: qq.com reject
check_sender_access lmdb:$meta_directory/sender_restrict,
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
#GRAY: with --focus-sender only! And --msg-allow=permit
#GRAY check_policy_service unix:private/postgray,
#VERIFY(..then) reject_unverified_sender,
permit
smtpd_relay_before_recipient_restrictions = yes
# RCPT TO checks, relay policy
# Local clients and authenticated clients may specify any destination domain
smtpd_relay_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_non_fqdn_recipient,
#permit_auth_destination,
#reject
reject_unauth_destination,
permit
# RCPT TO checks, spam blocking policy
# Match fast for $mynetworks and authenticated clients.
smtpd_recipient_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_unknown_recipient_domain,
# DB of MAIL FROM's without policy server checks (one way, or another)
check_sender_access lmdb:$meta_directory/sender_access,
#check_policy_service inet:127.0.0.1:5525,
#GRAY: without --focus-sender
#GRAY check_policy_service unix:private/postgray,
#VERIFY(..then) reject_unverified_sender,
#(VERIFY would not) reject_unverified_recipient,
permit
# i would turn that on..
#smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_hard_error_limit = 2
smtpd_soft_error_limit = 1
smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
smtpd_junk_command_limit = 5
#smtpd_log_access_permit_actions =
# permit_tls_clientcerts,
# permit_sasl_authenticated
#smtpd_client_connection_rate_limit = 20
#smtpd_client_connection_count_limit = 2
#VERIFY address_verify_map = lmdb:$data_directory/verify_cache
#VERIFY address_verify_cache_cleanup_interval = 86400s
#TLS Do not forget to look into master.cf!
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = $meta_directory/key_and_cert.pem
#TLS smtpd_tls_dh1024_param_file = $meta_directory/dh2048.pem
# This are managed per-service in master.cf!
#smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
#SMART The next is usually nice but when using client certificates
smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
# Usually enabled per-service in master.cf!
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
## POSTFIX CLIENT
#TLS comment out next
#SMART comment out next
smtp_tls_security_level = may
# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
#SMART When only relaying to smarthost, the next should be =high
#SMART smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = yes
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
#smtp_sasl_path = $smtpd_sasl_path
#smtp_sasl_mechanism_filter = !external
#smtp_sasl_security_options = $smtpd_sasl_security_options
#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
#smtp_sasl_mechanism_filter = plain, login
# For laptops etc, rely on smarthost to do real delivery.
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups
# check man(5) postconf -> local_header_rewrite_clients;
# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
#SMART relayhost = [HOST]:submissions
#SMART Next only when going directly SMTPS/SUBMISSIONS
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
#SMART EITHER these three
#SMART smtp_tls_security_level = verify
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
#SMART smtp_tls_scert_verifydepth = 9
#SMART OR these two
#SMART smtp_tls_security_level = fingerprint
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
#SMART disable_dns_lookups = yes
#SMART Authentication like that not tried, this from postfix SASL_README:
#smtp_sasl_auth_enable = yes
#smtp_sasl_tls_security_options = noanonymous
#smtp_sasl_password_maps = lmdb:$meta_directory/sasl_passwd
# $meta_directory/sasl_passwd:
# # destination credentials
# #user1@example.com username1:password1
# #user2@example.net username2:password2
# [mail.isp.example] username:password
# # Alternative form:
# # [mail.isp.example]:submission username:password
#SMART Even sender-specific, uncomment the user1 user2 entries above then
# sender_dependent_relayhost_maps = lmdb:$meta_directory/sender_relay
# $meta_directory/sender_relay:
# # Per-sender provider; see also $meta_directory/sasl_passwd.
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]
# Permanently (to _destinations) instead if this is "no"
smtp_connection_cache_on_demand = yes
# $relayhost WITHOUT [] and : etc.!!
smtp_connection_cache_destinations = $relayhost
smtp_connection_cache_time_limit = 10s
smtp_connection_reuse_count_limit = 242


@ -1,37 +0,0 @@
--- master.cf.orig 2022-06-08 22:53:27.956225130 +0200
+++ master.cf 2022-06-08 22:56:16.596225800 +0200
@@ -10,6 +10,20 @@
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
+#TLS Does: STARTTLS on :25, enforced STARTTLS on :587, always TLS on :465
+#TLS -o smtpd_tls_security_level=may
+#TLS -o smtpd_sasl_auth_enable=no
+#TLS submission inet n - n - - smtpd
+#TLS -o syslog_name=postfix/submission
+#TLS -o smtpd_tls_security_level=encrypt
+#TLS -o smtpd_sasl_auth_enable=yes
+#TLS # This was SMTPS aka :465. I use it as that.
+#TLS submissions inet n - n - - smtpd
+#TLS -o syslog_name=postfix/submissions
+#TLS -o smtpd_tls_wrappermode=yes
+#TLS -o smtpd_sasl_auth_enable=no
+tlsproxy unix - - n - 0 tlsproxy
+ -o tlsproxy_tls_security_level=encrypt
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
@@ -86,7 +100,12 @@
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
-#
+
+#GRAY
+#GRAY postgray unix - n n - - spawn
+#GRAY
+#GRAY user=_postfix_xlocal argv=/usr/libexec/s-postgray -c0 -R /etc/postfix-lmdb/pg.rc
+
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#


@ -1,58 +0,0 @@
#!/bin/sh -
name=postfix-lmdb
# owner
usr=postfix
usrgrp=${usr}
# group for mail submission and queue
queuegrp=_postfix_queue
# Default rights used by the local delivery agent for delivery
# to external file, used in absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
defusr=_postfix_xlocal
defgrp=${defusr}
getent group mail >/dev/null || groupadd -r mail
getent group ${usrgrp} >/dev/null || groupadd -r ${usrgrp}
getent passwd ${usr} >/dev/null 2>&1 || {
useradd -r -g ${usrgrp} -d /var/spool/${name} -s /bin/false ${usr}
passwd -l ${usr}
}
getent group ${queuegrp} >/dev/null || groupadd -r ${queuegrp}
getent group ${defgrp} >/dev/null || groupadd -r ${defgrp}
getent passwd ${defusr} >/dev/null 2>&1 || {
useradd -r -g ${defgrp} -d /var/spool/mail -s /sbin/nologin ${defusr}
passwd -l ${defusr}
}
p_i() {
/usr/lib/${name}/post-install \
install_root= \
command_directory=/usr/sbin \
config_directory=/etc/${name} \
daemon_directory=/usr/lib/${name} \
data_directory=/var/lib/${name} \
html_directory=no \
mail_spool_directory=/var/spool/mail \
manpage_directory=/usr/share/man \
meta_directory=/etc/${name} \
queue_directory=/var/spool/${name} \
readme_directory=no \
shlib_directory=/usr/lib/${name} \
"${@}"
}
p_i create-missing
p_i upgrade-permissions
/usr/sbin/postalias /etc/${name}/aliases
/usr/sbin/postmap lmdb:/etc/${name}/relay_clientcerts
/usr/sbin/postmap lmdb:/etc/${name}/client_restrict
/usr/sbin/postmap lmdb:/etc/${name}/sender_access
/usr/sbin/postmap lmdb:/etc/${name}/sender_restrict


@ -1,11 +0,0 @@
--- a/postfix-install
+++ b/postfix-install
@@ -832,7 +832,7 @@
# the wrong place when Postfix is being upgraded.
case "$mail_version" in
-"") mail_version="`bin/postconf -dhx mail_version`" || exit 1
+"") mail_version="`bin/postconf -c $CONFIG_DIRECTORY -dhx mail_version`" || exit 1
esac
# Undo MAIL_VERSION expansion at the end of a parameter value. If


@ -1,38 +0,0 @@
#!/bin/sh
#@ /etc/rc.d/postfix: start/stop postfix daemon
PROG=/usr/sbin/postfix
OPTS=
case "${1}" in
check)
exec ${PROG} ${OPTS} check
;;
start)
exec ${PROG} ${OPTS} start
;;
stop)
exec ${PROG} ${OPTS} stop
;;
restart)
"${0}" stop
exec "${0}" start
;;
reload)
exec ${PROG} ${OPTS} reload
;;
abort)
exec ${PROG} ${OPTS} abort
;;
flush)
exec ${PROG} ${OPTS} flush
;;
status)
exec ${PROG} ${OPTS} status
;;
*)
echo "usage: ${0} check|start|stop|restart|reload|abort|flush|status"
;;
esac
# s-sh-mode


@ -1,5 +0,0 @@
# FINGERPRINT any value
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c


@ -1,3 +0,0 @@
# See access(5) for format (REJECT,OK,HOLD,DUNNO)
crux.nu OK


@ -1,3 +0,0 @@
# See access(5) for format (REJECT,OK,HOLD,DUNNO)
qq.com reject