ports/contrib
3
3
Fork 2
Code Issues Pull Requests Activity
593929e7a0
contrib/postfix-lmdb
History
Steffen Nurpmeso 6218a83b98 postfix-lmdb: 3.7.2 (not affected iirc; but: README etc. updates)
2022-06-08 23:04:58 +02:00
..
.footprint
.signature postfix-lmdb: 3.7.2 (not affected iirc; but: README etc. updates) 2022-06-08 23:04:58 +02:00
aliases
client_restrict
lmdb-default.patch
main-addon.cf postfix-lmdb: 3.7.2 (not affected iirc; but: README etc. updates) 2022-06-08 23:04:58 +02:00
master.patch postfix-lmdb: 3.7.2 (not affected iirc; but: README etc. updates) 2022-06-08 23:04:58 +02:00
Pkgfile postfix-lmdb: 3.7.2 (not affected iirc; but: README etc. updates) 2022-06-08 23:04:58 +02:00
post-install
postfix-install.patch
postfix.rc
README postfix-lmdb: 3.7.2 (not affected iirc; but: README etc. updates) 2022-06-08 23:04:58 +02:00
relay_clientcerts
sender_access
sender_restrict

README 

The CRUX postfix package
========================

* Abstract
* TLS
* SmartHost
* Relay
* DNS black lists
* Gray listing
* Address verification

Abstract
--------

- Fully configured for "sailing in the wind".
- Only listens to SMTP by default, but.
- A few knobs can be turned here and there for more, see below.

Remember to run "postmap FILE" after you have updated table files,
and "newaliases" or "postalias FILE" after changing alias files.

TLS
---

tlsproxy(8) for connection tracking is running by default.
To be identifiable generate a private key with certificate, either via

  openssl genpkey -algorithm ed25519 -out prv.pem
  #openssl pkey -in prv.pem -pubout -out pub.pem
  openssl req -x509 -key prv.pem -out crt.pem

or

  openssl req -x509 -nodes -newkey ed25519 -keyout prv.pem -out crt.pem

This is self-signed (which might be sufficient for client certificate
identification as below).  Also create DH parameters

  openssl dhparam -out dh2048.pem 2048

Move all these to a save place.  Do

  cat prv.pem crt.pem > /etc/postfix-lmdb/key_and_cert.pem
  cp dh2048.pem /etc/postfix-lmdb/dh2048.pem

Make them root:root and 0600.
Edit main.cf: uncomment all lines marked #TLS.
Edit master.cf and ditto.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

SmartHost
---------

For laptops or hosts without their own hostname using a smart host which
does the real delivery is usually the thing.

Edit main.cf and uncomment and edit lines marked #SMART.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Authentication to the smart host is not covered by the default
configuration, with TLS as above however it may be possible to go
via client certificates shall the relayhost allow this, see below.
I.e., just reuse key_and_cert.pem "also" for this.  Just uncomment the
according lines.

Note it seems wise to go the $smtp_tls_fingerprint_cert_match approach
to verify $relayhost, because the $smtp_tls_CAfile way requires a full
chain, to the best of my knowledge.

You need to have cyrus-sasl installed otherwise (usually), and also
dovecot that drives the SASL authentication.  The default configuration
contains the necessary entries, you should only need to adjust and
uncomment it.  Just search #SMART.

Relay
-----

The default configuration only allows mails that address $mydestination
aka the local host, or shall be relayed to $mynetworks (set to the
IPv4 private address range).

Not covering SASL authentification of clients, the default configuration
ships support for client certificate fingerprint matching, in order to
allow clients which authenticate themselves to relay mail to anywhere.
Edit main.cf and uncomment and edit lines marked #RELAY.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Put the fingerprints in /etc/postfix-lmdb/relay_clientcerts as shown.
Calculate them via

  openssl x509 -noout -sha256 -fingerprint < CERT.pem
or
  openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c

It seems to support public-key-only fingerprinting also.

You need to have cyrus-sasl installed otherwise (usually), and also
dovecot that drives the SASL authentication.  The default configuration
contains the necessary entries, you should only need to adjust and
uncomment it.  See above for SmartHost.

DNS deny lists
--------------

. Edit main.cf and uncomment and edit lines marked #DNSDL.
. Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Gray listing
------------

. Install s-postgray, and create a minimal configuration file.
. Edit main.cf and uncomment and edit lines marked #GRAY.
. Run "/etc/rc.d/postfix-lmdb reload" (or restart).
. Track your logs to fill in configuration some days or weeks.
. Remove "-c 0" s-postgray command line option from master.cf.

Address verification
--------------------

. Unless you use gray listing with --msg-allow=permit allowance, and
  have a completed set of allowlisted entries, you should read postfix's
  README_FILES/ADDRESS_VERIFICATION_README.
. Edit main.cf and uncomment and edit lines marked #VERIFY.
  If gray listing is enabled, you could reconfigure it to not include
  recipients but only senders and client addresses via --focus-sender;
  then, change GRAY and VERIFY to happen in smtpd_sender_restrictions
  not smtpd_recipient_restrictions.
. Run "/etc/rc.d/postfix-lmdb reload" (or restart).

# s-ts-mode