From e9b6964e9fb191c48cf6b3716fa11eabdb020b53 Mon Sep 17 00:00:00 2001 From: Steffen Nurpmeso Date: Thu, 11 Feb 2021 00:43:00 +0100 Subject: [PATCH] postfix-lmdb: new port (secure mailer) --- postfix-lmdb/.footprint | 180 +++++++++++++++++++++++ postfix-lmdb/.md5sum | 11 ++ postfix-lmdb/Pkgfile | 97 +++++++++++++ postfix-lmdb/README | 104 ++++++++++++++ postfix-lmdb/aliases | 96 +++++++++++++ postfix-lmdb/lmdb-default.patch | 27 ++++ postfix-lmdb/main-addon.cf | 224 +++++++++++++++++++++++++++++ postfix-lmdb/master.patch | 16 +++ postfix-lmdb/post-install | 55 +++++++ postfix-lmdb/postfix-install.patch | 11 ++ postfix-lmdb/postfix.rc | 38 +++++ postfix-lmdb/relay_clientcerts | 1 + postfix-lmdb/sender_restrict | 3 + 13 files changed, 863 insertions(+) create mode 100644 postfix-lmdb/.footprint create mode 100644 postfix-lmdb/.md5sum create mode 100644 postfix-lmdb/Pkgfile create mode 100644 postfix-lmdb/README create mode 100644 postfix-lmdb/aliases create mode 100644 postfix-lmdb/lmdb-default.patch create mode 100644 postfix-lmdb/main-addon.cf create mode 100644 postfix-lmdb/master.patch create mode 100644 postfix-lmdb/post-install create mode 100644 postfix-lmdb/postfix-install.patch create mode 100755 postfix-lmdb/postfix.rc create mode 100644 postfix-lmdb/relay_clientcerts create mode 100644 postfix-lmdb/sender_restrict diff --git a/postfix-lmdb/.footprint b/postfix-lmdb/.footprint new file mode 100644 index 000000000..cf5cb7755 --- /dev/null +++ b/postfix-lmdb/.footprint 
@@ -0,0 +1,180 @@ +drwxr-xr-x root/root etc/ +drwxr-xr-x root/root etc/postfix-lmdb/ +-rw-r--r-- root/root etc/postfix-lmdb/CRUX-README.txt +-rw-r--r-- root/root etc/postfix-lmdb/LICENSE +-rw-r--r-- root/root etc/postfix-lmdb/TLS_LICENSE +-rw-r--r-- root/root etc/postfix-lmdb/access +-rw-r--r-- root/root etc/postfix-lmdb/aliases +-rw-r--r-- root/root etc/postfix-lmdb/bounce.cf.default +-rw-r--r-- root/root etc/postfix-lmdb/canonical +-rw-r--r-- root/root etc/postfix-lmdb/generic +-rw-r--r-- root/root etc/postfix-lmdb/header_checks +-rw-r--r-- root/root etc/postfix-lmdb/main.cf +-rw-r--r-- root/root etc/postfix-lmdb/main.cf.default +-rw-r--r-- root/root etc/postfix-lmdb/main.cf.proto +-rw-r--r-- root/root etc/postfix-lmdb/makedefs.out +-rw-r--r-- root/root etc/postfix-lmdb/master.cf +-rw-r--r-- root/root etc/postfix-lmdb/master.cf.proto +-rw-r--r-- root/root etc/postfix-lmdb/postfix-files +drwxr-xr-x root/root etc/postfix-lmdb/postfix-files.d/ +-rw-r--r-- root/root etc/postfix-lmdb/relay_clientcerts +-rw-r--r-- root/root etc/postfix-lmdb/relocated +-rw-r--r-- root/root etc/postfix-lmdb/sender_restrict +-rw-r--r-- root/root etc/postfix-lmdb/transport +-rw-r--r-- root/root etc/postfix-lmdb/virtual +drwxr-xr-x root/root etc/rc.d/ +-rwxr-xr-x root/root etc/rc.d/postfix-lmdb +drwxr-xr-x root/root usr/ +drwxr-xr-x root/root usr/bin/ +lrwxrwxrwx root/root usr/bin/mailq -> ../../usr/sbin/sendmail +lrwxrwxrwx root/root usr/bin/newaliases -> ../../usr/sbin/sendmail +drwxr-xr-x root/root usr/lib/ +drwxr-xr-x root/root usr/lib/postfix-lmdb/ +-rwxr-xr-x root/root usr/lib/postfix-lmdb/anvil +-rwxr-xr-x root/root usr/lib/postfix-lmdb/bounce +-rwxr-xr-x root/root usr/lib/postfix-lmdb/cleanup +-rwxr-xr-x root/root usr/lib/postfix-lmdb/discard +-rwxr-xr-x root/root usr/lib/postfix-lmdb/dnsblog +-rwxr-xr-x root/root usr/lib/postfix-lmdb/error +-rwxr-xr-x root/root usr/lib/postfix-lmdb/flush +-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-dns.so +-rwxr-xr-x root/root 
usr/lib/postfix-lmdb/libpostfix-global.so +-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-master.so +-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-tls.so +-rwxr-xr-x root/root usr/lib/postfix-lmdb/libpostfix-util.so +-rwxr-xr-x root/root usr/lib/postfix-lmdb/lmtp +-rwxr-xr-x root/root usr/lib/postfix-lmdb/local +-rwxr-xr-x root/root usr/lib/postfix-lmdb/master +-rwxr-xr-x root/root usr/lib/postfix-lmdb/nqmgr +-rwxr-xr-x root/root usr/lib/postfix-lmdb/oqmgr +-rwxr-xr-x root/root usr/lib/postfix-lmdb/pickup +-rwxr-xr-x root/root usr/lib/postfix-lmdb/pipe +-rwxr-xr-x root/root usr/lib/postfix-lmdb/post-install +-rwxr-xr-x root/root usr/lib/postfix-lmdb/postfix-script +-rwxr-xr-x root/root usr/lib/postfix-lmdb/postfix-tls-script +-rwxr-xr-x root/root usr/lib/postfix-lmdb/postfix-wrapper +-rwxr-xr-x root/root usr/lib/postfix-lmdb/postlogd +-rwxr-xr-x root/root usr/lib/postfix-lmdb/postmulti-script +-rwxr-xr-x root/root usr/lib/postfix-lmdb/postscreen +-rwxr-xr-x root/root usr/lib/postfix-lmdb/proxymap +-rwxr-xr-x root/root usr/lib/postfix-lmdb/qmgr +-rwxr-xr-x root/root usr/lib/postfix-lmdb/qmqpd +-rwxr-xr-x root/root usr/lib/postfix-lmdb/scache +-rwxr-xr-x root/root usr/lib/postfix-lmdb/showq +-rwxr-xr-x root/root usr/lib/postfix-lmdb/smtp +-rwxr-xr-x root/root usr/lib/postfix-lmdb/smtpd +-rwxr-xr-x root/root usr/lib/postfix-lmdb/spawn +-rwxr-xr-x root/root usr/lib/postfix-lmdb/tlsmgr +-rwxr-xr-x root/root usr/lib/postfix-lmdb/tlsproxy +-rwxr-xr-x root/root usr/lib/postfix-lmdb/trivial-rewrite +-rwxr-xr-x root/root usr/lib/postfix-lmdb/verify +-rwxr-xr-x root/root usr/lib/postfix-lmdb/virtual +drwxr-xr-x root/root usr/sbin/ +-rwxr-xr-x root/root usr/sbin/postalias +-rwxr-xr-x root/root usr/sbin/postcat +-rwxr-xr-x root/root usr/sbin/postconf +-rwxr-xr-x root/root usr/sbin/postdrop +-rwxr-xr-x root/root usr/sbin/postfix +-rwxr-xr-x root/root usr/sbin/postkick +-rwxr-xr-x root/root usr/sbin/postlock +-rwxr-xr-x root/root usr/sbin/postlog +-rwxr-xr-x 
root/root usr/sbin/postmap +-rwxr-xr-x root/root usr/sbin/postmulti +-rwxr-xr-x root/root usr/sbin/postqueue +-rwxr-xr-x root/root usr/sbin/postsuper +-rwxr-xr-x root/root usr/sbin/sendmail +drwxr-xr-x root/root usr/share/ +drwxr-xr-x root/root usr/share/man/ +drwxr-xr-x root/root usr/share/man/man1/ +-rw-r--r-- root/root usr/share/man/man1/mailq.1.gz +-rw-r--r-- root/root usr/share/man/man1/newaliases.1.gz +-rw-r--r-- root/root usr/share/man/man1/postalias.1.gz +-rw-r--r-- root/root usr/share/man/man1/postcat.1.gz +-rw-r--r-- root/root usr/share/man/man1/postconf.1.gz +-rw-r--r-- root/root usr/share/man/man1/postdrop.1.gz +-rw-r--r-- root/root usr/share/man/man1/postfix-tls.1.gz +-rw-r--r-- root/root usr/share/man/man1/postfix.1.gz +-rw-r--r-- root/root usr/share/man/man1/postkick.1.gz +-rw-r--r-- root/root usr/share/man/man1/postlock.1.gz +-rw-r--r-- root/root usr/share/man/man1/postlog.1.gz +-rw-r--r-- root/root usr/share/man/man1/postmap.1.gz +-rw-r--r-- root/root usr/share/man/man1/postmulti.1.gz +-rw-r--r-- root/root usr/share/man/man1/postqueue.1.gz +-rw-r--r-- root/root usr/share/man/man1/postsuper.1.gz +-rw-r--r-- root/root usr/share/man/man1/sendmail.1.gz +drwxr-xr-x root/root usr/share/man/man5/ +-rw-r--r-- root/root usr/share/man/man5/access.5.gz +-rw-r--r-- root/root usr/share/man/man5/aliases.5.gz +-rw-r--r-- root/root usr/share/man/man5/body_checks.5.gz +-rw-r--r-- root/root usr/share/man/man5/bounce.5.gz +-rw-r--r-- root/root usr/share/man/man5/canonical.5.gz +-rw-r--r-- root/root usr/share/man/man5/cidr_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/generic.5.gz +-rw-r--r-- root/root usr/share/man/man5/header_checks.5.gz +-rw-r--r-- root/root usr/share/man/man5/ldap_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/lmdb_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/master.5.gz +-rw-r--r-- root/root usr/share/man/man5/memcache_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/mysql_table.5.gz +-rw-r--r-- root/root 
usr/share/man/man5/nisplus_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/pcre_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/pgsql_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/postconf.5.gz +-rw-r--r-- root/root usr/share/man/man5/postfix-wrapper.5.gz +-rw-r--r-- root/root usr/share/man/man5/regexp_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/relocated.5.gz +-rw-r--r-- root/root usr/share/man/man5/socketmap_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/sqlite_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/tcp_table.5.gz +-rw-r--r-- root/root usr/share/man/man5/transport.5.gz +-rw-r--r-- root/root usr/share/man/man5/virtual.5.gz +drwxr-xr-x root/root usr/share/man/man8/ +-rw-r--r-- root/root usr/share/man/man8/anvil.8.gz +-rw-r--r-- root/root usr/share/man/man8/bounce.8.gz +-rw-r--r-- root/root usr/share/man/man8/cleanup.8.gz +-rw-r--r-- root/root usr/share/man/man8/defer.8.gz +-rw-r--r-- root/root usr/share/man/man8/discard.8.gz +-rw-r--r-- root/root usr/share/man/man8/dnsblog.8.gz +-rw-r--r-- root/root usr/share/man/man8/error.8.gz +-rw-r--r-- root/root usr/share/man/man8/flush.8.gz +-rw-r--r-- root/root usr/share/man/man8/lmtp.8.gz +-rw-r--r-- root/root usr/share/man/man8/local.8.gz +-rw-r--r-- root/root usr/share/man/man8/master.8.gz +-rw-r--r-- root/root usr/share/man/man8/oqmgr.8.gz +-rw-r--r-- root/root usr/share/man/man8/pickup.8.gz +-rw-r--r-- root/root usr/share/man/man8/pipe.8.gz +-rw-r--r-- root/root usr/share/man/man8/postlogd.8.gz +-rw-r--r-- root/root usr/share/man/man8/postscreen.8.gz +-rw-r--r-- root/root usr/share/man/man8/proxymap.8.gz +-rw-r--r-- root/root usr/share/man/man8/qmgr.8.gz +-rw-r--r-- root/root usr/share/man/man8/qmqpd.8.gz +-rw-r--r-- root/root usr/share/man/man8/scache.8.gz +-rw-r--r-- root/root usr/share/man/man8/showq.8.gz +-rw-r--r-- root/root usr/share/man/man8/smtp.8.gz +-rw-r--r-- root/root usr/share/man/man8/smtpd.8.gz +-rw-r--r-- root/root usr/share/man/man8/spawn.8.gz +-rw-r--r-- 
root/root usr/share/man/man8/tlsmgr.8.gz +-rw-r--r-- root/root usr/share/man/man8/tlsproxy.8.gz +-rw-r--r-- root/root usr/share/man/man8/trace.8.gz +-rw-r--r-- root/root usr/share/man/man8/trivial-rewrite.8.gz +-rw-r--r-- root/root usr/share/man/man8/verify.8.gz +-rw-r--r-- root/root usr/share/man/man8/virtual.8.gz +drwxr-xr-x root/root var/ +drwxr-xr-x root/root var/lib/ +drwx------ root/root var/lib/postfix-lmdb/ +drwxr-xr-x root/root var/spool/ +drwxr-xr-x root/root var/spool/postfix-lmdb/ +drwx------ root/root var/spool/postfix-lmdb/active/ +drwx------ root/root var/spool/postfix-lmdb/bounce/ +drwx------ root/root var/spool/postfix-lmdb/corrupt/ +drwx------ root/root var/spool/postfix-lmdb/defer/ +drwx------ root/root var/spool/postfix-lmdb/deferred/ +drwx------ root/root var/spool/postfix-lmdb/flush/ +drwx------ root/root var/spool/postfix-lmdb/hold/ +drwx------ root/root var/spool/postfix-lmdb/incoming/ +drwx-wx--- root/root var/spool/postfix-lmdb/maildrop/ +drwxr-xr-x root/root var/spool/postfix-lmdb/pid/ +drwx------ root/root var/spool/postfix-lmdb/private/ +drwx--x--- root/root var/spool/postfix-lmdb/public/ +drwx------ root/root var/spool/postfix-lmdb/saved/ +drwx------ root/root var/spool/postfix-lmdb/trace/ diff --git a/postfix-lmdb/.md5sum b/postfix-lmdb/.md5sum new file mode 100644 index 000000000..27ced0acf --- /dev/null +++ b/postfix-lmdb/.md5sum @@ -0,0 +1,11 @@ +24bfa6cc02af20ff1306dbdc9e9ccd72 README +991eec1333efecf3e5c5785a35f63f93 aliases +356deb2ed0a246dc67417d501384b29d lmdb-default.patch +6b5b42413a938f5e1c036a29919fc6ba main-addon.cf +349f82d9bce5df2e820edde59f0df385 master.patch +3a0783dfe97cd85620ec63dc3155c138 post-install +a4d1b2df03a500cf8f9759d5fca1c1f6 postfix-3.5.9.tar.gz +3c58426d21611dd4eb1f93e924b349a1 postfix-install.patch +74ca32d588624b357889e6d783c3aa11 postfix.rc +9e5990ceca5cd7969fe1297e02fd966d relay_clientcerts +e701ec7f1075d63c1b0cf930cce8ff9e sender_restrict 
diff --git a/postfix-lmdb/Pkgfile b/postfix-lmdb/Pkgfile
new file mode 100644
index 000000000..d34df6eb1
--- /dev/null
+++ b/postfix-lmdb/Pkgfile
@@ -0,0 +1,97 @@
+# Description: Secure and fast drop-in replacement for Sendmail (MTA)
+# URL: https://www.postfix.org/
+# Maintainer: Steffen Nurpmeso, steffen at sdaoden dot eu
+# Depends on: libpcre lmdb openssl
+
+rname=postfix
+name=postfix-lmdb
+version=3.5.9
+release=1
+source=(
+ https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz
+ lmdb-default.patch postfix-install.patch post-install
+ ${rname}.rc
+ aliases README relay_clientcerts sender_restrict
+ main-addon.cf master.patch
+)
+
+isinst() { pkginfo -i | grep -qE "^${1}[[:space:]]"; }
+
+build() {
+ cd ${rname}-${version}
+
+ patch -p1 < "${SRC}"/lmdb-default.patch
+ patch -p1 < "${SRC}"/postfix-install.patch
+
+ cca='-DNO_DB -DNO_EAI -DNO_NIS -DNO_NISPLUS '
+ cca=${cca}' -DHAS_LMDB -DDEF_DB_TYPE=\"lmdb\" -DHAS_PCRE -DUSE_TLS'
+ aux=
+
+ if isinst dovecot; then # TODO UNTESTED!
+ cca=${cca}' -DUSE_SASL_AUTH -DDEF_SASL_SERVER=dovecot'
+ fi
+
+ if isinst cyrus-sasl; then # TODO UNTESTED!
+ cca=${cca}' -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl'
+ aux=${aux}' -lsasl2'
+ fi
+
+ make tidy
+ make pie=yes shared=yes \
+ DEBUG= \
+ CCARGS="${cca}" \
+ OPT="${CFLAGS}" \
+ AUXLIBS_LMDB=-llmdb \
+ AUXLIBS_PCRE=-lpcre \
+ AUXLIBS="-lssl -lcrypto" \
+ ${aux} \
+ install_root="${PKG}" \
+ command_directory=/usr/sbin \
+ config_directory=/etc/${name} \
+ daemon_directory=/usr/lib/${name} \
+ data_directory=/var/lib/${name} \
+ html_directory=no \
+ mail_spool_directory=/var/spool/mail \
+ manpage_directory=/usr/share/man \
+ meta_directory=/etc/${name} \
+ queue_directory=/var/spool/${name} \
+ readme_directory=no \
+ shlib_directory=/usr/lib/${name} \
+ makefiles
+
+ make OPT="$CFLAGS"
+
+ make \
+ install_root="${PKG}" \
+ command_directory=/usr/sbin \
+ config_directory=/etc/${name} \
+ daemon_directory=/usr/lib/${name} \
+ data_directory=/var/lib/${name} \
+ html_directory=no \
+ mail_spool_directory=/var/spool/mail \
+ manpage_directory=/usr/share/man \
+ meta_directory=/etc/${name} \
+ queue_directory=/var/spool/${name} \
+ readme_directory=no \
+ shlib_directory=/usr/lib/${name} \
+ non-interactive-package
+
+ install -D -m 0755 "${SRC}"/${rname}.rc "${PKG}"/etc/rc.d/${name}
+ install -m 0644 "${SRC}"/aliases "${PKG}"/etc/${name}/aliases
+ install -m 0644 "${SRC}"/README "${PKG}"/etc/${name}/CRUX-README.txt
+ install -m 0644 "${SRC}"/relay_clientcerts \
+ "${PKG}"/etc/${name}/relay_clientcerts
+ install -m 0644 "${SRC}"/sender_restrict \
+ "${PKG}"/etc/${name}/sender_restrict
+ sed -E -i'' \
+ -e 's/^(setgid_group.+)$/#\1/' \
+ -e 's/^(inet_protocols.+)$/#\1/' \
+ "${PKG}"/etc/${name}/main.cf
+ cat "${SRC}"/main-addon.cf >> "${PKG}"/etc/${name}/main.cf
+ (
+ cd "${PKG}"/etc/${name}
+ patch -p0 < "${SRC}"/master.patch
+ )
+}
+
+# s-sh-mode
diff --git a/postfix-lmdb/README b/postfix-lmdb/README
new file mode 100644
index 000000000..5557cb244
--- /dev/null
+++ b/postfix-lmdb/README
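Review bot: `-DDEF_SASL_SERVER=dovecot` in the dovecot branch does not appear to be a Postfix build macro — SASL_README spells the server-type override `-DDEF_SERVER_SASL_TYPE=\"dovecot\"`, quotes included, because it has to expand to a C string literal; as written it is a no-op that is only masked by main-addon.cf setting `smtpd_sasl_type = dovecot` explicitly. More importantly, `isinst dovecot` / `isinst cyrus-sasl` tie the resulting binary to whatever happens to be installed on the build host: a host with cyrus-sasl silently gains the SASL code path the comments themselves mark `TODO UNTESTED!`, and a host with both packages takes both branches and passes `-DUSE_SASL_AUTH` twice — an explicit opt-in variable in the Pkgfile, off by default, would give reproducible packages. The tarball's only integrity check is the port's `.md5sum`, and MD5 is not collision-resistant; Postfix publishes a detached PGP signature next to each release, so a `.signature` (if the ports tree supports it) or a signature check in `build()` before the `patch` calls would be a stronger anchor than the HTTPS mirror alone.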
@@ -0,0 +1,104 @@ + +The CRUX postfix package +======================== + +* Abstract +* TLS +* SmartHost +* Relay +* DNS black lists + +Abstract +-------- + +- Fully configured for "sailing in the wind". +- Only listens to SMTP by default, but. +- A few knobs can be turned here and there for more, see below. + +Remember to run "postmap FILE" after you have updated table files, +and "newaliases" or "postalias FILE" after changing alias files. + +TLS +--- + +tlsproxy(8) for connection tracking is running by default. +To be identifieable generate a private key with certificate, either via + + openssl genpkey -algorithm ed25519 -out prv.pem + #openssl pkey -in prv.pem -pubout -out pub.pem + openssl req -x509 -key prv.pem -out crt.pem + +or + + openssl req -x509 -nodes -newkey ed25519 -keyout prv.pem -out crt.pem + +Also create DH parameters + + openssl dhparam -out dh2048.pem 2048 + +Move all these to a save place. Do + + cat prv.pem crt.pem > /etc/postfix-lmdb/key_and_cert.pem + cp dh2048.pem /etc/postfix-lmdb/dh2048.pem + +Make them root:root and 0600. +Edit main.cf: uncomment all lines marked #TLS. +Edit master.cf and ditto. +Run "/etc/rc.d/postfix-lmdb reload" (or restart). + +SmartHost +--------- + +For laptops or hosts without their own hostname using a smart host which +does the real delivery is usually the thing. +Edit main.cf and uncomment and edit lines marked #SMART. +Run "/etc/rc.d/postfix-lmdb reload" (or restart). + +Authentication to the smart host is not covered by the default +configuration, with TLS as above however it may be possible to go +via client certificates shall the relayhost allow this, see below. +I.e., just reuse key_and_cert.pem "also" for this. + +Note it seems wise to go the $smtp_tls_fingerprint_cert_match approach to +verify $relayhost, because the $smtp_tls_CAfile way requires a full chain, to +the best of my knowledge. 
+ +You need to have cyrus-sasl installed otherwise (usually), and also +dovecot that drive the SASL authentication. The default configuration +contains the necessary entries, you should only need to adjust and +uncomment it. Just search #SMART. + +Relay +----- + +The default configuration only allows mails that address $mydestination +aka the local host, or shall be relayed to $mynetworks (set to the +IPv4 private address range). + +Not covering SASL authentification of clients, the default configuration +ships support for client certificate fingerprint matching, in order to +allow clients which authenticate themselves to relay mail to anywhere. +Edit main.cf and uncomment and edit lines marked #RELAY. +Run "/etc/rc.d/postfix-lmdb reload" (or restart). + +Put the fingerprints in /etc/postfix-lmdb/relay_clientcerts as shown. +Calculate them via + + openssl x509 -noout -sha256 -fingerprint < CERT.pem +or + openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c + +It seems to support public-key-only fingerprinting also. + +You need to have cyrus-sasl installed otherwise (usually), and also +dovecot that drive the SASL authentication. The default configuration +contains the necessary entries, you should only need to adjust and +uncomment it. See above for SmartHost. + +DNS black lists +--------------- + +Edit main.cf and uncomment and edit lines marked #DNSBL. +Run "/etc/rc.d/postfix-lmdb reload" (or restart). + +# s-ts-mode diff --git a/postfix-lmdb/aliases b/postfix-lmdb/aliases new file mode 100644 index 000000000..9828d6977 --- /dev/null +++ b/postfix-lmdb/aliases 
@@ -0,0 +1,96 @@ +# +# Sample aliases file. Install in the location as specified by the +# output from the command "postconf alias_maps". Typical path names +# are /etc/aliases or /etc/mail/aliases. +# +# >>>>>>>>>> The program "newaliases" must be run after +# >> NOTE >> this file is updated for any changes to +# >>>>>>>>>> show through to Postfix. +# + +# Person who should get root's mail. Don't receive mail as root! +#root: you + +# Basic system aliases -- these MUST be present +MAILER-DAEMON: postmaster +postmaster: root + +# General redirections for pseudo accounts +bin: root +daemon: root +named: root +nobody: root +uucp: root +www: root +ftp-bugs: root +postfix: root + +# Put your local aliases here. + +# Well-known aliases +manager: root +dumper: root +operator: root +abuse: postmaster + +# trap decode to catch security attacks +decode: root + +# ALIASES(5) ALIASES(5) +# o An alias definition has the form +# +# name: value1, value2, ... +# +# o Empty lines and whitespace-only lines are ignored, +# as are lines whose first non-whitespace character +# is a `#'. +# +# o A logical line starts with non-whitespace text. A +# line that starts with whitespace continues a logi- +# cal line. +# +# The name is a local address (no domain part). Use double +# quotes when the name contains any special characters such +# as whitespace, `#', `:', or `@'. The name is folded to +# lowercase, in order to make database lookups case insensi- +# tive. +# The value contains one or more of the following: +# +# address +# Mail is forwarded to address, which is compatible +# with the RFC 822 standard. +# +# /file/name +# Mail is appended to /file/name. See local(8) for +# details of delivery to file. Delivery is not lim- +# ited to regular files. For example, to dispose of +# unwanted mail, deflect it to /dev/null. +# +# |command +# Mail is piped into command. Commands that contain +# special characters, such as whitespace, should be +# enclosed between double quotes. 
See local(8) for +# details of delivery to command. +# +# When the command fails, a limited amount of command +# output is mailed back to the sender. The file +# /usr/include/sysexits.h defines the expected exit +# status codes. For example, use "|exit 67" to simu- +# late a "user unknown" error, and "|exit 0" to +# implement an expensive black hole. +# +# :include:/file/name +# Mail is sent to the destinations listed in the +# named file. Lines in :include: files have the same +# syntax as the right-hand side of alias entries. +# +# A destination can be any destination that is +# described in this manual page. However, delivery to +# "|command" and /file/name is disallowed by default. +# To enable, edit the allow_mail_to_commands and +# allow_mail_to_files configuration parameters. +# SEE ALSO +# local(8), local delivery agent +# newaliases(1), create/update alias database +# postalias(1), create/update alias database +# postconf(5), configuration parameters diff --git a/postfix-lmdb/lmdb-default.patch b/postfix-lmdb/lmdb-default.patch new file mode 100644 index 000000000..949b2a840 --- /dev/null +++ b/postfix-lmdb/lmdb-default.patch 
@@ -0,0 +1,27 @@
+Upstream: Not applicable
+Reason: Make LMDB the default configuration
+
+Author: Duncan Bellamy
+
+diff --git a/src/global/mail_params.h b/src/global/mail_params.h
+index a6119f1..9639c60 100644
+--- a/src/global/mail_params.h
++++ b/src/global/mail_params.h
+@@ -2826,7 +2826,7 @@ extern int var_vrfy_pend_limit;
+ extern char *var_verify_service;
+
+ #define VAR_VERIFY_MAP "address_verify_map"
+-#define DEF_VERIFY_MAP "btree:$data_directory/verify_cache"
++#define DEF_VERIFY_MAP "lmdb:$data_directory/verify_cache"
+ extern char *var_verify_map;
+
+ #define VAR_VERIFY_POS_EXP "address_verify_positive_expire_time"
+@@ -3594,7 +3594,7 @@ extern char *var_multi_cntrl_cmds;
+ * postscreen(8)
+ */
+ #define VAR_PSC_CACHE_MAP "postscreen_cache_map"
+-#define DEF_PSC_CACHE_MAP "btree:$data_directory/postscreen_cache"
++#define DEF_PSC_CACHE_MAP "lmdb:$data_directory/postscreen_cache"
+ extern char *var_psc_cache_map;
+
+ #define VAR_SMTPD_SERVICE "smtpd_service_name"
diff --git a/postfix-lmdb/main-addon.cf b/postfix-lmdb/main-addon.cf
new file mode 100644
index 000000000..92565861b
--- /dev/null
+++ b/postfix-lmdb/main-addon.cf
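Review bot: Because the Pkgfile builds with `-DNO_DB`, any compiled-in default that still names `btree:` or `hash:` becomes a runtime failure (unsupported map type) rather than a build error, and this patch rewrites only `DEF_VERIFY_MAP` and `DEF_PSC_CACHE_MAP`; the `Reason:` line should record that dependency so the next version bump re-checks it, e.g. `Reason: with -DNO_DB every btree:/hash: compiled-in default must be rewritten; these are the ones found in 3.5.9`. A cheap guard in `build()` after `non-interactive-package` — run the freshly built `postconf -d` against `${PKG}/etc/${name}` and fail if it prints any `btree:`/`hash:` value — would catch a new default sneaking back in (I have not audited the remaining 3.5.9 defaults myself).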
@@ -0,0 +1,224 @@
+
+### CRUX-ADDON
+
+default_privs = _postfix_xlocal
+setgid_group = _postfix_queue
+mail_spool_directory = /var/spool/mail
+alias_database = lmdb:/etc/postfix-lmdb/aliases
+alias_maps = $alias_database
+# all # or ipv4, ipv6 or ipv4 or ipv6
+inet_protocols = all
+
+#myhostname = arch-2020 # default: gethostname
+#mydomain = localdomain # default: $myhostname less one component
+#myorigin = $mydomain
+# , lists.$myhostname
+mydestination = $myhostname, localhost.$mydomain, localhost
+mynetworks_style = host
+# One class A, 16 class B, 256 class C networks; loopback
+# Dunno how to specify IPv6 link-local and site-local
+mynetworks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
+#inet_interfaces = localhost
+#inet_interfaces = $myhostname, localhost
+inet_interfaces = all
+#debug_peer_list = 10.0.0.1
+
+smtputf8_enable = no
+disable_vrfy_command = yes
+default_verp_delimiters = -=
+verp_delimiter_filter = -=
+recipient_delimiter = +
+# Only localhost for mailing-lists etc.; maybe $mynetworks?
+smtpd_authorized_verp_clients = 127.0.0.1
+
+default_process_limit = 8
+anvil_rate_time_unit = 60s
+anvil_status_update_time = 3600s
+#n_flow_delay = 1s
+body_checks_size_limit = 102400
+bounce_size_limit = 50000
+#header_size_limit = 102400
+mailbox_size_limit = 100000000
+message_size_limit = 442000
+
+# Calculate:
+# openssl x509 -noout -sha256 -fingerprint < CERT.pem
+# OR
+# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
+# Put the hash only in relay_clientcerts, right hand value is not inspected:
+# FINGERPRINT-HERE whatever value
+# Search #RELAY for this, uncomment
+#RELAY relay_clientcerts = lmdb:/etc/postfix-lmdb/relay_clientcerts
+# relay_domains <-> reject_unauth_destination,permit_auth_destination
+ # eg lmdb:/etc/postfix-lmdb/transport
+transport_maps =
+relay_domains = $mynetworks,$transport_maps
+
+# Clients which are allowed to invoke commands
+smtpd_client_restrictions =
+# permit_tls_clientcerts,
+# permit_sasl_authenticated,
+ permit_mynetworks,
+ # in case you want reject DNS blacklists rather than greylist them
+ # with gross, exchange sleep (maybe) and uncomment the lines below
+ sleep 1,
+ #reject_rbl_client cbl.abuseat.org,
+ #reject_rbl_client sbl.spamhaus.org,
+#DNSBL reject_rbl_client zen.spamhaus.org,
+#DNSBL reject_rbl_client dnsbl.sorbs.net,
+ #reject_rbl_client bl.spamcop.net,
+ #reject_rbl_client list.dsbl.org,
+ reject_unauth_pipelining,
+ #reject
+ permit
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining,
+ permit
+
+smtpd_helo_restrictions =
+#RELAY permit_tls_clientcerts,
+# permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname,
+ reject_unknown_helo_hostname
+
+# RCPT TO checks, spam blocking policy
+# Match fast for $mynetworks and authenticated clients.
+smtpd_recipient_restrictions =
+#RELAY permit_tls_clientcerts,
+# permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_unknown_sender_domain,
+ reject_unknown_reverse_client_hostname,
+ reject_unknown_recipient_domain,
+ reject_unauth_destination,
+ # better not reject_unverified_sender,
+ #check_policy_service inet:127.0.0.1:5525,
+ permit
+
+# RCPT TO checks, relay policy
+# Local clients and authenticated clients may specify any destination domain
+smtpd_relay_restrictions =
+#RELAY permit_tls_clientcerts,
+# permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_non_fqdn_sender,
+ reject_non_fqdn_recipient,
+ #permit_auth_destination,
+ #reject
+ reject_unauth_destination,
+ permit
+
+# MAIL FROM Checks
+smtpd_sender_restrictions =
+#RELAY permit_tls_clientcerts,
+# permit_sasl_authenticated,
+ permit_mynetworks,
+ # Eg: qq.com reject
+ lmdb:/etc/postfix-lmdb/sender_restrict,
+ reject_unknown_sender_domain,
+ permit
+
+# i would turn that on..
+#smtpd_delay_reject = no
+smtpd_helo_required = yes
+smtpd_hard_error_limit = 1
+smtpd_soft_error_limit = 1
+smtpd_per_record_deadline = yes
+smtpd_timeout = 15s
+smtpd_starttls_timeout = 15s
+smtpd_junk_command_limit = 5
+smtpd_log_access_permit_actions = 1
+smtpd_client_connection_rate_limit = 20
+smtpd_client_connection_count_limit = 2
+
+# TLS see CRUX-README.txt for this
+tls_append_default_CA = no
+# That one is for client certificates!
+#smtpd_tls_CAfile = /etc/dovecot/cert.pem
+#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
+#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
+#TLS smtpd_tls_security_level = may
+#TLS comment out next; see master.cf, too!
+smtpd_tls_security_level = none
+#RELAY smtpd_tls_ask_ccert = yes
+smtpd_tls_ask_ccert = no
+smtpd_tls_auth_only = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_fingerprint_digest = sha256
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_mandatory_exclude_ciphers =
+ aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
+ EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
+smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
+smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
+smtpd_tls_connection_reuse = yes
+
+#TLS smtp_tls_security_level = $smtpd_tls_security_level
+#TLS comment out next
+smtp_tls_security_level = may
+#smtp_tls_wrappermode = yes
+smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
+smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
+smtp_tls_protocols = $smtpd_tls_protocols
+smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
+smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
+smtp_tls_ciphers = $smtpd_tls_ciphers
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+smtp_tls_connection_reuse = $smtpd_tls_connection_reuse
+smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
+smtp_tls_session_cache_timeout = 3600s
+
+#smtpd_sasl_auth_enable = yes
+smtpd_sasl_auth_enable = no
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+
+#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
+#smtp_sasl_type = $smtpd_sasl_type
+#smtp_sasl_path = $smtpd_sasl_path
+#smtp_sasl_mechanism_filter = !external
+#smtp_sasl_security_options = $smtpd_sasl_security_options
+#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
+#smtp_sasl_mechanism_filter = plain, login
+
+# For laptops etc, rely on smarthost to do real delivery.
+# One or more destinations in the form of a domain name, hostname,
+# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
+# separated by comma or whitespace. The form [hostname] turns off MX lookups
+#SMART relayhost = [HOST]:submissions
+#SMART smtp_tls_wrappermode = yes
+#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
+#SMART smtp_tls_security_level = verify
+# This requires a full chain, otherwise look around verify_depth
+#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
+#SMART therefore OR (better, maybe)
+#SMART smtp_tls_security_level = fingerprint
+#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
+# The following is not tested, really, and may not work with default config
+#SMART disable_dns_lookups = yes
+#SMART Authentication like that not tried, this from postfix SASL_README:
+#smtp_sasl_auth_enable = yes
+#smtp_sasl_tls_security_options = noanonymous
+#smtp_sasl_password_maps = lmdb:/etc/postfix-lmdb/sasl_passwd
+# /etc/postfix-lmdb/sasl_passwd:
+# # destination credentials
+# #user1@example.com username1:password1
+# #user2@example.net username2:password2
+# [mail.isp.example] username:password
+# # Alternative form:
+# # [mail.isp.example]:submission username:password
+#SMART Even sender-specific, uncomment the user1 user2 entries above then
+# sender_dependent_relayhost_maps = lmdb:/etc/postfix/sender_relay
+# /etc/postfix/sender_relay:
+# # Per-sender provider; see also /etc/postfix/sasl_passwd.
+# user1@example.com [mail.example.com]:submission
+# user2@example.net [mail.example.net]
diff --git a/postfix-lmdb/master.patch b/postfix-lmdb/master.patch
new file mode 100644
index 000000000..a2d6b32f5
--- /dev/null
+++ b/postfix-lmdb/master.patch
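Review bot: With `inet_interfaces = all` and `mynetworks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8`, every `permit_mynetworks` entry (client, helo, recipient, relay and sender restrictions) turns a fresh install into an unauthenticated relay for any host in any RFC1918 range reachable on any interface — in practice the whole LAN, guest Wi-Fi included; a distribution default should trust only `127.0.0.0/8 [::1]/128` and let the admin widen it (the explicit list also makes the preceding `mynetworks_style = host` dead, since that parameter is ignored once `mynetworks` is set). In the TLS block, `EDH-RSA-DES-CDB3-SHA` is a typo for `...CBC3...`, and none of `DES`, `CBC3-SHA` or the misspelt name excludes the triple-DES suites that the `medium` grade still admits — OpenSSL's `DES` keyword means single DES only, the keyword for 3DES is `3DES`. Separately, `relay_domains = $mynetworks,$transport_maps` puts CIDR blocks into what Postfix treats as a domain list; the relay policy is already enforced by `reject_unauth_destination`, so this should be a real domain list or left empty.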
@@ -0,0 +1,16 @@
+--- master.cf 2021-02-10 01:28:29.091526626 +0100
++++ master.cf.new 2021-02-10 01:30:19.998198603 +0100
+@@ -10,6 +10,13 @@
+ # (yes) (yes) (no) (never) (100)
+ # ==========================================================================
+ smtp inet n - n - - smtpd
++#TLS -o smtpd_tls_security_level=none
++#TLS -o smtpd_sasl_auth_enable=no
++#TLS submission inet n - n - - smtpd
++#TLS -o smtpd_tls_security_level=encrypt
++#TLS submissions inet n - n - - smtpd
++#TLS -o smtpd_tls_wrappermode=yes
++tlsproxy unix - - n - 0 tlsproxy
+ #smtp inet n - n - 1 postscreen
+ #smtpd pass - - n - - smtpd
+ #dnsblog unix - - n - 0 dnsblog
diff --git a/postfix-lmdb/post-install b/postfix-lmdb/post-install
new file mode 100644
index 000000000..fa2e5bce7
--- /dev/null
+++ b/postfix-lmdb/post-install
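Review bot: The `#TLS submission` and `#TLS submissions` stanzas, once uncommented as CRUX-README.txt instructs ("Edit master.cf and ditto"), inherit the main.cf relay policy unchanged, so ports 587/465 would relay for `permit_mynetworks` clients without any authentication and would not offer AUTH at all unless main.cf is edited as well. The upstream master.cf template gives these services `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_tls_auth_only=yes` and `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` (here `permit_tls_clientcerts` can be added to match the package's RELAY option), which keeps port 25 a pure MX and makes the submission ports authenticate. Since these are commented template lines, add them as further `#TLS -o …` lines under each stanza so uncommenting `#TLS` yields a safe service definition.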
@@ -0,0 +1,55 @@
+#!/bin/sh -
+
+name=postfix-lmdb
+
+# owner
+usr=postfix
+usrgrp=${usr}
+# group for mail submission and queue
+queuegrp=_postfix_queue
+# Default rights used by the local delivery agent for delivery
+# to external file, used in absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+defusr=_postfix_xlocal
+defgrp=${defusr}
+
+getent group mail >/dev/null || groupadd -r mail
+
+getent group ${usrgrp} >/dev/null || groupadd -r ${usrgrp}
+getent passwd ${usr} >/dev/null 2>&1 || {
+ useradd -r -g ${usrgrp} -d /var/spool/${usr} -s /bin/false ${usr}
+ passwd -l ${usr}
+}
+
+getent group ${queuegrp} >/dev/null || groupadd -r ${queuegrp}
+
+getent group ${defgrp} >/dev/null || groupadd -r ${defgrp}
+getent passwd ${defusr} >/dev/null 2>&1 || {
+ useradd -r -g ${defgrp} -d /var/spool/mail -s /sbin/nologin ${defusr}
+ passwd -l ${defusr}
+}
+
+p_i() {
+ /usr/lib/${name}/post-install \
+ install_root= \
+ command_directory=/usr/sbin \
+ config_directory=/etc/${name} \
+ daemon_directory=/usr/lib/${name} \
+ data_directory=/var/lib/${name} \
+ html_directory=no \
+ mail_spool_directory=/var/spool/mail \
+ manpage_directory=/usr/share/man \
+ meta_directory=/etc/${name} \
+ queue_directory=/var/spool/${name} \
+ readme_directory=no \
+ shlib_directory=/usr/lib/${name} \
+ "${@}"
+}
+
+p_i create-missing
+p_i upgrade-permissions
+
+/usr/sbin/postalias /etc/${name}/aliases
+
+/usr/sbin/postmap lmdb:/etc/${name}/sender_restrict
+/usr/sbin/postmap lmdb:/etc/${name}/relay_clientcerts
diff --git a/postfix-lmdb/postfix-install.patch b/postfix-lmdb/postfix-install.patch
new file mode 100644
index 000000000..90d878c48
--- /dev/null
+++ b/postfix-lmdb/postfix-install.patch
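Review bot: `useradd -r -g ${usrgrp} -d /var/spool/${usr} -s /bin/false ${usr}` gives the postfix account a home of `/var/spool/postfix`, a directory this package never creates — the queue lives at `/var/spool/${name}` (postfix-lmdb), so either `-d /var/spool/${name}` or a deliberately non-existent `-d /nonexistent` is what is meant, and `-s /sbin/nologin` would match the `_postfix_xlocal` account instead of mixing two nologin shells. The script also runs without `set -e`, so a failed `groupadd`/`useradd` (or a `getent` that succeeds against a pre-existing account with different properties) is not surfaced before `p_i upgrade-permissions` chowns the queue and sets the `postdrop`/`postqueue` setgid bits against whatever `postfix` and `_postfix_queue` currently resolve to — add `set -e` after the shebang so account problems stop the install. `passwd -l` right after `useradd -r` is redundant (system accounts are created with a locked password field) but harmless.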
@@ -0,0 +1,11 @@
+--- a/postfix-install
++++ b/postfix-install
+@@ -832,7 +832,7 @@
+ # the wrong place when Postfix is being upgraded.
+
+ case "$mail_version" in
+-"") mail_version="`bin/postconf -dhx mail_version`" || exit 1
++"") mail_version="`bin/postconf -c $CONFIG_DIRECTORY -dhx mail_version`" || exit 1
+ esac
+
+ # Undo MAIL_VERSION expansion at the end of a parameter value. If
diff --git a/postfix-lmdb/postfix.rc b/postfix-lmdb/postfix.rc
new file mode 100755
index 000000000..887d12403
--- /dev/null
+++ b/postfix-lmdb/postfix.rc
@@ -0,0 +1,38 @@
+#!/bin/sh
+#@ /etc/rc.d/postfix: start/stop postfix daemon
+
+PROG=/usr/sbin/postfix
+OPTS=
+
+case "${1}" in
+check)
+ exec ${PROG} ${OPTS} check
+ ;;
+start)
+ exec ${PROG} ${OPTS} start
+ ;;
+stop)
+ exec ${PROG} ${OPTS} stop
+ ;;
+restart)
+ "${0}" stop
+ exec "${0}" start
+ ;;
+reload)
+ exec ${PROG} ${OPTS} reload
+ ;;
+abort)
+ exec ${PROG} ${OPTS} abort
+ ;;
+flush)
+ exec ${PROG} ${OPTS} flush
+ ;;
+status)
+ exec ${PROG} ${OPTS} status
+ ;;
+*)
+ echo "usage: ${0} check|start|stop|restart|reload|abort|flush|status"
+ ;;
+esac
+
+# s-sh-mode
diff --git a/postfix-lmdb/relay_clientcerts b/postfix-lmdb/relay_clientcerts
new file mode 100644
index 000000000..1d3fbb31c
--- /dev/null
+++ b/postfix-lmdb/relay_clientcerts
@@ -0,0 +1 @@
+# FINGERPRINT any value
diff --git a/postfix-lmdb/sender_restrict b/postfix-lmdb/sender_restrict
new file mode 100644
index 000000000..13969bf13
--- /dev/null
+++ b/postfix-lmdb/sender_restrict
@@ -0,0 +1,3 @@
+# See access(5) for format
+
+qq.com reject
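Review bot: Unlike lmdb-default.patch, this patch carries no `Upstream:`/`Reason:` header, so the reason for passing `-c $CONFIG_DIRECTORY` is lost — presumably `bin/postconf -dhx mail_version` would otherwise open the compiled-in `/etc/postfix-lmdb/main.cf`, which does not exist on a clean build host, and `$CONFIG_DIRECTORY` is the `$install_root`-prefixed path postfix-install is populating. A two-line header such as `Upstream: Not applicable` / `Reason: let postconf read the staged config_directory under install_root during non-interactive-package` would record that for the next refresh. The expansion should also be quoted, `bin/postconf -c "$CONFIG_DIRECTORY" -dhx mail_version`, since the directory is supplied by the caller.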
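Review bot: The `*)` arm prints the usage text to stdout and then falls out of the `case` with status 0, so `/etc/rc.d/postfix-lmdb typo` looks like success to rc and to anything checking `$?`; write it as `echo "usage: ${0} check|start|stop|restart|reload|abort|flush|status" >&2` followed by `exit 1`. The header comment `#@ /etc/rc.d/postfix:` also names the wrong path — the Pkgfile installs this file as `/etc/rc.d/${name}`, i.e. `/etc/rc.d/postfix-lmdb`.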
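Review bot: `qq.com reject` is a live rule, not an example: `smtpd_sender_restrictions` in main-addon.cf consults `lmdb:/etc/postfix-lmdb/sender_restrict` unconditionally and post-install runs `postmap` over this file, so every fresh install rejects MAIL FROM any qq.com sender — a blocklist decision a distribution package should not make on the administrator's behalf. Ship the line commented, `#qq.com reject`, so the file documents the format (as its `# See access(5) for format` header intends) without enforcing a policy.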