fripost-ansible/roles/common/templates/etc/postfix, branch master

Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’.

2022-10-11T11:57:22+00:00

This silences the following deprecation warning:

  Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01.
  Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Postfix: pin key material to our MX:es for fripost.org and its subdomains.

2021-01-26T12:35:40+00:00

This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing.  With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:

    postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

This applies to the smarthost as well as for verification probes on the
Mail Submission Agent.  Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.

This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain.  Other domains, even those using mx[12].fripost.org as MX, are
not covered.  A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461].  Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration.  It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.

MSA: Update role to Debian Buster.

2020-05-19T04:36:36+00:00

For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d

At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.

AEAD ciphers: Add EECDH+CHACHA20 macro.

2020-05-18T02:34:17+00:00

This adds the following two ciphers:

  ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH  Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH  Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD

Upgrade baseline to Debian 10.

2020-05-16T03:45:59+00:00

Postfix: disable DNS lookups on the internal SMTPds.

2020-01-23T01:26:35+00:00

Our internal IPs don't have a reverse PTR record, and skipping the
resolution speeds up mail delivery.
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup

MSA: Open 465/TCP for Email Submission over TLS.

2019-03-19T01:27:42+00:00

See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".

submission: Prospective SPF checking.

2018-12-12T12:46:44+00:00

Cf. http://www.openspf.org/Best_Practices/Outbound .

MSA verification probes: enable opportunistic encryption.

2018-12-09T19:25:40+00:00

And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.

MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.

2018-12-09T19:25:39+00:00

Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.