fripost-ansible/roles/out/templates, branch master Fripost ansible scripts Send internal system mails to root@f.o. 2025-09-10T13:14:45+00:00 Guilhem Moulin guilhem@fripost.org 2025-09-10T13:14:45+00:00 4b48f1b6dd799d1a69f0c9e2a157a007fcdcbe25 Instead of admin@f.o. Per msgid=<ad724342-b3bb-48d9-9984-6d277714910d@fripost.org>. 
Instead of admin@f.o. Per msgid=<ad724342-b3bb-48d9-9984-6d277714910d@fripost.org>.
Postfix: pin key material to our MX:es for fripost.org and its subdomains. 2021-01-26T12:35:40+00:00 Guilhem Moulin guilhem@fripost.org 2021-01-26T11:39:10+00:00 44100bab38d32596392a3bc7199b4daa202b4032 This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead: postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified) This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak. This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS. 
This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing.  With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:

    postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

This applies to the smarthost as well as for verification probes on the
Mail Submission Agent.  Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.

This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain.  Other domains, even those using mx[12].fripost.org as MX, are
not covered.  A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461].  Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration.  It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.
Outgoing SMTP: masquerade internal hostnames. 2018-12-12T12:46:44+00:00 Guilhem Moulin guilhem@fripost.org 2018-12-11T20:15:24+00:00 7beb915bb8dddac847ca3aca85c187e314a6c0fa Use admin@fripost.org instead. We were sending out (to the admin team) system messages with non-existing or invalid envelope sender addresses, such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>. 
Use admin@fripost.org instead.  We were sending out (to the admin team)
system messages with non-existing or invalid envelope sender addresses,
such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>.
Upgrade 'out' role to Debian Stretch. 2018-12-09T19:25:39+00:00 Guilhem Moulin guilhem@fripost.org 2018-12-06T22:54:31+00:00 d6ce377c2eea26b3ba708b70de942af81c94e813 






postfix: remove explicit default 'mail_owner = postfix'.
2018-12-06T18:22:29+00:00

Guilhem Moulin
guilhem@fripost.org

2018-12-06T18:22:29+00:00

5a407e715e6efc7da24b2902913a9da58d2bd19c












Postfix: replace cdb & btree tables with lmdb ones.
2018-12-03T02:43:41+00:00

Guilhem Moulin
guilhem@fripost.org

2018-12-03T02:18:56+00:00

dcdb8cd6b1b525fc8eacd509586da3396c068251

Cf. lmdb_table(5).





Cf. lmdb_table(5).







Perform recipient address verification on the MSA itself.
2018-04-04T14:11:20+00:00

Guilhem Moulin
guilhem@fripost.org

2018-04-04T14:11:20+00:00

b5a0be7a37e1bbc1aef2a7d1844a1da4aec5634f












Use blackhole subdomain for sender addresses of verify probes.
2017-05-15T23:29:28+00:00

Guilhem Moulin
guilhem@fripost.org

2017-05-15T21:31:13+00:00

45743fcc30ad310da0ef306d6319face3604ac4d

These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.

Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.





These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.

Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.







postfix: Remove obsolete templates tls_policy/relay_clientcerts.
2016-07-12T14:23:09+00:00

Guilhem Moulin
guilhem@fripost.org

2016-07-12T14:22:25+00:00

ab90bbd0a1983d8571a030fcd9d95d8576a0e8bc












postfix: commit the master.cf symlinks.
2016-07-12T01:18:12+00:00

Guilhem Moulin
guilhem@fripost.org

2016-07-12T01:18:12+00:00

b3ca9b22c47b1369ac5bb2fa946b84247c4b81ff