diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-06 21:06:38 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:39 +0100 |
commit | 09cd9f998780fb7179b7fc23c593c305a12b050a (patch) | |
tree | 33dad72c3a5256347a0e9700b975612c8c477918 | |
parent | 37d64e4a05b32599405ed824316e73aa8d0880b2 (diff) |
MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
-rw-r--r-- | roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf | 2 | ||||
-rw-r--r-- | roles/MX/files/etc/postfix/virtual/alias.cf | 2 | ||||
-rw-r--r-- | roles/MX/files/etc/postfix/virtual/alias_domains.cf | 2 | ||||
-rw-r--r-- | roles/MX/files/etc/postfix/virtual/catchall.cf | 2 | ||||
-rw-r--r-- | roles/MX/files/etc/postfix/virtual/domains.cf | 2 | ||||
-rw-r--r-- | roles/MX/files/etc/postfix/virtual/list.cf | 2 | ||||
-rw-r--r-- | roles/MX/files/etc/postfix/virtual/mailbox.cf | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 14 |
8 files changed, 12 insertions, 16 deletions
diff --git a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf index 6969f75..1f61f4b 100644 --- a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf +++ b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/files/etc/postfix/virtual/alias.cf b/roles/MX/files/etc/postfix/virtual/alias.cf index 1c104a9..2e846ca 100644 --- a/roles/MX/files/etc/postfix/virtual/alias.cf +++ b/roles/MX/files/etc/postfix/virtual/alias.cf @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/files/etc/postfix/virtual/alias_domains.cf b/roles/MX/files/etc/postfix/virtual/alias_domains.cf index 907166f..1108ea1 100644 --- a/roles/MX/files/etc/postfix/virtual/alias_domains.cf +++ b/roles/MX/files/etc/postfix/virtual/alias_domains.cf @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/files/etc/postfix/virtual/catchall.cf b/roles/MX/files/etc/postfix/virtual/catchall.cf index e0e6350..a67d39c 100644 --- a/roles/MX/files/etc/postfix/virtual/catchall.cf +++ b/roles/MX/files/etc/postfix/virtual/catchall.cf @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/files/etc/postfix/virtual/domains.cf b/roles/MX/files/etc/postfix/virtual/domains.cf index f5a7f25..88e17e2 100644 --- a/roles/MX/files/etc/postfix/virtual/domains.cf +++ b/roles/MX/files/etc/postfix/virtual/domains.cf @@ -1,5 +1,3 @@ -# XXX: How come we use a socked relative to the chroot here? smtpd(8) is -# not (can't be) chrooted... server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org diff --git a/roles/MX/files/etc/postfix/virtual/list.cf b/roles/MX/files/etc/postfix/virtual/list.cf index 99e2147..e2df119 100644 --- a/roles/MX/files/etc/postfix/virtual/list.cf +++ b/roles/MX/files/etc/postfix/virtual/list.cf @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/files/etc/postfix/virtual/mailbox.cf b/roles/MX/files/etc/postfix/virtual/mailbox.cf index 7289670..36862db 100644 --- a/roles/MX/files/etc/postfix/virtual/mailbox.cf +++ b/roles/MX/files/etc/postfix/virtual/mailbox.cf @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 10fc303..4356363 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -13,17 +13,15 @@ {% if inst is not defined %} [127.0.0.1]:16132 inet n - y - - smtpd {% elif inst == 'MX' %} -smtpd pass - - n - - smtpd - -o cleanup_service_name=cleanup_nochroot -smtp inet n - n - 1 postscreen -tlsproxy unix - - n - 0 tlsproxy -dnsblog unix - - n - 0 dnsblog -cleanup_nochroot unix n - n - 0 cleanup +smtpd pass - - y - - smtpd +smtp inet n - y - 1 postscreen +tlsproxy unix - - y - 0 tlsproxy +dnsblog unix - - y - 0 dnsblog {% elif inst == 'MSA' %} submission inet n - y - - smtpd -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL {% if groups.webmail | difference([inventory_hostname]) | length > 0 %} -[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd +[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd -o broken_sasl_auth_clients=no -o smtpd_tls_security_level=none -o smtpd_sasl_security_options=noanonymous @@ -31,7 +29,7 @@ submission inet n - y - - smtpd -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }} {% endif %} {% elif inst in ['IMAP', 'out', 'lists'] %} -[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd +[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }} {% endif %} pickup unix n - y 60 1 pickup |