| author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 19:03:16 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:40 +0100 | 
| commit | 1d2a6bfc7062c60cfe61fd74c2af23a5c828c440 (patch) | |
| tree | 4b7f1938cd09305cef3b8e4f532e8a50c6593511 | |
| parent | 9039847b88dd737de1b92b08cba67cbfe9a2d840 (diff) | |
MSA verification probes: enable opportunistic encryption.
And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 1 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 9 | 
2 files changed, 10 insertions, 0 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 50ea6b0..a48a327 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -75,40 +75,41 @@ smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 address_verify_sender                = $double_bounce_sender@noreply.$mydomain
 address_verify_poll_count            = 3
 address_verify_relayhost             =
 address_verify_sender_ttl            = 8069m
 address_verify_negative_refresh_time = 5m
 unverified_recipient_defer_code      = 250
 unverified_recipient_reject_code     = 550
 address_verify_map                   = lmdb:$data_directory/verify_cache
+address_verify_default_transport     = smtp_verify
 smtpd_client_restrictions =
     permit_sasl_authenticated
     reject
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 smtpd_sender_login_maps   = socketmap:unix:private/sender-login:sender_login
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
     check_sender_access lmdb:$config_directory/check_sender_access
     reject_known_sender_login_mismatch
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
     reject_unverified_recipient
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 4356363..905c82e 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -29,40 +29,49 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
 {% elif inst in ['IMAP', 'out', 'lists'] %}
 [{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       y       -       -       smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
 qmgr      unix  -       -       n       300     1       qmgr
 tlsmgr    unix  -       -       y       1000?   1       tlsmgr
 rewrite   unix  -       -       y       -       -       trivial-rewrite
 bounce    unix  -       -       y       -       0       bounce
 defer     unix  -       -       y       -       0       bounce
 trace     unix  -       -       y       -       0       bounce
 verify    unix  -       -       y       -       1       verify
 flush     unix  n       -       y       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       y       -       -       smtp
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+{% if inst is defined and inst == 'MSA' %}
+smtp_verify unix -      -       y       -       -       smtp
+  -o smtp_helo_name=noreply.$mydomain
+  -o smtp_tls_security_level=may
+  -o smtp_tls_ciphers=medium
+  -o smtp_tls_protocols=!SSLv2,!SSLv3
+  -o smtp_tls_note_starttls_offer=yes
+  -o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache
+{% endif %}
 relay     unix  -       -       y       -       -       smtp
 showq     unix  n       -       y       -       -       showq
 error     unix  -       -       y       -       -       error
 retry     unix  -       -       y       -       -       error
 discard   unix  -       -       y       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
 {% if inst is defined and inst == 'MX' %}
 reserved-alias unix  -  n       n       -       -       pipe
   flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
 {% endif %}
 {% if inst is defined and inst == 'lists' %}
 sympa     unix  -       n       n       -       -       pipe
   flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
 {% endif %}
 {% if inst is defined and inst == 'out' %}
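Review bot: `address_verify_default_transport     = smtp_verify` in the main.cf.j2 hunk depends on a service that roles/common/templates/etc/postfix/master.cf.j2 defines only inside `{% if inst is defined and inst == 'MSA' %}`, and nothing on either side records that coupling; if the guard or the name drifts, the breakage would presumably only surface when a probe is attempted, not at template time. A comment beside the setting would make the dependency visible, e.g. `# service defined in roles/common/.../master.cf.j2 (MSA instance only): probes get their own HELO name and TLS settings there, independent of normal delivery`. It is also worth stating in that comment that the probe sender `$double_bounce_sender@noreply.$mydomain` (context line just above) and the probe HELO name in master.cf share the noreply.$mydomain label, since that shared label is what lets one SPF policy cover both identities as the commit message describes.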
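Review bot: The per-service `-o smtp_tls_session_cache_database=...` on the new `smtp_verify` entry is, if I recall Postfix's tlsmgr(8) design correctly, not honoured as a master.cf override: the session cache is opened and served by the single tlsmgr daemon using the main.cf value, and the smtp(8) client only tells tlsmgr which cache type it wants, so this line either duplicates a main.cf setting or names a database tlsmgr never opens (I would expect warnings in the log rather than caching). Suggest setting `smtp_tls_session_cache_database` once in the MSA role's main.cf.j2 instead and dropping the override here, then checking with `postconf -n smtp_tls_session_cache_database` and a probe run that sessions are actually reused. Separately, `smtp_tls_protocols=!SSLv2,!SSLv3` leaves TLS 1.0/1.1 enabled, which is a defensible trade under `smtp_tls_security_level=may` (excluding more versions would push peers to cleartext rather than to a newer TLS), but the intent deserves a comment such as `# opportunistic: any TLS version beats cleartext for these probes` so a later hardening pass does not silently change the fallback behaviour.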
