summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xcerts/gencerts.sh4
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/postfix-local4
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j22
-rw-r--r--roles/common/templates/etc/iptables/services.j21
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j23
-rw-r--r--roles/wiki/files/var/www/fripost.org/autoconfig/mail/config-v1.1.xml4
6 files changed, 11 insertions, 7 deletions
diff --git a/certs/gencerts.sh b/certs/gencerts.sh
index f56e8f7..b796339 100755
--- a/certs/gencerts.sh
+++ b/certs/gencerts.sh
@@ -78,10 +78,10 @@ allfpr() {
[ "$typ" = mdwn ] && indent=' ' || indent=' '
header 'IMAP server'
- x509fpr '`imap.fripost.org:993` (IMAP over SSL), `sieve.fripost.org:4190` (ManageSieve, `STARTTLS`)'
+ x509fpr '`imap.fripost.org:993` (IMAP over TLS), `sieve.fripost.org:4190` (ManageSieve, `STARTTLS`)'
header 'SMTP servers'
- x509fpr '`smtp.fripost.org:587` (Mail Submission Agent, `STARTTLS`)'
+ x509fpr '`smtp.fripost.org:465` (Email Submission over TLS), `smtp.fripost.org:587` (Email Submission, `STARTTLS`)'
x509fpr '`mx1.fripost.org:25` (1st Mail eXchange, `STARTTLS`)'
x509fpr '`mx2.fripost.org:25` (2nd Mail eXchange, `STARTTLS`)'
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
index 6a11392..f539c3a 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
@@ -7,7 +7,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: [45][[:digit:]][[:digit:]] [45](\.[[:digit:]]+){2} <[^>]+>: Recipient address rejected: ((unverified|undeliverable) address:|Domain not found;)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/[ls]mtp\[[[:digit:]]+\]: [[:xdigit:]]+: to=<[^>]+>,( orig_to=<[^>]+>,)? relay=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=(sent|deliverable) \(2[[:digit:]][[:digit:]] .+\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \((\[[.:[:xdigit:]]+\]:)?(smtp[sd]?|25|submission|587)?:([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \((\[[.:[:xdigit:]]+\]:)?(smtp[sd]?|25|submissions?|587|465)?:([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: start interval \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: (domain|address) lookup hits=[[:digit:]]+ miss=[[:digit:]]+ success=[[:digit:]]+%$
@@ -27,7 +27,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[[:xdigit:].:]{3,39}\]: SASL (PLAIN|LOGIN) authentication (failed|aborted)(:[ [:alnum:]]*)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: improper command pipelining after (EHLO|HELO|MAIL|QUIT) from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [[:xdigit:].:]{3,39}(: Name or service not known)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: Connection concurrency limit exceeded: [0-9]+ from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] for service (submission|smtpd)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: Connection concurrency limit exceeded: [0-9]+ from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] for service (submissions?|smtpd)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} <[^>]+>: Helo command rejected: need fully-qualified hostname;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} <[^>]+>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} Service unavailable; (Unverified Client host|Sender address) \[\S+\] blocked using [._[:alnum:]-]+; https?://[^[:blank:];]+; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index c493958..618fbd7 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -75,7 +75,7 @@ logpath = /var/log/mail.log
[sasl]
enabled = true
-port = submission
+port = submission,submissions
filter = postfix-sasl
logpath = /var/log/mail.warn
{% endif %}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 93342cb..6dd5aae 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -36,6 +36,7 @@ in tcp 4190 # MANAGESIEVE
out tcp 2703 # Razor2
{% endif %}
{% if 'MSA' in group_names %}
+in tcp 465 # SMTP-AUTH
in tcp 587 # SMTP-AUTH
{% endif %}
{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %}
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index d9cb5d3..c481ad4 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -20,6 +20,9 @@ dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
-o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+submissions inet n - y - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
diff --git a/roles/wiki/files/var/www/fripost.org/autoconfig/mail/config-v1.1.xml b/roles/wiki/files/var/www/fripost.org/autoconfig/mail/config-v1.1.xml
index 44d3732..00c2d0e 100644
--- a/roles/wiki/files/var/www/fripost.org/autoconfig/mail/config-v1.1.xml
+++ b/roles/wiki/files/var/www/fripost.org/autoconfig/mail/config-v1.1.xml
@@ -16,8 +16,8 @@
<outgoingServer type="smtp">
<hostname>smtp.fripost.org</hostname>
- <port>587</port>
- <socketType>STARTTLS</socketType>
+ <port>465</port>
+ <socketType>SSL</socketType>
<username>%EMAILADDRESS%</username>
<authentication>password-cleartext</authentication>
</outgoingServer>