| Commit message (Collapse) | Author | Age | Files |
| |
|
| |
|
|
|
|
|
|
|
| |
This silences the following deprecation warning:
Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing. With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:
postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)
This applies to the smarthost as well as for verification probes on the
Mail Submission Agent. Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.
This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain. Other domains, even those using mx[12].fripost.org as MX, are
not covered. A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration. It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.
|
|
|
|
|
|
| |
And drop -ldap from all roles other than MX. -lmdb is included in
roles/common but it can be helpful to have it individual roles as well
as they can be run individually.
|
|
|
|
| |
Run as a dedicated user, not ‘postfix’.
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
|
|
|
| |
Cf. http://www.openspf.org/Best_Practices/Outbound .
|
|
|
|
|
|
| |
And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.
|
| |
|
| |
|
|
|
|
| |
And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
|
| |
|
| |
|
|
|
|
| |
Cf. lmdb_table(5).
|
| |
|
|
|
|
|
|
| |
Users can add an extension (following postconf(5)'s
$recipient_delimiter) to the local part of any envelope sender address
already allowed.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
release ressources.
|
| |
|
|
|
|
|
| |
On Linux perl's allow multiple children to block in a call to accept(2)
so we don't need to place a lock around the call.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following policy is now implemented:
* users can use their SASL login name as sender address;
* alias and/or list owners can use the address as envelope sender;
* domain postmasters can use arbitrary sender addresses under their
domains;
* domain owners can use arbitrary sender addresses under their domains,
unless it is also an existing account name;
* for known domains without owner or postmasters, other sender addresses
are not allowed; and
* arbitrary sender addresses under unknown domains are allowed.
|
|
|
|
|
|
|
|
|
|
|
| |
These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.
Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
certificate.
See postconf(5). This avoids the “(Client did not present a
certificate)” messages in the Received headers.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
To avoid new commits upon cert renewal.
|
|
|
|
|
| |
In order to avoid ‘double-bounce@’ ending up on spammer mailing lists.
See http://www.postfix.org/ADDRESS_VERIFICATION_README.html .
|
|
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11
http://article.gmane.org/gmane.mail.postfix.user/251935
|
|
|
|
|
|
|
|
|
|
| |
Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
But we postpone that for now until we are reasonably certain that older
client won't be left out.
|
|
|
|
| |
That is, on the MSA and in our local infrastructure.
|
|
|
|
|
|
| |
locally.
And use this to fetch all X.509 leaf certificates.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Put all relay restrictions under smtpd_relay_restrictions and leave
smtpd_recipient_restrictions empty, since we don't do DNSBL.
|
| |
|
|
|
|
|
|
|
| |
We don't want to bounce messages for which the recipient(s)' MTA replies
451 due to some greylisting in place. We would like to accept 451
alone, but unfortunately it's not possible to bounce unverified
recipients due to DNS or networking errors.
|
|
|
|
|
| |
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|