| Commit message (Collapse) | Author | Age | Files |
| |
|
|
|
|
|
|
|
| |
This silences the following deprecation warning:
Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
|
| |
|
|
|
|
|
|
|
|
| |
For postfix, don't defer if "abused legit". (I.e., DBL return code in
the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.
|
|
|
|
|
|
|
|
| |
On the infrastructure boundary. We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>. Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.
|
|
|
|
|
|
| |
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Cf. lmdb_table(5).
|
| |
|
| |
|
|
|
|
|
| |
So being listed on that BL doesn't yield a flat reject if the IP isn't
also listed to other lists.
|
|
|
|
|
|
|
|
|
|
|
| |
These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.
Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
certificate.
See postconf(5). This avoids the “(Client did not present a
certificate)” messages in the Received headers.
|
| |
|
| |
|
| |
|
|
|
|
| |
To avoid new commits upon cert renewal.
|
|
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11
http://article.gmane.org/gmane.mail.postfix.user/251935
|
|
|
|
|
|
|
|
|
|
| |
Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
But we postpone that for now until we are reasonably certain that older
client won't be left out.
|
|
|
|
| |
That is, on the MSA and in our local infrastructure.
|
|
|
|
|
|
| |
locally.
And use this to fetch all X.509 leaf certificates.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Put all relay restrictions under smtpd_relay_restrictions and leave
smtpd_recipient_restrictions empty, since we don't do DNSBL.
|
|
|
|
|
|
|
| |
We don't want to bounce messages for which the recipient(s)' MTA replies
451 due to some greylisting in place. We would like to accept 451
alone, but unfortunately it's not possible to bounce unverified
recipients due to DNS or networking errors.
|
|
|
|
|
| |
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|
|
|
|
|
| |
‘noreply@’ aliases can be added by routing them to
‘@discard.fripost.org’.
|
|
|
|
|
|
| |
In particular, since Postfix is now able to perform LDAP lookups using
SASL, previous hacks with simble binds on cn=postfix,ou=services,… can
now be removed.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
See http://www.postfix.org/POSTSCREEN_README.html and
http://rob0.nodns4.us/postscreen.html
It's infortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well. Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting. So these processes need to be
both chrooted, or both not.
|
| |
|
|
|
|
|
| |
There are false-positive with that, for instead due to SOA records
pointing to non-existing subdomains.
|
| |
|
| |
|