|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| | |  | 
| | 
| 
| 
| | Run as a dedicated user, not ‘postfix’. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair. | 
| | |  | 
| | 
| 
| 
| | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166. | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | The following policy is now implemented:
    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed. | 
| | |  | 
| | 
| 
| 
| 
| | We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds. | 
| | 
| 
| 
| 
| | Which is now possible since all LDAP clients and servers have been
upgraded to Jessie, and Postfix is now able to perform SASL binds. | 
| | 
| 
| 
| 
| 
| | In particular, since Postfix is now able to perform LDAP lookups using
SASL, previous hacks with simble binds on cn=postfix,ou=services,… can
now be removed. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | Those will be useful for the tools. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| | Postfix interprets Error Code 32 (No Such Object) as lookup failures,
but that's ugly...
Also, make Postfix simple bind against
cn=postfix,ou=services,dc=fripost,dc=org. | 
| | 
| 
| 
| 
| 
| 
| 
| | It looks as if the SyncRepl need read access on the 'entry' and
'objectClass' attributes of the entry being deleted, and the entry being
deleted no longer matches the ACL filters, so we have to grant access
globally. (We still have fine-grain control on the other attributes
which are not disclosed, though.) | 
| | 
| 
| 
| 
| | This decision is left to the MX (as for 'fripostIsStatusActive'), which
will set the envelope recipient accordingly. | 
| | |  | 
| | 
| 
| 
| 
| 
| | So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand). | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute. | 
| | |  | 
| | 
| 
| 
| 
| 
| | E.g., ldap.fripost.org, ntp.fripost.org, etc.  (Ideally the DNS zone
would be provisioned by ansible, too.)  It's a bit unclear how to index
the subdomains (mx{1,2,3}, etc), though. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
  virtual_alias_maps:
    mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
  transport_maps:
    mlmmj.localhost.localdomain mlmmj: | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | Right now the list server cannot be hosted with a MX, due to bug 51:
    http://mlmmj.org/bugs/bug.php?id=51
Web archive can be compiled with MHonArc, but the web server
configuration is not there yet. | 
| | 
| 
| 
| 
| 
| | They were only a dirty hack for list commands à la Mailman such as
mylist-request. If we are to use another list manager such as mlmmj,
which uses a VERP delimiter instead, the problem disappears. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Instead, we pretend that lists are valid users (via a match in the
mailbox_transport_maps) but choose a different transport (with the same
request in transport_maps).
The advantage is that we get rid of the ugly hack for list transport…
A minor drawback is that we now have two LDAP lookups instead of one for
non local addresses (ie, everything but reserved addresses). Hopefully
the requests are cached; but even if they aren't, querying a local LDAP
server is supposed to be cheap. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Mails to be retrained are stored in the spooldir /home/mail/spamspool;
later a daemon catches them up and feed them to sa-learn(1p). (On busy
systems batch-process the learning should be much more efficient.)
The folder transisition matrix along with the corresponding actions can
be found there:
  http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt
See also dovecot-antispam(7). | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).
One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obivious to get it
write with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay) | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | As of 2.9.6 (2.10), at least. See bug #730848. | 
| | |  | 
| | 
| 
| 
| 
| 
| | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by
"gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102
is postfix's UID and 106 its primary GID (looked up from /etc/passwd). | 
|  |  |