| Commit message (Collapse) | Author | Age | Files |
|---|
| |
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| |
|
|
|
|
|
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
| | |
|
| |
|
|
|
|
| |
Our internal IPs don't have a reverse PTR record, and skipping the
resolution speeds up mail delivery.
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
|
| |
|
|
| |
See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
|
| |
|
|
| |
Cf. http://www.openspf.org/Best_Practices/Outbound .
|
| |
|
|
|
|
| |
And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.
|
| |
|
|
|
|
| |
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following policy is now implemented:
* users can use their SASL login name as sender address;
* alias and/or list owners can use the address as envelope sender;
* domain postmasters can use arbitrary sender addresses under their
domains;
* domain owners can use arbitrary sender addresses under their domains,
unless it is also an existing account name;
* for known domains without owner or postmasters, other sender addresses
are not allowed; and
* arbitrary sender addresses under unknown domains are allowed.
|
| | |
|
| |
|
