summaryrefslogtreecommitdiffstats
path: root/roles/out/templates/etc/postfix/main.cf.j2
Commit message (Collapse)AuthorAgeFiles
* Postfix: pin key material to our MX:es for fripost.org and its subdomains.Guilhem Moulin2021-01-261
| | | | | | | | | | | | | | | | | | | | | | | | | | This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead: postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified) This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak. This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS.
* Outgoing SMTP: masquerade internal hostnames.Guilhem Moulin2018-12-121
| | | | | | Use admin@fripost.org instead. We were sending out (to the admin team) system messages with non-existing or invalid envelope sender addresses, such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>.
* Upgrade 'out' role to Debian Stretch.Guilhem Moulin2018-12-091
|
* postfix: remove explicit default 'mail_owner = postfix'.Guilhem Moulin2018-12-061
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-031
| | | | Cf. lmdb_table(5).
* Perform recipient address verification on the MSA itself.Guilhem Moulin2018-04-041
|
* Use blackhole subdomain for sender addresses of verify probes.Guilhem Moulin2017-05-161
| | | | | | | | | | | These addresses need to be accepted on the MX:es, as recipients sometimes phone back during the SMTP session to check whether the sender exists. Since a time-dependent suffix is added to the local part (cf. http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's not enough to drop incoming mails to ‘double-bounce@fripost.org’, and it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-101
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-101
|
* Route SMTP traffic from the webmail through IPsec.Guilhem Moulin2016-07-101
|
* postfix: rotate the sender address for verify probes.Guilhem Moulin2016-06-021
| | | | | In order to avoid ‘double-bounce@’ ending up on spammer mailing lists. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html .
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'.Guilhem Moulin2016-05-181
| | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* Remove SMTP message size limit on non public MTAs.Guilhem Moulin2016-03-211
|
* Fix address verification probes on the MSA.Guilhem Moulin2015-09-161
| | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL.
* Use 'double-bounce@fripost.org' as envelope sender for verification probes.Guilhem Moulin2015-06-111
|
* Don't bounce unverified recipients upon 4xx errors.Guilhem Moulin2015-06-111
| | | | | | | We don't want to bounce messages for which the recipient(s)' MTA replies 451 due to some greylisting in place. We would like to accept 451 alone, but unfortunately it's not possible to bounce unverified recipients due to DNS or networking errors.
* Use recipient address verification probes.Guilhem Moulin2015-06-071
| | | | | | | This is specially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However the downside is that it adds a delay of up to 6s after the RCPT TO command.
* logjam mitigation.Guilhem Moulin2015-06-071
|
* Upgrade Postfix config to Jessie (MSA & outgoing proxy).Guilhem Moulin2015-06-071
|
* Remove reject_unknown_sender_domain from the MDA and outgoing SMTP.Guilhem Moulin2015-06-071
| | | | | | | | | | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (the're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail).
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-071
|
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-071
| | | | For DKIM signing and virus checking.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-071
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-071