| Commit message (Collapse) | Author | Age | Files |
|
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11
http://article.gmane.org/gmane.mail.postfix.user/251935
|
|
|
|
|
|
|
|
|
|
| |
Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
But we postpone that for now until we are reasonably certain that older
client won't be left out.
|
| |
|
|
|
|
| |
cert itself.
|
|
|
|
|
| |
Put all relay restrictions under smtpd_relay_restrictions and leave
smtpd_recipient_restrictions empty, since we don't do DNSBL.
|
| |
|
|
|
|
|
|
|
| |
We don't want to bounce messages for which the recipient(s)' MTA replies
451 due to some greylisting in place. We would like to accept 451
alone, but unfortunately it's not possible to bounce unverified
recipients due to DNS or networking errors.
|
|
|
|
|
| |
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|
|
|
|
|
|
|
| |
This is specially useful for mailing lists and the webmail, since it
prevents our outgoing gateway from accepting mails known to be bouncing.
However the downside is that it adds a delay of up to 6s after the
RCPT TO command.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We already removed it from the MX:es (see 32e605d4); we need to remove
it from the MDA and outgoing SMTP as well, otherwise mails could bounce
or get stuck in the middle (the're rejected with 450: deferred by
default).
However we can keep the restriction on the entry points (MSA and
webmail).
|
|
|
|
|
|
|
|
|
|
|
| |
See http://www.postfix.org/POSTSCREEN_README.html and
http://rob0.nodns4.us/postscreen.html
It's infortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well. Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting. So these processes need to be
both chrooted, or both not.
|
| |
|
|
|
|
|
| |
First generate all certs (-t genkey), then build the TLS policy maps (
-t tls_policy).
|
| |
|
|
|
|
|
|
| |
(Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, require a full restart,
but most of the time it's overkill.
|
|
|
|
|
|
| |
And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect .
|
|
|
|
| |
For DKIM signing and virus checking.
|
|
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
|
|