Commit message | Author | Age | Files

See http://www.postfix.org/POSTSCREEN_README.html and
http://rob0.nodns4.us/postscreen.html

It's unfortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well.  Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting.  So these processes need to be
both chrooted, or both not.

We've yet to get authenticated time, though.

There are false positives with that, for instance due to SOA records
pointing to non-existing subdomains.

Those will be useful for the tools.

On the MDA the domain is our 'mda.fripost.org', there is no need to
perform an extra DNS lookup.

The MSA does not perform local or virtual delivery, but relays
everything to the outgoing SMTP proxy.

On the MX, there is no need to check for recipient validity as we are
the final destination; but ensure that the RCPT TO address is a valid
recipient before doing the greylisting.

Quoting postconf(5):

    smtpd_reject_unlisted_recipient (default: yes)
        Request that the Postfix SMTP server rejects mail for unknown recipient
        addresses, even when no explicit reject_unlisted_recipient access
        restriction is specified. This prevents the Postfix queue from filling
        up with undeliverable MAILER-DAEMON messages.
        An address is always considered "known" when it matches a virtual(5)
        alias or a canonical(5) mapping.
        […]
        * The recipient domain matches $virtual_alias_domains but the recipient
          is not listed in $virtual_alias_maps.
        * The recipient domain matches $virtual_mailbox_domains but the
          recipient is not listed in $virtual_mailbox_maps, and
          $virtual_mailbox_maps is not null.

Since we alias everything under special, "invalid", domains (mda.f.o and
mailman.f.o), our $virtual_mailbox_maps was null, which led to
reject_unlisted_recipient not being triggered for, say, "noone@fripost.org".
However, replacing $virtual_mailbox_domains with $virtual_alias_domains fits
into the second point above.

We can therefore spare some lookups on the MDA, and use static:all
instead.

Postfix interprets Error Code 32 (No Such Object) as lookup failures,
but that's ugly...

Also, make Postfix simple bind against
cn=postfix,ou=services,dc=fripost,dc=org.

It turns out that in a policy bank, a *_by_ccat doesn't replace the
default but is merely merged into the default (if the keys overlap,
those in the bank take precedence, of course).  Hence it's pointless to
use CC_CATCHALL in a bank unless all the other keys have been
overridden, for instance.

Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING
Policy Bank.

Namely, "DIGEST-MD5 common mech free".  See also bug #631932.

It looks as if the SyncRepl needs read access on the 'entry' and
'objectClass' attributes of the entry being deleted, and the entry being
deleted no longer matches the ACL filters, so we have to grant access
globally.  (We still have fine-grained control on the other attributes,
which are not disclosed, though.)

This decision is left to the MX (as for 'fripostIsStatusActive'), which
will set the envelope recipient accordingly.

(It opens the key as root, but then drops the permissions.)

First generate all certs (-t genkey), then build the TLS policy maps
(-t tls_policy).

Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.

The SyncProv won't start if the file olcTLSCACertificateFile points to
doesn't exist.

So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
beforehand).

'if $l' is false when $l is 0, while 0@example.org is a perfectly valid
address.

The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.

Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to those of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.

Also, it's now possible to reuse an existing private key (with -f).

SMTP client connection caching was introduced in 2.6.0: the SMTP session is
held for the next task (in adaptive mode, only when there was a delay of only
5s between the two previous mails), but Postfix will terminate it if the next
mail doesn't come soon enough, or if amavis doesn't terminate it itself (usually
after 15s).