author: Guilhem Moulin <guilhem.moulin@ens-lyon.org> 2012-11-13 21:46:19 +0100
committer: Guilhem Moulin <guilhem.moulin@ens-lyon.org> 2012-11-13 21:46:30 +0100
commit: e8d6590b9658d7f7705341f6e8e8bf30a93d8061
tree: 509ec6978713544b8b837b661c5a36a48afd0d52
parent: 91a22fb1b6463523d990faeab61c2bd2b3e82000
Better distinction MTA vs. MSA
-rw-r--r--  fripost-docs.org  56
1 files changed, 42 insertions, 14 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 6ecc47c..13a772f 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -293,9 +293,9 @@ LDAP server = the server that stores users credentials and various other informa
smarthost = the server receiving email from the internet (configured as MX)
-outgoing SMTP = the message transfer agent (MTA), that will relay emails originating from our network.
+outgoing SMTP = the Message Transfer Agent (MTA), that will relay emails originating from our network.
-incoming SMTP = the mail submission agent (MSA), that will receive emails from our users (via ESMTPSA).
+incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from our users (via ESMTPSA).
*** Configuring an SSH tunnel between two hosts
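Review bot: the glossary this hunk edits still labels the MX host "smarthost" (the `smarthost = the server receiving email from the internet (configured as MX)` line just above the changed lines) while the MTA entry is the host that relays mail leaving our network; in usual Postfix terminology a smarthost is that outbound relay, so the two labels read as swapped. Since the commit's purpose is a cleaner MTA vs. MSA distinction, consider renaming the first entry to something like `MX = the server receiving email from the internet` so the three roles (MX, MTA, MSA) are unambiguous.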
@@ -1399,8 +1399,29 @@ the mailhub. For instance on mx1.fripost.org,
:: /etc/postfix/tls_policy
smtp:[smtp.fripost.org]:25 secure
-We don't want to force the SMTP client to use encrypted connection regardless, as some
-servers may not support it :-/
+(Note: The `secure' TLS policy will not accept self-signed certificates, or
+certificates which CN doesn't match!)
+
+We don't want to force the SMTP client to use encrypted connection
+regardless, as some servers may not support it :-/
+
+*** Configuring the Mail Submission Agent (MSA)
+
+We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
+MTA are hosted on the same machine (gnu).
+
+Firewall: The MSA needs 587/TCP in, and the MTA 25/TCP both in and out.
+
+**** Install packages
+
+sudo apt-get install sasl2-bin libsasl2-modules
+
+(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
+test our installation.)
+
+In the rest of this section, we assume there is a tunnel from the master
+LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
+this machine actually speaks to the master).
**** Fixing CApath
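Review bot: the new note on the `secure' policy (the two lines added after `smtp:[smtp.fripost.org]:25 secure`) should say what the certificate is checked against, otherwise the reader cannot tell why the relay might suddenly stop delivering: at the `secure` level Postfix verifies the server chain against the trusted CAs in `smtp_tls_CAfile` / `smtp_tls_CApath`, and with no `match=` attribute in the policy line it compares the nexthop name (`smtp.fripost.org` here, because of the brackets) with the certificate, so a name mismatch or a missing CA store defers all mail to that destination. Two typos in the added text: "certificates which CN doesn't match" should read "certificates whose CN doesn't match", and "Scrictly speaking" should read "Strictly speaking".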
@@ -1411,7 +1432,7 @@ To do it by hand, copy the files (don't forget the symlink targets) under
'/var/spool/postfix/etc/ssl/certs' and c_rehash this last directory.
The issue is fixed under Postfix 2.8. For the time being, a script to automatize
-the above process is available in the fripost-admin repository.
+the above process can be found in the fripost-admin repository.
**** Configure SASLauthd
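Review bot: the reworded sentence still names neither the script nor its path in the fripost-admin repository, so a reader following "Fixing CApath" has to go looking for it; give the script name or relative path here. Since the surrounding text says the issue is fixed in Postfix 2.8, also state which Postfix version this installation runs, so it is clear whether the workaround is still needed.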
@@ -1443,7 +1464,7 @@ access on the user's entry (except his/her password, of course). TODO: maybe
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
authentication:
- testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
+ sudo testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
(The password cannot be prompted, so you may want to create a dummy user.)
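Review bot: the added `sudo` is needed because the mux socket lives under the Postfix chroot in a directory only the `sasl' group can reach (which is why a later hunk adds postfix to that group), but `-p password` on the command line exposes the credential in `ps` output, in the shell history and in sudo's log of the full command. The existing advice to use a dummy user is good; add that the test should be run with a throwaway password kept out of history (a leading space with HISTCONTROL=ignorespace, or `history -d` afterwards), and mention that a successful run prints `0: OK "Success."` so the reader knows what to expect.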
@@ -1464,10 +1485,7 @@ If everything goes through, it is now time to modify Postfix's main.cf:
smtpd_sasl_path = smtpd
[...]
smtpd_recipient_restrictions =
- reject_non_fqdn_recipient
- reject_unknown_recipient_domain
- permit_mynetworks
- permit_tls_clientcerts
+ [...]
permit_sasl_authenticated
reject_unauth_destination
[...]
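Review bot: replacing the four explicit restrictions with `[...]` hides the one thing the reader must get right in this list, namely the order of `permit_mynetworks`, `permit_tls_clientcerts` and `permit_sasl_authenticated` relative to `reject_unauth_destination`: a permit placed after it is never reached for relay attempts, and a permit placed before it must only ever match trusted or authenticated clients, otherwise this is an open relay. This main.cf list also governs the port-25 smtpd, since the earlier hunk says MSA and MTA share the same machine. Either keep the full list, or state what `[...]` elides and that `permit_sasl_authenticated` must stay before `reject_unauth_destination`.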
@@ -1482,8 +1500,15 @@ Finally, we can add the submission service to our master.cf, with customized pol
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_helo_restrictions=reject_invalid_helo_hostname
[...]
+(We don't reject soon-to-be authenticated clients for having a non-FQDN hostame.)
+
+Postfix needs to be added to the `sasl' group to talk to SASLauthd:
+
+ $~ adduser postfix sasl
+
We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
is enough actually.)
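Review bot: `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` only works because the Postfix default `smtpd_delay_reject = yes` postpones client restrictions to RCPT TO, after AUTH has taken place; with `smtpd_delay_reject = no` nobody could use the submission service at all. The new `-o smtpd_helo_restrictions=reject_invalid_helo_hostname` has the same dependency and in addition only fires if the client sends HELO/EHLO at all (`smtpd_helo_required = yes` closes that gap). One sentence here would cover both, since the added comment only explains why the stricter non-FQDN check was left out. Minor: "hostame" should be "hostname", and the prompt `$~` should be `~$`.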
@@ -1663,10 +1688,13 @@ responsability to masquerade it I suppose.
/^X-Originating-IP:/ IGNORE
- :: /etc/postfix/main.cf
-
- smtp_header_checks = pcre:$config_directory/smtp_anonymize_sender.pcre
-
+ :: /etc/postfix/master.cf
+ submission inet n - - - - smtpd
+ [...]
+ -o cleanup_service_name=cleanup2
+ [...]
+ cleanup2 unix n - - - 0 cleanup
+ -o header_checks=pcre:$config_directory/smtpd_anonymize_sender.pcre
By default, postfix logs the header checks (or rewrites in our case).
For privacy reasons, we drop these when they entery syslog:
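Review bot: the map file name changes between the removed and added lines without a rename being shown: the old `smtp_header_checks` pointed at `smtp_anonymize_sender.pcre`, the new `cleanup2` override at `smtpd_anonymize_sender.pcre`. If the file in the repository was not renamed in the same commit, `cleanup2` will fail with a fatal error when it opens the map and clients submitting on 587 get a temporary failure; either rename the file alongside or keep the old name. Also worth stating the behavioural change: `smtp_header_checks` rewrote headers on every outbound delivery, whereas the dedicated cleanup only applies to mail entering through the submission service, so mail injected locally (sendmail/pickup) or authenticated on port 25 keeps its X-Originating-IP and similar headers. In the context below, "entery" should read "enter".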