aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fripost-docs.org20
1 files changed, 15 insertions, 5 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index aa0ff35..f6296e3 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -159,9 +159,6 @@ sudo aptitude install logcheck syslog-summary
# | There is no way to get rid of the warning `Fixed query_filter [...] is probably useless'.
# It is harmless in our case, since the search base is precise enough.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(smtpd|cleanup|trivial-rewrite|postmap)\[[0-9]+\]: warning: dict_ldap_open: /etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf: Fixed query_filter \(\&\(ObjectClass=virtualAliases\)\(mailLocalAddress=\)\(isActive=TRUE\)\) is probably useless$
-# | Untrusted connections should be taken care of on the client's side.
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: Untrusted TLS connection established from
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [._[:alnum:]-]+\[[:[:xdigit:].]+\]: (Unt|T)rusted: subject_CN=.*, issuer=.*, fingerprint=
# | Postfix reload
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
@@ -174,6 +171,8 @@ sudo aptitude install logcheck syslog-summary
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: client certificate verification failed for [._[:alnum:]-]+\[[:[:xdigit:].]+\]: certificate has expired$
# | On Benjamin
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? usb [[:digit:]]+-[.[:digit:]]+: (new|reset) (low|full|high) speed USB device using ([_[:alnum:]-]+ and )?address [[:digit:]]+$
+# | On the MSAs
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: replace: header Received: from
** Configuring aptitude and friends
@@ -1362,7 +1361,18 @@ regardless, as some servers may not support it :-/
relay_clientcerts = hash:$config_directory/relay_clientcerts
[...]
- smtpd_tls_fingerprint_digest = sha1
+ # TODO: should be "secure" on 25
+ smtpd_tls_security_level = may
+ # TODO: proper certs
+ smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ smtpd_tls_CApath = /etc/ssl/certs/
+ smtpd_tls_session_cache_database= btree:${data_directory}/smtpd_tls_session_cache
+ smtpd_tls_received_header = yes
+ smtpd_tls_ask_ccert = yes
+ smtpd_tls_session_cache_timeout = 3600s
+ smtpd_tls_fingerprint_digest = sha1
+ smtpd_tls_eecdh_grade = strong
[...]
smtpd_recipient_restrictions =
[...]
@@ -1397,7 +1407,7 @@ the mailhub. For instance on mx1.fripost.org,
[...]
:: /etc/postfix/tls_policy
- smtp:[smtp.fripost.org]:25 secure
+ smtp:[smtp.fripost.org]:25 secure ciphers=high
(Note: The `secure' TLS policy will not accept self-signed certificates, or
certificates which CN doesn't match!)