diff options
-rw-r--r-- | fripost-docs.org | 97 |
1 files changed, 78 insertions, 19 deletions
diff --git a/fripost-docs.org b/fripost-docs.org index 6ac5f96..7ea6cf0 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -1330,10 +1330,6 @@ TODO: add the necessary configuration files sudo aptitude install postfix postfix-ldap -**** /etc/postfix/main.cf - -TODO: add file contents - *** Configuring the Mail Submission Agent (MSA) We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and @@ -1352,6 +1348,51 @@ In the rest of this section, we assume there is a tunnel from the master LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on this machine actually speaks to the master). +**** Relay emails from trusted hosts. + + :: /etc/postfix/main.cf + + relay_clientcerts = hash:$config_directory/relay_clientcerts + [...] + smtpd_tls_fingerprint_digest = sha1 + smtpd_recipient_restrictions = + [...] + permit_mynetworks + permit_tls_clientcerts + [...] + +/etc/postfix/relay_clientcerts lists (SHA1) fingerprints and hostnames +of our trusted hosts. Fingerprints can be obtained with + + openssl x509 -fingerprint -sha1 -noout -in /path/to/pubkey.pem + + :: /etc/postfix/relay_clientcerts + E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg.fripost.org + [...] + +Do not forget do update this file if the you change the hostname or certificate of the +trusted hosts! And to hash it afterwards: + + postmap /etc/postfix/relay_clientcerts + + +We need to force the trusted hosts (our MX:s and the webmail) to use TLS when talking to +the mailhub. For instance on mx1.fripost.org, + + :: /etc/postfix/main.cf + [...] + smtp_tls_security_level = may + smtp_tls_policy_maps = hash:$config_directory/tls_policy + smtp_tls_cert_file = /path/to/pubkey.pem + smtp_tls_key_file = /path/to/privkey.key + [...] + + :: /etc/postfix/tls_policy + smtp:[smtp.fripost.org]:25 secure + +We don't want to force the SMTP client to use encrypted connection regardless, as some +servers may not support it :-/ + **** Fixing CApath As of Debian Squeeze, Postfix doesn't copy the content of 'smtp_tls_CApath' and @@ -1407,18 +1448,19 @@ If everything goes through, it is now time to modify Postfix's main.cf: smtpd_sasl_auth_enable = no smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = fripost.org - # TODO:add sasl exceptions for our other clients - smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous - broken_sasl_auth_clients = yes + broken_sasl_auth_clients = no smtpd_sasl_type = cyrus smtpd_sasl_path = smtpd + [...] smtpd_recipient_restrictions = - [...] + reject_non_fqdn_recipient + reject_unknown_recipient_domain permit_mynetworks + permit_tls_clientcerts permit_sasl_authenticated - [...] + reject_unauth_destination [...] @@ -1431,7 +1473,6 @@ Finally, we can add the submission service to our master.cf, with customized pol -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING [...] We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload' @@ -1985,8 +2026,10 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html myorigin = /etc/mailname myhostname = lists.fripost.org - mydestination = $myhostname - mynetworks = 127.0.0.0/8 + mydestination = $myhostname + mynetworks = 127.0.0.0/8 [::FFFF:127.0.0.0]/104 [::1]/128 + inet_interfaces = loopback-only + inet_protocols = all default_database_type = cdb @@ -2009,7 +2052,7 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html schleuder_destination_recipient_limit = 1 :: /etc/postfix-lists/master.cf - 127.0.0.1:2345 inet n - - - - smtpd + 2345 inet n - - - - smtpd ... mailman unix - n n - - pipe flags=FR user=list:list argv=/usr/lib/mailman/bin/postfix-to-mailman.py 127.0.0.1 ${user} @@ -2193,6 +2236,20 @@ EOF break EOF + sudo patch -p0 << EOF +--- Mailman/Handlers/Decorate.py ++++ mailman/Mailman/Handlers/Decorate.py +@@ -221,7 +221,7 @@ + d = SafeDict({'real_name' : mlist.real_name, + 'list_name' : mlist.local_part, + # For backwards compatibility +- '_internal_name': mlist.local_part, ++ '_internal_name': mlist._internal_name, + 'host_name' : mlist.host_name, + 'web_page_url' : mlist.web_page_url, + 'description' : mlist.description, +EOF + sudo find -L /var/lib/mailman -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete **** Configuration @@ -2253,7 +2310,7 @@ dirty fix is to use a RewriteRule: <Directory /var/lib/mailman/archives/public/> RewriteEngine On RewriteBase / - RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1/ [L] + RewriteRule ^([^@/]+)@([^/]+)/ /pipermail/$2/$1/ [R,L] ... </Directory> ... @@ -2275,10 +2332,10 @@ Documentation: https://schleuder2.nadir.org/ **** Installation sudo apt-get install schleuder - sudo chown 'root:schleuder' /etc/schleuder/lists/ - sudo chown ug+rwx,o-rwx /etc/schleuder/lists/ + sudo chown 'schleuder:schleuder' /etc/schleuder/lists/ + sudo chmod 0700 /etc/schleuder/lists/ -*** Configuration +**** Configuration :: /etc/schleuder/schleuder.conf smtp_host: smtp.fripost.org @@ -2388,11 +2445,13 @@ schleuder executable (it does it for us, but not when the list is fully qualifie The wrapper (postfix-to-schleuder.sh) is available in the fripost-admin repository. +TODO: bounces -> bounce + *** Tools We need two small scripts to create new lists (one for GNU Mailman, the other for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user -respectively, hence the two files transport_mailman and transport_schleuder. +respectively, hence the two distinct files transport_mailman and transport_schleuder. These scripts should: - Ensure that the email is signed with the Admin WebPanel GPG key, @@ -2400,7 +2459,7 @@ These scripts should: - Append the new commands to transport_mailman or transport_schleuder, - Hash the transport file. -In the case of Schleuder we also, create the web.conf file with the provided +In the case of Schleuder we also create the web.conf file with the provided password. ** Logging |