aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fripost-docs.org97
1 files changed, 78 insertions, 19 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 6ac5f96..7ea6cf0 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1330,10 +1330,6 @@ TODO: add the necessary configuration files
sudo aptitude install postfix postfix-ldap
-**** /etc/postfix/main.cf
-
-TODO: add file contents
-
*** Configuring the Mail Submission Agent (MSA)
We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
@@ -1352,6 +1348,51 @@ In the rest of this section, we assume there is a tunnel from the master
LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
this machine actually speaks to the master).
+**** Relay emails from trusted hosts.
+
+ :: /etc/postfix/main.cf
+
+ relay_clientcerts = hash:$config_directory/relay_clientcerts
+ [...]
+ smtpd_tls_fingerprint_digest = sha1
+ smtpd_recipient_restrictions =
+ [...]
+ permit_mynetworks
+ permit_tls_clientcerts
+ [...]
+
+/etc/postfix/relay_clientcerts lists (SHA1) fingerprints and hostnames
+of our trusted hosts. Fingerprints can be obtained with
+
+ openssl x509 -fingerprint -sha1 -noout -in /path/to/pubkey.pem
+
+ :: /etc/postfix/relay_clientcerts
+ E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg.fripost.org
+ [...]
+
+Do not forget do update this file if the you change the hostname or certificate of the
+trusted hosts! And to hash it afterwards:
+
+ postmap /etc/postfix/relay_clientcerts
+
+
+We need to force the trusted hosts (our MX:s and the webmail) to use TLS when talking to
+the mailhub. For instance on mx1.fripost.org,
+
+ :: /etc/postfix/main.cf
+ [...]
+ smtp_tls_security_level = may
+ smtp_tls_policy_maps = hash:$config_directory/tls_policy
+ smtp_tls_cert_file = /path/to/pubkey.pem
+ smtp_tls_key_file = /path/to/privkey.key
+ [...]
+
+ :: /etc/postfix/tls_policy
+ smtp:[smtp.fripost.org]:25 secure
+
+We don't want to force the SMTP client to use encrypted connection regardless, as some
+servers may not support it :-/
+
**** Fixing CApath
As of Debian Squeeze, Postfix doesn't copy the content of 'smtp_tls_CApath' and
@@ -1407,18 +1448,19 @@ If everything goes through, it is now time to modify Postfix's main.cf:
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = fripost.org
- # TODO:add sasl exceptions for our other clients
- smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
- broken_sasl_auth_clients = yes
+ broken_sasl_auth_clients = no
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
+ [...]
smtpd_recipient_restrictions =
- [...]
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
permit_mynetworks
+ permit_tls_clientcerts
permit_sasl_authenticated
- [...]
+ reject_unauth_destination
[...]
@@ -1431,7 +1473,6 @@ Finally, we can add the submission service to our master.cf, with customized pol
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o milter_macro_daemon_name=ORIGINATING
[...]
We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
@@ -1985,8 +2026,10 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
myorigin = /etc/mailname
myhostname = lists.fripost.org
- mydestination = $myhostname
- mynetworks = 127.0.0.0/8
+ mydestination = $myhostname
+ mynetworks = 127.0.0.0/8 [::FFFF:127.0.0.0]/104 [::1]/128
+ inet_interfaces = loopback-only
+ inet_protocols = all
default_database_type = cdb
@@ -2009,7 +2052,7 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
schleuder_destination_recipient_limit = 1
:: /etc/postfix-lists/master.cf
- 127.0.0.1:2345 inet n - - - - smtpd
+ 2345 inet n - - - - smtpd
...
mailman unix - n n - - pipe
flags=FR user=list:list argv=/usr/lib/mailman/bin/postfix-to-mailman.py 127.0.0.1 ${user}
@@ -2193,6 +2236,20 @@ EOF
break
EOF
+ sudo patch -p0 << EOF
+--- Mailman/Handlers/Decorate.py
++++ mailman/Mailman/Handlers/Decorate.py
+@@ -221,7 +221,7 @@
+ d = SafeDict({'real_name' : mlist.real_name,
+ 'list_name' : mlist.local_part,
+ # For backwards compatibility
+- '_internal_name': mlist.local_part,
++ '_internal_name': mlist._internal_name,
+ 'host_name' : mlist.host_name,
+ 'web_page_url' : mlist.web_page_url,
+ 'description' : mlist.description,
+EOF
+
sudo find -L /var/lib/mailman -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete
**** Configuration
@@ -2253,7 +2310,7 @@ dirty fix is to use a RewriteRule:
<Directory /var/lib/mailman/archives/public/>
RewriteEngine On
RewriteBase /
- RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1/ [L]
+ RewriteRule ^([^@/]+)@([^/]+)/ /pipermail/$2/$1/ [R,L]
...
</Directory>
...
@@ -2275,10 +2332,10 @@ Documentation: https://schleuder2.nadir.org/
**** Installation
sudo apt-get install schleuder
- sudo chown 'root:schleuder' /etc/schleuder/lists/
- sudo chown ug+rwx,o-rwx /etc/schleuder/lists/
+ sudo chown 'schleuder:schleuder' /etc/schleuder/lists/
+ sudo chmod 0700 /etc/schleuder/lists/
-*** Configuration
+**** Configuration
:: /etc/schleuder/schleuder.conf
smtp_host: smtp.fripost.org
@@ -2388,11 +2445,13 @@ schleuder executable (it does it for us, but not when the list is fully qualifie
The wrapper (postfix-to-schleuder.sh) is available in the fripost-admin repository.
+TODO: bounces -> bounce
+
*** Tools
We need two small scripts to create new lists (one for GNU Mailman, the other
for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user
-respectively, hence the two files transport_mailman and transport_schleuder.
+respectively, hence the two distinct files transport_mailman and transport_schleuder.
These scripts should:
- Ensure that the email is signed with the Admin WebPanel GPG key,
@@ -2400,7 +2459,7 @@ These scripts should:
- Append the new commands to transport_mailman or transport_schleuder,
- Hash the transport file.
-In the case of Schleuder we also, create the web.conf file with the provided
+In the case of Schleuder we also create the web.conf file with the provided
password.
** Logging