aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fripost-docs.org56
1 files changed, 42 insertions, 14 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 6ecc47c..13a772f 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -293,9 +293,9 @@ LDAP server = the server that stores users credentials and various other informa
smarthost = the server receiving email from the internet (configured as MX)
-outgoing SMTP = the message transfer agent (MTA), that will relay emails originating from our network.
+outgoing SMTP = the Message Transfer Agent (MTA), that will relay emails originating from our network.
-incoming SMTP = the mail submission agent (MSA), that will receive emails from our users (via ESMTPSA).
+incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from our users (via ESMTPSA).
*** Configuring an SSH tunnel between two hosts
@@ -1399,8 +1399,29 @@ the mailhub. For instance on mx1.fripost.org,
:: /etc/postfix/tls_policy
smtp:[smtp.fripost.org]:25 secure
-We don't want to force the SMTP client to use encrypted connection regardless, as some
-servers may not support it :-/
+(Note: The `secure' TLS policy will not accept self-signed certificates, or
+certificates which CN doesn't match!)
+
+We don't want to force the SMTP client to use encrypted connection
+regardless, as some servers may not support it :-/
+
+*** Configuring the Mail Submission Agent (MSA)
+
+We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
+MTA are hosted on the same machine (gnu).
+
+Firewall: The MSA needs 587/TCP in, and the MTA 25/TCP both in and out.
+
+**** Install packages
+
+sudo apt-get install sasl2-bin libsasl2-modules
+
+(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
+test our installation.)
+
+In the rest of this section, we assume there is a tunnel from the master
+LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
+this machine actually speaks to the master).
**** Fixing CApath
@@ -1411,7 +1432,7 @@ To do it by hand, copy the files (don't forget the symlink targets) under
'/var/spool/postfix/etc/ssl/certs' and c_rehash this last directory.
The issue is fixed under Postfix 2.8. For the time being, a script to automatize
-the above process is available in the fripost-admin repository.
+the above process can be found in the fripost-admin repository.
**** Configure SASLauthd
@@ -1443,7 +1464,7 @@ access on the user's entry (except his/her password, of course). TODO: maybe
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
authentication:
- testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
+ sudo testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
(The password cannot be prompted, so you may want to create a dummy user.)
@@ -1464,10 +1485,7 @@ If everything goes through, it is now time to modify Postfix's main.cf:
smtpd_sasl_path = smtpd
[...]
smtpd_recipient_restrictions =
- reject_non_fqdn_recipient
- reject_unknown_recipient_domain
- permit_mynetworks
- permit_tls_clientcerts
+ [...]
permit_sasl_authenticated
reject_unauth_destination
[...]
@@ -1482,8 +1500,15 @@ Finally, we can add the submission service to our master.cf, with customized pol
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_helo_restrictions=reject_invalid_helo_hostname
[...]
+(We don't reject soon-to-be authenticated clients for having a non-FQDN hostame.)
+
+Postfix needs to be added to the `sasl' group to talk to SASLauthd:
+
+ $~ adduser postfix sasl
+
We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
is enough actually.)
@@ -1663,10 +1688,13 @@ responsability to masquerade it I suppose.
/^X-Originating-IP:/ IGNORE
- :: /etc/postfix/main.cf
-
- smtp_header_checks = pcre:$config_directory/smtp_anonymize_sender.pcre
-
+ :: /etc/postfix/master.cf
+ submission inet n - - - - smtpd
+ [...]
+ -o cleanup_service_name=cleanup2
+ [...]
+ cleanup2 unix n - - - 0 cleanup
+ -o header_checks=pcre:$config_directory/smtpd_anonymize_sender.pcre
By default, postfix logs the header checks (or rewrites in our case).
For privacy reasons, we drop these when they entery syslog: