From 373d3223c4d86e3ee6c9b131d197b9fa97f1848e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 15 Nov 2012 21:04:04 +0100
Subject: More precise documentation for the MSA.
---
 fripost-docs.org | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/fripost-docs.org b/fripost-docs.org
index aa0ff35..f6296e3 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -159,9 +159,6 @@ sudo aptitude install logcheck syslog-summary
 # | There is no way to get rid of the warning `Fixed query_filter [...] is probably useless'.
 # It is harmless in our case, since the search base is precise enough.
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(smtpd|cleanup|trivial-rewrite|postmap)\[[0-9]+\]: warning: dict_ldap_open: /etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf: Fixed query_filter \(\&\(ObjectClass=virtualAliases\)\(mailLocalAddress=\)\(isActive=TRUE\)\) is probably useless$
-# | Untrusted connections should be taken care of on the client's side.
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: Untrusted TLS connection established from
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [._[:alnum:]-]+\[[:[:xdigit:].]+\]: (Unt|T)rusted: subject_CN=.*, issuer=.*, fingerprint=
 # | Postfix reload
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version 
@@ -174,6 +171,8 @@ sudo aptitude install logcheck syslog-summary
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: client certificate verification failed for [._[:alnum:]-]+\[[:[:xdigit:].]+\]: certificate has expired$
 # | On Benjamin
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? usb [[:digit:]]+-[.[:digit:]]+: (new|reset) (low|full|high) speed USB device using ([_[:alnum:]-]+ and )?address [[:digit:]]+$
+# | On the MSAs
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: replace: header Received: from
 ** Configuring aptitude and friends
@@ -1362,7 +1361,18 @@ regardless, as some servers may not support it :-/
 relay_clientcerts = hash:$config_directory/relay_clientcerts
 [...]
- smtpd_tls_fingerprint_digest = sha1
+ # TODO: should be "secure" on 25
+ smtpd_tls_security_level = may
+ # TODO: proper certs
+ smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ smtpd_tls_CApath = /etc/ssl/certs/
+ smtpd_tls_session_cache_database= btree:${data_directory}/smtpd_tls_session_cache
+ smtpd_tls_received_header = yes
+ smtpd_tls_ask_ccert = yes
+ smtpd_tls_session_cache_timeout = 3600s
+ smtpd_tls_fingerprint_digest = sha1
+ smtpd_tls_eecdh_grade = strong
 [...]
 smtpd_recipient_restrictions = [...]
@@ -1397,7 +1407,7 @@ the mailhub. For instance on mx1.fripost.org,
 [...] :: /etc/postfix/tls_policy
- smtp:[smtp.fripost.org]:25 secure
+ smtp:[smtp.fripost.org]:25 secure ciphers=high
 (Note: The `secure' TLS policy will not accept self-signed certificates, or certificates which CN doesn't match!)
-- cgit v1.2.3