From a3178e8a0d48d44f56bc427ef79ebcfa550d38cc Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 19 Sep 2012 21:11:59 +0200
Subject: Relay emails from trusted hosts.
---
 fripost-docs.org | 97 +++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 78 insertions(+), 19 deletions(-)
diff --git a/fripost-docs.org b/fripost-docs.org
index 6ac5f96..7ea6cf0 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1330,10 +1330,6 @@ TODO: add the necessary configuration files
 sudo aptitude install postfix postfix-ldap
-**** /etc/postfix/main.cf
-
-TODO: add file contents
-
 *** Configuring the Mail Submission Agent (MSA)
 We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
@@ -1352,6 +1348,51 @@ In the rest of this section, we assume there is a tunnel from the master LDAP
 server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on this
 machine actually speaks to the master).
+**** Relay emails from trusted hosts.
+
+ :: /etc/postfix/main.cf
+
+ relay_clientcerts = hash:$config_directory/relay_clientcerts
+ [...]
+ smtpd_tls_fingerprint_digest = sha1
+ smtpd_recipient_restrictions =
+ [...]
+ permit_mynetworks
+ permit_tls_clientcerts
+ [...]
+
+/etc/postfix/relay_clientcerts lists (SHA1) fingerprints and hostnames
+of our trusted hosts. Fingerprints can be obtained with
+
+ openssl x509 -fingerprint -sha1 -noout -in /path/to/pubkey.pem
+
+ :: /etc/postfix/relay_clientcerts
+ E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg.fripost.org
+ [...]
+
+Do not forget do update this file if the you change the hostname or certificate of the
+trusted hosts! And to hash it afterwards:
+
+ postmap /etc/postfix/relay_clientcerts
+
+
+We need to force the trusted hosts (our MX:s and the webmail) to use TLS when talking to
+the mailhub. For instance on mx1.fripost.org,
+
+ :: /etc/postfix/main.cf
+ [...]
+ smtp_tls_security_level = may
+ smtp_tls_policy_maps = hash:$config_directory/tls_policy
+ smtp_tls_cert_file = /path/to/pubkey.pem
+ smtp_tls_key_file = /path/to/privkey.key
+ [...]
+
+ :: /etc/postfix/tls_policy
+ smtp:[smtp.fripost.org]:25 secure
+
+We don't want to force the SMTP client to use encrypted connection regardless, as some
+servers may not support it :-/
+
 **** Fixing CApath
 As of Debian Squeeze, Postfix doesn't copy the content of 'smtp_tls_CApath' and
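Review bot: The `permit_tls_clientcerts` entry added to `smtpd_recipient_restrictions` in the first main.cf excerpt can only match when the server actually asked the client for a certificate, which Postfix does only with `smtpd_tls_ask_ccert = yes`; that parameter is not in this hunk, so unless it is set elsewhere in the document the trusted hosts will not be relayed on their certificate and will fall through to the later restrictions. Suggest adding `smtpd_tls_ask_ccert = yes` next to `smtpd_tls_fingerprint_digest = sha1`. Since the relay decision rests entirely on the digest, `smtpd_tls_fingerprint_digest = sha256` (accepted by the same parameter, with fingerprints taken via `openssl x509 -fingerprint -sha256`) is preferable to sha1. The "Do not forget" paragraph should also state explicitly that a routine certificate renewal changes the fingerprint, so /etc/postfix/relay_clientcerts has to be regenerated and `postmap`ed at every renewal, not only on a hostname change.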
@@ -1407,18 +1448,19 @@ If everything goes through, it is now time to modify Postfix's main.cf:
 smtpd_sasl_auth_enable = no
 smtpd_sasl_authenticated_header = yes
 smtpd_sasl_local_domain = fripost.org
- # TODO:add sasl exceptions for our other clients
- smtpd_sasl_exceptions_networks = $mynetworks
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
- broken_sasl_auth_clients = yes
+ broken_sasl_auth_clients = no
 smtpd_sasl_type = cyrus
 smtpd_sasl_path = smtpd
+ [...]
 smtpd_recipient_restrictions =
- [...]
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
 permit_mynetworks
+ permit_tls_clientcerts
 permit_sasl_authenticated
- [...]
+ reject_unauth_destination
 [...]
@@ -1431,7 +1473,6 @@ Finally, we can add the submission service to our master.cf, with customized pol
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o milter_macro_daemon_name=ORIGINATING
 [...]
 We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
@@ -1985,8 +2026,10 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
 myorigin = /etc/mailname
 myhostname = lists.fripost.org
- mydestination = $myhostname
- mynetworks = 127.0.0.0/8
+ mydestination = $myhostname
+ mynetworks = 127.0.0.0/8 [::FFFF:127.0.0.0]/104 [::1]/128
+ inet_interfaces = loopback-only
+ inet_protocols = all
 default_database_type = cdb
@@ -2009,7 +2052,7 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
 schleuder_destination_recipient_limit = 1
 :: /etc/postfix-lists/master.cf
- 127.0.0.1:2345 inet n - - - - smtpd
+ 2345 inet n - - - - smtpd
 ...
 mailman unix - n n - - pipe flags=FR user=list:list argv=/usr/lib/mailman/bin/postfix-to-mailman.py 127.0.0.1 ${user}
@@ -2193,6 +2236,20 @@ EOF
 break
 EOF
+ sudo patch -p0 << EOF
+--- Mailman/Handlers/Decorate.py
++++ mailman/Mailman/Handlers/Decorate.py
+@@ -221,7 +221,7 @@
+ d = SafeDict({'real_name' : mlist.real_name,
+ 'list_name' : mlist.local_part,
+ # For backwards compatibility
+- '_internal_name': mlist.local_part,
++ '_internal_name': mlist._internal_name,
+ 'host_name' : mlist.host_name,
+ 'web_page_url' : mlist.web_page_url,
+ 'description' : mlist.description,
+EOF
+
 sudo find -L /var/lib/mailman -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete
 **** Configuration
@@ -2253,7 +2310,7 @@ dirty fix is to use a RewriteRule:
 RewriteEngine On
 RewriteBase /
- RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1/ [L]
+ RewriteRule ^([^@/]+)@([^/]+)/ /pipermail/$2/$1/ [R,L]
 ...
 ...
@@ -2275,10 +2332,10 @@ Documentation: https://schleuder2.nadir.org/
 **** Installation
 sudo apt-get install schleuder
- sudo chown 'root:schleuder' /etc/schleuder/lists/
- sudo chown ug+rwx,o-rwx /etc/schleuder/lists/
+ sudo chown 'schleuder:schleuder' /etc/schleuder/lists/
+ sudo chmod 0700 /etc/schleuder/lists/
-*** Configuration
+**** Configuration
 :: /etc/schleuder/schleuder.conf
 smtp_host: smtp.fripost.org
@@ -2388,11 +2445,13 @@ schleuder executable (it does it for us, but not when the list is fully qualifie
 The wrapper (postfix-to-schleuder.sh) is available in the fripost-admin repository.
+TODO: bounces -> bounce
+
 *** Tools
 We need two small scripts to create new lists (one for GNU Mailman, the other for
 Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user
-respectively, hence the two files transport_mailman and transport_schleuder.
+respectively, hence the two distinct files transport_mailman and transport_schleuder.
 These scripts should:
 - Ensure that the email is signed with the Admin WebPanel GPG key,
@@ -2400,7 +2459,7 @@ These scripts should:
 - Append the new commands to transport_mailman or transport_schleuder,
 - Hash the transport file.
-In the case of Schleuder we also, create the web.conf file with the provided
+In the case of Schleuder we also create the web.conf file with the provided
 password.
 ** Logging
--
cgit v1.2.3