From e8d6590b9658d7f7705341f6e8e8bf30a93d8061 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 13 Nov 2012 21:46:19 +0100
Subject: Better distinction MTA vs. MSA
---
 fripost-docs.org | 56 ++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 42 insertions(+), 14 deletions(-)
diff --git a/fripost-docs.org b/fripost-docs.org
index 6ecc47c..13a772f 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -293,9 +293,9 @@ LDAP server = the server that stores users credentials and various other informa
 smarthost = the server receiving email from the internet (configured as MX)
-outgoing SMTP = the message transfer agent (MTA), that will relay emails originating from our network.
+outgoing SMTP = the Message Transfer Agent (MTA), that will relay emails originating from our network.
-incoming SMTP = the mail submission agent (MSA), that will receive emails from our users (via ESMTPSA).
+incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from our users (via ESMTPSA).
 *** Configuring an SSH tunnel between two hosts
@@ -1399,8 +1399,29 @@ the mailhub. For instance on mx1.fripost.org,
 :: /etc/postfix/tls_policy
 smtp:[smtp.fripost.org]:25 secure
-We don't want to force the SMTP client to use encrypted connection regardless, as some
-servers may not support it :-/
+(Note: The `secure' TLS policy will not accept self-signed certificates, or
+certificates which CN doesn't match!)
+
+We don't want to force the SMTP client to use encrypted connection
+regardless, as some servers may not support it :-/
+
+*** Configuring the Mail Submission Agent (MSA)
+
+We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
+MTA are hosted on the same machine (gnu).
+
+Firewall: The MSA needs 587/TCP in, and the MTA 25/TCP both in and out.
+
+**** Install packages
+
+sudo apt-get install sasl2-bin libsasl2-modules
+
+(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
+test our installation.)
+
+In the rest of this section, we assume there is a tunnel from the master
+LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
+this machine actually speaks to the master).
 **** Fixing CApath
@@ -1411,7 +1432,7 @@ To do it by hand, copy the files (don't forget the symlink targets) under
 '/var/spool/postfix/etc/ssl/certs' and c_rehash this last directory.
 The issue is fixed under Postfix 2.8. For the time being, a script to automatize
-the above process is available in the fripost-admin repository.
+the above process can be found in the fripost-admin repository.
 **** Configure SASLauthd
@@ -1443,7 +1464,7 @@ access on the user's entry (except his/her password, of course). TODO: maybe
 After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the authentication:
- testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
+ sudo testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
 (The password cannot be prompted, so you may want to create a dummy user.)
@@ -1464,10 +1485,7 @@ If everything goes through, it is now time to modify Postfix's main.cf:
 smtpd_sasl_path = smtpd
 [...]
 smtpd_recipient_restrictions =
- reject_non_fqdn_recipient
- reject_unknown_recipient_domain
- permit_mynetworks
- permit_tls_clientcerts
+ [...]
 permit_sasl_authenticated
 reject_unauth_destination
 [...]
@@ -1482,8 +1500,15 @@ Finally, we can add the submission service to our master.cf, with customized pol
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_helo_restrictions=reject_invalid_helo_hostname
 [...]
+(We don't reject soon-to-be authenticated clients for having a non-FQDN hostame.)
+
+Postfix needs to be added to the `sasl' group to talk to SASLauthd:
+
+ $~ adduser postfix sasl
+
 We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload' is enough actually.)
@@ -1663,10 +1688,13 @@ responsability to masquerade it I suppose.
 /^X-Originating-IP:/ IGNORE
- :: /etc/postfix/main.cf
-
- smtp_header_checks = pcre:$config_directory/smtp_anonymize_sender.pcre
-
+ :: /etc/postfix/master.cf
+ submission inet n - - - - smtpd
+ [...]
+ -o cleanup_service_name=cleanup2
+ [...]
+ cleanup2 unix n - - - 0 cleanup
+ -o header_checks=pcre:$config_directory/smtpd_anonymize_sender.pcre
 By default, postfix logs the header checks (or rewrites in our case). For privacy reasons, we drop these when they entery syslog:
-- 
cgit v1.2.3