diff options
-rw-r--r-- | konfigurera.mdwn | 136 |
1 files changed, 96 insertions, 40 deletions
diff --git a/konfigurera.mdwn b/konfigurera.mdwn index db4fbdf..9ba1e3a 100644 --- a/konfigurera.mdwn +++ b/konfigurera.mdwn @@ -142,58 +142,114 @@ password XXXXXXXX ## Postfix för utgående e-post -Kör följande kommandon: +You can either use single relayhost for all messages, or configure +multiple relayhosts and let Postfix choose based on the envelope sender +address. Pick (only one) of the following sections. + +### Single relayhost (`smtp.fripost.org:587`) for all outgoing messages + +Create a file `/etc/postfix/sasl/passwd` sudo install -m 0400 /dev/null /etc/postfix/sasl/passwd -Lägg in följande rad i /etc/postfix/sasl/passwd +(it should only be readable by the superuser). Edit it and enter your +credentials in the following format: [smtp.fripost.org]:587 USERNAME@fripost.org:XXXXXXXX -Kör följande kommandon: +Now you need to hash the file using `postmap(1)`: sudo postmap hash:/etc/postfix/sasl/passwd -Lägg in följande i main.cf: +(Postfix doesn't read the file directly, but the compiled lookup table. +Thus you'll have to run that command again whenever the file is updated.) + +Now add the following to `/etc/postfix/main.cf`: + + mynetworks_style = host + inet_interfaces = loopback-only + relayhost = [smtp.fripost.org]:587 - inet_interfaces = loopback-only - relayhost = [smtp.fripost.org]:587 - smtp_sasl_auth_enable = yes - smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd + smtp_sasl_auth_enable = yes + smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd smtp_sasl_security_options = noanonymous, noplaintext smtp_sasl_tls_security_options = noanonymous - smtp_tls_security_level = fingerprint - smtp_tls_fingerprint_digest = sha256 - smtp_tls_mandatory_ciphers = high - smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + smtp_tls_security_level = fingerprint + smtp_tls_fingerprint_digest = sha256 + smtp_tls_mandatory_ciphers = high + smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_fingerprint_cert_match = 92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF -Guilhems kommentar: - -> Jag gissar att jag inte är den enda som föredrar att skilja mellan arbete och privatliv -> när det gäller e-postkonton. Själv gör jag det genom att redigera det sista stycket i -> main.cf ovan så att det står så här: -> -> /etc/postfix/main.cf -> […] -> smtp_tls_policy_maps = hash:$config_directory/tls_policy -> smtp_sender_dependent_authentication = yes -> sender_dependent_relayhost_maps = hash:$config_directory/relayhost_map -> smtp_tls_fingerprint_digest = sha256 -> -> /etc/postfix/tls_policy -> [smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3 -> [smtp.fripost.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 -> match=92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF -> -> /etc/postfix/relayhost_map -> @fripost.org [smtp.fripost.org]:587 -> @example.org [smtp.example.org]:587 -> -> /etc/postfix/sasl/passwd -> [smtp.fripost.org]:587 USERNAME1:XXXXXXXX -> [smtp.example.org]:587 USERNAME2:XXXXXXXX - -The fingerprint of the server certificate can also be found -[here](https://fripost.org/certs.asc). +(See `postconf(5)` for details on the SSL/TLS client policy. +The fingerprint of our [server certificate](http://git.fripost.org/fripost-ansible/plain/certs/public/smtp.fripost.org.pem)'s +public key can be found [here](https://fripost.org/certs.asc).) + +Be sure to reload (or even restart) Postfix after changing the +configuration. In doubt, run `service postfix restart` or `systemctl +restart postfix`. + +### Sender-dependent relayhost + +This is slightly more advanced than the previous configuration. The +point here is to configure multiple relayhosts and let Postfix choose +based on the envelope sender address. This is useful if you want to use +`smtp.fripost.org:587` for personal messages and a corporate relayhost +`smtp.example.org:587` for professional messages, for instance. + +Create a file `/etc/postfix/sasl/passwd` as before (ensure that only the +superuser can read it!), and enter all your credentials: + + [smtp.fripost.org]:587 USERNAME1@fripost.org:XXXXXXXX + [smtp.example.org]:587 USERNAME2@example.org:XXXXXXXX + +Next, write your SSL/TLS client policy in `/etc/postfix/tls_policy` + + [smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3 + [smtp.fripost.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 + match=92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF + +(see `postconf(5)` for details; +the fingerprint of our [server certificate](http://git.fripost.org/fripost-ansible/plain/certs/public/smtp.fripost.org.pem)'s +public key can be found [here](https://fripost.org/certs.asc)), +and your relayhost policy in `/etc/postfix/relayhost_map` + + @fripost.org [smtp.fripost.org]:587 + @example.org [smtp.example.org]:587 + +Here, we tell Postfix to use the `smtp.fripost.org:587` relayhost for +which the envelope sender address is under the `fripost.org` domain, and +the `smtp.example.org:587` relayhost for which the envelope sender +address is under the `example.org` domain. +(The brackets around the hostname tell Postfix not perform MX lookups.) + +Ensure to compile the lookup tables for all files that have been edited: + + sudo postmap hash:/etc/postfix/sasl/passwd + sudo postmap hash:/etc/postfix/tls_policy + sudo postmap hash:/etc/postfix/relayhost_map + +The configuration in `/etc/postfix/main.cf` is like that of the previous +section, except that we're replacing the `smtp_tls_*` options by +`smtp_tls_policy_maps`. We also keep a default `relayhost` value for +envelope sender addresses that don't map the `relayhost_map` lookup +table. + + mynetworks_style = host + inet_interfaces = loopback-only + relayhost = [smtp.fripost.org]:587 + + smtp_sender_dependent_authentication = yes + sender_dependent_relayhost_maps = hash:$config_directory/relayhost_map + + smtp_sasl_auth_enable = yes + smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd + smtp_sasl_security_options = noanonymous, noplaintext + smtp_sasl_tls_security_options = noanonymous + + smtp_tls_policy_maps = hash:$config_directory/tls_policy + smtp_tls_fingerprint_digest = sha256 + +Be sure to reload (or even restart) Postfix after changing the +configuration. In doubt, run `service postfix restart` or `systemctl +restart postfix`. |