-rw-r--r-- konfigurera.mdwn 136
1 files changed, 96 insertions, 40 deletions
diff --git a/konfigurera.mdwn b/konfigurera.mdwn
index db4fbdf..9ba1e3a 100644
--- a/konfigurera.mdwn
+++ b/konfigurera.mdwn
@@ -142,58 +142,114 @@ password XXXXXXXX
## Postfix för utgående e-post
-Kör följande kommandon:
+You can either use single relayhost for all messages, or configure
+multiple relayhosts and let Postfix choose based on the envelope sender
+address. Pick (only one) of the following sections.
+
+### Single relayhost (`smtp.fripost.org:587`) for all outgoing messages
+
+Create a file `/etc/postfix/sasl/passwd`
sudo install -m 0400 /dev/null /etc/postfix/sasl/passwd
-Lägg in följande rad i /etc/postfix/sasl/passwd
+(it should only be readable by the superuser). Edit it and enter your
+credentials in the following format:
[smtp.fripost.org]:587 USERNAME@fripost.org:XXXXXXXX
-Kör följande kommandon:
+Now you need to hash the file using `postmap(1)`:
sudo postmap hash:/etc/postfix/sasl/passwd
-Lägg in följande i main.cf:
+(Postfix doesn't read the file directly, but the compiled lookup table.
+Thus you'll have to run that command again whenever the file is updated.)
+
+Now add the following to `/etc/postfix/main.cf`:
+
+ mynetworks_style = host
+ inet_interfaces = loopback-only
+ relayhost = [smtp.fripost.org]:587
- inet_interfaces = loopback-only
- relayhost = [smtp.fripost.org]:587
- smtp_sasl_auth_enable = yes
- smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
- smtp_tls_security_level = fingerprint
- smtp_tls_fingerprint_digest = sha256
- smtp_tls_mandatory_ciphers = high
- smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+ smtp_tls_security_level = fingerprint
+ smtp_tls_fingerprint_digest = sha256
+ smtp_tls_mandatory_ciphers = high
+ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_fingerprint_cert_match = 92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF
-Guilhems kommentar:
-
-> Jag gissar att jag inte är den enda som föredrar att skilja mellan arbete och privatliv
-> när det gäller e-postkonton. Själv gör jag det genom att redigera det sista stycket i
-> main.cf ovan så att det står så här:
->
-> /etc/postfix/main.cf
-> […]
-> smtp_tls_policy_maps = hash:$config_directory/tls_policy
-> smtp_sender_dependent_authentication = yes
-> sender_dependent_relayhost_maps = hash:$config_directory/relayhost_map
-> smtp_tls_fingerprint_digest = sha256
->
-> /etc/postfix/tls_policy
-> [smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3
-> [smtp.fripost.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
-> match=92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF
->
-> /etc/postfix/relayhost_map
-> @fripost.org [smtp.fripost.org]:587
-> @example.org [smtp.example.org]:587
->
-> /etc/postfix/sasl/passwd
-> [smtp.fripost.org]:587 USERNAME1:XXXXXXXX
-> [smtp.example.org]:587 USERNAME2:XXXXXXXX
-
-The fingerprint of the server certificate can also be found
-[here](https://fripost.org/certs.asc).
+(See `postconf(5)` for details on the SSL/TLS client policy.
+The fingerprint of our [server certificate](http://git.fripost.org/fripost-ansible/plain/certs/public/smtp.fripost.org.pem)'s
+public key can be found [here](https://fripost.org/certs.asc).)
+
+Be sure to reload (or even restart) Postfix after changing the
+configuration. In doubt, run `service postfix restart` or `systemctl
+restart postfix`.
+
+### Sender-dependent relayhost
+
+This is slightly more advanced than the previous configuration. The
+point here is to configure multiple relayhosts and let Postfix choose
+based on the envelope sender address. This is useful if you want to use
+`smtp.fripost.org:587` for personal messages and a corporate relayhost
+`smtp.example.org:587` for professional messages, for instance.
+
+Create a file `/etc/postfix/sasl/passwd` as before (ensure that only the
+superuser can read it!), and enter all your credentials:
+
+ [smtp.fripost.org]:587 USERNAME1@fripost.org:XXXXXXXX
+ [smtp.example.org]:587 USERNAME2@example.org:XXXXXXXX
+
+Next, write your SSL/TLS client policy in `/etc/postfix/tls_policy`
+
+ [smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3
+ [smtp.fripost.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+ match=92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF
+
+(see `postconf(5)` for details;
+the fingerprint of our [server certificate](http://git.fripost.org/fripost-ansible/plain/certs/public/smtp.fripost.org.pem)'s
+public key can be found [here](https://fripost.org/certs.asc)),
+and your relayhost policy in `/etc/postfix/relayhost_map`
+
+ @fripost.org [smtp.fripost.org]:587
+ @example.org [smtp.example.org]:587
+
+Here, we tell Postfix to use the `smtp.fripost.org:587` relayhost for
+which the envelope sender address is under the `fripost.org` domain, and
+the `smtp.example.org:587` relayhost for which the envelope sender
+address is under the `example.org` domain.
+(The brackets around the hostname tell Postfix not perform MX lookups.)
+
+Ensure to compile the lookup tables for all files that have been edited:
+
+ sudo postmap hash:/etc/postfix/sasl/passwd
+ sudo postmap hash:/etc/postfix/tls_policy
+ sudo postmap hash:/etc/postfix/relayhost_map
+
+The configuration in `/etc/postfix/main.cf` is like that of the previous
+section, except that we're replacing the `smtp_tls_*` options by
+`smtp_tls_policy_maps`. We also keep a default `relayhost` value for
+envelope sender addresses that don't map the `relayhost_map` lookup
+table.
+
+ mynetworks_style = host
+ inet_interfaces = loopback-only
+ relayhost = [smtp.fripost.org]:587
+
+ smtp_sender_dependent_authentication = yes
+ sender_dependent_relayhost_maps = hash:$config_directory/relayhost_map
+
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+ smtp_sasl_security_options = noanonymous, noplaintext
+ smtp_sasl_tls_security_options = noanonymous
+
+ smtp_tls_policy_maps = hash:$config_directory/tls_policy
+ smtp_tls_fingerprint_digest = sha256
+
+Be sure to reload (or even restart) Postfix after changing the
+configuration. In doubt, run `service postfix restart` or `systemctl
+restart postfix`.
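Review bot: the `main.cf` block for the sender-dependent section drops every global `smtp_tls_*` security setting in favour of `smtp_tls_policy_maps`, so a destination added to `relayhost_map` without a matching line in `tls_policy` is contacted at whatever `smtp_tls_security_level` happens to be otherwise, with no pinning and possibly no mandatory TLS. Suggest keeping a global floor next to the policy map, for example `smtp_tls_security_level = encrypt`, and stating in the text that every relayhost listed in `relayhost_map` needs its own `tls_policy` entry. Separately, both new sections link the server certificate over plain `http://git.fripost.org/...` while the fingerprint list is served over https; on a page that explains certificate pinning, the certificate link should use https if the host offers it. Minor wording in the added text: "use single relayhost", "tell Postfix not perform MX lookups" and "don't map the `relayhost_map` lookup table" each need a small fix ("a single relayhost", "not to perform", "don't match").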