From 330107d05b21df18a781b3e8db9d61d0cf879651 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 3 Dec 2015 19:12:48 +0100 Subject: Improve Postfix config. --- konfigurera.mdwn | 136 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 96 insertions(+), 40 deletions(-) (limited to 'konfigurera.mdwn') diff --git a/konfigurera.mdwn b/konfigurera.mdwn index db4fbdf..9ba1e3a 100644 --- a/konfigurera.mdwn +++ b/konfigurera.mdwn 
@@ -142,58 +142,114 @@ password XXXXXXXX ## Postfix för utgående e-post -Kör följande kommandon: +You can either use single relayhost for all messages, or configure +multiple relayhosts and let Postfix choose based on the envelope sender +address. Pick (only one) of the following sections. + +### Single relayhost (`smtp.fripost.org:587`) for all outgoing messages + +Create a file `/etc/postfix/sasl/passwd` sudo install -m 0400 /dev/null /etc/postfix/sasl/passwd -Lägg in följande rad i /etc/postfix/sasl/passwd +(it should only be readable by the superuser). Edit it and enter your +credentials in the following format: [smtp.fripost.org]:587 USERNAME@fripost.org:XXXXXXXX -Kör följande kommandon: +Now you need to hash the file using `postmap(1)`: sudo postmap hash:/etc/postfix/sasl/passwd -Lägg in följande i main.cf: +(Postfix doesn't read the file directly, but the compiled lookup table. +Thus you'll have to run that command again whenever the file is updated.) + +Now add the following to `/etc/postfix/main.cf`: + + mynetworks_style = host + inet_interfaces = loopback-only + relayhost = [smtp.fripost.org]:587 - inet_interfaces = loopback-only - relayhost = [smtp.fripost.org]:587 - smtp_sasl_auth_enable = yes - smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd + smtp_sasl_auth_enable = yes + smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd smtp_sasl_security_options = noanonymous, noplaintext smtp_sasl_tls_security_options = noanonymous - smtp_tls_security_level = fingerprint - smtp_tls_fingerprint_digest = sha256 - smtp_tls_mandatory_ciphers = high - smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + smtp_tls_security_level = fingerprint + smtp_tls_fingerprint_digest = sha256 + smtp_tls_mandatory_ciphers = high + smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_fingerprint_cert_match = 92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF -Guilhems kommentar: - -> Jag gissar 
att jag inte är den enda som föredrar att skilja mellan arbete och privatliv -> när det gäller e-postkonton. Själv gör jag det genom att redigera det sista stycket i -> main.cf ovan så att det står så här: -> -> /etc/postfix/main.cf -> […] -> smtp_tls_policy_maps = hash:$config_directory/tls_policy -> smtp_sender_dependent_authentication = yes -> sender_dependent_relayhost_maps = hash:$config_directory/relayhost_map -> smtp_tls_fingerprint_digest = sha256 -> -> /etc/postfix/tls_policy -> [smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3 -> [smtp.fripost.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 -> match=92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF -> -> /etc/postfix/relayhost_map -> @fripost.org [smtp.fripost.org]:587 -> @example.org [smtp.example.org]:587 -> -> /etc/postfix/sasl/passwd -> [smtp.fripost.org]:587 USERNAME1:XXXXXXXX -> [smtp.example.org]:587 USERNAME2:XXXXXXXX - -The fingerprint of the server certificate can also be found -[here](https://fripost.org/certs.asc). +(See `postconf(5)` for details on the SSL/TLS client policy. +The fingerprint of our [server certificate](http://git.fripost.org/fripost-ansible/plain/certs/public/smtp.fripost.org.pem)'s +public key can be found [here](https://fripost.org/certs.asc).) + +Be sure to reload (or even restart) Postfix after changing the +configuration. In doubt, run `service postfix restart` or `systemctl +restart postfix`. + +### Sender-dependent relayhost + +This is slightly more advanced than the previous configuration. The +point here is to configure multiple relayhosts and let Postfix choose +based on the envelope sender address. This is useful if you want to use +`smtp.fripost.org:587` for personal messages and a corporate relayhost +`smtp.example.org:587` for professional messages, for instance. 
+ +Create a file `/etc/postfix/sasl/passwd` as before (ensure that only the +superuser can read it!), and enter all your credentials: + + [smtp.fripost.org]:587 USERNAME1@fripost.org:XXXXXXXX + [smtp.example.org]:587 USERNAME2@example.org:XXXXXXXX + +Next, write your SSL/TLS client policy in `/etc/postfix/tls_policy` + + [smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3 + [smtp.fripost.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 + match=92:BF:5E:D5:B0:4E:10:19:20:08:C4:70:D6:F3:F7:EC:5F:6E:75:D2:1F:9B:FF:4D:49:BD:B0:8A:68:90:49:BF + +(see `postconf(5)` for details; +the fingerprint of our [server certificate](http://git.fripost.org/fripost-ansible/plain/certs/public/smtp.fripost.org.pem)'s +public key can be found [here](https://fripost.org/certs.asc)), +and your relayhost policy in `/etc/postfix/relayhost_map` + + @fripost.org [smtp.fripost.org]:587 + @example.org [smtp.example.org]:587 + +Here, we tell Postfix to use the `smtp.fripost.org:587` relayhost for +which the envelope sender address is under the `fripost.org` domain, and +the `smtp.example.org:587` relayhost for which the envelope sender +address is under the `example.org` domain. +(The brackets around the hostname tell Postfix not perform MX lookups.) + +Ensure to compile the lookup tables for all files that have been edited: + + sudo postmap hash:/etc/postfix/sasl/passwd + sudo postmap hash:/etc/postfix/tls_policy + sudo postmap hash:/etc/postfix/relayhost_map + +The configuration in `/etc/postfix/main.cf` is like that of the previous +section, except that we're replacing the `smtp_tls_*` options by +`smtp_tls_policy_maps`. We also keep a default `relayhost` value for +envelope sender addresses that don't map the `relayhost_map` lookup +table. 
+ + mynetworks_style = host + inet_interfaces = loopback-only + relayhost = [smtp.fripost.org]:587 + + smtp_sender_dependent_authentication = yes + sender_dependent_relayhost_maps = hash:$config_directory/relayhost_map + + smtp_sasl_auth_enable = yes + smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd + smtp_sasl_security_options = noanonymous, noplaintext + smtp_sasl_tls_security_options = noanonymous + + smtp_tls_policy_maps = hash:$config_directory/tls_policy + smtp_tls_fingerprint_digest = sha256 + +Be sure to reload (or even restart) Postfix after changing the +configuration. In doubt, run `service postfix restart` or `systemctl +restart postfix`.
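Review bot: the sender-dependent section's `tls_policy` entry `[smtp.example.org]:587 secure ciphers=high protocols=!SSLv2:!SSLv3` needs a trust anchor, but nothing in the hunk sets `smtp_tls_CAfile` or `smtp_tls_CApath`; at the `secure` level Postfix verifies the relay's certificate chain and hostname, so without a configured CA store verification fails and mail for `@example.org` senders is deferred rather than sent. Suggest adding a line such as `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` (path is distribution-dependent) to the second `main.cf` block, or at least a sentence pointing the reader to it. Related: that second `main.cf` block drops `smtp_tls_security_level` entirely, so any destination not listed in `tls_policy` falls back to the client default; with `relayhost` set this only covers the two relays, but a short note would save readers who later add a third relay to `relayhost_map` without a matching `tls_policy` entry. Two wording fixes in the added prose: "tell Postfix not perform MX lookups" should read "not to perform MX lookups", and "envelope sender addresses that don't map the `relayhost_map` lookup table" should read "don't match any entry in the `relayhost_map` lookup table".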