From 803140e1108752ea009e332b528725667816612f Mon Sep 17 00:00:00 2001
From: skangas <skangas@web>
Date: Sat, 12 Jan 2013 19:02:32 +0100
Subject: Update postfix instructions

---
 konfigurera.mdwn | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 51 insertions(+), 6 deletions(-)

(limited to 'konfigurera.mdwn')

diff --git a/konfigurera.mdwn b/konfigurera.mdwn
index 886c838..9cea457 100644
--- a/konfigurera.mdwn
+++ b/konfigurera.mdwn
@@ -136,17 +136,23 @@ password      uSerS_paSSword
 
 ## Postfix för utgående e-post
 
+Kör följande kommandon:
+
+<pre>
+touch /etc/postfix/sasl/passwd
+sudo chown root:root /etc/postfix/sasl/passwd
+sudo chmod 0400 /etc/postfix/sasl/passwd
+</pre>
+
 Lägg in följande rad i /etc/postfix/sasl/passwd
 
 <pre>
-smtp.fripost.org    USERNAME@fripost.org:PASSWORD
+[smtp.fripost.org]:587    USERNAME@fripost.org:PASSWORD
 </pre>
 
 Kör följande kommandon:
 
 <pre>
-sudo chown root:root /etc/postfix/sasl/passwd
-sudo chmod 0400 /etc/postfix/sasl/passwd
 sudo postmap hash:/etc/postfix/sasl/passwd
 </pre>
 
@@ -156,9 +162,48 @@ Lägg in följande i main.cf:
 mydomain = fripost.org
 myorigin = $mydomain
 myhostname = USERNAME.$mydomain
-relayhost = smtp.fripost.org:587
+relayhost = [smtp.fripost.org]:587
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
-smtp_sasl_security_options = 
-smtp_tls_security_level = may
+smtp_sasl_security_options     = noanonymous, noplaintext
+smtp_sasl_tls_security_options = noanonymous
+
+smtp_tls_security_level = fingerprint
+smtp_tls_fingerprint_digest = sha1
+smtp_tls_mandatory_ciphers = high
+smtp_tls_fingerprint_cert_match = 6B:75:B6:CA:6F:6C:DD:F7:7C:FD:5A:98:89:80:3B:82:FD:82:0E:8B
 </pre>
+
+Guilhem comments:
+
+> I guess I'm not the only one who prefers to separate personal and 
+> professional e-mail accounts. I do it as follows:
+>
+>     /etc/postfix/main.cf
+>       smtp_tls_policy_maps                 = hash:$config_directory/tls_policy
+>       smtp_sender_dependent_authentication = yes
+>       sender_dependent_relayhost_maps      = hash:$config_directory/relayhost_map
+>       smtp_tls_fingerprint_digest          = sha1
+>
+>     /etc/postfix/tls_policy
+>       [mail.chalmers.se]:587  secure ciphers=high
+>       [smtp.fripost.org]:587  fingerprint
+>           match=6B:75:B6:CA:6F:6C:DD:F7:7C:FD:5A:98:89:80:3B:82:FD:82:0E:8B
+>           ciphers=high
+>     
+>     /etc/postfix/relayhost_map
+>       @fripost.org                [smtp.fripost.org]:587
+>       guilhem.moulin@chalmers.se  [mail.chalmers.se]:587
+>
+>     /etc/postfix/sasl/passwd
+>       [mail.chalmers.se]:587  mouling:xxxxxx
+>       [smtp.fripost.org]:587  guilhem:xxxxxx
+
+Guilhem adds:
+
+> Also, note that if you want to switch to the ‘secure’ TLS policy under 
+> Postfix < 2.8, you have to manually populate the chroot's CApath with 
+> trusted CAs (the bug was fixed in Postfix 2.8.). I wrote a script anyway 
+> which can be found at
+>
+>   git://git.guilhem.org/fripost-ansible scripts/postfix-fixcerts.sh
-- 
cgit v1.2.3