diff options
author | Quentin <quentin@dufour.io> | 2021-01-18 08:18:21 +0100 |
---|---|---|
committer | Quentin <quentin@dufour.io> | 2021-01-18 08:18:21 +0100 |
commit | ad6017eea058f7cb6fdf078783f992a4f45a3e15 (patch) | |
tree | 6620bcc9e1ea61a5689b763b9ad8280275e35e76 /app/email/config/postfix | |
parent | 79b7273ff2a487d6721d393682c8ad3927467a75 (diff) | |
parent | c642370def01f09d966b3b9c643cfe416ea115cf (diff) | |
download | infrastructure-ad6017eea058f7cb6fdf078783f992a4f45a3e15.tar.gz infrastructure-ad6017eea058f7cb6fdf078783f992a4f45a3e15.zip |
Merge pull request 'Reorganize app/ and add script for secret management' (#29) from test_reorganize into master
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/pulls/29
Diffstat (limited to 'app/email/config/postfix')
-rwxr-xr-x | app/email/config/postfix/certs.gen | 13 | ||||
-rw-r--r-- | app/email/config/postfix/dynamicmaps.cf | 9 | ||||
-rw-r--r-- | app/email/config/postfix/header_checks | 3 | ||||
-rw-r--r-- | app/email/config/postfix/ldap-account.cf.tpl | 12 | ||||
-rw-r--r-- | app/email/config/postfix/ldap-alias.cf.tpl | 9 | ||||
-rw-r--r-- | app/email/config/postfix/ldap-virtual-domains.cf.tpl | 12 | ||||
-rw-r--r-- | app/email/config/postfix/main.cf | 104 | ||||
-rw-r--r-- | app/email/config/postfix/master.cf | 114 | ||||
-rw-r--r-- | app/email/config/postfix/transport | 5 | ||||
-rw-r--r-- | app/email/config/postfix/transport.db | bin | 0 -> 12288 bytes |
10 files changed, 281 insertions, 0 deletions
diff --git a/app/email/config/postfix/certs.gen b/app/email/config/postfix/certs.gen new file mode 100755 index 0000000..f25439b --- /dev/null +++ b/app/email/config/postfix/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + diff --git a/app/email/config/postfix/dynamicmaps.cf b/app/email/config/postfix/dynamicmaps.cf new file mode 100644 index 0000000..32d8f62 --- /dev/null +++ b/app/email/config/postfix/dynamicmaps.cf @@ -0,0 +1,9 @@ +# Postfix dynamic maps configuration file. +# +# The first match found is the one that is used. Wildcards are not supported +# as of postfix 2.0.2 +# +#type location of .so file open function (mkmap func) +#==== ================================ ============= ============ +ldap postfix-ldap.so dict_ldap_open +sqlite postfix-sqlite.so dict_sqlite_open diff --git a/app/email/config/postfix/header_checks b/app/email/config/postfix/header_checks new file mode 100644 index 0000000..cad52ec --- /dev/null +++ b/app/email/config/postfix/header_checks @@ -0,0 +1,3 @@ +/^Received:/ IGNORE +/^X-Originating-IP:/ IGNORE +/^X-Mailer:/ IGNORE diff --git a/app/email/config/postfix/ldap-account.cf.tpl b/app/email/config/postfix/ldap-account.cf.tpl new file mode 100644 index 0000000..2575f10 --- /dev/null +++ b/app/email/config/postfix/ldap-account.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=users,dc=deuxfleurs,dc=fr +query_filter = mail=%s +result_attribute = mail diff --git a/app/email/config/postfix/ldap-alias.cf.tpl b/app/email/config/postfix/ldap-alias.cf.tpl new file mode 100644 index 0000000..775c0ad --- /dev/null +++ b/app/email/config/postfix/ldap-alias.cf.tpl @@ -0,0 +1,9 @@ +server_host = bottin2.service.2.cluster.deuxfleurs.fr +server_port = 389 +search_base = dc=deuxfleurs,dc=fr +query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) +result_attribute = mail +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 diff --git a/app/email/config/postfix/ldap-virtual-domains.cf.tpl b/app/email/config/postfix/ldap-virtual-domains.cf.tpl new file mode 100644 index 0000000..e013953 --- /dev/null +++ b/app/email/config/postfix/ldap-virtual-domains.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr +query_filter = (&(objectclass=dNSDomain)(domain=%s)) +result_attribute = domain diff --git a/app/email/config/postfix/main.cf b/app/email/config/postfix/main.cf new file mode 100644 index 0000000..4204cb4 --- /dev/null +++ b/app/email/config/postfix/main.cf @@ -0,0 +1,104 @@ +#=== +# Base configuration +#=== +myhostname = smtp.deuxfleurs.fr +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = smtp.deuxfleurs.fr +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_protocols = all +inet_interfaces = all +message_size_limit = 204800000 +smtpd_banner = $myhostname +biff = no +append_dot_mydomain = no +readme_directory = no +compatibility_level = 2 + +#=== +# TLS parameters +#=== +smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt +smtpd_tls_key_file=/etc/ssl/private/postfix.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +smtp_tls_security_level = may + +#=== +# Remove privacy related content from emails +#=== +mime_header_checks = regexp:/etc/postfix/header_checks +header_checks = regexp:/etc/postfix/header_checks + +#=== +# Handle user authentication (handled by dovecot) +#=== +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337 +smtpd_sasl_type = dovecot + +#=== +# Restrictions / Checks +#=== +# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists + +# Require a valid HELO +smtpd_helo_required = yes +# As we use the same postfix to send and receive, +# we can't enforce a valid HELO hostname... +#smtpd_helo_restrictions = +# reject_unknown_helo_hostname + +# Require that sender email has a valid domain +smtpd_sender_restrictions = + reject_unknown_sender_domain + +# Delivering email policy +# MyNetwork is required by sogo +smtpd_recipient_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + reject_rbl_client zen.spamhaus.org + reject_rhsbl_reverse_client dbl.spamhaus.org + reject_rhsbl_helo dbl.spamhaus.org + reject_rhsbl_sender dbl.spamhaus.org + +# Sending email policy +# MyNetwork is required by sogo +smtpd_relay_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + +smtpd_data_restrictions = reject_unauth_pipelining + +smtpd_client_connection_rate_limit = 2 + +#=== +# Rate limiting +#=== +slow_destination_recipient_limit = 20 +slow_destination_concurrency_limit = 2 + +#==== +# Transport configuration +#==== +transport_maps = hash:/etc/postfix/transport +virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf +virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf +virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf +virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24 + +#=== +# Mail filters +#=== +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 +non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 diff --git a/app/email/config/postfix/master.cf b/app/email/config/postfix/master.cf new file mode 100644 index 0000000..53bc601 --- /dev/null +++ b/app/email/config/postfix/master.cf @@ -0,0 +1,114 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - n - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +slow unix - - n - 5 smtp + -o syslog_name=postfix-slow + -o smtp_destination_concurrency_limit=3 + -o slow_destination_rate_delay=1 + + +#628 inet n - - - - qmqpd +pickup fifo n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +smtp unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +relay unix - - n - - smtp + -o smtp_fallback_relay= +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +scache unix - - n - 1 scache +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} diff --git a/app/email/config/postfix/transport b/app/email/config/postfix/transport new file mode 100644 index 0000000..68f62c5 --- /dev/null +++ b/app/email/config/postfix/transport @@ -0,0 +1,5 @@ +#wanadoo.com slow: +#wanadoo.fr slow: +#orange.com slow: +#orange.fr slow: +#smtp.orange.fr slow: diff --git a/app/email/config/postfix/transport.db b/app/email/config/postfix/transport.db Binary files differnew file mode 100644 index 0000000..487f394 --- /dev/null +++ b/app/email/config/postfix/transport.db |