authorQuentin <quentin@dufour.io>2021-01-18 08:18:21 +0100
committerQuentin <quentin@dufour.io>2021-01-18 08:18:21 +0100
commitad6017eea058f7cb6fdf078783f992a4f45a3e15 (patch)
tree6620bcc9e1ea61a5689b763b9ad8280275e35e76 /app/email/config/postfix
parent79b7273ff2a487d6721d393682c8ad3927467a75 (diff)
parentc642370def01f09d966b3b9c643cfe416ea115cf (diff)
downloadinfrastructure-ad6017eea058f7cb6fdf078783f992a4f45a3e15.tar.gz
infrastructure-ad6017eea058f7cb6fdf078783f992a4f45a3e15.zip
Merge pull request 'Reorganize app/ and add script for secret management' (#29) from test_reorganize into master
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/pulls/29
Diffstat (limited to 'app/email/config/postfix')
-rwxr-xr-xapp/email/config/postfix/certs.gen13
-rw-r--r--app/email/config/postfix/dynamicmaps.cf9
-rw-r--r--app/email/config/postfix/header_checks3
-rw-r--r--app/email/config/postfix/ldap-account.cf.tpl12
-rw-r--r--app/email/config/postfix/ldap-alias.cf.tpl9
-rw-r--r--app/email/config/postfix/ldap-virtual-domains.cf.tpl12
-rw-r--r--app/email/config/postfix/main.cf104
-rw-r--r--app/email/config/postfix/master.cf114
-rw-r--r--app/email/config/postfix/transport5
-rw-r--r--app/email/config/postfix/transport.dbbin0 -> 12288 bytes
10 files changed, 281 insertions, 0 deletions
diff --git a/app/email/config/postfix/certs.gen b/app/email/config/postfix/certs.gen
new file mode 100755
index 0000000..f25439b
--- /dev/null
+++ b/app/email/config/postfix/certs.gen
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
+openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout postfix.key \
+ -out postfix.crt
+
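Review bot: The private key written by `-keyout postfix.key` inherits the caller's umask, so under a typical 022 umask it is created world-readable until something later tightens it; add `umask 077` before the openssl call (or a `chmod 600 postfix.key` after it). `-subj ${TLSINFO}` is also unquoted — harmless for the current value, but any whitespace added to the subject later would split it into several arguments, so `-subj "${TLSINFO}"` is safer. The script has no `set -e`, so a failed key generation still exits 0 and a caller would not notice.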
diff --git a/app/email/config/postfix/dynamicmaps.cf b/app/email/config/postfix/dynamicmaps.cf
new file mode 100644
index 0000000..32d8f62
--- /dev/null
+++ b/app/email/config/postfix/dynamicmaps.cf
@@ -0,0 +1,9 @@
+# Postfix dynamic maps configuration file.
+#
+# The first match found is the one that is used. Wildcards are not supported
+# as of postfix 2.0.2
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+ldap postfix-ldap.so dict_ldap_open
+sqlite postfix-sqlite.so dict_sqlite_open
diff --git a/app/email/config/postfix/header_checks b/app/email/config/postfix/header_checks
new file mode 100644
index 0000000..cad52ec
--- /dev/null
+++ b/app/email/config/postfix/header_checks
@@ -0,0 +1,3 @@
+/^Received:/ IGNORE
+/^X-Originating-IP:/ IGNORE
+/^X-Mailer:/ IGNORE
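Review bot: These three IGNORE rules apply to every message that passes through cleanup(8), not only to submissions from authenticated users, because main.cf in this same commit sets `header_checks` and `mime_header_checks` globally; on inbound mail they strip the Received: trail that Postfix uses for loop detection (`hopcount_limit` counts Received: headers) and that incident forensics rely on. If the intent is to hide the originating IP and client of local users, attach the table to a dedicated cleanup service used only by the submission/smtps listeners (`-o cleanup_service_name=subcleanup` on those entries, and a `subcleanup` cleanup entry with `-o header_checks=regexp:/etc/postfix/header_checks`), leaving the default cleanup without it. A one-line comment at the top of this file naming which listeners it is meant for would make that scope explicit.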
diff --git a/app/email/config/postfix/ldap-account.cf.tpl b/app/email/config/postfix/ldap-account.cf.tpl
new file mode 100644
index 0000000..2575f10
--- /dev/null
+++ b/app/email/config/postfix/ldap-account.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=users,dc=deuxfleurs,dc=fr
+query_filter = mail=%s
+result_attribute = mail
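Review bot: `start_tls = no` combined with `server_host = ldap://...` means the bind DN and the password rendered into `bind_pw` cross the network in cleartext on every lookup, and `tls_require_cert = no` would skip server verification even if TLS were enabled; unless the path to bottin2 is protected by some other layer, use `start_tls = yes` (or an `ldaps://` URL) with `tls_require_cert = yes` and a `tls_ca_cert_file`. The same block appears in ldap-virtual-domains.cf.tpl, while ldap-alias.cf.tpl omits it entirely (no URL scheme, `server_port = 389`, no `timeout`), so the three templates should share one identical connection section. Because the rendered .cf files contain the bind password, the deployment should also ensure they are readable only by root and the postfix user; a comment stating that requirement here would help whoever wires up the templating.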
diff --git a/app/email/config/postfix/ldap-alias.cf.tpl b/app/email/config/postfix/ldap-alias.cf.tpl
new file mode 100644
index 0000000..775c0ad
--- /dev/null
+++ b/app/email/config/postfix/ldap-alias.cf.tpl
@@ -0,0 +1,9 @@
+server_host = bottin2.service.2.cluster.deuxfleurs.fr
+server_port = 389
+search_base = dc=deuxfleurs,dc=fr
+query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
+result_attribute = mail
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
diff --git a/app/email/config/postfix/ldap-virtual-domains.cf.tpl b/app/email/config/postfix/ldap-virtual-domains.cf.tpl
new file mode 100644
index 0000000..e013953
--- /dev/null
+++ b/app/email/config/postfix/ldap-virtual-domains.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr
+query_filter = (&(objectclass=dNSDomain)(domain=%s))
+result_attribute = domain
diff --git a/app/email/config/postfix/main.cf b/app/email/config/postfix/main.cf
new file mode 100644
index 0000000..4204cb4
--- /dev/null
+++ b/app/email/config/postfix/main.cf
@@ -0,0 +1,104 @@
+#===
+# Base configuration
+#===
+myhostname = smtp.deuxfleurs.fr
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = smtp.deuxfleurs.fr
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_protocols = all
+inet_interfaces = all
+message_size_limit = 204800000
+smtpd_banner = $myhostname
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+compatibility_level = 2
+
+#===
+# TLS parameters
+#===
+smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt
+smtpd_tls_key_file=/etc/ssl/private/postfix.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+
+#===
+# Remove privacy related content from emails
+#===
+mime_header_checks = regexp:/etc/postfix/header_checks
+header_checks = regexp:/etc/postfix/header_checks
+
+#===
+# Handle user authentication (handled by dovecot)
+#===
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337
+smtpd_sasl_type = dovecot
+
+#===
+# Restrictions / Checks
+#===
+# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists
+
+# Require a valid HELO
+smtpd_helo_required = yes
+# As we use the same postfix to send and receive,
+# we can't enforce a valid HELO hostname...
+#smtpd_helo_restrictions =
+# reject_unknown_helo_hostname
+
+# Require that sender email has a valid domain
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain
+
+# Delivering email policy
+# MyNetwork is required by sogo
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated
+ permit_mynetworks
+ reject_unauth_destination
+ reject_rbl_client zen.spamhaus.org
+ reject_rhsbl_reverse_client dbl.spamhaus.org
+ reject_rhsbl_helo dbl.spamhaus.org
+ reject_rhsbl_sender dbl.spamhaus.org
+
+# Sending email policy
+# MyNetwork is required by sogo
+smtpd_relay_restrictions =
+ permit_sasl_authenticated
+ permit_mynetworks
+ reject_unauth_destination
+
+smtpd_data_restrictions = reject_unauth_pipelining
+
+smtpd_client_connection_rate_limit = 2
+
+#===
+# Rate limiting
+#===
+slow_destination_recipient_limit = 20
+slow_destination_concurrency_limit = 2
+
+#====
+# Transport configuration
+#====
+transport_maps = hash:/etc/postfix/transport
+virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf
+virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf
+virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24
+
+#===
+# Mail filters
+#===
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999
+non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999
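Review bot: `smtpd_sasl_auth_enable = yes` is set globally and `smtpd_tls_auth_only` is not set, so the port-25 listener — where TLS is only opportunistic through `smtpd_use_tls=yes` — also advertises AUTH and will accept a password over a cleartext session; add `smtpd_tls_auth_only = yes`, or remove the global enable and rely on the submission/smtps entries in master.cf, which already set it. The SASL backend (`smtpd_sasl_path = inet:dovecot-auth...:1337`), the LMTP transport and the milter are plain TCP between cluster hosts, so credentials and message bodies are unencrypted on the wire unless the cluster network encrypts them — worth a comment next to these lines stating that assumption. `smtpd_client_connection_rate_limit = 2` allows only two connections per client per `anvil_rate_time_unit` (60s by default), which is tight for legitimate remote MTAs that open parallel connections; it does not apply to `mynetworks`, so it will not throttle SOGo, and a comment giving the rationale for the value would help the next person tuning it.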
diff --git a/app/email/config/postfix/master.cf b/app/email/config/postfix/master.cf
new file mode 100644
index 0000000..53bc601
--- /dev/null
+++ b/app/email/config/postfix/master.cf
@@ -0,0 +1,114 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+submission inet n - n - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - n - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+slow unix - - n - 5 smtp
+ -o syslog_name=postfix-slow
+ -o smtp_destination_concurrency_limit=3
+ -o slow_destination_rate_delay=1
+
+
+#628 inet n - - - - qmqpd
+pickup fifo n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - - 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+smtp unix - - n - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay unix - - n - - smtp
+ -o smtp_fallback_relay=
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+scache unix - - n - 1 scache
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
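Review bot: The submission and smtps entries authenticate the client but never tie the SASL login to the envelope sender, so any authenticated account can send with any MAIL FROM; add `-o smtpd_sender_restrictions=reject_sender_login_mismatch,reject_unknown_sender_domain` to both, backed by an `smtpd_sender_login_maps` LDAP table mapping addresses to login names (a sibling of ldap-account.cf, which already returns `mail`). For log separation in detection rules, give the two listeners `-o syslog_name=postfix/submission` and `-o syslog_name=postfix/smtps`, as the `slow` transport already does with `postfix-slow`. The Debian example pipe transports (uucp, ifmail, bsmtp, scalemail-backend, mailman) remain active although nothing in this commit routes mail to them; removing or commenting them keeps master.cf to what is actually deployed.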
diff --git a/app/email/config/postfix/transport b/app/email/config/postfix/transport
new file mode 100644
index 0000000..68f62c5
--- /dev/null
+++ b/app/email/config/postfix/transport
@@ -0,0 +1,5 @@
+#wanadoo.com slow:
+#wanadoo.fr slow:
+#orange.com slow:
+#orange.fr slow:
+#smtp.orange.fr slow:
diff --git a/app/email/config/postfix/transport.db b/app/email/config/postfix/transport.db
new file mode 100644
index 0000000..487f394
--- /dev/null
+++ b/app/email/config/postfix/transport.db
Binary files differ