authorQuentin Dufour <quentin@deuxfleurs.fr>2023-12-25 14:00:36 +0100
committerQuentin Dufour <quentin@deuxfleurs.fr>2023-12-25 14:00:36 +0100
commitac42e95f1ab8fbc2510e67746cc183b73e583479 (patch)
tree6185606fcadfd8e77e9c87489b592c1ce82e3c4b
parent2472a6b61a587a3d92a731875ccf0b257c24189a (diff)
downloadnixcfg-ac42e95f1ab8fbc2510e67746cc183b73e583479.tar.gz
nixcfg-ac42e95f1ab8fbc2510e67746cc183b73e583479.zip
update smtp server security conf
-rw-r--r--cluster/prod/app/email/build/docker-compose.yml6
-rw-r--r--cluster/prod/app/email/build/postfix/Dockerfile2
-rw-r--r--cluster/prod/app/email/config/postfix/main.cf6
3 files changed, 9 insertions, 5 deletions
diff --git a/cluster/prod/app/email/build/docker-compose.yml b/cluster/prod/app/email/build/docker-compose.yml
index 39d28bd..a726fb6 100644
--- a/cluster/prod/app/email/build/docker-compose.yml
+++ b/cluster/prod/app/email/build/docker-compose.yml
@@ -26,9 +26,9 @@ services:
build:
context: ./postfix
args:
- # https://packages.debian.org/fr/buster/postfix
- VERSION: 3.4.14-0+deb10u1
- image: superboum/amd64_postfix:v3
+ # https://packages.debian.org/fr/trixie/postfix
+ VERSION: 3.8.4-1
+ image: superboum/amd64_postfix:v4
opendkim:
build:
diff --git a/cluster/prod/app/email/build/postfix/Dockerfile b/cluster/prod/app/email/build/postfix/Dockerfile
index 0c74fdc..174b636 100644
--- a/cluster/prod/app/email/build/postfix/Dockerfile
+++ b/cluster/prod/app/email/build/postfix/Dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/debian:buster
+FROM amd64/debian:trixie
ARG VERSION
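Review bot: `FROM amd64/debian:trixie` moves a production image from a stable Debian release to what was, at the commit date, Debian testing, which does not receive Debian security-team advisories and whose floating tag changes underneath every rebuild since no digest is pinned. If trixie is here only because the postfix build pinned in docker-compose.yml (3.8.4-1) is not yet in a stable or security suite, record that in the Dockerfile, e.g. `# trixie (testing) only until a postfix >= 3.8.4 with the smuggling fix reaches stable/security`, and consider pinning the base image by digest. The hunk header announces four lines but only three are visible here, so the rest of it may be cut off.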
diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
index a83e5ec..5593716 100644
--- a/cluster/prod/app/email/config/postfix/main.cf
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -77,7 +77,11 @@ smtpd_relay_restrictions =
permit_mynetworks
reject_unauth_destination
-smtpd_data_restrictions = reject_unauth_pipelining
+# Disable SMTP smuggling attacks
+# https://www.postfix.org/smtp-smuggling.html
+smtpd_forbid_unauth_pipelining = yes
+smtpd_discard_ehlo_keywords = chunking
+smtpd_forbid_bare_newline = yes
smtpd_client_connection_rate_limit = 2
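Review bot: The new `smtpd_forbid_bare_newline = yes` is, by Postfix's default `smtpd_forbid_bare_newline_exclusions = $mynetworks`, not applied to the same clients that pass the `permit_mynetworks` context line above, so internal senders can still inject bare-newline messages; if that is intended it should be stated next to the setting, e.g. `# clients in $mynetworks are exempt via smtpd_forbid_bare_newline_exclusions (default: $mynetworks)`. `smtpd_forbid_bare_newline` only exists in Postfix releases carrying the smuggling fix (3.8.4 and the matching patch releases of older branches); an older binary logs an unused-parameter warning and silently keeps the old behaviour, so the dependency on the 3.8.4-1 pin in build/docker-compose.yml deserves a comment such as `# requires postfix >= 3.8.4, see VERSION in build/docker-compose.yml`. Dropping `smtpd_data_restrictions = reject_unauth_pipelining` is covered, since `smtpd_forbid_unauth_pipelining = yes` rejects unauthorised pipelining at the protocol level rather than only at DATA. The hunk header counts more context lines than are shown, so its tail may be cut off here.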