author | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-12-25 14:00:36 +0100 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-12-25 14:00:36 +0100 |
commit | ac42e95f1ab8fbc2510e67746cc183b73e583479 (patch) | |
tree | 6185606fcadfd8e77e9c87489b592c1ce82e3c4b /cluster/prod/app/email | |
parent | 2472a6b61a587a3d92a731875ccf0b257c24189a (diff) | |
update smtp server security conf
Diffstat (limited to 'cluster/prod/app/email')
-rw-r--r-- | cluster/prod/app/email/build/docker-compose.yml | 6 | ||||
-rw-r--r-- | cluster/prod/app/email/build/postfix/Dockerfile | 2 | ||||
-rw-r--r-- | cluster/prod/app/email/config/postfix/main.cf | 6 |
3 files changed, 9 insertions, 5 deletions
diff --git a/cluster/prod/app/email/build/docker-compose.yml b/cluster/prod/app/email/build/docker-compose.yml
index 39d28bd..a726fb6 100644
--- a/cluster/prod/app/email/build/docker-compose.yml
+++ b/cluster/prod/app/email/build/docker-compose.yml
@@ -26,9 +26,9 @@ services:
 build:
 context: ./postfix
 args:
- # https://packages.debian.org/fr/buster/postfix
- VERSION: 3.4.14-0+deb10u1
- image: superboum/amd64_postfix:v3
+ # https://packages.debian.org/fr/trixie/postfix
+ VERSION: 3.8.4-1
+ image: superboum/amd64_postfix:v4
 opendkim:
 build:
diff --git a/cluster/prod/app/email/build/postfix/Dockerfile b/cluster/prod/app/email/build/postfix/Dockerfile
index 0c74fdc..174b636 100644
--- a/cluster/prod/app/email/build/postfix/Dockerfile
+++ b/cluster/prod/app/email/build/postfix/Dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/debian:buster
+FROM amd64/debian:trixie
 ARG VERSION
diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
index a83e5ec..5593716 100644
--- a/cluster/prod/app/email/config/postfix/main.cf
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -77,7 +77,11 @@ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
-smtpd_data_restrictions = reject_unauth_pipelining
+# Disable SMTP smuggling attacks
+# https://www.postfix.org/smtp-smuggling.html
+smtpd_forbid_unauth_pipelining = yes
+smtpd_discard_ehlo_keywords = chunking
+smtpd_forbid_bare_newline = yes
 smtpd_client_connection_rate_limit = 2 |
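Review bot: The added block in main.cf depends on a Postfix build that knows `smtpd_forbid_unauth_pipelining` and `smtpd_forbid_bare_newline`, yet the same hunk removes `smtpd_data_restrictions = reject_unauth_pipelining`, which the linked postfix.org page lists as the workaround for releases that lack the new parameters. The diffstat shows only the two build files and main.cf changing, so if the deployed job still runs the v3 image (Postfix 3.4.14 per the docker-compose hunk), the new names would presumably be ignored as unknown parameters and the pipelining check would be lost. I would keep `smtpd_data_restrictions = reject_unauth_pipelining` next to the new lines, since it is harmless on 3.8.4, and add a comment such as `# requires the v4 image (Postfix 3.8.4); check postconf for unused-parameter warnings after deploy`. The comment `# Disable SMTP smuggling attacks` would also read better as `# Mitigate SMTP smuggling`, since the settings reject the malformed input rather than disable an attack. The context lines around the change are collapsed on this page, so the rest of the restriction lists was not checked.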