From 64066f85b0ba6da48945a6c842a1c49f84fdd6d3 Mon Sep 17 00:00:00 2001 From: ljf Date: Tue, 13 Aug 2019 22:49:01 +0200 Subject: [PATCH 01/10] [enh] Allow admin to specify an smtp relay --- data/hooks/conf_regen/19-postfix | 12 +++++++++++- data/templates/postfix/main.cf | 20 ++++++++++++++++++++ src/yunohost/settings.py | 4 ++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix index 68afe4bc9..235923b3d 100755 --- a/data/hooks/conf_regen/19-postfix +++ b/data/hooks/conf_regen/19-postfix @@ -23,7 +23,17 @@ do_pre_regen() { # Support different strategy for security configurations export compatibility="$(yunohost settings get 'security.postfix.compatibility')" - + + # Add possibility to specify a relay + # Could be useful with some isp with no 25 port open or more complex setup + export relay_host="$(yunohost settings get 'smtp.relay.host')" + if [ ! -z "${relay_host}" ]; then + export relay_port="$(yunohost settings get 'smtp.relay.port')" + export relay_user="$(yunohost settings get 'smtp.relay.user')" + relay_password="$(yunohost settings get 'smtp.relay.password')" + echo "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > /etc/postfix/sasl_passwd + postmap /etc/postfix/sasl_passwd + fi export main_domain export domain_list="$YNH_DOMAINS" ynh_render_template "main.cf" "${postfix_dir}/main.cf" diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf index 61cbfa2e6..8121ad3d9 100644 --- a/data/templates/postfix/main.cf +++ b/data/templates/postfix/main.cf @@ -72,7 +72,11 @@ alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases mydomain = {{ main_domain }} mydestination = localhost +{% if relay_host == "" %} relayhost = +{% else %} +relayhost = [{{ relay_host }}]:{{ relay_port }} +{% endif %} mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 
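Review bot: The `if [ ! -z "${relay_host}" ]` branch only ever creates `/etc/postfix/sasl_passwd`; when an admin later clears `smtp.relay.host`, the file and the `.db` built from it keep the old relay credentials and nothing in this hook removes them. An `else` branch such as `rm -f /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db` keeps the live configuration in step with the setting; whether the pending-directory rewrite in the later commits of this series makes regen-conf remove the file on its own is not visible here and would be worth confirming. Minor: `[ -n "${relay_host}" ]` is the idiomatic spelling of `[ ! -z ... ]`. do_pre_regen starts before and continues after this hunk.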
@@ -178,3 +182,19 @@ default_destination_rate_delay = 5s # So it's easly possible to scan a server to know which email adress is valid # and after to send spam disable_vrfy_command = yes + +{% if relay_user != "" %} +# Relay email through an other smtp account +# enable SASL authentication +smtp_sasl_auth_enable = yes +# disallow methods that allow anonymous authentication. +smtp_sasl_security_options = noanonymous +# where to find sasl_passwd +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +{% if relay_port == "587" %} +# Enable STARTTLS encryption +smtp_use_tls = yes +{% endif %} +# where to find CA certificates +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt +{% endif %} diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index c1edadb93..f40bb61af 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -71,6 +71,10 @@ DEFAULTS = OrderedDict([ "choices": ["intermediate", "modern"]}), ("pop3.enabled", {"type": "bool", "default": False}), ("smtp.allow_ipv6", {"type": "bool", "default": True}), + ("smtp.relay.host", {"type": "string", "default": ""}), + ("smtp.relay.port", {"type": "int", "default": 587}), + ("smtp.relay.user", {"type": "string", "default": ""}), + ("smtp.relay.password", {"type": "string", "default": ""}), ]) From 3a0104861ed04c554abfc57c4e52c9b7f020fe51 Mon Sep 17 00:00:00 2001 From: ljf Date: Wed, 29 Apr 2020 00:42:57 +0200 Subject: [PATCH 02/10] [fix] Don't modify directly files in regen conf --- data/hooks/conf_regen/19-postfix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix index 235923b3d..69790fd39 100755 --- a/data/hooks/conf_regen/19-postfix +++ b/data/hooks/conf_regen/19-postfix 
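Review bot: `smtp.relay.password` is declared with the same plain `"type": "string"` as the host and user, so the relay password is stored and returned exactly like any other setting — in `yunohost settings get`/list output and wherever the settings file is readable. None of the types visible in DEFAULTS (`bool`, `int`, `string`, the choices-based one above) marks a value as secret, so at minimum the setting's description should say the value is kept in clear text and shown by the CLI, and the settings file mode is worth confirming is root-only. A dedicated secret type that is masked in CLI output would be the fuller fix but is outside this change. The DEFAULTS list starts before this hunk.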
@@ -31,8 +31,8 @@ do_pre_regen() { export relay_port="$(yunohost settings get 'smtp.relay.port')" export relay_user="$(yunohost settings get 'smtp.relay.user')" relay_password="$(yunohost settings get 'smtp.relay.password')" - echo "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > /etc/postfix/sasl_passwd - postmap /etc/postfix/sasl_passwd + echo "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > ${postfix_dir}/sasl_passwd + postmap ${postfix_dir}/sasl_passwd fi export main_domain export domain_list="$YNH_DOMAINS" From fae6b3f3f474c7ba13d9e6f38ea8bb7270ec6ee6 Mon Sep 17 00:00:00 2001 From: ljf Date: Wed, 29 Apr 2020 00:53:52 +0200 Subject: [PATCH 03/10] [fix] Unrelevant obsolete config params --- data/templates/postfix/main.cf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf index 8121ad3d9..b15964241 100644 --- a/data/templates/postfix/main.cf +++ b/data/templates/postfix/main.cf @@ -191,10 +191,4 @@ smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous # where to find sasl_passwd smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -{% if relay_port == "587" %} -# Enable STARTTLS encryption -smtp_use_tls = yes -{% endif %} -# where to find CA certificates -smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt {% endif %} From c1fddb312dec74c1d471279819a5bdc297bc8ea0 Mon Sep 17 00:00:00 2001 From: ljf Date: Wed, 29 Apr 2020 01:11:25 +0200 Subject: [PATCH 04/10] [enh] Add settings description --- locales/en.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/locales/en.json b/locales/en.json index 25712e8cd..e81505efd 100644 --- a/locales/en.json +++ b/locales/en.json 
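Review bot: The redirection target and the postmap argument on the two `+` lines, `${postfix_dir}/sasl_passwd`, are unquoted, while the `ynh_render_template "main.cf" "${postfix_dir}/main.cf"` call in the first commit's hunk of this file quotes the same variable. `> "${postfix_dir}/sasl_passwd"` and `postmap "${postfix_dir}/sasl_passwd"` keep the file consistent and avoid word splitting should the pending path ever contain whitespace. do_pre_regen starts before and continues after this hunk.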
@@ -322,6 +322,10 @@ "global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discard it and save it in /etc/yunohost/settings-unknown.json", "global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration", "global_settings_setting_smtp_allow_ipv6": "Allow the use of IPv6 to receive and send mail", + "global_settings_setting_smtp_relay_host": "SMTP relay host to use in order to send mail instead of this yunohost instance. Useful if you are in one of this situation: your 25 port is blocked by your ISP or VPS provider, you have a residential IP listed on DUHL, you are not able to configure reverse DNS or this server is not directly exposed on the internet and you want use an other one to send mails.", + "global_settings_setting_smtp_relay_port": "SMTP relay port", + "global_settings_setting_smtp_relay_user": "SMTP relay user account", + "global_settings_setting_smtp_relay_password": "SMTP relay host password", "global_settings_unknown_type": "Unexpected situation, the setting {setting:s} appears to have the type {unknown_type:s} but it is not a type supported by the system.", "good_practices_about_admin_password": "You are now about to define a new administration password. The password should be at least 8 characters long—though it is good practice to use a longer password (i.e. a passphrase) and/or to use a variation of characters (uppercase, lowercase, digits and special characters).", "good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters long—though it is good practice to use a longer password (i.e. a passphrase) and/or to a variation of characters (uppercase, lowercase, digits and special characters).", From 94eb9246bbed517d003c410aa4253da8b1e8ce64 Mon Sep 17 00:00:00 2001 
From: ljf Date: Wed, 29 Apr 2020 03:12:52 +0200 Subject: [PATCH 05/10] [fix] Avoid sasl account reachable from other users --- data/hooks/conf_regen/19-postfix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix index 69790fd39..3a8117a61 100755 --- a/data/hooks/conf_regen/19-postfix +++ b/data/hooks/conf_regen/19-postfix @@ -31,8 +31,21 @@ do_pre_regen() { export relay_port="$(yunohost settings get 'smtp.relay.port')" export relay_user="$(yunohost settings get 'smtp.relay.user')" relay_password="$(yunohost settings get 'smtp.relay.password')" - echo "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > ${postfix_dir}/sasl_passwd + + # Avoid to display "Relay account paswword" to other users + touch ${postfix_dir}/sasl_passwd + chmod o=--- ${postfix_dir}/sasl_passwd + touch ${postfix_dir}/sasl_passwd.db + chmod o=--- ${postfix_dir}/sasl_passwd.db + # Avoid "postmap: warning: removing zero-length database file" + chown postfix ${pending_dir}/etc/postfix + chown postfix ${pending_dir}/etc/postfix/sasl_passwd + chown postfix ${pending_dir}/etc/postfix/sasl_passwd.db + + cat <<< "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > ${postfix_dir}/sasl_passwd postmap ${postfix_dir}/sasl_passwd + + fi export main_domain export domain_list="$YNH_DOMAINS" @@ -57,6 +70,8 @@ do_pre_regen() { do_post_regen() { regen_conf_files=$1 + chmod o=--- /etc/postfix/sasl_passwd + chmod o=--- /etc/postfix/sasl_passwd.db [[ -z "$regen_conf_files" ]] \ || { service postfix restart && service postsrsd restart; } From ff0a2192b9d29b072e00582dcf31062af3a0da70 Mon Sep 17 00:00:00 2001 From: ljf Date: Wed, 29 Apr 2020 03:13:30 +0200 Subject: [PATCH 06/10] [enh] Automatic regenconf after editing smtp settings --- src/yunohost/settings.py | 4 ++++ 1 file changed, 4 insertions(+) 
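Review bot: The `touch`/`chmod o=---` pair protects `sasl_passwd`, but the `sasl_passwd.db` that `postmap` writes is only covered by the separate `touch`/`chmod` of the `.db` name — which the [PATCH 07/10] hunk of this file removes again — and `chmod o=---` still leaves group read on both. Running the write under a restrictive umask covers both files regardless of how postmap creates the database: `( umask 077; cat <<< "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > "${postfix_dir}/sasl_passwd"; postmap "${postfix_dir}/sasl_passwd" )`. The hunk also names the same directory both as `${postfix_dir}` and as `${pending_dir}/etc/postfix`; presumably they are equal, but one spelling would make it obvious that the `chown` lines apply to the files just created, and the comment typo `paswword` should read `password`. The do_post_regen hunk below applies `chmod o=---` unconditionally to `/etc/postfix/sasl_passwd` and `.db`, which errors on hosts with no relay configured; see the note on the [PATCH 08/10] hunk.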
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index f40bb61af..3dea458f1 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -326,6 +326,10 @@ def reconfigure_ssh(setting_name, old_value, new_value): service_regen_conf(names=['ssh']) @post_change_hook("smtp.allow_ipv6") +@post_change_hook("smtp.relay.host") +@post_change_hook("smtp.relay.port") +@post_change_hook("smtp.relay.user") +@post_change_hook("smtp.relay.password") @post_change_hook("security.postfix.compatibility") def reconfigure_postfix(setting_name, old_value, new_value): if old_value != new_value: From d51b126df85e7a74884a5dc4ebd9a4d7f9ca8001 Mon Sep 17 00:00:00 2001 From: ljf Date: Wed, 29 Apr 2020 03:23:30 +0200 Subject: [PATCH 07/10] [fix] postmap: warning: removing zero-length database file --- data/hooks/conf_regen/19-postfix | 3 --- 1 file changed, 3 deletions(-) diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix index 3a8117a61..1a1b88a25 100755 --- a/data/hooks/conf_regen/19-postfix +++ b/data/hooks/conf_regen/19-postfix @@ -35,12 +35,9 @@ do_pre_regen() { # Avoid to display "Relay account paswword" to other users touch ${postfix_dir}/sasl_passwd chmod o=--- ${postfix_dir}/sasl_passwd - touch ${postfix_dir}/sasl_passwd.db - chmod o=--- ${postfix_dir}/sasl_passwd.db # Avoid "postmap: warning: removing zero-length database file" chown postfix ${pending_dir}/etc/postfix chown postfix ${pending_dir}/etc/postfix/sasl_passwd - chown postfix ${pending_dir}/etc/postfix/sasl_passwd.db cat <<< "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > ${postfix_dir}/sasl_passwd postmap ${postfix_dir}/sasl_passwd From a5ecf52c30955ab3c1f8092a1d2f1952eec10131 Mon Sep 17 00:00:00 2001 From: ljf Date: Wed, 29 Apr 2020 03:38:10 +0200 Subject: [PATCH 08/10] [fix] chown postfix to avoid warning --- data/hooks/conf_regen/19-postfix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix index 1a1b88a25..67ca22991 100755 --- a/data/hooks/conf_regen/19-postfix +++ b/data/hooks/conf_regen/19-postfix @@ -67,8 +67,8 @@ do_pre_regen() { do_post_regen() { regen_conf_files=$1 - chmod o=--- /etc/postfix/sasl_passwd - chmod o=--- /etc/postfix/sasl_passwd.db + chmod o=--- /etc/postfix/sasl_passwd* + chown postfix /etc/postfix/sasl_passwd* [[ -z "$regen_conf_files" ]] \ || { service postfix restart && service postsrsd restart; } From ce9689e0ef79182204314646bdeb7c52ac791903 Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Thu, 10 Sep 2020 03:27:13 +0200 Subject: [PATCH 09/10] [enh] Force encrypt if we are using an smtp relay Thanks to @khimaros for this suggestion --- data/templates/postfix/main.cf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf index b15964241..43151e672 100644 --- a/data/templates/postfix/main.cf +++ b/data/templates/postfix/main.cf @@ -52,8 +52,12 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_loglevel=1 # -- TLS for outgoing connections +{% if smtp_relayhost %} +smtp_tls_security_level = encrypt +{% else %} # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. -smtp_tls_security_level=may +smtp_tls_security_level = may +{% endif %} smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES smtp_tls_mandatory_ciphers= high From bc2de62c7bf97f4bde4e3be6e9eb0c8a2307a696 Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Thu, 10 Sep 2020 03:29:09 +0200 Subject: [PATCH 10/10] [fix] Typo in setting name --- data/templates/postfix/main.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf index 43151e672..4d27498c4 100644 --- a/data/templates/postfix/main.cf 
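Review bot: `chown postfix /etc/postfix/sasl_passwd*` hands the relay credentials to the unprivileged `postfix` account, which Postfix's own SASL_README advises against: it keeps sasl_passwd root-owned with mode 0600 because the SMTP client opens `smtp_sasl_password_maps` as root before dropping privileges and entering any chroot. `chmod o=---` likewise still allows group read, so `chmod 0600 /etc/postfix/sasl_passwd*` matches the documented setup. The glob stays literal when no relay is configured, so both commands print a "No such file" error on every regen of a relay-less host; guard them with `[ -e /etc/postfix/sasl_passwd ] && chmod 0600 /etc/postfix/sasl_passwd*` or an equivalent `if`. If the `chown` is only there to silence the postmap warning named in the subject, that presumably concerns the pending-tree copy rather than the live file. do_post_regen continues after this hunk.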
+++ b/data/templates/postfix/main.cf @@ -52,7 +52,7 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_loglevel=1 # -- TLS for outgoing connections -{% if smtp_relayhost %} +{% if relay_host != "" %} smtp_tls_security_level = encrypt {% else %} # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
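Review bot: `smtp_tls_security_level = encrypt` makes TLS mandatory but, per Postfix's TLS_README, performs no certificate verification, so an on-path party that terminates the TLS session still receives the SASL username and password taken from sasl_passwd. Because the relay name is fixed by `relayhost = [host]:port`, `smtp_tls_security_level = secure` (or `verify`) together with a trust store such as the `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` line that [PATCH 03/10] removed closes that gap; for a relay with a self-signed certificate the `fingerprint` level with a documented fingerprint is the alternative. A relay on port 465 additionally expects implicit TLS, which needs `smtp_tls_wrappermode = yes` beside this level — worth documenting or deriving from `relay_port`. The `{% if relay_host != "" %}` block that this hunk changes ends after the hunk.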