From d19fc96fdfc5cfd2dd0225d7437c8a61cb23ab9b Mon Sep 17 00:00:00 2001
From: kload
Date: Tue, 29 Sep 2015 15:58:28 -0400
Subject: [PATCH] [enh] Postfix regen conf script
---
 data/hooks/conf_regen/19-postfix | 56 ++++++++
 data/templates/postfix/main.cf-ipv4.j2 | 127 ------------------
 .../postfix/{main.cf.j2 => main.cf.sed} | 39 ++++--
 data/templates/postfix/smtp_reply_filter | 8 ++
 .../postgrey => postgrey/postgrey.default} | 0
 5 files changed, 93 insertions(+), 137 deletions(-)
 create mode 100644 data/hooks/conf_regen/19-postfix
 delete mode 100644 data/templates/postfix/main.cf-ipv4.j2
 rename data/templates/postfix/{main.cf.j2 => main.cf.sed} (72%)
 create mode 100644 data/templates/postfix/smtp_reply_filter
 rename data/templates/{postfix/postgrey => postgrey/postgrey.default} (100%)
diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix
new file mode 100644
index 000000000..38061ee63
--- /dev/null
+++ b/data/hooks/conf_regen/19-postfix
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+
+force=$1
+
+function safe_copy () {
+ if [[ "$force" == "True" ]]; then
+ sudo yunohost service safecopy \
+ -s postfix \
+ $1 $2 \
+ --force
+ else
+ sudo yunohost service safecopy \
+ -s postfix \
+ $1 $2
+ fi
+}
+
+cd /usr/share/yunohost/templates/postfix
+
+# Copy plain single configuration files
+files="header_check
+ldap-accounts.cf
+ldap-aliases.cf
+ldap-domains.cf
+master.cf
+sender_canonical
+smtp_reply_filter"
+
+for file in $files; do
+ safe_copy $file /etc/postfix/$file
+done
+
+main_domain=$(cat /etc/yunohost/current_host)
+
+# Replace main domain in the main configuration file
+cat main.cf.sed \
+ | sed "s/{{ main_domain }}/$main_domain/g" \
+ | sudo tee main.cf
+
+# And adapt it to IPv4-only hosts
+if [ ! -f /proc/net/if_inet6 ]; then
+ sudo sed -i \
+ 's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \
+ main.cf
+
+ sudo sed -i \
+ 's/inet_interfaces = all/inet_interfaces = all\ninet_protocols = ipv4/' \
+ main.cf
+fi
+
+if [[ $(safe_copy main.cf /etc/postfix/main.cf) == "True" ]]; then
+ sudo service postfix restart
+else
+ sudo service postfix reload
+fi
diff --git a/data/templates/postfix/main.cf-ipv4.j2 b/data/templates/postfix/main.cf-ipv4.j2
deleted file mode 100644
index f2cf04579..000000000
--- a/data/templates/postfix/main.cf-ipv4.j2
+++ /dev/null
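Review bot: The render step `cat main.cf.sed | sed ... | sudo tee main.cf` runs under `set -e` without `pipefail`, so the pipeline's status is `tee`'s: if `sed` fails (or `main.cf.sed` is missing) the script still proceeds and `safe_copy main.cf /etc/postfix/main.cf` installs whatever `tee` wrote, possibly an empty or truncated main.cf, after which Postfix is reloaded or restarted with it — what `safecopy` does with an empty source is not visible here. `$main_domain` is also spliced unescaped into the sed replacement, so a `/`, `&` or `\` in /etc/yunohost/current_host would break the expression or inject text, and `sudo tee` echoes the entire rendered config to stdout. I would change `set -e` to `set -eo pipefail`, render with `sed "s/{{ main_domain }}/$main_domain/g" main.cf.sed | sudo tee main.cf >/dev/null`, and add a comment such as `# main_domain comes from a root-owned file; it must not contain sed metacharacters`. Quoting `"$1" "$2"` in safe_copy and `"$file"` in the loop would also keep the script safe if a path ever contains whitespace.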
@@ -1,127 +0,0 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version - - -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no - -# appending .domain is the MUA's job. -append_dot_mydomain = no - -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h - -readme_directory = no - -# TLS parameters -smtpd_tls_cert_file=/etc/ssl/certs/yunohost_crt.pem -smtpd_tls_key_file=/etc/ssl/private/yunohost_key.pem -smtpd_tls_CAfile = /etc/ssl/certs/ca-yunohost_crt.pem -smtpd_use_tls=yes -smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache - -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. 
- -myhostname = {{ domain }} -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -mydomain = {{ domain }} -mydestination = localhost -relayhost = -mynetworks = 127.0.0.0/8 -mailbox_command = procmail -a "$EXTENSION" -mailbox_size_limit = 0 -recipient_delimiter = + -inet_interfaces = all -inet_protocols = ipv4 - -#### add yunohost #### -message_size_limit = 10240000 - -# Virtual Domains Control -virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf -virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf -virtual_mailbox_base = -virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf -virtual_alias_domains = -virtual_minimum_uid = 100 -virtual_uid_maps = static:vmail -virtual_gid_maps = static:mail - -# Dovecot LDA -virtual_transport = dovecot -dovecot_destination_recipient_limit = 1 - -# Enable SASL authentication for the smtpd daemon -smtpd_sasl_auth_enable = yes -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth -# Fix some outlook's bugs -broken_sasl_auth_clients = yes -# Reject anonymous connections -smtpd_sasl_security_options = noanonymous -smtpd_sasl_local_domain = - - -# Use AMaVis -content_filter = amavis:[127.0.0.1]:10024 - -# Wait until the RCPT TO command before evaluating restrictions -smtpd_delay_reject = yes - -# Basics Restrictions -smtpd_helo_required = yes -strict_rfc821_envelopes = yes - -# Requirements for the connecting server -smtpd_client_restrictions = - permit_mynetworks, - permit_sasl_authenticated, - reject_rbl_client bl.spamcop.net, - reject_rbl_client cbl.abuseat.org, - reject_rbl_client sbl-xbl.spamhaus.org, - permit - -# Requirements for the HELO statement -smtpd_helo_restrictions = - permit_mynetworks, - permit_sasl_authenticated, - reject_non_fqdn_hostname, - reject_invalid_hostname, - permit - -# Requirements for the sender address -smtpd_sender_restrictions = - permit_mynetworks, - permit_sasl_authenticated, - reject_non_fqdn_sender, - reject_unknown_sender_domain, - permit - -# Requirement for the 
recipient address -smtpd_recipient_restrictions = - permit_mynetworks, - permit_sasl_authenticated, - reject_non_fqdn_recipient, - reject_unknown_recipient_domain, - reject_unauth_destination, - check_policy_service unix:private/policy-spf - check_policy_service inet:127.0.0.1:10023 - permit - -# Use SPF -policy-spf_time_limit = 3600s - -# SRS -sender_canonical_maps = regexp:/etc/postfix/sender_canonical -sender_canonical_classes = envelope_sender - -# Ignore some headers -smtp_header_checks = regexp:/etc/postfix/header_checks diff --git a/data/templates/postfix/main.cf.j2 b/data/templates/postfix/main.cf.sed similarity index 72% rename from data/templates/postfix/main.cf.j2 rename to data/templates/postfix/main.cf.sed index 6c1052dc7..fd81ae64f 100644 --- a/data/templates/postfix/main.cf.j2 +++ b/data/templates/postfix/main.cf.sed @@ -6,7 +6,7 @@ # is /etc/mailname. #myorigin = /etc/mailname -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +smtpd_banner = $myhostname Service ready biff = no # appending .domain is the MUA's job. 
@@ -17,22 +17,39 @@ append_dot_mydomain = no readme_directory = no -# TLS parameters +# -- TLS for incoming connections +# By default, TLS is disabled in the Postfix SMTP server, so no difference to +# plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may". +smtpd_tls_security_level=may + +# Sending AUTH data over an unencrypted channel poses a security risk. +# When TLS layer encryption is optional ("smtpd_tls_security_level = may"), it +# may however still be useful to only offer AUTH when TLS is active. To maintain +# compatibility with non-TLS clients, the default is to accept AUTH without +# encryption. In order to change this behavior, we set "smtpd_tls_auth_only = yes". +smtpd_tls_auth_only=yes smtpd_tls_cert_file=/etc/ssl/certs/yunohost_crt.pem smtpd_tls_key_file=/etc/ssl/private/yunohost_key.pem smtpd_tls_CAfile = /etc/ssl/certs/ca-yunohost_crt.pem -smtpd_use_tls=yes -smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH +smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_loglevel=1 +smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtpd_tls_mandatory_ciphers=high + +# -- TLS for outgoing connections +# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. +smtp_tls_security_level=may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_loglevel=1 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. -myhostname = {{ domain }} +myhostname = {{ main_domain }} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases -mydomain = {{ domain }} +mydomain = {{ main_domain }} mydestination = localhost relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
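Review bot: `smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3` and `smtpd_tls_mandatory_ciphers=high` have no effect with the `smtpd_tls_security_level=may` set a few lines above: per the Postfix documentation the `*_mandatory_*` parameters govern only mandatory TLS (`encrypt` and stronger), while opportunistic TLS is governed by `smtpd_tls_protocols` and `smtpd_tls_ciphers`, so SSLv3 is presumably still negotiable on inbound connections after this change. The same applies to the outbound side, where `smtp_tls_security_level=may` is set without any protocol restriction. I would add `smtpd_tls_protocols = !SSLv2,!SSLv3` and `smtp_tls_protocols = !SSLv2,!SSLv3` next to the existing lines (keeping the mandatory ones is harmless), and leave the opportunistic cipher grade at its default rather than forcing `high`, since a cipher mismatch at level `may` falls back to cleartext instead of failing. A comment like `# *_mandatory_* only applies at security level encrypt; opportunistic TLS uses smtpd_tls_protocols/smtp_tls_protocols` would keep the next maintainer from repeating the mistake.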
@@ -41,8 +58,8 @@ mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all -#### add yunohost #### -message_size_limit = 10240000 +#### Fit to the maximum message size allowed by GMail or Yahoo #### +message_size_limit = 26214400 # Virtual Domains Control virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf @@ -85,7 +102,7 @@ smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, - reject_rbl_client sbl-xbl.spamhaus.org, + reject_rbl_client zen.spamhaus.org, permit # Requirements for the HELO statement @@ -115,7 +132,7 @@ smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023 permit -#Use SPF +# Use SPF policy-spf_time_limit = 3600s # SRS @@ -124,3 +141,5 @@ sender_canonical_classes = envelope_sender # Ignore some headers smtp_header_checks = regexp:/etc/postfix/header_checks + +smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter diff --git a/data/templates/postfix/smtp_reply_filter b/data/templates/postfix/smtp_reply_filter new file mode 100644 index 000000000..5f15648f1 --- /dev/null +++ b/data/templates/postfix/smtp_reply_filter @@ -0,0 +1,8 @@ +# Google Mail bounces email sent via IPv6, while this works ok with IPv4. +# +# Convert Google Mail IPv6 complaint permanent error into a temporary error. +# Turn 550 error containing gsmtp in the message into 450 error. +# This way Postfix will attempt to deliver this e-mail using another MX +# (via IPv4). +# +/^5(\d\d )5(.*information. \S+ - gsmtp.*)/ 4${1}4$2 diff --git a/data/templates/postfix/postgrey b/data/templates/postgrey/postgrey.default similarity index 100% rename from data/templates/postfix/postgrey rename to data/templates/postgrey/postgrey.default
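Review bot: The pattern `/^5(\d\d )5(.*information. \S+ - gsmtp.*)/ 4${1}4$2` rewrites every 5xx reply from Google whose text ends in "information. <id> - gsmtp", not only the IPv6 rejection the comment describes; nothing in the regex mentions IPv6, so any other permanent rejection phrased that way (if Google uses the same trailer for, say, unknown recipients — to be confirmed against a captured bounce) is turned into a 4xx and the message stays in the queue, retrying against Google until it expires instead of bouncing promptly to the sender. Since `smtp_reply_filter` is applied to replies from every remote server, `- gsmtp` is the only thing anchoring this to Google. I would narrow the pattern to the IPv6-specific wording of the actual reply once it has been captured, and add a comment such as `# Deliberately broad; rewritten 5xx replies are retried until maximal_queue_lifetime expires` if the broad match is kept on purpose.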