~dricottone/container-images

e75d58be86199cedfca46c093b45f8463052a9a4 — Dominic Ricottone 1 year, 4 months ago 5e6531c
Re-fixing encryption

So while I will continue to prefer port 465, in order to support
public-facing port 587, it really is best to enable wrapper mode only
for the appropriate service. In which case, it should be enabled in
`master.cf` NOT `main.cf`.

Also, to better set relay restrictions, I'm fixing `mydestination` and
adding `relay_domains`.
4 files changed, 12 insertions(+), 11 deletions(-)

M postfix/main.cf
M postfix/main.cf.tls-in
M postfix/main.cf.tls-out
M postfix/master.cf
M postfix/main.cf => postfix/main.cf +4 -4
@@ 10,8 10,9 @@ inet_interfaces = all
# Values for default settings
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
myorigin = $mydomain
relay_domains = $myhostname, $mydomain

# Advertise host name after SMTP 200
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)


@@ 31,15 32,14 @@ cyrus_sasl_config_path = /etc/sasl2/
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_service = smtpd
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_wrappermode=yes

# Encryption
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
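Review bot: In the first hunk, `relay_domains = $myhostname, $mydomain` (the line the commit message says is added) repeats two domains already listed in `mydestination`. Postfix expects a domain to belong to one address class only and logs a warning when it is listed in both. By default `relay_domains` also matches subdomains, so `reject_unauth_destination` would accept mail for any host under `$mydomain`, not only the names delivered locally. If nothing is forwarded to another host, an empty `relay_domains =` keeps the check tight; otherwise list only the domains that are actually relayed. The same line appears in the main.cf.tls-in and main.cf.tls-out sections.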

M postfix/main.cf.tls-in => postfix/main.cf.tls-in +4 -4
@@ 10,8 10,9 @@ inet_interfaces = all
# Values for default settings
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
myorigin = $mydomain
relay_domains = $myhostname, $mydomain

# Advertise host name after SMTP 200
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)


@@ 29,15 30,14 @@ maillog_file = /dev/stdout

# Authentication
cyrus_sasl_config_path = /etc/sasl2/
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_service = smtpd
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_wrappermode=yes

# Encryption
smtpd_tls_chain_files = /var/letsencrypt/chain.pem

M postfix/main.cf.tls-out => postfix/main.cf.tls-out +2 -1
@@ 10,8 10,9 @@ mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
# Values for default settings
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
myorigin = $mydomain
relay_domains = $myhostname, $mydomain

# Advertise host name after SMTP 200
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

M postfix/master.cf => postfix/master.cf +2 -2
@@ 24,11 24,11 @@ smtp      inet  n       -       n       -       -       smtpd
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit
#  -o smtpd_relay_restrictions=permit
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
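Review bot: Under `smtps`, wrapper mode is switched on but nothing grants relay to authenticated clients. This assumes the page prints the old line before the new one, so that `-o smtpd_relay_restrictions=permit` is now commented out and only `reject_unauth_destination` from main.cf applies. If port 465 is meant to accept outbound mail from logged-in users, add `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` under `smtps`; that scopes relay to authenticated sessions without bringing back the unconditional `permit`. Uncommenting `-o smtpd_sasl_auth_enable=yes` there, and turning it off globally, would also stop the port 25 listener from offering AUTH. The service entry that the first changed option belongs to starts above this hunk, so which listener lost the override cannot be confirmed from here.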