From e75d58be86199cedfca46c093b45f8463052a9a4 Mon Sep 17 00:00:00 2001 From: Dominic Ricottone Date: Thu, 29 Jun 2023 16:54:43 -0500 Subject: [PATCH] Re-fixing encryption So while I will continue to prefer port 465, in order to support public-facing port 587, it really is best to enable wrapper mode only for the appropriate service. In which case, it should be enabled in `master.cf` NOT `main.cf`. Also, to better set relay restrictions, I'm fixing `mydestinations` and adding `relay_domains`. --- postfix/main.cf | 8 ++++---- postfix/main.cf.tls-in | 8 ++++---- postfix/main.cf.tls-out | 3 ++- postfix/master.cf | 4 ++-- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/postfix/main.cf b/postfix/main.cf index 4b2cf0e..91a0dd6 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -10,8 +10,9 @@ inet_interfaces = all # Values for default settings mydomain = example.com myhostname = mail.example.com -mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain +mydestination = $myhostname, $mydomain, localhost, localhost.localdomain myorigin = $mydomain +relay_domains = $myhostname, $mydomain # Advertise host name after SMTP 200 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) @@ -31,15 +32,14 @@ cyrus_sasl_config_path = /etc/sasl2/ smtp_sasl_auth_enable = yes smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd smtp_sasl_security_options = noanonymous +smtpd_relay_restrictions = reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_path = smtpd -#smtpd_sasl_security_options = noanonymous, noplaintext -smtpd_sasl_security_options = noanonymous +smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_service = smtpd smtpd_sasl_tls_security_options = noanonymous smtpd_tls_auth_only = yes -smtpd_tls_wrappermode=yes # Encryption smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt 
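Review bot: `relay_domains = $myhostname, $mydomain` in the first hunk names exactly the two domains that the new `mydestination` line just above it already lists, so it does not make any additional destination relayable; Postfix resolves a recipient domain to the first address class that matches (local before relay), and the address-class documentation asks that a domain be listed in only one class. If the goal is to stop relaying for anything that is not local, the explicit form is an empty `relay_domains =` (which is also the Postfix 3.x default); if this host is meant to be a secondary MX for other domains, those domains are what belong here. The same pair of lines is repeated in main.cf.tls-in and main.cf.tls-out, so whatever is decided should be applied to all three profiles.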
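Review bot: `smtpd_relay_restrictions = reject_unauth_destination` in the second hunk has no `permit_sasl_authenticated` in front of it, so an authenticated client submitting mail to any domain outside `mydestination`/`relay_domains` will be refused with "Relay access denied" — the opposite of the public-facing submission the commit message is trying to support, and stricter than the stock default (`permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`) this line overrides. Unless a submission service in master.cf sets its own `-o smtpd_relay_restrictions=…` (not visible in this diff), this should read `smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination`, adding `permit_mynetworks` only if `mynetworks` is deliberately limited to trusted hosts. The `noplaintext` addition is fine as defense in depth, but note that with `smtpd_tls_auth_only = yes` it is the unchanged `smtpd_sasl_tls_security_options = noanonymous` that governs the AUTH mechanisms actually offered (over TLS), so PLAIN/LOGIN remain usable there, which appears to be the intent.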
diff --git a/postfix/main.cf.tls-in b/postfix/main.cf.tls-in index e290f7c..2042e9e 100644 --- a/postfix/main.cf.tls-in +++ b/postfix/main.cf.tls-in @@ -10,8 +10,9 @@ inet_interfaces = all # Values for default settings mydomain = example.com myhostname = mail.example.com -mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain +mydestination = $myhostname, $mydomain, localhost, localhost.localdomain myorigin = $mydomain +relay_domains = $myhostname, $mydomain # Advertise host name after SMTP 200 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) @@ -29,15 +30,14 @@ maillog_file = /dev/stdout # Authentication cyrus_sasl_config_path = /etc/sasl2/ +smtpd_relay_restrictions = reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_path = smtpd -#smtpd_sasl_security_options = noanonymous, noplaintext -smtpd_sasl_security_options = noanonymous +smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_service = smtpd smtpd_sasl_tls_security_options = noanonymous smtpd_tls_auth_only = yes -smtpd_tls_wrappermode=yes # Encryption smtpd_tls_chain_files = /var/letsencrypt/chain.pem diff --git a/postfix/main.cf.tls-out b/postfix/main.cf.tls-out index cfa8f03..6d8539c 100644 --- a/postfix/main.cf.tls-out +++ b/postfix/main.cf.tls-out @@ -10,8 +10,9 @@ mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 # Values for default settings mydomain = example.com myhostname = mail.example.com -mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain +mydestination = $myhostname, $mydomain, localhost, localhost.localdomain myorigin = $mydomain +relay_domains = $myhostname, $mydomain # Advertise host name after SMTP 200 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) diff --git a/postfix/master.cf b/postfix/master.cf index 5137f04..e3f13a4 100644 --- a/postfix/master.cf +++ b/postfix/master.cf 
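Review bot: In the main.cf.tls-in hunk, `smtpd_relay_restrictions = reject_unauth_destination` replaces the default `permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination` without keeping `permit_sasl_authenticated`, so clients that authenticate on this profile cannot relay to external domains at all. Since this profile still enables SASL (`smtpd_sasl_auth_enable = yes`, `smtpd_tls_auth_only = yes`), the line should be `smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination`; leave `permit_mynetworks` out unless `mynetworks` in this profile (not visible in the hunk) is known to be trusted. If this profile is intended to be inbound-only with no submission, then `smtpd_sasl_auth_enable = yes` is the setting to drop instead, so the restriction and the AUTH offer agree.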
@@ -24,11 +24,11 @@ smtp inet n - n - - smtpd
 # -o smtpd_helo_restrictions=$mua_helo_restrictions
 # -o smtpd_sender_restrictions=$mua_sender_restrictions
 # -o smtpd_recipient_restrictions=
- -o smtpd_relay_restrictions=permit
+# -o smtpd_relay_restrictions=permit
 # -o milter_macro_daemon_name=ORIGINATING
 smtps inet n - n - - smtpd
 # -o syslog_name=postfix/smtps
-# -o smtpd_tls_wrappermode=yes
+ -o smtpd_tls_wrappermode=yes
 # -o smtpd_sasl_auth_enable=yes
 # -o smtpd_reject_unlisted_recipient=no
 # -o smtpd_client_restrictions=$mua_client_restrictions
-- 
2.45.2
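Review bot: Commenting out `-o smtpd_relay_restrictions=permit` is the right call (an active `permit` on a listener would make it an open relay), but that service now inherits main.cf's `smtpd_relay_restrictions`, which this same commit sets to `reject_unauth_destination` with no `permit_sasl_authenticated`; if this is the `submission` stanza (its service line sits above the hunk, and the `$mua_*` parameter names suggest the stock one), authenticated MUAs will be denied relaying. Replace the commented line with ` -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination` so the submission port is self-describing regardless of what main.cf says. For `smtps`, ` -o smtpd_tls_wrappermode=yes` is the correct place for wrapper mode; the still-commented `-o smtpd_sasl_auth_enable=yes` is harmless only because main.cf enables SASL globally, so consider uncommenting it here too to keep the service correct if that global ever changes.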