Restrictions on postfix Adding rate limiting and proper security to the postfix images by default.
Re-fixing encryption So while I will continue to prefer port 465, in order to support public-facing port 587, it really is best to enable wrapper mode only for the appropriate service. In which case, it should be enabled in `master.cf` NOT `main.cf`. Also, to better set relay restrictions, I'm fixing `mydestinations` and adding `relay_domains`.
Fix encryption setup Configuration was a bit confused on account of running both SMTPD and Submission ports. I am going to prefer port 465 with implicit TLS, and to correctly support that mode I am setting wrapper mode on.
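The two encryption commits above turn on one distinction: `smtpd_tls_wrappermode` set in `main.cf` reaches every `smtpd` service, while a `-o` override in `master.cf` reaches only the service it is attached to. The following check is an added example, not code from this repository. It parses both files and reports where wrapper mode and the listening port disagree. The sample configs, the service layout and the function names are constructed assumptions, and only the plain `-o name=value` override form is handled.

```python
import shlex

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_services(master_cf):
    """Map service name -> its `-o name=value` overrides, for smtpd entries only."""
    services = {}
    for f in map(shlex.split, logical_lines(master_cf)):
        if len(f) >= 8 and f[7] == "smtpd":  # 8th master.cf field is the command
            opts = [f[i + 1] for i in range(8, len(f) - 1) if f[i] == "-o"]
            services[f[0]] = dict(o.split("=", 1) for o in opts if "=" in o)
    return services

def audit(main_cf, master_cf, implicit_tls=("465", "smtps", "submissions")):
    """Return findings where wrapper mode and the service's port disagree."""
    params = dict(map(str.strip, l.split("=", 1))
                  for l in logical_lines(main_cf) if "=" in l)
    glob = params.get("smtpd_tls_wrappermode", "no")
    findings = []
    if glob == "yes":
        findings.append("main.cf: smtpd_tls_wrappermode=yes reaches every smtpd service")
    for name, opts in smtpd_services(master_cf).items():
        wrapped = opts.get("smtpd_tls_wrappermode", glob) == "yes"
        implicit = name.rsplit(":", 1)[-1] in implicit_tls  # also handles host:port
        if wrapped and not implicit:
            findings.append(f"{name}: wrapper mode on a plaintext/STARTTLS port")
        elif implicit and not wrapped:
            findings.append(f"{name}: implicit-TLS port without wrapper mode")
    return findings

# Constructed sample configs (service layout is an assumption, not the repo's files).
MASTER_BASE = ("smtp inet n - n - - smtpd\nsubmission inet n - n - - smtpd\n"
               "  -o smtpd_tls_security_level=encrypt\n465 inet n - n - - smtpd\n")
BEFORE = ("smtpd_tls_wrappermode = yes\n", MASTER_BASE)        # set globally
AFTER = ("smtpd_tls_security_level = may\n",
         MASTER_BASE + "  -o smtpd_tls_wrappermode=yes\n")     # 465 only

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(*cfg))
```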
Adding recipient_canonical maps to Postfix
Continuation of Postfix redesign It took frustratingly long to realize that the widely publicized home for SASL (database in `/etc/sasldb2`, configurations in `/etc/postfix/sasl`) is at least completely wrong for Alpine Linux, and probably completely wrong for most distributions. (Everything is in `/etc/sasl2`, in case you're wondering.) Logging to stderr is added. One guess as to why I needed to add this. I've also learned that while bracketing a hostname (i.e. `smtp:[mail.realy.com]:25`) halts MX record lookups, it does *not* halt A record lookups. To ensure accurate delivery of mail, Postfix would much prefer to use public DNS over local name resolution. Luckily I agree with this design; the opposite behavior only makes sense if a server isn't delivering to the open internet at all. Precisely the intended use of the `:tls-in` image. So, that image will no longer do DNS.
Postfix redesign Now there are three image tags for `postfix`. `:latest` uses encryption and authentication for inbound and outbound mail. It listens on ports 25 and 465. Because it authenticates, I dropped the requirement for senders to have a LAN IP. `:tls-in` drops outbound encryption and authentication. This is generally going to be useful for receiving mail and handing it to a local service. `:tls-out` drops inbound encryption and authentication and listening on port 465. This is useful for relaying mail off of a trusted host.