From c71159b036d96ae09c2c5caa3c703c193cff7e3d Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev"
Date: Mon, 20 Sep 2021 16:42:41 +0400
Subject: [PATCH] I think that Postfix part is done. But, there'll be any future fixes I'm sure. Now, it's time for Dovecot.
---
 .../articles/setting_up_a_mail_server.pug | 37 +++++++++----------
 1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/homepage/views/articles/setting_up_a_mail_server.pug b/homepage/views/articles/setting_up_a_mail_server.pug
index 0ff4917..0b33be2 100644
--- a/homepage/views/articles/setting_up_a_mail_server.pug
+++ b/homepage/views/articles/setting_up_a_mail_server.pug
@@ -166,17 +166,12 @@ block article
 p #[code smtpd_tls_received_header] makes Postfix include information about the protocol and cypher used to a Received: header.
 p #[code smtpd_tls_session_cache_timeout] is for how long to store session. #[code tls_random_source] is for setting an entropy source.
 p The final part is my "favorite". :) The restrictions! There is a set of them for each stage the message falls through. Here's the ones I configured:#[code smtpd_helo_restrictions], #[code smtpd_relay_restrictions], #[code smtpd_data_restrictions], #[code smtpd_sender_restrictions], and #[code smtpd_recipient_restrictions].
- p So lets roll.
+ p So lets roll. This my working restrictions setup:
 pre
 | smtpd_helo_restrictions =
 | reject_unknown_helo_hostname,
 | reject_invalid_helo_hostname,
 | reject_non_fqdn_helo_hostname
- pre
- | smtpd_relay_restrictions =
- | permit_mynetworks,
- | permit_sasl_authenticated,
- | reject_unauth_destination
 pre
 | smtpd_data_restrictions =
 | reject_multi_recipient_bounce,
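Review bot: The removed `pre` block for `smtpd_relay_restrictions` (`permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`) leaves the context paragraph above still listing `smtpd_relay_restrictions` among the configured sets, and the explanatory paragraphs added later in this patch never mention it. Of the five sets this is the one that decides whether the server relays for strangers: `reject_unauth_destination` is what turns away relay attempts from unauthenticated clients outside `mynetworks`. As far as I recall, Postfix applies an equivalent built-in default when the parameter is absent, so the server is not left open, but a reader following the article gets no explanation of why the set can be omitted. Either restore the block or add a sentence such as `p #[code smtpd_relay_restrictions] is left at its default, which is what stops the server from relaying for unauthenticated clients.` The added line `This my working restrictions setup:` is also missing "is".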
@@ -190,28 +185,32 @@ block article
 | smtpd_recipient_restrictions =
 | reject_unknown_recipient_domain,
 | reject_non_fqdn_recipient
+ p In order to explain what every restriction does I'd have to copy-paste from #[code man 5 postconf]. :)
+ p The first set of restrictions are for HELO or EHLO command, that we force the client to send with priorly set option #[code smtpd_helo_required] to yes. Here #[code reject_unknown_helo_hostname] rejects hostnames that doesn't have DNS A or MX records. #[code reject_invalid_helo_hostname] rejects malformed hostnames, and #[code reject_non_fqdn_helo_hostname] ensures that the hostname is a fully-qualified domain name.
+ p The second one are for DATA command. And here man page is better than me at explaining it. Here is the link for #[a(href='http://www.postfix.org/postconf.5.html#reject_multi_recipient_bounce') reject_multi_recipient_bounce] and #[a(href='http://www.postfix.org/postconf.5.html#reject_unauth_pipelining') reject_unauth_pipelining]. All I can say is that it is better to have them than not to. :)
+ p The rest is simpler, #[code permit_sasl_authenticated] in #[code smtpd_sender_restrictions] accepts the senders that were authenticated by SALS (e.g. Dovecot or Cyrus). And all the #[code reject_unknown_*] and #[code reject_non_fqdn_*] has the same meaning as for theirs *_helo_* counterparts, just used in theirs specific places.
 h4#art-3-2 #[a(href='#art-3-2') 3.2. master.cf]
 p The following services are needed: #[code smtp], #[code submission], #[code smtps], and we add #[code spamassassin] service. The rest in this file left untouchable.
 pre
 | smtp inet n - n - - smtpd
- | -o content_filter=spamassassin
+ | -o content_filter=spamassassin
 | submission inet n - n - - smtpd
- | -o syslog_name=postfix/submission
- | -o smtpd_tls_security_level=encrypt
- | -o smtpd_sasl_auth_enable=yes
- | -o smtpd_tls_auth_only=yes
- | -o milter_macro_daemon_name=ORIGINATING
- | -o content_filter=spamassassin
+ | -o syslog_name=postfix/submission
+ | -o smtpd_tls_security_level=encrypt
+ | -o smtpd_sasl_auth_enable=yes
+ | -o smtpd_tls_auth_only=yes
+ | -o milter_macro_daemon_name=ORIGINATING
+ | -o content_filter=spamassassin
 | smtps inet n - n - - smtpd
- | -o content_filter=spamassassin
- | -o syslog_name=postfix/smtps
- | -o smtpd_tls_wrappermode=yes
- | -o smtpd_sasl_auth_enable=yes
+ | -o content_filter=spamassassin
+ | -o syslog_name=postfix/smtps
+ | -o smtpd_tls_wrappermode=yes
+ | -o smtpd_sasl_auth_enable=yes
 |
 | spamassassin unix - n n - - pipe
 | user=spamd argv=/bin/vendor_perl/spamc
- | -e /sbin/sendmail -oi -f ${sender} ${recipient}
+ | -e /sbin/sendmail -oi -f ${sender} ${recipient}
 p #[code smtp] is listening on port 25, and #[code smtps] on port 465. #[code submission] is listening on port 587 and is used by mail client to send mail.
 h4#art-3-3 #[a(href='#art-3-3') 3.3. User aliases]
@@ -321,7 +320,7 @@ block article
 | TrustedAuthservIDs mail.example.org,example.org
 | UMask 002
 p What's in a #[code Socket] option should be added to Postfix's #[code smtpd_milters] and #[code non_smtpd_milters].
- p Creating DMARC DNS record covered in 7.4.
+ p Creating DMARC DNS record covered in 8.4.
 h3#art-8 #[a(href='#art-8') 8. DNS records]
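Review bot: In the master.cf listing the `smtps` service enables SASL (`smtpd_sasl_auth_enable=yes`) but, unlike `submission`, carries no `-o milter_macro_daemon_name=ORIGINATING`, so a milter that uses that macro to tell locally submitted mail from inbound mail (the article later wires milters in through `smtpd_milters`) may handle mail submitted on port 465 as if it arrived from outside. Adding `| -o milter_macro_daemon_name=ORIGINATING` under `smtps` brings the two submission paths into line; `smtpd_tls_auth_only=yes` is not needed there because wrapper mode already makes the whole session TLS. In the added prose, "SALS" should read "SASL", and the HELO paragraph would be more precise as `rejects a HELO hostname that has neither a DNS A nor an MX record`, matching the `man 5 postconf` wording the text points to. The pug `block article` that encloses these lines begins before the hunk.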