authorSteffen Nurpmeso <steffen@sdaoden.eu>2021-02-12 23:49:29 +0100
committerSteffen Nurpmeso <steffen@sdaoden.eu>2021-02-12 23:49:29 +0100
commite4d33d49888cf7746f6cbc55b4b143f0464aa34d (patch)
treee356e8fde09393f8defa561278e074d06ed80d3e /postfix-lmdb
parent7cd219d2ad2af680498f9f5c2b95fd83438e6cc4 (diff)
postfix-lmdb: no tlsproxy warning in certain combis, add .signature
Diffstat (limited to 'postfix-lmdb')
-rw-r--r--postfix-lmdb/.md5sum11
-rw-r--r--postfix-lmdb/.signature15
-rw-r--r--postfix-lmdb/Pkgfile2
-rw-r--r--postfix-lmdb/README15
-rw-r--r--postfix-lmdb/main-addon.cf55
-rw-r--r--postfix-lmdb/master.patch8
-rw-r--r--postfix-lmdb/post-install2
7 files changed, 67 insertions, 41 deletions
diff --git a/postfix-lmdb/.md5sum b/postfix-lmdb/.md5sum
deleted file mode 100644
index 27ced0acf..000000000
--- a/postfix-lmdb/.md5sum
+++ /dev/null
@@ -1,11 +0,0 @@
-24bfa6cc02af20ff1306dbdc9e9ccd72 README
-991eec1333efecf3e5c5785a35f63f93 aliases
-356deb2ed0a246dc67417d501384b29d lmdb-default.patch
-6b5b42413a938f5e1c036a29919fc6ba main-addon.cf
-349f82d9bce5df2e820edde59f0df385 master.patch
-3a0783dfe97cd85620ec63dc3155c138 post-install
-a4d1b2df03a500cf8f9759d5fca1c1f6 postfix-3.5.9.tar.gz
-3c58426d21611dd4eb1f93e924b349a1 postfix-install.patch
-74ca32d588624b357889e6d783c3aa11 postfix.rc
-9e5990ceca5cd7969fe1297e02fd966d relay_clientcerts
-e701ec7f1075d63c1b0cf930cce8ff9e sender_restrict
diff --git a/postfix-lmdb/.signature b/postfix-lmdb/.signature
new file mode 100644
index 000000000..8652c4ff8
--- /dev/null
+++ b/postfix-lmdb/.signature
@@ -0,0 +1,15 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF38+KOnQGbaIUW82eL0DQkmLgUylfs2r0PpUUobpR1ZKWLOsiFrHPjt4Jrk1k77Usuo4gEUCqS1eIHPUBWUBiwg8=
+SHA256 (Pkgfile) = de4e93a4dc2a52d14573b98ff4e0235952784cc289ef969ea44c3399cb597875
+SHA256 (.footprint) = c4bef46624508b9105e8c5816c322560a560c09e9c5507509eb95c886d52a387
+SHA256 (postfix-3.5.9.tar.gz) = 51ced5a3165a415beba812b6c9ead0496b7172ac6c3beb654d2ccd9a1b00762b
+SHA256 (lmdb-default.patch) = 11f42333ae0640a3ca579463ed28007973693b93bc734b5d82225fcb516bf05e
+SHA256 (postfix-install.patch) = 7185d2b2e4d7cc090b958c1d372c16e15f274465e2123686a0d97db20e2b5943
+SHA256 (post-install) = b459d6e4c56384c24d5f3473964ed6442b2c501406745d1fd46c6b453e393138
+SHA256 (postfix.rc) = 5ac60205a95faf4633c64bc60d2689f654b997932e3bbc1204b66df7b5dce1d2
+SHA256 (aliases) = 60ae98d869800055b248c32c183a1836cc5a698cf337cb7ad734e862ae80e95a
+SHA256 (README) = f6422a14ad8e7aeacb966db68bd2e27fa17dfac9cb8d406f61dae38d45629d8e
+SHA256 (relay_clientcerts) = 98e7e663f4d9b9a648c4b9198cce3faf9aef82fc81600d2268bf09b84ee39890
+SHA256 (sender_restrict) = b83ab2c27d6966876c6cfa7f12d5c3d3065fb11507a69199ce8d30a757217e4c
+SHA256 (main-addon.cf) = 82282c81995c15084efb20c52f62a4844cce3fe12fa09ad5b26d39c13d127ff8
+SHA256 (master.patch) = a4f576de6d511201f6329f6904246acfc21707bd69391fca5a14d9b44de74f1a
diff --git a/postfix-lmdb/Pkgfile b/postfix-lmdb/Pkgfile
index d34df6eb1..1e58adadb 100644
--- a/postfix-lmdb/Pkgfile
+++ b/postfix-lmdb/Pkgfile
@@ -6,7 +6,7 @@
rname=postfix
name=postfix-lmdb
version=3.5.9
-release=1
+release=2
source=(
https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz
lmdb-default.patch postfix-install.patch post-install
diff --git a/postfix-lmdb/README b/postfix-lmdb/README
index 5557cb244..4e791d41b 100644
--- a/postfix-lmdb/README
+++ b/postfix-lmdb/README
@@ -22,7 +22,7 @@ TLS
---
tlsproxy(8) for connection tracking is running by default.
-To be identifieable generate a private key with certificate, either via
+To be identifiable generate a private key with certificate, either via
openssl genpkey -algorithm ed25519 -out prv.pem
#openssl pkey -in prv.pem -pubout -out pub.pem
@@ -32,7 +32,8 @@ or
openssl req -x509 -nodes -newkey ed25519 -keyout prv.pem -out crt.pem
-Also create DH parameters
+This is self-signed (which might be sufficient for client certificate
+identification as below). Also create DH parameters
openssl dhparam -out dh2048.pem 2048
@@ -51,17 +52,19 @@ SmartHost
For laptops or hosts without their own hostname using a smart host which
does the real delivery is usually the thing.
+
Edit main.cf and uncomment and edit lines marked #SMART.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).
Authentication to the smart host is not covered by the default
configuration, with TLS as above however it may be possible to go
via client certificates shall the relayhost allow this, see below.
-I.e., just reuse key_and_cert.pem "also" for this.
+I.e., just reuse key_and_cert.pem "also" for this. Just uncomment the
+according lines.
-Note it seems wise to go the $smtp_tls_fingerprint_cert_match approach to
-verify $relayhost, because the $smtp_tls_CAfile way requires a full chain, to
-the best of my knowledge.
+Note it seems wise to go the $smtp_tls_fingerprint_cert_match approach
+to verify $relayhost, because the $smtp_tls_CAfile way requires a full
+chain, to the best of my knowledge.
You need to have cyrus-sasl installed otherwise (usually), and also
dovecot that drive the SASL authentication. The default configuration
diff --git a/postfix-lmdb/main-addon.cf b/postfix-lmdb/main-addon.cf
index 92565861b..729916ac3 100644
--- a/postfix-lmdb/main-addon.cf
+++ b/postfix-lmdb/main-addon.cf
@@ -28,8 +28,6 @@ disable_vrfy_command = yes
default_verp_delimiters = -=
verp_delimiter_filter = -=
recipient_delimiter = +
-# Only localhost for mailing-lists etc.; maybe $mynetworks?
-smtpd_authorized_verp_clients = 127.0.0.1
default_process_limit = 8
anvil_rate_time_unit = 60s
@@ -41,6 +39,11 @@ bounce_size_limit = 50000
mailbox_size_limit = 100000000
message_size_limit = 442000
+## TLSPROXY(8) (where diverging from daemon / client)
+tls_append_default_CA = no
+
+## POSTFIX DAEMON
+
# Calculate:
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
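Review bot: `tls_append_default_CA = no` is placed under the new `## TLSPROXY(8) (where diverging from daemon / client)` heading, but as I read postconf(5) it is a global parameter that decides whether the system CA bundle is appended to every `*_tls_CAfile`/`*_tls_CApath`, so it governs smtpd(8) and smtp(8) CA trust just as much as tlsproxy(8). Keeping it at `no` is the right call, since it is what prevents third-party CA roots from being trusted for `permit_tls_all_clientcerts`-style relay decisions, but the heading suggests it only matters for tlsproxy. A one-line comment above it would avoid that misreading: `# Global (not tlsproxy-only): also limits which CAs smtpd(8)/smtp(8) trust`.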
@@ -54,11 +57,15 @@ message_size_limit = 442000
transport_maps =
relay_domains = $mynetworks,$transport_maps
+# Only localhost for mailing-lists etc.; maybe $mynetworks?
+smtpd_authorized_verp_clients = 127.0.0.1
+
# Clients which are allowed to invoke commands
smtpd_client_restrictions =
-# permit_tls_clientcerts,
-# permit_sasl_authenticated,
+# permit_inet_interfaces, OR
permit_mynetworks,
+#RELAY permit_tls_clientcerts,
+# permit_sasl_authenticated,
# in case you want reject DNS blacklists rather than greylist them
# with gross, exchange sleep (maybe) and uncomment the lines below
sleep 1,
@@ -77,9 +84,10 @@ smtpd_data_restrictions =
permit
smtpd_helo_restrictions =
+# permit_inet_interfaces, OR
+ permit_mynetworks,
#RELAY permit_tls_clientcerts,
# permit_sasl_authenticated,
- permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
@@ -87,9 +95,10 @@ smtpd_helo_restrictions =
# RCPT TO checks, spam blocking policy
# Match fast for $mynetworks and authenticated clients.
smtpd_recipient_restrictions =
+# permit_inet_interfaces, OR
+ permit_mynetworks,
#RELAY permit_tls_clientcerts,
# permit_sasl_authenticated,
- permit_mynetworks,
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
reject_unknown_recipient_domain,
@@ -101,9 +110,10 @@ smtpd_recipient_restrictions =
# RCPT TO checks, relay policy
# Local clients and authenticated clients may specify any destination domain
smtpd_relay_restrictions =
+# permit_inet_interfaces, OR
+ permit_mynetworks,
#RELAY permit_tls_clientcerts,
# permit_sasl_authenticated,
- permit_mynetworks,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
#permit_auth_destination,
@@ -113,9 +123,10 @@ smtpd_relay_restrictions =
# MAIL FROM Checks
smtpd_sender_restrictions =
+# permit_inet_interfaces, OR
+ permit_mynetworks,
#RELAY permit_tls_clientcerts,
# permit_sasl_authenticated,
- permit_mynetworks,
# Eg: qq.com reject
lmdb:/etc/postfix-lmdb/sender_restrict,
reject_unknown_sender_domain,
@@ -134,23 +145,23 @@ smtpd_log_access_permit_actions = 1
smtpd_client_connection_rate_limit = 20
smtpd_client_connection_count_limit = 2
-# TLS see CRUX-README.txt for this
-tls_append_default_CA = no
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
#TLS smtpd_tls_security_level = may
-#TLS comment out next; see master.cf, too!
+#TLS comment out next; usually enabled per-service in master.cf!
smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
+#SMART The next is usually nice but when using client certificates
+smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
+#SMART When only relaying to smarthost, the next can be =high !?!
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
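Review bot: The new comment above `smtpd_tls_received_header = no` stops mid-sentence (`... but when using client certificates`), so the reason for switching it off is left to the reader. postconf(5) describes this parameter as adding protocol and cipher details plus the remote client's certificate CommonName and issuer CommonName to Received: headers, which is exactly what a client-certificate setup would then disclose in every message it passes on; I would complete the line as `#SMART The next is usually nice, but with client certificates it would put the client certificate CommonName and issuer into Received: headers`. The `#SMART ... can be =high !?!` line above `smtpd_tls_mandatory_ciphers` likewise reads as an open question rather than guidance; if it is meant to stay, `#SMART When only relaying to a smarthost that supports it, consider =high` says the same thing as a recommendation.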
@@ -159,6 +170,17 @@ smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_connection_reuse = yes
+# Usually enabled per-service in master.cf!
+#smtpd_sasl_auth_enable = yes
+smtpd_sasl_auth_enable = no
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+
+## POSTFIX CLIENT
+
#TLS smtp_tls_security_level = $smtpd_tls_security_level
#TLS comment out next
smtp_tls_security_level = may
@@ -174,14 +196,6 @@ smtp_tls_connection_reuse = $smtpd_tls_connection_reuse
smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
smtp_tls_session_cache_timeout = 3600s
-#smtpd_sasl_auth_enable = yes
-smtpd_sasl_auth_enable = no
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-smtpd_sasl_local_domain = $myhostname
-smtpd_sasl_security_options = noanonymous, noplaintext
-smtpd_sasl_tls_security_options = noanonymous
-
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
#smtp_sasl_path = $smtpd_sasl_path
@@ -222,3 +236,4 @@ smtpd_sasl_tls_security_options = noanonymous
# # Per-sender provider; see also /etc/postfix/sasl_passwd.
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]
+
diff --git a/postfix-lmdb/master.patch b/postfix-lmdb/master.patch
index a2d6b32f5..19ca910a1 100644
--- a/postfix-lmdb/master.patch
+++ b/postfix-lmdb/master.patch
@@ -1,16 +1,20 @@
--- master.cf 2021-02-10 01:28:29.091526626 +0100
+++ master.cf.new 2021-02-10 01:30:19.998198603 +0100
-@@ -10,6 +10,13 @@
+@@ -10,6 +10,17 @@
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
-+#TLS -o smtpd_tls_security_level=none
++#TLS Does: STARTTLS on :25, enforced STARTTLS on :587, always TLS on :465
++#TLS -o smtpd_tls_security_level=may
+#TLS -o smtpd_sasl_auth_enable=no
+#TLS submission inet n - n - - smtpd
+#TLS -o smtpd_tls_security_level=encrypt
++#TLS -o smtpd_sasl_auth_enable=no
+#TLS submissions inet n - n - - smtpd
+#TLS -o smtpd_tls_wrappermode=yes
++#TLS -o smtpd_sasl_auth_enable=no
+tlsproxy unix - - n - 0 tlsproxy
++ -o tlsproxy_tls_security_level=encrypt
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
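Review bot: The new `#TLS Does: STARTTLS on :25, enforced STARTTLS on :587, always TLS on :465` summary covers transport security only, while the `submission` and `submissions` entries right below both carry `-o smtpd_sasl_auth_enable=no`, so ports 587 and 465 accept no SASL authentication and only clients admitted by the main-addon.cf restrictions (`permit_mynetworks`, or `permit_tls_clientcerts` once the `#RELAY` lines are enabled) can submit through them. Stating that in the summary saves a reader from assuming 587 is an authenticated submission port: `#TLS Does: STARTTLS on :25, enforced STARTTLS on :587, always TLS on :465; no SASL on any of them (see #RELAY in main.cf for client-certificate relaying)`. It is also worth confirming against postconf(5) that `smtpd_tls_wrappermode=yes` on `submissions` is sufficient on its own to enforce TLS while main-addon.cf keeps `smtpd_tls_security_level = none`, since that service sets no explicit `-o smtpd_tls_security_level`. These lines are the new contents of master.patch, i.e. a patch against master.cf, rather than master.cf itself.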
diff --git a/postfix-lmdb/post-install b/postfix-lmdb/post-install
index fa2e5bce7..ab4c83aac 100644
--- a/postfix-lmdb/post-install
+++ b/postfix-lmdb/post-install
@@ -19,7 +19,7 @@ getent group ${usrgrp} >/dev/null || groupadd -r ${usrgrp}
getent passwd ${usr} >/dev/null 2>&1 || {
useradd -r -g ${usrgrp} -d /var/spool/${usr} -s /bin/false ${usr}
passwd -l ${usr}
-}
+}
getent group ${queuegrp} >/dev/null || groupadd -r ${queuegrp}
