From b1b474e3f3962acfb9cef0b496da32d09e06f64d Mon Sep 17 00:00:00 2001 From: Steffen Nurpmeso Date: Mon, 12 Apr 2021 20:36:05 +0200 Subject: postfix-lmdb: update to 3.5.10 --- postfix-lmdb/.signature | 12 ++++++------ postfix-lmdb/Pkgfile | 11 +++++------ postfix-lmdb/main-addon.cf | 38 +++++++++++++++++++++++++++----------- postfix-lmdb/master.patch | 9 +++++---- postfix-lmdb/relay_clientcerts | 4 ++++ 5 files changed, 47 insertions(+), 27 deletions(-) diff --git a/postfix-lmdb/.signature b/postfix-lmdb/.signature index 8652c4ff8..e67dd8249 100644 --- a/postfix-lmdb/.signature +++ b/postfix-lmdb/.signature @@ -1,15 +1,15 @@ untrusted comment: verify with /etc/ports/contrib.pub -RWSagIOpLGJF38+KOnQGbaIUW82eL0DQkmLgUylfs2r0PpUUobpR1ZKWLOsiFrHPjt4Jrk1k77Usuo4gEUCqS1eIHPUBWUBiwg8= -SHA256 (Pkgfile) = de4e93a4dc2a52d14573b98ff4e0235952784cc289ef969ea44c3399cb597875 +RWSagIOpLGJF35D0u9AVbgDpYYu6Zyab8GRFP/q9nfkHsJK4HWU9oJrEEqVeannd3dI16dpAry8rNaYQvve3pv5bAlW1iyvqmwc= +SHA256 (Pkgfile) = 746a2d74681fe18966f98b46b16c40ed30c45c2cbb09042c5e958ebed18a8e97 SHA256 (.footprint) = c4bef46624508b9105e8c5816c322560a560c09e9c5507509eb95c886d52a387 -SHA256 (postfix-3.5.9.tar.gz) = 51ced5a3165a415beba812b6c9ead0496b7172ac6c3beb654d2ccd9a1b00762b +SHA256 (postfix-3.5.10.tar.gz) = 5bb4d7d72d7512b58f3a31426dcbd394fd354e0a43de21da89466b057a0228f8 SHA256 (lmdb-default.patch) = 11f42333ae0640a3ca579463ed28007973693b93bc734b5d82225fcb516bf05e SHA256 (postfix-install.patch) = 7185d2b2e4d7cc090b958c1d372c16e15f274465e2123686a0d97db20e2b5943 SHA256 (post-install) = b459d6e4c56384c24d5f3473964ed6442b2c501406745d1fd46c6b453e393138 SHA256 (postfix.rc) = 5ac60205a95faf4633c64bc60d2689f654b997932e3bbc1204b66df7b5dce1d2 SHA256 (aliases) = 60ae98d869800055b248c32c183a1836cc5a698cf337cb7ad734e862ae80e95a SHA256 (README) = f6422a14ad8e7aeacb966db68bd2e27fa17dfac9cb8d406f61dae38d45629d8e -SHA256 (relay_clientcerts) = 98e7e663f4d9b9a648c4b9198cce3faf9aef82fc81600d2268bf09b84ee39890 +SHA256 (relay_clientcerts) = 2aa69a949c06826e2f5a760791fb5cebb37e6797613270fd11381c33afa38297 SHA256 (sender_restrict) = b83ab2c27d6966876c6cfa7f12d5c3d3065fb11507a69199ce8d30a757217e4c -SHA256 (main-addon.cf) = 82282c81995c15084efb20c52f62a4844cce3fe12fa09ad5b26d39c13d127ff8 -SHA256 (master.patch) = a4f576de6d511201f6329f6904246acfc21707bd69391fca5a14d9b44de74f1a +SHA256 (main-addon.cf) = 4d0dec5805262595687492dc9ff16c51ee955bf566b9197c05fde87caeb6a212 +SHA256 (master.patch) = 2554c5e37ae7a87ee771aa46502aa99bf3668da0bbf3313664dd63e9336e794b diff --git a/postfix-lmdb/Pkgfile b/postfix-lmdb/Pkgfile index 1e58adadb..3efdc75ef 100644 --- a/postfix-lmdb/Pkgfile +++ b/postfix-lmdb/Pkgfile @@ -2,11 +2,12 @@ # URL: https://www.postfix.org/ # Maintainer: Steffen Nurpmeso, steffen at sdaoden dot eu # Depends on: libpcre lmdb openssl +# Optional: dovecot cyrus-sasl rname=postfix name=postfix-lmdb -version=3.5.9 -release=2 +version=3.5.10 +release=1 source=( https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz lmdb-default.patch postfix-install.patch post-install @@ -15,8 +16,6 @@ source=( main-addon.cf master.patch ) -isinst() { pkginfo -i | grep -qE "^${1}[[:space:]]"; } - build() { cd ${rname}-${version} @@ -27,11 +26,11 @@ build() { cca=${cca}' -DHAS_LMDB -DDEF_DB_TYPE=\"lmdb\" -DHAS_PCRE -DUSE_TLS' aux= - if isinst dovecot; then # TODO UNTESTED! + if prt-get isinst dovecot; then # TODO UNTESTED! cca=${cca}' -DUSE_SASL_AUTH -DDEF_SASL_SERVER=dovecot' fi - if isinst cyrus-sasl; then # TODO UNTESTED! + if prt-get isinst cyrus-sasl; then # TODO UNTESTED! cca=${cca}' -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl' aux=${aux}' -lsasl2' fi diff --git a/postfix-lmdb/main-addon.cf b/postfix-lmdb/main-addon.cf index 729916ac3..dd8bc9d91 100644 --- a/postfix-lmdb/main-addon.cf +++ b/postfix-lmdb/main-addon.cf @@ -40,6 +40,7 @@ mailbox_size_limit = 100000000 message_size_limit = 442000 ## TLSPROXY(8) (where diverging from daemon / client) + tls_append_default_CA = no ## POSTFIX DAEMON @@ -141,17 +142,19 @@ smtpd_per_record_deadline = yes smtpd_timeout = 15s smtpd_starttls_timeout = 15s smtpd_junk_command_limit = 5 -smtpd_log_access_permit_actions = 1 -smtpd_client_connection_rate_limit = 20 -smtpd_client_connection_count_limit = 2 +#smtpd_log_access_permit_actions = +# permit_tls_clientcerts, +# permit_sasl_authenticated +#smtpd_client_connection_rate_limit = 20 +#smtpd_client_connection_count_limit = 2 +#TLS Do not forget to look into master.cf! # That one is for client certificates! #smtpd_tls_CAfile = /etc/dovecot/cert.pem #TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem #TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem -#TLS smtpd_tls_security_level = may -#TLS comment out next; usually enabled per-service in master.cf! -smtpd_tls_security_level = none +# This are managed per-service in master.cf! +#smtpd_tls_security_level = none #RELAY smtpd_tls_ask_ccert = yes smtpd_tls_ask_ccert = no smtpd_tls_auth_only = yes @@ -161,7 +164,6 @@ smtpd_tls_received_header = no smtpd_tls_fingerprint_digest = sha256 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = $smtpd_tls_mandatory_protocols -#SMART When only relaying to smarthost, the next can be =high !?! smtpd_tls_mandatory_ciphers = medium smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, @@ -169,6 +171,8 @@ smtpd_tls_mandatory_exclude_ciphers = smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers smtpd_tls_connection_reuse = yes +smtpd_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtpd_scache +smtpd_tls_session_cache_timeout = 3600s # Usually enabled per-service in master.cf! #smtpd_sasl_auth_enable = yes @@ -181,20 +185,22 @@ smtpd_sasl_tls_security_options = noanonymous ## POSTFIX CLIENT -#TLS smtp_tls_security_level = $smtpd_tls_security_level #TLS comment out next +#SMART comment out next smtp_tls_security_level = may +# To always go directly SMTPS/SUBMISSIONS #smtp_tls_wrappermode = yes smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols smtp_tls_protocols = $smtpd_tls_protocols +#SMART When only relaying to smarthost, the next can be =high !?! smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers smtp_tls_ciphers = $smtpd_tls_ciphers smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers smtp_tls_connection_reuse = $smtpd_tls_connection_reuse smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache -smtp_tls_session_cache_timeout = 3600s +smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout #smtp_sasl_auth_enable = $smtpd_sasl_auth_enable #smtp_sasl_type = $smtpd_sasl_type @@ -208,13 +214,17 @@ smtp_tls_session_cache_timeout = 3600s # One or more destinations in the form of a domain name, hostname, # hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port, # separated by comma or whitespace. The form [hostname] turns off MX lookups +# check man(5) postconf -> local_header_rewrite_clients; +# "Or", i.e., for mail(1): use "-r myname@mydesired.host" #SMART relayhost = [HOST]:submissions +#SMART Next only when going directly SMTPS/SUBMISSIONS #SMART smtp_tls_wrappermode = yes #SMART smtp_tls_chain_files = $smtpd_tls_chain_files +#SMART EITHER these three #SMART smtp_tls_security_level = verify -# This requires a full chain, otherwise look around verify_depth #SMART smtp_tls_CAfile = /etc/ssl/cert.pem -#SMART therefore OR (better, maybe) +#SMART smtp_tls_scert_verifydepth = 9 +#SMART OR these two #SMART smtp_tls_security_level = fingerprint #SMART smtp_tls_fingerprint_cert_match = FINGERPRINT # The following is not tested, really, and may not work with default config @@ -237,3 +247,9 @@ smtp_tls_session_cache_timeout = 3600s # user1@example.com [mail.example.com]:submission # user2@example.net [mail.example.net] +# Permanently (to _destinations) instead if this is "no" +smtp_connection_cache_on_demand = yes +# $relayhost WITHOUT [] and : etc.!! +smtp_connection_cache_destinations = $relayhost +smtp_connection_cache_time_limit = 10s +smtp_connection_reuse_count_limit = 242 diff --git a/postfix-lmdb/master.patch b/postfix-lmdb/master.patch index 19ca910a1..71dd124f3 100644 --- a/postfix-lmdb/master.patch +++ b/postfix-lmdb/master.patch @@ -1,6 +1,6 @@ ---- master.cf 2021-02-10 01:28:29.091526626 +0100 -+++ master.cf.new 2021-02-10 01:30:19.998198603 +0100 -@@ -10,6 +10,17 @@ +--- master.cf.orig 2021-04-12 20:30:45.650213781 +0200 ++++ master.cf 2021-04-12 20:32:34.676882357 +0200 +@@ -10,6 +10,18 @@ # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - n - - smtpd @@ -9,7 +9,8 @@ +#TLS -o smtpd_sasl_auth_enable=no +#TLS submission inet n - n - - smtpd +#TLS -o smtpd_tls_security_level=encrypt -+#TLS -o smtpd_sasl_auth_enable=no ++#TLS -o smtpd_sasl_auth_enable=yes ++#TLS # This was SMTPS aka :465. I use it as that. +#TLS submissions inet n - n - - smtpd +#TLS -o smtpd_tls_wrappermode=yes +#TLS -o smtpd_sasl_auth_enable=no diff --git a/postfix-lmdb/relay_clientcerts b/postfix-lmdb/relay_clientcerts index 1d3fbb31c..a5afd293c 100644 --- a/postfix-lmdb/relay_clientcerts +++ b/postfix-lmdb/relay_clientcerts @@ -1 +1,5 @@ # FINGERPRINT any value +# openssl x509 -noout -sha256 -fingerprint < CERT.pem +# OR +# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c + -- cgit v1.2.3