The CRUX postfix package
========================

* Abstract
* TLS
* SmartHost
* Relay
* DNS black lists

Abstract
--------

- Fully configured for "sailing in the wind".
- Only listens for SMTP by default, but a few knobs can be turned here
  and there for more; see below.

Remember to run "postmap FILE" after you have updated table files,
and "newaliases" or "postalias FILE" after changing alias files.

TLS
---

tlsproxy(8) for connection tracking is running by default.
To be identifiable, generate a private key and a certificate, either via

openssl genpkey -algorithm ed25519 -out prv.pem
#openssl pkey -in prv.pem -pubout -out pub.pem
openssl req -x509 -key prv.pem -out crt.pem

or

openssl req -x509 -nodes -newkey ed25519 -keyout prv.pem -out crt.pem

Also create DH parameters:

openssl dhparam -out dh2048.pem 2048

Move all of these to a safe place. Then do

cat prv.pem crt.pem > /etc/postfix-lmdb/key_and_cert.pem
cp dh2048.pem /etc/postfix-lmdb/dh2048.pem

Make them root:root and 0600.
Edit main.cf: uncomment all lines marked #TLS.
Edit master.cf likewise.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).
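
The procedure above, from key generation to installation, as one script.
This is an added example and not part of the CRUX package: the directory
/etc/postfix-lmdb/ and the file names are those given above, while the
script name postfix-tls-setup.sh, the POSTFIX_DIR override and the CN
placeholder mail.example.invalid are assumptions. Beyond the text it adds
the two checks one wants before reloading: that the key and certificate in
key_and_cert.pem actually belong together, and that the files really ended
up root:root 0600 (the umask makes sure they were never wider in between).

```shell
#!/bin/sh
# Added example (not part of the CRUX postfix package): generate the TLS
# material described in the README, install it into the package's
# configuration directory as root:root 0600, and verify the result.
set -eu

# Assumption: the package's configuration directory named in the README.
POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix-lmdb}"

# Ed25519 private key plus self-signed certificate, written to $1.
# -subj keeps "openssl req" from prompting interactively; the CN default
# is a constructed placeholder, pass the host's real name instead.
gen_tls_material() {
    dir=$1
    cn=${2:-mail.example.invalid}
    openssl genpkey -algorithm ed25519 -out "$dir/prv.pem"
    openssl req -x509 -key "$dir/prv.pem" -subj "/CN=$cn" -days 3650 \
        -out "$dir/crt.pem"
}

# DH parameters take a while, so they are generated separately.
gen_dhparam() {
    openssl dhparam -out "$1/dh2048.pem" 2048
}

# Return 0 iff the public key derived from the private key in $1 equals
# the public key inside the certificate in $1 (both PEM blocks live in
# key_and_cert.pem; openssl picks the first block of the matching type).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Permission bits of $1 in octal; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner and group of $1 as "user:group", same GNU/BSD fallback.
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Postfix reads the key as root at startup, so root:root 0600 is enough;
# anything wider exposes the private key to other local users.
tls_perms_ok() {
    [ "$(file_mode "$1")" = "600" ] && [ "$(file_owner "$1")" = "root:root" ]
}

# Install key+cert and DH parameters from $1 as the README describes,
# then refuse to report success if the checks above fail.
install_tls_material() {
    src=$1
    pem="$POSTFIX_DIR/key_and_cert.pem"
    dh="$POSTFIX_DIR/dh2048.pem"
    umask 077
    cat "$src/prv.pem" "$src/crt.pem" > "$pem"
    cp "$src/dh2048.pem" "$dh"
    chown root:root "$pem" "$dh"
    chmod 0600 "$pem" "$dh"
    key_matches_cert "$pem" || { echo "key and certificate do not match" >&2; return 1; }
    tls_perms_ok "$pem" && tls_perms_ok "$dh"
}

# Run the whole procedure only when executed under this (assumed) script
# name, so the functions can also be sourced into an interactive shell.
if [ "${0##*/}" = "postfix-tls-setup.sh" ]; then
    work=$(mktemp -d)
    gen_tls_material "$work" "$(hostname -f)"
    gen_dhparam "$work"
    install_tls_material "$work"
    echo "installed; now uncomment the #TLS lines in main.cf/master.cf and reload"
fi
```

Run it as root; key_matches_cert is also handy on its own whenever a
key_and_cert.pem is rebuilt from parts, since a mismatched pair is only
noticed when the first TLS handshake fails.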
48
SmartHost
---------

For laptops or hosts without a hostname of their own, using a smart host
which does the real delivery is usually the thing to do.
Edit main.cf and uncomment and edit the lines marked #SMART.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Authentication to the smart host is not covered by the default
configuration. With TLS set up as above, however, it may be possible to
authenticate via client certificates, should the relayhost allow this
(see below); i.e., simply reuse key_and_cert.pem for this purpose, too.

Note that it seems wise to use the $smtp_tls_fingerprint_cert_match
approach to verify $relayhost, because the $smtp_tls_CAfile way requires
a full chain, to the best of my knowledge.

Otherwise you (usually) need to have cyrus-sasl installed, and also
dovecot, which drives the SASL authentication. The default configuration
contains the necessary entries; you should only need to adjust and
uncomment them. Just search for #SMART.

Relay
-----

The default configuration only accepts mail that is addressed to
$mydestination, aka the local host, or that is to be relayed for
$mynetworks (set to the IPv4 private address range).

SASL authentication of clients is not covered, but the default
configuration ships support for client certificate fingerprint matching,
in order to allow clients which authenticate themselves this way to relay
mail to anywhere.
Edit main.cf and uncomment and edit the lines marked #RELAY.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Put the fingerprints in /etc/postfix-lmdb/relay_clientcerts as shown.
Calculate them via

openssl x509 -noout -sha256 -fingerprint < CERT.pem

or

openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c

It seems to support fingerprinting of the public key only, too.
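
Turning that fingerprint output into a relay_clientcerts entry, as an
added example that is not part of the CRUX package or of Postfix. It
accepts the output of either command above, normalizes it to the
upper-case colon-separated form in which openssl prints certificate
fingerprints, and refuses anything that is not 32 byte pairs; the same
digest is what the $smtp_tls_fingerprint_cert_match approach in the
SmartHost section wants for the relayhost's certificate. It goes slightly
beyond the text in also accepting a digest printed without colons (openssl
dgst run without -c). The client name laptop.example.invalid and the sample
digests are constructed; /etc/postfix-lmdb/relay_clientcerts is the path
given above, and the postmap lookup at the end is the check that the table
was actually rebuilt after editing.

```shell
#!/bin/sh
# Added example (not part of the CRUX package or Postfix): build and check
# relay_clientcerts entries from the fingerprint output of openssl.
set -eu

# Assumption: the table path named in the README.
RELAY_CLIENTCERTS="/etc/postfix-lmdb/relay_clientcerts"

# Both openssl forms print "<label>=<hex>" where the label varies between
# OpenSSL versions ("SHA256 Fingerprint", "sha256 Fingerprint",
# "SHA2-256(stdin)"). Keep only the digest as upper-case hex byte pairs
# separated by colons, inserting the colons if "dgst" was run without -c.
normalize_fingerprint() {
    fp=$(printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g' \
        | tr 'a-f' 'A-F')
    case $fp in
        *:*) ;;
        *) fp=$(printf '%s\n' "$fp" | sed -e 's/../&:/g' -e 's/:$//') ;;
    esac
    printf '%s\n' "$fp"
}

# Return 0 iff $1 is a SHA-256 fingerprint in the openssl output form:
# 32 upper-case hex byte pairs separated by colons.
valid_sha256_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

# One table line: "<fingerprint> <text>". Only the key is looked up by
# Postfix; the text is informational, a host name is customary.
relay_clientcerts_entry() {
    fp=$(normalize_fingerprint "$1")
    valid_sha256_fingerprint "$fp" || {
        echo "not a SHA-256 fingerprint: $1" >&2
        return 1
    }
    printf '%s %s\n' "$fp" "$2"
}

# Entry for a real certificate file $1 (needs openssl); append the output
# to the table and run "postmap $RELAY_CLIENTCERTS" afterwards, as the
# Abstract reminds.
cert_entry() {
    relay_clientcerts_entry \
        "$(openssl x509 -noout -sha256 -fingerprint -in "$1")" "$2"
}

# After postmap, confirm the lookup really hits: prints the text value for
# a known fingerprint and nothing for an unknown one.
lookup_entry() {
    postmap -q "$(normalize_fingerprint "$1")" "lmdb:$RELAY_CLIENTCERTS"
}
```

A silent lookup_entry after editing the table almost always means the
postmap step from the Abstract was forgotten, which otherwise only shows
up as the client being rejected with a relay access denied.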

Otherwise you (usually) need to have cyrus-sasl installed, and also
dovecot, which drives the SASL authentication. The default configuration
contains the necessary entries; you should only need to adjust and
uncomment them. See above under SmartHost.

DNS black lists
---------------

Edit main.cf and uncomment and edit the lines marked #DNSBL.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

# s-ts-mode