path: root/postfix-lmdb/README

The CRUX postfix package
========================

* Abstract
* TLS
* SmartHost
* Relay
* DNS black lists

Abstract
--------

- Fully configured for "sailing in the wind", i.e. usable as shipped.
- Only listens for SMTP by default, but
- a few knobs can be turned here and there for more; see below.

Remember to run "postmap FILE" after you have updated table files,
and "newaliases" or "postalias FILE" after changing alias files.

TLS
---

tlsproxy(8), the TLS proxy used by postscreen(8) and for smtp(8) client
connection reuse, is running by default.
To be identifiable, generate a private key and a certificate, either via

  openssl genpkey -algorithm ed25519 -out prv.pem
  #openssl pkey -in prv.pem -pubout -out pub.pem   # public key alone, only if needed elsewhere
  openssl req -x509 -new -key prv.pem -days 3650 -out crt.pem

or

  openssl req -x509 -new -nodes -newkey ed25519 -days 3650 -keyout prv.pem -out crt.pem

(without -days the certificate expires after 30 days; you are prompted
for the subject fields, use the host's name as CN).  The result is
self-signed, which may be sufficient for the client-certificate
identification described below.  Note that not every remote MTA can
verify Ed25519 signatures; where interoperability with arbitrary peers
matters, an RSA or ECDSA (P-256) key is the safer choice.  Also create
DH parameters

  openssl dhparam -out dh2048.pem 2048

(Postfix 3.1 and later have compiled-in 2048-bit parameters, so the file
is optional there, but the #TLS setup here expects it, so create it
anyway).  Move all of these to a safe place.  Then do

  cat prv.pem crt.pem > /etc/postfix-lmdb/key_and_cert.pem
  cp dh2048.pem /etc/postfix-lmdb/dh2048.pem

Make them root:root and 0600.
Edit main.cf: uncomment all lines marked #TLS.
Edit master.cf likewise.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).
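The TLS steps above as one script, added here as an example; it is not part of the CRUX package. It generates the Ed25519 key and self-signed certificate, the DH parameters, installs key_and_cert.pem (key first, then certificate) and dh2048.pem with mode 0600 and root:root ownership when run as root, checks the mode, and prints the certificate for a final look. The function names, the hostname argument, the destination directory argument (defaulting to /etc/postfix-lmdb) and the lifetime are this example's assumptions; Ed25519 needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not the package's own code: generate and install the TLS
# material described above.  Function and argument names are assumptions.
set -eu

# gen_key_cert DIR CN DAYS: Ed25519 private key and self-signed certificate
# as DIR/prv.pem and DIR/crt.pem.  The subshell body keeps umask 077 local,
# so the key file is never world-readable, not even for a moment.
gen_key_cert() (
    umask 077
    mkdir -p "$1"
    openssl genpkey -algorithm ed25519 -out "$1/prv.pem"
    openssl req -x509 -new -key "$1/prv.pem" -days "$3" -subj "/CN=$2" -out "$1/crt.pem"
)

# gen_dhparam DIR BITS: DH parameters (slow for 2048 bits).  Postfix >= 3.1
# has compiled-in defaults, but this README's setup copies the file into place.
gen_dhparam() {
    openssl dhparam -out "$1/dh2048.pem" "$2" 2>/dev/null
}

# install_tls_material SRC DEST: key_and_cert.pem (key, then cert) and, if
# present, dh2048.pem into DEST, mode 0600, owned by root when run as root.
install_tls_material() (
    umask 077
    mkdir -p "$2"
    cat "$1/prv.pem" "$1/crt.pem" > "$2/key_and_cert.pem"
    if [ -f "$1/dh2048.pem" ]; then cp "$1/dh2param.pem" "$2/dh2048.pem" 2>/dev/null || cp "$1/dh2048.pem" "$2/dh2048.pem"; fi
    for f in "$2/key_and_cert.pem" "$2/dh2048.pem"; do
        if [ -f "$f" ]; then
            chmod 0600 "$f"
            if [ "$(id -u)" -eq 0 ]; then chown root:root "$f"; fi
        fi
    done
)

# is_mode_0600 FILE: true when FILE exists with exactly mode 0600
# (find -perm with a leading 0 is an exact match, portable across find(1)s).
is_mode_0600() {
    [ -n "$(find "$1" -prune -perm 0600 2>/dev/null)" ]
}

# show_cert FILE: subject, validity and SHA-256 fingerprint of the certificate
# in FILE.  openssl x509 skips the PRIVATE KEY block in key_and_cert.pem and
# reads the first CERTIFICATE block, just as Postfix does.
show_cert() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# main CN [DEST] [DAYS]: the whole procedure.  The originals stay in a
# temporary directory to be moved to a safe place, as the README asks.
main() {
    cn=$1 dest=${2:-/etc/postfix-lmdb} days=${3:-3650}
    work=$(mktemp -d)
    gen_key_cert "$work" "$cn" "$days"
    gen_dhparam "$work" 2048
    install_tls_material "$work" "$dest"
    is_mode_0600 "$dest/key_and_cert.pem" || { echo "key_and_cert.pem is not 0600" >&2; return 1; }
    show_cert "$dest/key_and_cert.pem"
    echo "originals left in $work: move them to a safe place"
    echo "now uncomment the #TLS lines in main.cf and master.cf and reload postfix-lmdb"
}

# Runs only when given arguments, e.g.:  sh mkpostfixtls.sh mail.example.org
[ $# -eq 0 ] || main "$@"
```

Run as root for the real install; without arguments the file only defines the functions, so the pieces can be used individually (gen_key_cert into a scratch directory, then install_tls_material).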

SmartHost
---------

For laptops or hosts without their own hostname, using a smart host which
does the real delivery is usually the way to go.

Edit main.cf and uncomment and edit the lines marked #SMART.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Authentication to the smart host is not covered by the default
configuration.  With TLS set up as above it may, however, be possible to
authenticate via client certificate, if the relayhost allows this (see
Relay below): just reuse key_and_cert.pem for this as well and uncomment
the corresponding lines.

Note that verifying $relayhost via $smtp_tls_fingerprint_cert_match (TLS
security level "fingerprint") seems the wiser choice, because the
$smtp_tls_CAfile way (levels "verify" and "secure") requires the
relayhost to present a certificate chain that validates against the CAs
in that file.  A pinned fingerprint has to be renewed whenever the
relayhost changes its certificate (pinning the public-key fingerprint
instead survives a re-issue under the same key), and
$smtp_tls_fingerprint_digest must be the digest the fingerprint was
computed with.

If you want SASL authentication instead, you (usually) need cyrus-sasl
installed to drive it; the Postfix SMTP client side only speaks Cyrus
SASL, Dovecot SASL serves the server side covered under Relay.  The
default configuration contains the necessary entries; you should only
need to adjust and uncomment them.  Just search for #SMART.

Relay
-----

The default configuration only accepts mail addressed to $mydestination,
aka the local host, or to be relayed from $mynetworks (set to the IPv4
private address range).

Not covering SASL authentication of clients, the default configuration
ships support for client certificate fingerprint matching, in order to
allow clients which authenticate themselves this way to relay mail to
anywhere.
Edit main.cf and uncomment and edit the lines marked #RELAY.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

Put the fingerprints in /etc/postfix-lmdb/relay_clientcerts as shown
there (one "FINGERPRINT name" line per client), then run "postmap" on
the file.  Calculate them via

  openssl x509 -noout -sha256 -fingerprint < CERT.pem
or
  openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c

The digest must be the one set in $smtpd_tls_fingerprint_digest: sha256
is the default only from Postfix 3.6 on with compatibility_level >= 3.6,
older setups default to md5.  Postfix 2.9 and later also accept the
fingerprint of the client's public key (the DER SubjectPublicKeyInfo) in
the same table; it stays valid when the certificate is re-issued with
the same key.

If you want SASL authentication of clients instead, you (usually) need
cyrus-sasl or dovecot installed to drive it.  The default configuration
contains the necessary entries; you should only need to adjust and
uncomment them.  See above under SmartHost.
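The fingerprint handling from the SmartHost section ($smtp_tls_fingerprint_cert_match for the relayhost) and from this section (relay_clientcerts for clients) in one added shell example; it is not part of the CRUX package. It computes the certificate fingerprint and the public-key fingerprint Postfix compares against, maintains the relay_clientcerts text table without duplicate keys and rebuilds the map, and checks a live relayhost against a pinned value. The function names, the "lmdb:" table type, and the host/port arguments are this example's assumptions.

```sh
#!/bin/sh
# Added example, not the package's own code.  Produces the fingerprints
# Postfix compares: the digest of the DER-encoded certificate (used by
# smtp_tls_fingerprint_cert_match for a relayhost and as the relay_clientcerts
# key for a client) and the digest of the DER SubjectPublicKeyInfo, which
# Postfix >= 2.9 accepts in the same places and which survives a certificate
# re-issue under the same key.  Output is uppercase hex with ':' separators,
# the form "openssl x509 -fingerprint" prints and TLS_README shows.
set -eu

# Drop the "SHA2-256(stdin)= " / "(stdin)= " prefix of openssl dgst and
# uppercase the hex digits.
_fmt() { sed 's/^.*= *//' | tr 'a-f' 'A-F'; }

# cert_fingerprint CERT.pem [DIGEST]   (DIGEST defaults to sha256; it must
# match smtp[d]_tls_fingerprint_digest, whose default is sha256 only with
# Postfix >= 3.6 and compatibility_level >= 3.6, md5 before that)
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst "-${2:-sha256}" -c | _fmt
}

# pubkey_fingerprint CERT.pem [DIGEST]: digest over the public key only
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst "-${2:-sha256}" -c | _fmt
}

# add_relay_client TABLE CERT.pem NAME: add both fingerprints of a client
# certificate to the relay_clientcerts text table (access(5) layout: key,
# whitespace, value), skipping keys already present, then rebuild the map.
# The "lmdb:" prefix is this example's assumption for the postfix-lmdb package.
add_relay_client() {
    table=$1 cert=$2 name=$3
    touch "$table"
    for fp in "$(cert_fingerprint "$cert")" "$(pubkey_fingerprint "$cert")"; do
        if ! grep -qi "^$fp[[:space:]]" "$table"; then
            printf '%s %s\n' "$fp" "$name" >> "$table"
        fi
    done
    if command -v postmap >/dev/null 2>&1; then postmap "lmdb:$table"; fi
}

# relayhost_fingerprint HOST PORT: SHA-256 fingerprint of the leaf certificate
# the relayhost presents after STARTTLS, i.e. the value for
# smtp_tls_fingerprint_cert_match (needs network access; not run by the tests).
relayhost_fingerprint() {
    openssl s_client -starttls smtp -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform DER | openssl dgst -sha256 -c | _fmt
}

# check_relayhost HOST PORT EXPECTED: 0 if the presented certificate matches
# the pinned fingerprint, 1 otherwise (e.g. after the relayhost rotated its
# certificate and the pin has to be renewed).  Case of EXPECTED is ignored.
check_relayhost() {
    [ "$(relayhost_fingerprint "$1" "$2")" = "$(printf '%s' "$3" | tr 'a-f' 'A-F')" ]
}
```

For the smart host, main.cf then needs smtp_tls_security_level = fingerprint, smtp_tls_fingerprint_digest = sha256 and smtp_tls_fingerprint_cert_match set to the value relayhost_fingerprint prints; check_relayhost run from cron is a cheap way to notice when that pin has gone stale.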

DNS black lists
---------------

Edit main.cf and uncomment and edit lines marked #DNSBL.
Run "/etc/rc.d/postfix-lmdb reload" (or restart).

# s-ts-mode