mailnode/postfix, branch master Custom email service opendkim: Configure postfix milter socket 2024-07-09T19:50:39+00:00 Malfurious m@lfurio.us 2024-07-05T10:54:58+00:00 053ecfdb5110b2a0eda01dfe78c62b446fc4866b Signed-off-by: Malfurious <m@lfurio.us> 
Signed-off-by: Malfurious <m@lfurio.us>
mlmmj: Integration with postfix 2024-06-15T21:41:53+00:00 Malfurious m@lfurio.us 2024-06-15T03:21:59+00:00 7d2158a75b6ff294146444a6e1b51170d3f43010 Incoming mail for an mlmmj list is caught by a virtual mapping and directed via virtual transport to the mlmmj system for processing. Outgoing mail is implicitly allowed since it originates from the localhost. The postfix entrypoint script now dynamically generates these mailing list mappings on startup from data in the mlmmj spool directory, so user configuration is minimal. In addition, the script will now sync the user's mailing list parameters into the spool directory, thus automatically creating new lists and deleting old ones. The list creation logic is implemented in a new script `make_list.sh`. This is made necessary as the mlmmj built in tooling for this must be run interactively, so we duplicate the logic. This is separate from `entrypoint.sh` mainly because we need to drop privileges to the mlmmj user while creating files. Signed-off-by: Malfurious <m@lfurio.us> 
Incoming mail for an mlmmj list is caught by a virtual mapping and
directed via virtual transport to the mlmmj system for processing.
Outgoing mail is implicitly allowed since it originates from the
localhost.

The postfix entrypoint script now dynamically generates these mailing
list mappings on startup from data in the mlmmj spool directory, so user
configuration is minimal.  In addition, the script will now sync the
user's mailing list parameters into the spool directory, thus
automatically creating new lists and deleting old ones.

The list creation logic is implemented in a new script `make_list.sh`.
This is made necessary as the mlmmj built in tooling for this must be
run interactively, so we duplicate the logic.  This is separate from
`entrypoint.sh` mainly because we need to drop privileges to the mlmmj
user while creating files.

Signed-off-by: Malfurious <m@lfurio.us>
postfix: Deny submission sender/login mismatch 2024-06-15T02:46:33+00:00 Malfurious m@lfurio.us 2024-06-12T14:45:13+00:00 2ee344e9c7ab8182efde6a18e50d4b4e7d148e71 Prevent outgoing spoofed emails by requiring the MAIL FROM header to match the SASL login name. Specifically, the SASL user must "own" the address. `smtpd_sender_login_maps` defines a lookup table to determine ownership. We create a placeholder table that states each user simply owns their own email address (aka: the value of their username). Signed-off-by: Malfurious <m@lfurio.us> 
Prevent outgoing spoofed emails by requiring the MAIL FROM header to
match the SASL login name.

Specifically, the SASL user must "own" the address.
`smtpd_sender_login_maps` defines a lookup table to determine ownership.
We create a placeholder table that states each user simply owns their
own email address (aka: the value of their username).

Signed-off-by: Malfurious <m@lfurio.us>
postfix: Prevent leaking MUA IP addresses 2024-06-10T13:06:09+00:00 Malfurious m@lfurio.us 2024-06-10T13:06:09+00:00 dc7f1bb8f52569b158f0c24c02070fcc459e580d Protect user privacy by stripping IP addresses from headers received from authenticated mail submission. Headers for mail received from other servers are unaffected. Signed-off-by: Malfurious <m@lfurio.us> 
Protect user privacy by stripping IP addresses from headers received
from authenticated mail submission.  Headers for mail received from
other servers are unaffected.

Signed-off-by: Malfurious <m@lfurio.us>
postfix: Don't chroot subprograms 2024-06-10T11:48:11+00:00 Malfurious m@lfurio.us 2024-06-10T11:48:11+00:00 4348ca29fb05e12a5308e48c908b00dc1fc83d0f Sending mail to an external server previously fails due to name resolution error. ("Host or domain name not found. Name service error for name=xxxxxxxxxx type=A: Host not found, try again") The reason this was happening is because the relay process runs in a chroot jail and can not access the docker container's resolve.conf file. Given the system is containerized, which is like a chroot on steroids, I'm comfortable disabling chrooting for mail processes to work around this. Signed-off-by: Malfurious <m@lfurio.us> 
Sending mail to an external server previously fails due to name
resolution error.  ("Host or domain name not found.  Name service error
for name=xxxxxxxxxx type=A: Host not found, try again")

The reason this was happening is because the relay process runs in a
chroot jail and can not access the docker container's resolve.conf file.

Given the system is containerized, which is like a chroot on steroids,
I'm comfortable disabling chrooting for mail processes to work around
this.

Signed-off-by: Malfurious <m@lfurio.us>
Write logs to stdout 2024-06-09T18:27:08+00:00 Malfurious m@lfurio.us 2024-06-08T19:12:58+00:00 62f01b6347a8125c071ce1d79a2e0b7725576f56 This allows output to be read with `docker compose logs`. Signed-off-by: Malfurious <m@lfurio.us> 
This allows output to be read with `docker compose logs`.

Signed-off-by: Malfurious <m@lfurio.us>
postfix: Add service entrypoint script 2024-06-09T18:16:42+00:00 Malfurious m@lfurio.us 2024-06-08T18:49:26+00:00 26dab860bd733e4f110fc837e1f3d8c682248502 This is used to generate database files used by postfix daemons. In theory, this could also be performed at build-time by the Dockerfile. However, I intend to create only a single image that each service separately spawns from, since there will be several commonalities between them. Moving these postfix-specific tasks to an entrypoint script keeps the common Dockerfile more managable. Signed-off-by: Malfurious <m@lfurio.us> 
This is used to generate database files used by postfix daemons.

In theory, this could also be performed at build-time by the Dockerfile.
However, I intend to create only a single image that each service
separately spawns from, since there will be several commonalities
between them.  Moving these postfix-specific tasks to an entrypoint
script keeps the common Dockerfile more managable.

Signed-off-by: Malfurious <m@lfurio.us>
postfix: Enable secure submission of outgoing email 2024-06-09T18:16:42+00:00 Malfurious m@lfurio.us 2024-06-08T09:07:09+00:00 55a364bda1d1f293a0691198cd6a4d1784cb2f87 The encrypted "submissions" port (465) is opened in postfix and is configured for delivery of outgoing mail of authenticated users only. The authentication is provided by dovecot via unix socket and account data is sourced from the userconfig directory. Signed-off-by: Malfurious <m@lfurio.us> 
The encrypted "submissions" port (465) is opened in postfix and is
configured for delivery of outgoing mail of authenticated users only.
The authentication is provided by dovecot via unix socket and account
data is sourced from the userconfig directory.

Signed-off-by: Malfurious <m@lfurio.us>
Basic service configuration 2024-06-09T18:16:42+00:00 Malfurious m@lfurio.us 2024-06-07T19:53:38+00:00 21cbfd354bc2586b26e1bcff00a388e50aa92bba Setup postfix and dovecot to work with virtual domains/mailboxes and user accounts defined in the userconfig directory. Services are also configured to use TLS certificates that will later be provided by the nginx-proxy acme service. Basic formatting and informative comments are added to config files. Signed-off-by: Malfurious <m@lfurio.us> 
Setup postfix and dovecot to work with virtual domains/mailboxes and
user accounts defined in the userconfig directory.  Services are also
configured to use TLS certificates that will later be provided by the
nginx-proxy acme service.

Basic formatting and informative comments are added to config files.

Signed-off-by: Malfurious <m@lfurio.us>
Add default postfix config files 2024-06-06T10:07:08+00:00 Malfurious m@lfurio.us 2024-06-06T10:07:08+00:00 2e2ef7db26ef59f596f8bbb7a5f81193d92d451b Signed-off-by: Malfurious <m@lfurio.us> 
Signed-off-by: Malfurious <m@lfurio.us>