authorMalfurious <m@lfurio.us>2024-06-08 05:07:09 -0400
committerMalfurious <m@lfurio.us>2024-06-09 14:16:42 -0400
commit55a364bda1d1f293a0691198cd6a4d1784cb2f87 (patch)
tree13236dca38bf7298a02cd5ec567f8ad1ca5adae1
parent21cbfd354bc2586b26e1bcff00a388e50aa92bba (diff)
postfix: Enable secure submission of outgoing email
The TLS-wrapped "submissions" port (465) is opened in postfix and configured to accept outgoing mail from authenticated users only. The authentication is provided by dovecot via unix socket and account data is sourced from the userconfig directory. Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r--dovecot/dovecot.conf8
-rw-r--r--postfix/master.cf54
2 files changed, 23 insertions, 39 deletions
diff --git a/dovecot/dovecot.conf b/dovecot/dovecot.conf
index 19f5ebd..b1e3f9b 100644
--- a/dovecot/dovecot.conf
+++ b/dovecot/dovecot.conf
@@ -30,6 +30,14 @@ userdb {
args = /etc/userconfig/passwd
}
+# Provide user authentication service to postfix submission sessions
+service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ user = postfix
+ group = postfix
+ mode = 0660
+ }
+}
# Location for users mailboxes
# %u - username
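Review bot: The new `service auth` block should document why the listener is placed under `/var/spool/postfix`: master.cf runs the `submissions` smtpd with the chroot column set to `y`, and its `smtpd_sasl_path=private/auth` is relative to that chroot, so this path and Postfix's queue_directory must agree or SASL authentication cannot reach dovecot. Suggested comment above `unix_listener`: `# Path is relative to postfix's queue_directory (smtpd runs chrooted); must match smtpd_sasl_path=private/auth in master.cf`. This hunk does not set `auth_mechanisms`, so whatever the rest of dovecot.conf sets (or dovecot's default) governs which SASL mechanisms these sessions may use; clients that only speak LOGIN need it enabled explicitly, which I cannot confirm from the lines shown. The `userdb` block named in the hunk header starts before the hunk.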
diff --git a/postfix/master.cf b/postfix/master.cf
index fd0d581..0105387 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -10,46 +10,22 @@
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-#smtp inet n - y - 1 postscreen
-#smtpd pass - - y - - smtpd
-#dnsblog unix - - y - 0 dnsblog
-#tlsproxy unix - - y - 0 tlsproxy
-# Choose one: enable submission for loopback clients only, or for any client.
-#127.0.0.1:submission inet n - y - - smtpd
-#submission inet n - y - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_tls_auth_only=yes
-# -o smtpd_reject_unlisted_recipient=no
-# Instead of specifying complex smtpd_<xxx>_restrictions here,
-# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
-# here, and specify mua_<xxx>_restrictions in main.cf (where
-# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
-# -o smtpd_client_restrictions=
-# -o smtpd_helo_restrictions=
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+submissions inet n - y - - smtpd
+ -o syslog_name=postfix/submissions
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=private/auth
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sender_restrictions=
-# -o smtpd_relay_restrictions=
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-# Choose one: enable submissions for loopback clients only, or for any client.
-#127.0.0.1:submissions inet n - y - - smtpd
-#submissions inet n - y - - smtpd
-# -o syslog_name=postfix/submissions
-# -o smtpd_tls_wrappermode=yes
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_reject_unlisted_recipient=no
-# Instead of specifying complex smtpd_<xxx>_restrictions here,
-# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
-# here, and specify mua_<xxx>_restrictions in main.cf (where
-# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
-# -o smtpd_client_restrictions=
-# -o smtpd_helo_restrictions=
-# -o smtpd_sender_restrictions=
-# -o smtpd_relay_restrictions=
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-#628 inet n - y - - qmqpd
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
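Review bot: Nothing in the new `submissions` service ties the SASL login to the envelope sender, so any authenticated account can submit mail with any MAIL FROM; the context line `# -o smtpd_sender_restrictions=` stays commented, so the value inherited from main.cf applies, and main.cf is not visible here. If main.cf does not already cover it, add `-o smtpd_sender_restrictions=reject_sender_login_mismatch` next to the client/recipient overrides and define `smtpd_sender_login_maps` in main.cf to map each address to the login allowed to use it. `smtpd_helo_restrictions` and `smtpd_relay_restrictions` are likewise inherited; if those are tuned for the inbound port-25 `smtp` service on the context line above, MUA connections on 465 face the same checks, so the `-o smtpd_helo_restrictions=` and `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` overrides from the removed template block are worth restoring. Whether the inherited values are actually a problem depends on main.cf, which this hunk does not show.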