From 55a364bda1d1f293a0691198cd6a4d1784cb2f87 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sat, 8 Jun 2024 05:07:09 -0400 Subject: postfix: Enable secure submission of outgoing email The encrypted "submissions" port (465) is opened in postfix and is configured for delivery of outgoing mail of authenticated users only. The authentication is provided by dovecot via unix socket and account data is sourced from the userconfig directory. Signed-off-by: Malfurious --- dovecot/dovecot.conf | 8 ++++++++ postfix/master.cf | 54 +++++++++++++++------------------------------------- 2 files changed, 23 insertions(+), 39 deletions(-) diff --git a/dovecot/dovecot.conf b/dovecot/dovecot.conf index 19f5ebd..b1e3f9b 100644 --- a/dovecot/dovecot.conf +++ b/dovecot/dovecot.conf @@ -30,6 +30,14 @@ userdb { args = /etc/userconfig/passwd } +# Provide user authentication service to postfix submission sessions +service auth { + unix_listener /var/spool/postfix/private/auth { + user = postfix + group = postfix + mode = 0660 + } +} # Location for users mailboxes # %u - username diff --git a/postfix/master.cf b/postfix/master.cf index fd0d581..0105387 100644 --- a/postfix/master.cf +++ b/postfix/master.cf @@ -10,46 +10,22 @@ # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - y - - smtpd -#smtp inet n - y - 1 postscreen -#smtpd pass - - y - - smtpd -#dnsblog unix - - y - 0 dnsblog -#tlsproxy unix - - y - 0 tlsproxy -# Choose one: enable submission for loopback clients only, or for any client. -#127.0.0.1:submission inet n - y - - smtpd -#submission inet n - y - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_tls_auth_only=yes -# -o smtpd_reject_unlisted_recipient=no -# Instead of specifying complex smtpd__restrictions here, -# specify "smtpd__restrictions=$mua__restrictions" -# here, and specify mua__restrictions in main.cf (where -# "" is "client", "helo", "sender", "relay", or "recipient"). -# -o smtpd_client_restrictions= -# -o smtpd_helo_restrictions= +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +submissions inet n - y - - smtpd + -o syslog_name=postfix/submissions + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + -o smtpd_reject_unlisted_recipient=no + -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_sender_restrictions= -# -o smtpd_relay_restrictions= -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -# Choose one: enable submissions for loopback clients only, or for any client. -#127.0.0.1:submissions inet n - y - - smtpd -#submissions inet n - y - - smtpd -# -o syslog_name=postfix/submissions -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no -# Instead of specifying complex smtpd__restrictions here, -# specify "smtpd__restrictions=$mua__restrictions" -# here, and specify mua__restrictions in main.cf (where -# "" is "client", "helo", "sender", "relay", or "recipient"). -# -o smtpd_client_restrictions= -# -o smtpd_helo_restrictions= -# -o smtpd_sender_restrictions= -# -o smtpd_relay_restrictions= -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#628 inet n - y - - qmqpd + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr -- cgit v1.2.3