diff options
Diffstat (limited to 'roles/mail/files/postfix')
-rw-r--r-- | roles/mail/files/postfix/header-checks-submission.pcre | 35 | ||||
-rw-r--r-- | roles/mail/files/postfix/helo-access.pcre | 26 | ||||
-rw-r--r-- | roles/mail/files/postfix/master.cf | 93 |
3 files changed, 154 insertions, 0 deletions
diff --git a/roles/mail/files/postfix/header-checks-submission.pcre b/roles/mail/files/postfix/header-checks-submission.pcre new file mode 100644 index 0000000..8abd6bf --- /dev/null +++ b/roles/mail/files/postfix/header-checks-submission.pcre @@ -0,0 +1,35 @@ +# +# Header checks policy for mails going through the submission service +# +# See header_checks(5) +# +# Usage: +# 1. In "master.cf" set option "cleanup_service_name=subcleanup" for +# "submission" service; +# 2. set option "header_checks" for "subcleanup" service. +# +# Credits: +# * Anonymize headers in Postfix +# https://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/ +# * Remove sensitive information from email headers with Postfix +# https://major.io/2013/04/14/remove-sensitive-information-from-email-headers-with-postfix/ +# +# +# Aaron LI +# 2017-04-21 +# + +# +# Strip sensitive information for outgoing mails +# +# NOTE: +# * Pattern maching is case insensitive. +# * First matched line will be modified. +# +#/^\s*Received:.*\(Authenticated sender:/ IGNORE +/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2 +/^\s*User-Agent/ IGNORE +/^\s*X-Enigmail/ IGNORE +/^\s*X-Forward/ IGNORE +/^\s*X-Mailer/ IGNORE +/^\s*X-Originating-IP/ IGNORE diff --git a/roles/mail/files/postfix/helo-access.pcre b/roles/mail/files/postfix/helo-access.pcre new file mode 100644 index 0000000..f678385 --- /dev/null +++ b/roles/mail/files/postfix/helo-access.pcre @@ -0,0 +1,26 @@ +# +# Postfix access control on HELO/EHLO context. +# +# References: +# * Postfix SMTP relay and access control +# http://www.postfix.org/SMTPD_ACCESS_README.html +# +# NOTE: by default, patterns are case insensitive. +# +# Aaron LI +# 2017-08-05 +# + +# +# smtpd_helo_restrictions = +# permit_mynetworks, +# check_helo_access pcre:/usr/local/etc/postfix/helo-access.pcre, +# reject_non_fqdn_helo_hostname, +# reject_invalid_helo_hostname, +# reject_unknown_helo_hostname, +# permit +# + +# Whitelist M$ Exchange Online Protection +# See also: https://technet.microsoft.com/en-us/library/dn163583 +/^.*\.outbound.protection.outlook.com$/ OK diff --git a/roles/mail/files/postfix/master.cf b/roles/mail/files/postfix/master.cf new file mode 100644 index 0000000..dc15319 --- /dev/null +++ b/roles/mail/files/postfix/master.cf @@ -0,0 +1,93 @@ +# +# /usr/local/etc/postfix/master.cf +# +# Postfix master process configuration file. +# See master(5), and http://www.postfix.org/master.5.html +# +# +# Aaron LI +# 2017-04-16 +# + +# +# NOTE: Run "postfix reload" after editing this file! +# + +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== + +# Disable authenticiation via SMTP server port 25, force clients (MUA) to +# use the secure submission service on port 587, therefore to make sure +# that client # connections are always made using secure ciphers. +# +#smtp inet n - n - - smtpd +# -o smtpd_sasl_auth_enable=no +# +# Postscreen service and friends +smtp inet n - n - 1 postscreen + -o smtpd_sasl_auth_enable=no +smtpd pass - - n - - smtpd +dnsblog unix - - n - 0 dnsblog +tlsproxy unix - - n - 0 tlsproxy + +# Secure submission service: require user authentication +# https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL +submission inet n - n - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o tls_preempt_cipherlist=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_helo_restrictions=permit_sasl_authenticated,reject + -o smtpd_sender_restrictions=reject_sender_login_mismatch + -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING + -o cleanup_service_name=subcleanup + +#628 inet n - n - - qmqpd +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +subcleanup unix n - n - 0 cleanup + -o header_checks=pcre:$config_directory/header-checks-submission.pcre +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache + +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== + +# Dovecot LDA as the `virtual_transport` for Postfix +# https://wiki.dovecot.org/LDA/Postfix +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver + -f ${sender} -d ${recipient} |