From a0eb2564a60b216ebb4f11f42945eeef68eb1579 Mon Sep 17 00:00:00 2001
From: Aaron LI <aly@aaronly.me>
Date: Mon, 5 Mar 2018 22:51:51 +0800
Subject: mail: setup postfix with dovecot (SASL auth + LDA virtual transport)

---
 .../files/postfix/header-checks-submission.pcre    | 35 ++++++++
 roles/mail/files/postfix/helo-access.pcre          | 26 ++++++
 roles/mail/files/postfix/master.cf                 | 93 ++++++++++++++++++++++
 3 files changed, 154 insertions(+)
 create mode 100644 roles/mail/files/postfix/header-checks-submission.pcre
 create mode 100644 roles/mail/files/postfix/helo-access.pcre
 create mode 100644 roles/mail/files/postfix/master.cf

(limited to 'roles/mail/files')

diff --git a/roles/mail/files/postfix/header-checks-submission.pcre b/roles/mail/files/postfix/header-checks-submission.pcre
new file mode 100644
index 0000000..8abd6bf
--- /dev/null
+++ b/roles/mail/files/postfix/header-checks-submission.pcre
@@ -0,0 +1,35 @@
+#
+# Header checks policy for mails going through the submission service
+#
+# See header_checks(5)
+#
+# Usage:
+# 1. In "master.cf" set option "cleanup_service_name=subcleanup" for
+#    "submission" service;
+# 2. set option "header_checks" for "subcleanup" service.
+#
+# Credits:
+# * Anonymize headers in Postfix
+#   https://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
+# * Remove sensitive information from email headers with Postfix
+#   https://major.io/2013/04/14/remove-sensitive-information-from-email-headers-with-postfix/
+#
+#
+# Aaron LI
+# 2017-04-21
+#
+
+#
+# Strip sensitive information for outgoing mails
+#
+# NOTE:
+# * Pattern maching is case insensitive.
+# * First matched line will be modified.
+#
+#/^\s*Received:.*\(Authenticated sender:/  IGNORE
+/^\s*(Received: from)[^\n]*(.*)/  REPLACE  $1 [127.0.0.1] (localhost [127.0.0.1])$2
+/^\s*User-Agent/        IGNORE
+/^\s*X-Enigmail/        IGNORE
+/^\s*X-Forward/         IGNORE
+/^\s*X-Mailer/          IGNORE
+/^\s*X-Originating-IP/  IGNORE
diff --git a/roles/mail/files/postfix/helo-access.pcre b/roles/mail/files/postfix/helo-access.pcre
new file mode 100644
index 0000000..f678385
--- /dev/null
+++ b/roles/mail/files/postfix/helo-access.pcre
@@ -0,0 +1,26 @@
+#
+# Postfix access control on HELO/EHLO context.
+#
+# References:
+# * Postfix SMTP relay and access control
+#   http://www.postfix.org/SMTPD_ACCESS_README.html
+#
+# NOTE: by default, patterns are case insensitive.
+#
+# Aaron LI
+# 2017-08-05
+#
+
+#
+# smtpd_helo_restrictions =
+# 	permit_mynetworks,
+# 	check_helo_access pcre:/usr/local/etc/postfix/helo-access.pcre,
+# 	reject_non_fqdn_helo_hostname,
+# 	reject_invalid_helo_hostname,
+# 	reject_unknown_helo_hostname,
+# 	permit
+#
+
+# Whitelist M$ Exchange Online Protection
+# See also: https://technet.microsoft.com/en-us/library/dn163583
+/^.*\.outbound.protection.outlook.com$/         OK
diff --git a/roles/mail/files/postfix/master.cf b/roles/mail/files/postfix/master.cf
new file mode 100644
index 0000000..dc15319
--- /dev/null
+++ b/roles/mail/files/postfix/master.cf
@@ -0,0 +1,93 @@
+#
+# /usr/local/etc/postfix/master.cf
+#
+# Postfix master process configuration file.
+# See master(5), and http://www.postfix.org/master.5.html
+#
+#
+# Aaron LI
+# 2017-04-16
+#
+
+#
+# NOTE: Run "postfix reload" after editing this file!
+#
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+
+# Disable authenticiation via SMTP server port 25, force clients (MUA) to
+# use the secure submission service on port 587, therefore to make sure
+# that client # connections are always made using secure ciphers.
+#
+#smtp      inet  n       -       n       -       -       smtpd
+#  -o smtpd_sasl_auth_enable=no
+#
+# Postscreen service and friends
+smtp      inet  n       -       n       -       1       postscreen
+  -o smtpd_sasl_auth_enable=no
+smtpd     pass  -       -       n       -       -       smtpd
+dnsblog   unix  -       -       n       -       0       dnsblog
+tlsproxy  unix  -       -       n       -       0       tlsproxy
+
+# Secure submission service: require user authentication
+# https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
+submission inet n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o tls_preempt_cipherlist=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sender_restrictions=reject_sender_login_mismatch
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+  -o cleanup_service_name=subcleanup
+
+#628      inet  n       -       n       -       -       qmqpd
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+subcleanup   unix  n       -       n       -       0       cleanup
+  -o header_checks=pcre:$config_directory/header-checks-submission.pcre
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+
+# ====================================================================
+# Interfaces to non-Postfix software.  Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+
+# Dovecot LDA as the `virtual_transport` for Postfix
+# https://wiki.dovecot.org/LDA/Postfix
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver
+  -f ${sender} -d ${recipient}
-- 
cgit v1.2.2