From 4e68d2fa394483b75458face769d6a05f4280a72 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Fri, 8 Jul 2016 10:21:21 +0200
Subject: [PATCH] tls config in main.cf

---
 rootfs/etc/confd/templates/main.cf.tmpl | 53 +++++++++++++++--------
 rootfs/etc/confd/templates/master.cf.tmpl | 11 +----
 2 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/rootfs/etc/confd/templates/main.cf.tmpl b/rootfs/etc/confd/templates/main.cf.tmpl
index 63c6ada..d41052f 100644
--- a/rootfs/etc/confd/templates/main.cf.tmpl
+++ b/rootfs/etc/confd/templates/main.cf.tmpl
@@ -1,48 +1,63 @@
 compatibility_level = 2
-queue_directory = /var/spool/postfix
-command_directory = /usr/sbin
-daemon_directory = /usr/lib/postfix
-data_directory = /var/lib/postfix
+
 mail_owner = postfix
 myhostname = {{getenv "MYHOSTNAME"}}
 mydomain = {{getenv "MYDOMAIN"}}
 myorigin = $mydomain
 mydestination = localhost
+
 unknown_local_recipient_reject_code = 550
 mynetworks_style = subnet
 relay_domains = $mydestination
 recipient_delimiter = +
+
 mailbox_transport = lmtp:{{getenv "LMTPHOST"}}
 mailbox_size_limit = {{getenv "MAILBOXSIZELIMIT"}}
-smtpd_banner = $myhostname ESMTP $mail_name
+smtpd_banner = {{getenv "SMTP"}} $myhostname ESMTP $mail_name
+
 virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
 virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
 virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-virtual-alias-maps.cf
 virtual_transport = lmtp:inet:{{getenv "LMTPHOST"}}:{{getenv "LMTPPORT"}}
+
+smtpd_tls_key_file=/etc/ssl/mail/privkey.pem
+smtpd_tls_cert_file=/etc/ssl/mail/fullchain.pem
+
+smtpd_tls_security_level = {{getenv "TLSSECURITYLEVEL"}}
+smtpd_tls_auth_only = yes
+
+smtpd_tls_mandatory_protocols = {{getenv "TLSMANDATORYPROTOCOLS"}}
+smtpd_tls_mandatory_ciphers = {{getenv "TLSMANDATORYCIPHERS"}}
+smtpd_tls_ciphers = {{getenv "TLSCIPHERS"}}
+smtpd_tls_mandatory_exclude_ciphers = {{getenv "TLSMANDATORYEXCLUDECIPHERS"}}
+smtpd_tls_wrappermode = no
+
+smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
+smtp_tls_ciphers = $smtpd_tls_ciphers
+
+lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
+lmtp_tls_ciphers = $smtpd_tls_ciphers
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = inet:{{getenv "DOVECOTHOST"}}:{{getenv "DOVECOTAUTHPORT"}}
 smtpd_sasl_auth_enable = yes
-smtpd_tls_security_level = {{getenv "TLSSECURITYLEVEL"}}
-smtpd_tls_auth_only = yes
+
+smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
+
 smtpd_milters = inet:{{getenv "SPAMASSASSINHOST"}}:{{getenv "SPAMASSASSINPORT"}}
 non_smtpd_milters = $smtpd_milters
 milter_default_action = accept
+milter_macro_daemon_name = ORIGINATING
 #milter_connect_macros = "i j {daemon_name} v {if_name} _"
+
 message_size_limit = {{getenv "MESSAGESIZELIMIT"}}
 sender_dependent_default_transport_maps = hash:/etc/postfix/sender-transport
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_tls_mandatory_protocols = {{getenv "TLSMANDATORYPROTOCOLS"}}
+
 tls_preempt_cipherlist = yes
-smtpd_tls_mandatory_ciphers = {{getenv "TLSMANDATORYCIPHERS"}}
-smtpd_tls_ciphers = {{getenv "TLSCIPHERS"}}
-smtpd_tls_mandatory_exclude_ciphers = {{getenv "TLSMANDATORYEXCLUDECIPHERS"}}
-smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
-smtp_tls_ciphers = $smtpd_tls_ciphers
-lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
-lmtp_tls_ciphers = $smtpd_tls_ciphers
+
 smtputf8_enable = no
 biff = no
-smtpd_tls_key_file=/etc/ssl/mail/privkey.pem
-smtpd_tls_cert_file=/etc/ssl/mail/fullchain.pem
diff --git a/rootfs/etc/confd/templates/master.cf.tmpl b/rootfs/etc/confd/templates/master.cf.tmpl
index dd69f1c..8b1ff36 100644
--- a/rootfs/etc/confd/templates/master.cf.tmpl
+++ b/rootfs/etc/confd/templates/master.cf.tmpl
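Review bot: The client-side TLS settings added in this hunk (`smtp_tls_mandatory_ciphers`, `smtp_tls_ciphers`, the two `lmtp_tls_*` lines and `smtp_tls_session_cache_database`) have no effect unless a client security level is set, and nothing in the hunk — which appears to span the whole of main.cf — sets `smtp_tls_security_level` or `lmtp_tls_security_level`, so outbound SMTP and the LMTP hand-off to `{{getenv "LMTPHOST"}}` stay at Postfix's default of no TLS; `smtp_tls_security_level = may` and `lmtp_tls_security_level = may` next to the cipher lines would make the cipher configuration live. The env-driven server settings fail open in the same direction: confd's `getenv` renders an empty string when the variable is unset, an empty `smtpd_tls_security_level` leaves STARTTLS disabled, and an empty `smtpd_tls_mandatory_protocols` permits every protocol version, so a template default such as `smtpd_tls_security_level = {{getenv "TLSSECURITYLEVEL" "may"}}` (if the confd version in use accepts a default argument) or a startup check that the TLS variables are non-empty would prevent a silently plaintext deployment. Promoting `milter_macro_daemon_name = ORIGINATING` from the submission service override in master.cf to a global setting also labels inbound port-25 traffic as originating for any milter that keys on the `{daemon_name}` macro; if that is not intended, it belongs back in master.cf as a `-o` override on `submission` only.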
@@ -1,19 +1,12 @@ -smtp inet n - - - - smtpd - -o syslog_name=postfix/smtp - -o myhostname={{getenv "MYDOMAIN"}} - {{getenv "MYDOMAIN"}}-out unix - - - - - smtp -o smtp_helo_name={{getenv "MYHOSTNAME"}} - -o syslog_name=postfix/smtp-out + -o syslog_name=postfix/smtp-{{getenv "MYHOSTNAME"}} submission inet n - - - - smtpd -o syslog_name=postfix/submission - -o smtpd_tls_wrappermode=no -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination - -o milter_macro_daemon_name=ORIGINATING +smtp inet n - n - - smtpd pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr
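Review bot: The rewritten `submission` entry keeps only `-o syslog_name` and `-o smtpd_tls_security_level=encrypt`, so SASL authentication and the relay policy on the submission port now come from main.cf globals, and those same globals (`smtpd_sasl_auth_enable = yes`, `smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination`) apply equally to the new plain `smtp inet n - n - - smtpd` service on port 25. main.cf already carried `smtpd_sasl_auth_enable = yes` before this commit, so offering AUTH on the MX port is not new behaviour, but the per-service overrides made that intent explicit and their removal makes it easy to lose track of which port is meant to accept credentials. If AUTH is only meant for the submission port, add `  -o smtpd_sasl_auth_enable=no` under the `smtp` service and restore `  -o smtpd_sasl_auth_enable=yes` on `submission`; with `smtpd_tls_auth_only = yes` in main.cf, any AUTH on port 25 is at least confined to post-STARTTLS sessions. The old `smtp` service's `-o myhostname={{getenv "MYDOMAIN"}}` override is also dropped, so the port-25 banner and HELO name now fall back to `myhostname`, which is presumably the intended simplification but worth confirming against what the MX record and reverse DNS publish.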