From 12e996003e8925285e4740c7da7ac11e822cfdb5 Mon Sep 17 00:00:00 2001
From: = <=>
Date: Thu, 19 Dec 2024 01:36:27 -0500
Subject: [PATCH] postfix

---
 postfix/Dockerfile | 28 ++++++
 postfix/config/header_checks.pcre | 0
 postfix/config/ldap_aliases.cf | 9 ++
 postfix/config/ldap_senders.cf | 9 ++
 postfix/config/main.cf | 111 +++++++++++++++++++++++
 postfix/config/master.cf | 63 +++++++++++++
 postfix/config/sender_header_checks.pcre | 10 ++
 postfix/start.sh | 26 ++++++
 8 files changed, 256 insertions(+)
 create mode 100644 postfix/Dockerfile
 create mode 100644 postfix/config/header_checks.pcre
 create mode 100644 postfix/config/ldap_aliases.cf
 create mode 100644 postfix/config/ldap_senders.cf
 create mode 100644 postfix/config/main.cf
 create mode 100644 postfix/config/master.cf
 create mode 100644 postfix/config/sender_header_checks.pcre
 create mode 100755 postfix/start.sh

diff --git a/postfix/Dockerfile b/postfix/Dockerfile
new file mode 100644
index 0000000..e0a2614
--- /dev/null
+++ b/postfix/Dockerfile
@@ -0,0 +1,28 @@
+FROM alpine:3
+
+RUN apk add --update --no-cache \
+ bash \
+ nano \
+ curl \
+ postfix \
+ postfix-ldap \
+ postfix-pcre \
+ postfix-policyd-spf-perl \
+ ca-certificates
+
+RUN update-ca-certificates && \
+ mkdir /cert && \
+ chown 100:101 /cert
+
+COPY --chown=root:root start.sh config /
+
+VOLUME /config
+VOLUME /cert
+VOLUME /var/spool/postfix
+
+EXPOSE 10025/tcp
+EXPOSE 10465/tcp
+
+USER root
+
+CMD ["/start.sh"]
\ No newline at end of file
diff --git a/postfix/config/header_checks.pcre b/postfix/config/header_checks.pcre
new file mode 100644
index 0000000..e69de29
diff --git a/postfix/config/ldap_aliases.cf b/postfix/config/ldap_aliases.cf
new file mode 100644
index 0000000..ccfbe0e
--- /dev/null
+++ b/postfix/config/ldap_aliases.cf
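Review bot: `COPY --chown=root:root start.sh config /` copies the contents of `config/` rather than the directory itself, so `main.cf` and the other files land in `/` while `start.sh` runs `postfix -c /config` and `VOLUME /config` is declared over an empty path — unless a runtime volume supplies them, Postfix starts without this configuration. Split it into `COPY --chown=root:root start.sh /` and `COPY --chown=root:root config/ /config/`, and keep the `VOLUME /config` line after that copy. `chown 100:101 /cert` also hands the TLS key directory to an unprivileged account; smtpd and tlsproxy appear to load their key material before dropping privileges, so the key can stay `root:root 0600` — confirm against the installed Postfix version before relying on that. `FROM alpine:3` is unpinned and `nano` has no role in a mail container; pin the tag (or digest) and drop the editor to keep the attack surface of a root-running image small.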
@@ -0,0 +1,9 @@
+server_host = ldaps://ldap.balsillie.net:636
+version = 3
+bind = yes
+bind_dn = cn=bind,dc=balsillie,dc=net
+bind_pw = $ldap_bind_pw
+search_base = ou=users,dc=balsillie,dc=net
+scope = sub
+query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
+result_attribute = mail
\ No newline at end of file
diff --git a/postfix/config/ldap_senders.cf b/postfix/config/ldap_senders.cf
new file mode 100644
index 0000000..69191a5
--- /dev/null
+++ b/postfix/config/ldap_senders.cf
@@ -0,0 +1,9 @@
+server_host = ldaps://ldap.balsillie.net:636
+version = 3
+bind = yes
+bind_dn = cn=bind,dc=balsillie,dc=net
+bind_pw = $ldap_bind_pw
+search_base = ou=users,dc=balsillie,dc=net
+scope = sub
+query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
+result_attribute = mail,uid
\ No newline at end of file
diff --git a/postfix/config/main.cf b/postfix/config/main.cf
new file mode 100644
index 0000000..473a3a3
--- /dev/null
+++ b/postfix/config/main.cf
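Review bot: The table uses `ldaps://` but never sets `tls_require_cert`, and Postfix's ldap_table default for it is `no`, so the LDAP server certificate is not verified and an on-path attacker between the container and `ldap.balsillie.net` can capture the bind password and substitute lookup results. Add `tls_require_cert = yes` and `tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt` (the Dockerfile installs `ca-certificates`, so the bundle exists at that path). `bind_pw = $ldap_bind_pw` also depends on `ldap_bind_pw` being defined in the main.cf Postfix actually reads, which is worth asserting at startup with `postconf -c /config -h ldap_bind_pw`.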
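Review bot: Same verification gap as ldap_aliases.cf — `ldaps://` without `tls_require_cert = yes` and `tls_ca_cert_file` — and here the stakes are higher because master.cf wires this file into `smtpd_sender_login_maps` for the submission port, so forged lookup results let any authenticated account pass `reject_sender_login_mismatch` for an arbitrary address. Add the two `tls_*` parameters, and consider a comment noting that `result_attribute = mail,uid` means a user may send as an address only if the SASL login name Dovecot returns equals that entry's `mail` or `uid` — I cannot confirm from the patch which form Dovecot hands back.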
@@ -0,0 +1,111 @@
+myhostname = smtp.balsillie.net
+mydomain = balsillie.net
+myorigin = $mydomain
+mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.0/24
+mydestination = $myhostname localhost
+
+biff = no
+bounce_queue_lifetime = 1d
+broken_sasl_auth_clients = no
+compatibility_level = 3.6
+
+header_checks = pcre:/config/header_checks.pcre
+
+inet_interfaces = all
+inet_protocols = ipv4
+
+lmtp_tls_loglevel = 1
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+lmtp_tls_security_level = none
+lmtp_tls_wrappermode = no
+lmtp_use_tls = no
+
+local_recipient_maps =
+local_transport = local:$myhostname
+
+mailbox_size_limit = 51200000
+maillog_file = /dev/stdout
+maximal_queue_lifetime = 1d
+message_size_limit = 51200000
+mime_header_checks = $header_checks
+
+# Milters
+milter_protocol = 6
+milter_default_action = accept
+dkim_milter = inet:127.0.0.1:8891
+# dmarc_milter = inet:localhost:8893
+# smtpd_milters = $dkim_milter,$dmarc_milter
+smtpd_milters = $dkim_milter
+non_smtpd_milters = $dkim_milter
+
+postscreen_access_list =
+postscreen_denylist_action = drop
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_allowlist_threshold = -1
+postscreen_dnsbl_sites =
+ zen.spamhaus.org=127.0.1.[2..254]*3,
+ ix.dnsbl.manitu.net*3,
+ bl.spamcop.net,
+ b.barracudacentral.org,
+ safe.dnsbl.sorbs.net,
+ swl.spamhaus.org*-10,
+postscreen_dnsbl_threshold = 3
+postscreen_greet_action = ignore
+postscreen_greet_banner =
+postscreen_upstream_proxy_protocol =
+
+# proxy_interfaces = x.x.x.x # Set with postconf during startup
+recipient_delimiter = +
+relay_domains =
+relayhost =
+sender_dependent_relayhost_maps =
+
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps =
+smtp_tls_protocols = !SSLv2, !SSLv3
+smtp_tls_security_level = dane
+
+smtpd_banner = $myhostname ESMTP
+
+# SASL - SMTPS sasl settings specified in master.cf
+
+smtpd_sasl_auth_enable = no
+
+# SMTPD restrictions
+
+smtpd_helo_required = yes
+smtpd_delay_reject = yes
+smtpd_client_restrictions = reject_unknown_client_hostname
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
+smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_relay_restrictions = permit_auth_destination, reject_unauth_destination
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
+
+# client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
+# helo , reject_rhsbl_helo dbl.spamhaus.org
+# sender , reject_rhsbl_sender dbl.spamhaus.org
+
+smtpd_tls_cert_file=/cert/tls.crt
+smtpd_tls_key_file=/cert/tls.key
+smtpd_tls_dh1024_param_file = /cert/dhparams.pem
+smtpd_tls_loglevel = 1
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_security_level = encrypt
+
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
+tls_ssl_options = NO_COMPRESSION
+
+unverified_recipient_reject_code = 577
+
+virtual_alias_maps = ldap:/config/ldap_users.cf
+virtual_mailbox_base =
+virtual_mailbox_domains = $mydomain
+virtual_mailbox_maps = $virtual_alias_maps
+virtual_transport = lmtp:unix:private/dovecot-lmtp
\ No newline at end of file
diff --git a/postfix/config/master.cf b/postfix/config/master.cf
new file mode 100644
index 0000000..c3546ad
--- /dev/null
+++ b/postfix/config/master.cf
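Review bot: `virtual_alias_maps = ldap:/config/ldap_users.cf` points at a file this patch does not create (it adds `ldap_aliases.cf` and `ldap_senders.cf`), and `virtual_mailbox_maps = $virtual_alias_maps` inherits the same path, so every recipient lookup fails to open its table and inbound mail for `$mydomain` is deferred; this should read `virtual_alias_maps = ldap:/config/ldap_aliases.cf` unless a file of that name is mounted at runtime. `smtpd_tls_security_level = encrypt` is global, so the postscreen/`smtpd pass` MX service on 10025 also refuses any sending MTA that does not STARTTLS, which loses legitimate mail rather than protecting it (opportunistic TLS is the MX norm); set `may` here and keep `encrypt` only on the 10465 submission service through an `-o smtpd_tls_security_level=encrypt` override in master.cf. `milter_default_action = accept` means that whenever the DKIM milter on `inet:127.0.0.1:8891` is down, submitted mail leaves unsigned — `tempfail` is the safer choice for the submission path, and a sentence to that effect belongs in the `# Milters` comment.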
@@ -0,0 +1,63 @@
+# ======================================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# ======================================================================================
+
+# Inputs
+10025 inet n - n - 1 postscreen
+10465 inet n - n - 1 smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_sasl_local_domain=$mydomain
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=inet:127.0.0.1:12345
+ -o smtpd_sasl_security_options=noanonymous,noplaintext
+ -o smtpd_sasl_tls_security_options=noanonymous
+ -o smtpd_sender_login_maps=ldap:/config/ldap_senders.cf
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_sender_login_mismatch
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_recipient_restrictions=reject_non_fqdn_recipient
+ -o smtpd_data_restrictions=
+ -o smtpd_tls_auth_only=yes
+ -o cleanup_service_name=scleanup
+smtpd pass - - n - - smtpd
+
+# Processing
+qmgr unix n - n 300 1 qmgr
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+verify unix - - n - 1 verify
+pickup unix n - n 60 1 pickup
+ -o receive_override_options=no_header_body_checks
+
+# Outputs
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+relay unix - - n - - smtp
+rewrite unix - - n - - trivial-rewrite
+local unix - n n - - local
+lmtp unix - - n - - lmtp
+smtp unix - - n - - smtp
+scache unix - - n - 1 scache
+
+# Logging
+postlog unix-dgram n - n - 1 postlogd
+anvil unix - - n - 1 anvil
+
+# Helpers
+dnsblog unix - - n - 0 dnsblog
+tlsproxy unix - - n - 0 tlsproxy
+trace unix - - n - 0 bounce
+tlsmgr unix - - n 1000? 1 tlsmgr
+showq unix n - n - - showq
+cleanup unix n - n - 0 cleanup
+scleanup unix n - - - 0 cleanup
+ -o header_checks=pcre:/config/sender_header_checks.pcre
+
+# Other
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
\ No newline at end of file
diff --git a/postfix/config/sender_header_checks.pcre b/postfix/config/sender_header_checks.pcre
new file mode 100644
index 0000000..995be39
--- /dev/null
+++ b/postfix/config/sender_header_checks.pcre
@@ -0,0 +1,10 @@
+/^\s*Received:.*with ESMTPSA/ IGNORE
+/^\s*Received:.*amavisd-new/ IGNORE
+/^\s*X-Originating-IP:/ IGNORE
+/^\s*X-Mailer:/ IGNORE
+/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
+/^\s*User-Agent/ IGNORE
+/^\s*X-Enigmail/ IGNORE
+/^\s*X-Mailer/ IGNORE
+/^\s*X-Originating-IP/ IGNORE
+/^\s*Received: from.*127.0.0.1/ IGNORE
\ No newline at end of file
diff --git a/postfix/start.sh b/postfix/start.sh
new file mode 100755
index 0000000..ea24616
--- /dev/null
+++ b/postfix/start.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# --- 2023 Old ---
+
+# # Add ENV vars to postfix config
+# # postconf -e -c /config myhostname=$HOSTNAME
+
+# /usr/sbin/postconf compatibility_level=3.6
+
+# # Upgrade postfix config
+# postfix -c /config upgrade-configuration
+
+# # Config check
+# postfix -c /config check
+
+# # Start postfix
+# /usr/sbin/postfix -vvvv -c /config start-fg
+
+# --- 2024-12-18 ---
+
+IP=$(curl https://ipv4.icanhazip.com)
+/usr/sbin/postconf proxy_interfaces="$IP"
+/usr/sbin/postconf ldap_bind_pw="$LDAP_BIND_PW"
+
+# Start postfix
+/usr/sbin/postfix -v -c /config start-fg
\ No newline at end of file
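Review bot: The 10465 submission service has no authentication rate limit, so the `anvil` service declared further down is never consulted for password guessing against the Dovecot SASL socket; add `-o smtpd_client_auth_rate_limit=...` (Postfix 3.1 and later) or at least `-o smtpd_client_connection_rate_limit=...` to that service. `-o smtpd_sasl_authenticated_header=yes` is also nullified by `-o cleanup_service_name=scleanup`, whose header_checks drop every `Received:` line containing `with ESMTPSA` — either remove the option or add a comment stating that the authenticated sender is recorded only in the maillog. The `scleanup` entry is the one service whose chroot column is `-` rather than `n`; with `compatibility_level = 3.6` that should resolve to no chroot, but writing `n` explicitly matches the other entries and removes the dependence on the default.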
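Review bot: `/^\s*Received: from.*127.0.0.1/ IGNORE` and the `amavisd-new` rule strip `Received:` lines that the submitting client already carried in the message, not only the one this Postfix adds, which conflicts with RFC 5321 section 4.4 (an MTA must not delete earlier `Received:` lines) and erases the trail an incident responder would want; the usual privacy recipe keeps only the `with ESMTPSA` rule, and if the loopback rule stays the dots should be escaped (`127\.0\.0\.1`) so it does not match unrelated text. `X-Mailer` and `X-Originating-IP` each appear twice (with and without the trailing `:`); keep one form per header. A one-line header comment would also help, e.g. `# Applied only by the scleanup service (port 10465 submissions); strips client-identifying headers.`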
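Review bot: Both `postconf` calls omit `-c /config`, so they edit the package default `/etc/postfix/main.cf`, while the last line starts Postfix with `-c /config` — `proxy_interfaces` and `ldap_bind_pw` never reach the configuration that actually runs (unless `MAIL_CONFIG` is set in the environment, which the patch does not show). The curl output is also written into main.cf unvalidated and without `-f`/`--max-time`, so an error page, a captive-portal response or a hung request becomes the parameter value or blocks startup. The script has no `set -e`, and Postfix is started as a child of the shell rather than via `exec`, so `docker stop` signals the shell, not master. Note too that `ldap_bind_pw` ends up in clear text in a world-readable main.cf on the `/config` volume; if that is an accepted trade-off, say so in a comment. Suggested rewrite of the active section:
```shell
#!/bin/sh
set -eu

# … unchanged: commented-out 2023 block …

# --- 2024-12-18 ---

# Public IPv4 for proxy_interfaces; fail on HTTP errors/timeouts and reject
# anything that is not dotted digits so a non-IP response cannot reach main.cf.
IP=$(curl -fsS --max-time 10 https://ipv4.icanhazip.com)
case "$IP" in
  ""|*[!0-9.]*) echo "start.sh: unexpected public IP lookup result: '$IP'" >&2; exit 1 ;;
esac

# Edit the config directory Postfix is actually started with.
/usr/sbin/postconf -c /config proxy_interfaces="$IP"
/usr/sbin/postconf -c /config ldap_bind_pw="$LDAP_BIND_PW"

# exec so master replaces the shell and receives docker stop's SIGTERM.
exec /usr/sbin/postfix -v -c /config start-fg
```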