Modernize postfix template #259
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The organization of the options in the postfix templates is confusing. there are some titles for some options, but not others that are unrelated. We can just reorder the options and add some titles to make it easier to read the files.
Options that are related to TLS are currently split into two groups in
the template, and this makes it hard to understand what is happening.
Some changes to configuration are necessary since a lot of time has
passed since the latest changes to this template. Some configuration is
actually plain wrong, and some other is doing what the documentation
recommends against. Following are some details about why options were
changed:
* smtpd_use_tls and smtp_use_tls are deprecated. We should use instead
smtp(d)_tls_security_level.
* smtpd_tls_security_level should be set to "may" in order to use
encryption opportunistically when delivering emails to other MTAs
whenever they advertise that they can do it.
* smtpd_tls_dcert_file and smtpd_tls_dkey_file exist specifically for
certificates that use DSA key pairs. This is not the norm anymore and
RSA has been the default for many years now. We should use the more
generic option smtpd_tls_cert_file.
* Since alternc generates a single file apache.pem that contains the
certificate and the private key, we don't actually need to specify
smtpd_tls_key_file.
* smtpd_tls_CApath restricts postfix to using *only* the
system-provided CAs. This might not be what some folks want to do and
the restriction that the template imposes is useless.
* we should *not* set smtp_tls_{dcert,dkey,cert,key}_file ! This is
setting up postfix to use a *client* certificate when contacting other
servers for delivery to other MTAs. This is very probably not what most
ppl want to be doing, and if some users actually want to do this because
for example the MTA configured by alternc needs to authenticate to a
remailer to get mail out to the world, then they will *not* want to use
the same certificate/private key pair than the one that's used on the
mail submission side (smtpd_*).
* smtpd_tls_auth_only, when set to "no" permits clients to send their
credentials unencrypted! This is not a good default if we expect to be
using TLS
* smtp(d)_tls_protocols should exclude deprecated cipher "families"
instead of including some of them, as is recommended in
http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
* smtpd_sasl_auth_enable is there twice
|
Quoi dire de plus qu'un gros merci pour ce boulot 👍 |
|
Should wait ssl-feature branch merging first |
|
@camlafit salut! je crois voir que la branche |
|
Salut On va finaliser la release en cours avant. On a du mal à sortir une version stable strech compatible. Donc on va finir ce point avant tout merge complémentaire. :) Mais oui on va l'intégrer |
kienanstewart
approved these changes
Dec 16, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The postfix templates for default configuration of main.cf are still using some old options. It's also configuring smtp client certs, which is not desirable at all, and some options need some changes.
I've taken a stab at modernizing those templates a bit and to also make both files look ass much alike as possible so that it's easier to compare what's different between the "primary" and "relay" mail servers.
I haven't touched the cipher lists since this subject is way more difficult to evaluate, especially in the context of mail servers.
I'm open to discuss the changes. Maybe I've missed some intentions that were not specified in comments, or maybe some ppl might disagree with some changes.
For detailed explanations about changes, see the commit message on the second commit, b414125