New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modernize postfix template #259
base: main
Are you sure you want to change the base?
Conversation
The organization of the options in the postfix templates is confusing. there are some titles for some options, but not others that are unrelated. We can just reorder the options and add some titles to make it easier to read the files.
Options that are related to TLS are currently split into two groups in the template, and this makes it hard to understand what is happening. Some changes to configuration are necessary since a lot of time has passed since the latest changes to this template. Some configuration is actually plain wrong, and some other is doing what the documentation recommends against. Following are some details about why options were changed: * smtpd_use_tls and smtp_use_tls are deprecated. We should use instead smtp(d)_tls_security_level. * smtpd_tls_security_level should be set to "may" in order to use encryption opportunistically when delivering emails to other MTAs whenever they advertise that they can do it. * smtpd_tls_dcert_file and smtpd_tls_dkey_file exist specifically for certificates that use DSA key pairs. This is not the norm anymore and RSA has been the default for many years now. We should use the more generic option smtpd_tls_cert_file. * Since alternc generates a single file apache.pem that contains the certificate and the private key, we don't actually need to specify smtpd_tls_key_file. * smtpd_tls_CApath restricts postfix to using *only* the system-provided CAs. This might not be what some folks want to do and the restriction that the template imposes is useless. * we should *not* set smtp_tls_{dcert,dkey,cert,key}_file ! This is setting up postfix to use a *client* certificate when contacting other servers for delivery to other MTAs. This is very probably not what most ppl want to be doing, and if some users actually want to do this because for example the MTA configured by alternc needs to authenticate to a remailer to get mail out to the world, then they will *not* want to use the same certificate/private key pair than the one that's used on the mail submission side (smtpd_*). * smtpd_tls_auth_only, when set to "no" permits clients to send their credentials unencrypted! This is not a good default if we expect to be using TLS * smtp(d)_tls_protocols should exclude deprecated cipher "families" instead of including some of them, as is recommended in http://www.postfix.org/postconf.5.html#smtpd_tls_protocols * smtpd_sasl_auth_enable is there twice
Quoi dire de plus qu'un gros merci pour ce boulot 👍 |
Should wait ssl-feature branch merging first |
@camlafit salut! je crois voir que la branche |
Salut On va finaliser la release en cours avant. On a du mal à sortir une version stable strech compatible. Donc on va finir ce point avant tout merge complémentaire. :) Mais oui on va l'intégrer |
The postfix templates for default configuration of main.cf are still using some old options. It's also configuring smtp client certs, which is not desirable at all, and some options need some changes.
I've taken a stab at modernizing those templates a bit and to also make both files look ass much alike as possible so that it's easier to compare what's different between the "primary" and "relay" mail servers.
I haven't touched the cipher lists since this subject is way more difficult to evaluate, especially in the context of mail servers.
I'm open to discuss the changes. Maybe I've missed some intentions that were not specified in comments, or maybe some ppl might disagree with some changes.
For detailed explanations about changes, see the commit message on the second commit, b414125