Mailout: Port redirection #1

Open
LecrisUT opened this issue Feb 24, 2021 · 0 comments
This issue is to keep track of the recent tests and documentation of the minimum postfix configuration needed for the port redirection. For other mail servers we should ask the community to help on that.

Basic interface with mailout

TBD

Minimum postfix configuration

When receiving on port 25 (or NATed over from custom port 2525), the default configuration should be sufficient. In master.cf the main service that handles the incoming mails is submission (TBC). Commonly found reasons for not being able to receive mails on port 465 and 587 are either postfix blocking the connection or a misconfigured TLS setup. For the postfix settings the user should check that the following options allow receiving:

```conf
## These are placeholder settings for now. DO NOT use these settings as we have not tested the security yet.
## If others have experience and insight setting these options please comment.

## TODO: find the appropriate safe options to:
## 1) Deny access to non-authenticated users to send mails from the service
## 2a) Allow receiving the mails from mailout receiving MX record
## 2b) Allow receiving the mails from arbitrary source. (Useful for overriding mailout on IPv6)
## PS: it is not recommended to have ONLY these options set/unset, but

## Note: smtpd_client_restrictions is listed twice below as two candidate values;
## Postfix only honours the last "-o" override of a given parameter, so pick one.
submission inet n       -       n       -       -       smtpd
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
```

Otherwise mailout is properly configured to allow setting:

```conf
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
```

TLS certificate

Misconfiguration here has also led to a few issues with mailout relaying mails, particularly when setting up additional MX subdomains to redirect the mails.
Coming soon: recommended and simple configuration for setting up manual and automatic certificate renewal using certbot, step and caddy.

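The following master.cf fragment is an added example written for this page; it is not the issue author's configuration and not the mailout project's documented setup, and it does not settle the open TODO above. It shows the Postfix semantics behind the three goals in the placeholder comment: `reject_unauth_destination` is what stops unauthenticated clients from relaying while still accepting mail for the domains listed in `mydestination`/`relay_domains`, whereas a bare `reject` at the end of `smtpd_relay_restrictions` (as in the placeholder) rejects every recipient from a client that did not authenticate, including mail arriving from mailout. Assumptions, all illustrative: local domains are in `mydestination` in main.cf, SASL is already configured, the mailout relay connects from 203.0.113.10 (a documentation-range address standing in for the real one) and negotiates STARTTLS on 587.

```conf
# Added example, not from the issue or the mailout project. Assumptions are
# marked inline. Requires SASL to be set up separately in main.cf.

# --- WEAK (the placeholder taken literally): the trailing "reject" bounces
# every recipient from any client that has not done SASL AUTH, so inbound
# mail from mailout (which does not authenticate) is refused.
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# --- Candidate for goals 1 + 2b: authenticated users may relay anywhere,
# anybody else may only deliver to our own domains, and AUTH is never
# offered on a plaintext connection.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  # reject_unauth_destination permits mydestination/relay_domains recipients
  # from any client; everything else needs permit_sasl_authenticated first.
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  # Repeated here for Postfix < 2.10, which has no smtpd_relay_restrictions.
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  # Keep the default (yes) here, unlike the MUA-oriented placeholder:
  # unknown local recipients are then refused at RCPT instead of bounced later.
  -o smtpd_reject_unlisted_recipient=yes

# Implicit-TLS variant on 465 (smtps): the session is TLS from the first byte,
# so smtpd_tls_auth_only is already satisfied by smtpd_tls_wrappermode.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_reject_unlisted_recipient=yes

# --- Tighter variant for goal 2a only: accept unauthenticated mail solely
# from the mailout relay address (assumed 203.0.113.10, replace with the
# real one) and reject every other unauthenticated client outright.
# Use these two lines on the submission service instead of the relay line above.
#  -o mynetworks=127.0.0.0/8,[::1]/128,203.0.113.10/32
#  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
```

To check what Postfix actually applies after a change, `postconf -Mf submission/inet` prints the effective service entry with all `-o` overrides, and `postconf -P submission/inet/smtpd_relay_restrictions` prints a single override. `openssl s_client -connect mail.example.org:587 -starttls smtp` (hostname is a placeholder) lets you confirm that the `250-AUTH` capability is only advertised after STARTTLS and that the certificate chain the TLS section above refers to is the one being served. With `smtpd_tls_security_level=encrypt` a relay that never issues STARTTLS on 587 will be refused with "Must issue a STARTTLS command first"; if that turns out to be mailout's behaviour, relax it to `may` and rely on `smtpd_tls_auth_only` alone for protecting credentials.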
xtuc added a commit that referenced this issue Mar 9, 2021