Mailout: Port redirection #1

Open
@LecrisUT

This issue is to keep track of the recent tests and documentation of the minimum postfix configuration needed for the port redirection. For other mail-servers we should ask the community to help on that.

Basic interface with mailout

TBD

Minimum postfix configuration

When receiving on port 25 (or NATed over from custom port 2525), the default configuration should be sufficient. In master.cf the main service that handles the incoming mails is submission (TBC). Commonly found reasons for not being able to receive mails on ports 465 and 587 are either postfix blocking the connection or TLS being misconfigured. For the postfix settings the user should check that the following options allow receiving:

## These are placeholder settings for now. DO NOT use these settings as we have not tested the security yet.
## If others have experience and insight setting these options please comment.

## TODO: find the appropriate safe options to:
## 1) Deny access to non-authenticated users to send mails from the service
## 2a) Allow receiving the mails from mailout receiving MX record
## 2b) Allow receiving the mails from arbitrary source. (Useful for overriding mailout on IPv6)
## PS: it is not recommended to have ONLY these options set/unset, but 

submission inet n       -       n       -       -       smtpd
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions

Otherwise mailout is properly configured to allow setting:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes

TLS certificate

Misconfiguration here has also led to a few issues with mailout relaying mails, particularly when setting up additional MX subdomains to redirect the mails.
Coming soon: recommended and simple configuration for setting up manual and automatic certificate renewal using certbot, step and caddy.
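
The master.cf checks described under "Minimum postfix configuration" can be scripted. The following is an added example, not part of the original issue or the mailout project: it reads master.cf text the way Postfix does (comment lines skipped, indented lines continue the previous entry) and reports whether the `submission` and `smtps` entries are active, whether `smtpd_tls_auth_only=yes` is set on them, and whether an override is repeated. `SAMPLE`, `parse_master_cf` and `audit` are names made up for this example, and only the plain `-o name=value` form is handled.

```python
# Added example: audit master.cf text for the two services discussed above.
# SAMPLE is constructed for illustration; it is not a tested or recommended config.
SAMPLE = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated
  -o smtpd_client_restrictions=$mua_client_restrictions
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_auth_only=yes
"""

def parse_master_cf(text):
    """Return {(service, type): [(name, value), ...]} for active entries."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()    # indented line continues the entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:                     # service type private unpriv chroot wakeup maxproc command
            continue
        args = fields[8:]
        services[(fields[0], fields[1])] = [
            tuple(args[i + 1].split("=", 1))
            for i, tok in enumerate(args[:-1]) if tok == "-o" and "=" in args[i + 1]]
    return services

def audit(text, wanted=("submission", "smtps")):
    """List findings for the named inet services (assumed named as on this page)."""
    services = parse_master_cf(text)
    findings = []
    for name in wanted:
        overrides = services.get((name, "inet"))
        if overrides is None:
            findings.append(f"{name}: no active inet entry, postfix is not listening for it")
            continue
        names = [n for n, _ in overrides]
        for dup in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"{name}: {dup} is set more than once")
        if dict(overrides).get("smtpd_tls_auth_only") != "yes":
            findings.append(f"{name}: smtpd_tls_auth_only=yes not set in master.cf (check main.cf)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To check a live server, pass the contents of its real master.cf (the directory is shown by `postconf -h config_directory`) to `audit`.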
