From 644ef66ec84eb19be5764d4ec5115c37c50d6541 Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Mon, 9 Jan 2023 18:23:21 +0100
Subject: [PATCH] feat: mail config files only
---
 roles/mail/files/dynamicmaps.cf | 1 +
 roles/mail/files/enabled_senders | 8 +++
 roles/mail/files/main.cf | 99 +++++++++++++++++++++++++++++++
 roles/mail/files/master.cf | 57 ++++++++++++++++++
 roles/mail/files/relocated | 1 +
 roles/mail/files/sender_blacklist | 6 ++
 roles/mail/files/tls_policy | 13 ++++
 roles/mail/files/transport | 3 +
 roles/mail/files/virtual | 34 +++++++++++
 9 files changed, 222 insertions(+)
 create mode 100644 roles/mail/files/dynamicmaps.cf
 create mode 100644 roles/mail/files/enabled_senders
 create mode 100644 roles/mail/files/main.cf
 create mode 100644 roles/mail/files/master.cf
 create mode 100644 roles/mail/files/relocated
 create mode 100644 roles/mail/files/sender_blacklist
 create mode 100644 roles/mail/files/tls_policy
 create mode 100644 roles/mail/files/transport
 create mode 100644 roles/mail/files/virtual
diff --git a/roles/mail/files/dynamicmaps.cf b/roles/mail/files/dynamicmaps.cf
new file mode 100644
index 0000000..e3b134d
--- /dev/null
+++ b/roles/mail/files/dynamicmaps.cf
@@ -0,0 +1 @@
+sqlite postfix-sqlite.so dict_sqlite_open
diff --git a/roles/mail/files/enabled_senders b/roles/mail/files/enabled_senders
new file mode 100644
index 0000000..adc9ba1
--- /dev/null
+++ b/roles/mail/files/enabled_senders
@@ -0,0 +1,8 @@
+# Sender adress the user may use :)
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+check@atlantishq.de check@atlantishq.de,HISTORY_PURGED_SECRET
+test@atlantishq.de check@atlantishq.de
+joerg@darknet-fashion.de joerg@darknet-fashion.de
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+@darknet-fashion.de joerg
+@atlantishq.de sheppy
diff --git a/roles/mail/files/main.cf b/roles/mail/files/main.cf
new file mode 100644
index 0000000..a57e284
--- /dev/null
+++ b/roles/mail/files/main.cf
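Review bot: The right-hand column mixes bare login names (`joerg`, `sheppy`) with full-address logins (`check@atlantishq.de`), and because main.cf feeds this table to `smtpd_sender_login_maps` with `reject_authenticated_sender_login_mismatch`, only the form that matches what Dovecot reports as the SASL login will ever permit a send; entries in the other form silently reject every message from those users. The Dovecot auth configuration is not in this patch, so please confirm which form it returns and make the column consistent. The domain-wide rows `@darknet-fashion.de joerg` and `@atlantishq.de sheppy` let a single login send as any local part of the domain, which is reasonable for a domain owner but deserves a comment, e.g. `# domain owners may send as any address in their domain`.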
@@ -0,0 +1,99 @@
+# let's confuse atackers
+smtpd_banner = $myhostname Postfix
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+# Uncomment the next line to generate "delayed mail" warnings
+# delay_warning_time = 10h
+
+queue_directory = /var/spool/postfix
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/atlantishq.de/privkey.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# tls paramaters
+smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_ciphers = high
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+tls_preempt_cipherlist = yes
+
+# breaks mailman for obvious reasons
+smtpd_tls_security_level=may
+smtpd_tls_auth_only = yes
+
+# SMTP (mainly from dovecot documentation)
+smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $myhostname
+#broken_sasl_auth_clients = no
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_mandatory_ciphers=high
+#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options =
+smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
+## restrictions
+
+# PERMIT MY NETWORKS MUST ALWAYS BE THE FIRST ARGUMENT OR YOU CANNOT SEND TO NON-LOCAL domains from NOT-DOVECOT
+#policyd-spf_time_limit = 3600
+smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
+#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
+#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
+smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
+
+# USER mappings (not reliant on unix users)
+
+# MAILMAN #
+virtual_mailbox_domains = atlantishq.de,darknet-fashion.de,darknet-fashion.com,potaris.de
+virtual_alias_maps = hash:/etc/postfix/virtual
+#recipient_cononical_maps = hash:/etc/postfix/canonical-recipient
+
+
+virtual_transport = lmtp:unix:private/dovecot_lmtp_target
+#relocated_maps = hash:/etc/postfix/mail_redirect
+alias_maps = hash:/etc/aliases
+virtual_minimum_uid = 100
+virtual_uid_maps = static:1009
+virtual_gid_maps = static:1009
+#receive_override_options = no_address_mappings
+
+# random shit
+biff = no
+readme_directory = no
+compatibility_level = 2
+myhostname = mail.atlantishq.de
+#mydestination = localhost.divercitystudio.de,localhost.atlantishq.de, ,localhost
+mydestination = localhost
+#,localhost.esports-erlangen.de,esports-erlangen.de
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+message_size_limit = 80480000
+inet_interfaces = all
+inet_protocols = all
+#alias_maps = hash:/etc/aliases
+
+# Milter configuration
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:localhost:8892
+non_smtpd_milters = $smtpd_milters
+disable_mime_output_conversion = yes
+
+authorized_submit_users = !check,static:all
diff --git a/roles/mail/files/master.cf b/roles/mail/files/master.cf
new file mode 100644
index 0000000..c7941eb
--- /dev/null
+++ b/roles/mail/files/master.cf
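Review bot: `milter_default_action = accept` makes the milter on `inet:localhost:8892` fail open: when that service is down or misconfigured Postfix accepts and delivers mail as if no milter were configured, so whatever it does (signing, scanning — the hunk does not say) is silently skipped for every message in the meantime. For a single-host setup `milter_default_action = tempfail` is the safer default, since mail then queues until the milter is back instead of leaving unsigned or unscanned. Separately, the four protocol lists mix the inclusion and exclusion forms (`TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3`); the Postfix examples use one form or the other, and a plain exclusion list such as `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` is unambiguous and also drops TLSv1.1, which has no reason to remain enabled. `smtp_tls_mandatory_ciphers` is assigned twice (`= high` in the TLS section and `=high` after the policy map); the later one wins, so remove one of them.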
@@ -0,0 +1,57 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+ -o content_filter=spamassassin
+spamassassin unix - n n - - pipe
+ user=spamd argv=/usr/bin/spamc -f -e
+ /usr/sbin/sendmail -oi -f ${sender} ${recipient}
+#smtp inet n - y - 1 postscreen
+smtps inet n - y - - smtpd -v
+ -o smtpd_tls_wrappermode=yes
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+submission inet n - y - - smtpd
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+policyd-spf unix - n n - 0 spawn
+ user=policyd-spf argv=/usr/bin/policyd-spf
+
+########################## OTHER #############################
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+dovecot unix - n n - - pipe
+ flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
diff --git a/roles/mail/files/relocated b/roles/mail/files/relocated
new file mode 100644
index 0000000..e142004
--- /dev/null
+++ b/roles/mail/files/relocated
@@ -0,0 +1 @@
+test@atlantishq.de HISTORY_PURGED_SECRET
diff --git a/roles/mail/files/sender_blacklist b/roles/mail/files/sender_blacklist
new file mode 100644
index 0000000..61945a7
--- /dev/null
+++ b/roles/mail/files/sender_blacklist
@@ -0,0 +1,6 @@
+alyssa@catapult.gg REJECT
+service-expert.net REJECT
+yougetnow.com REJECT
+forestanes.pics REJECT
+stockcard.io REJECT
+zapingers.autos REJECT
diff --git a/roles/mail/files/tls_policy b/roles/mail/files/tls_policy
new file mode 100644
index 0000000..ded2cdc
--- /dev/null
+++ b/roles/mail/files/tls_policy
@@ -0,0 +1,13 @@
+[atlantishq.de]:587 encrypt protocols=TLSv1.2 ciphers=high
+[atlantishq.de]:msa encrypt protocols=TLSv1.2 ciphers=high
+[atlantishq.de]:submission encrypt protocols=TLSv1.2 ciphers=high
+[esports-erlangen.de]:587 encrypt protocols=TLSv1.2 ciphers=high
+[esports-erlangen.de]:msa encrypt protocols=TLSv1.2 ciphers=high
+[esports-erlangen.de]:submission encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.de]:587 encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.de]:msa encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.de]:submission encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.com]:587 encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.com]:msa encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.com]:submission encrypt protocols=TLSv1.2 ciphers=high
+.datev.de encrypt
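Review bot: The `smtps` service runs `smtpd -v`, which leaves verbose debug logging switched on for the one listener whose main job is to take AUTH from mail clients; verbose smtpd logs the full client dialogue, so as far as I can tell the base64 `AUTH PLAIN` payloads would be written to the mail log. Remove the flag so the line reads `smtps inet n - y - - smtpd` with only the `-o smtpd_tls_wrappermode=yes` override beneath it. The `submission` service carries no overrides at all and therefore inherits main.cf's global `smtpd_tls_security_level=may` and the MX-style recipient restrictions; the usual pattern is `-o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject` so port 587 only serves authenticated clients rather than acting as a second inbound MX. main.cf's `smtpd_tls_auth_only = yes` does keep AUTH off cleartext connections, so this is about making the submission listener self-describing rather than dependent on the global defaults.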
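Review bot: `encrypt` forces TLS to these next-hops but performs no certificate verification, so an on-path attacker presenting any certificate still reads the traffic; for the operator's own domains listed here (main.cf serves a Let's Encrypt certificate for atlantishq.de, and the others presumably have equivalent ones — worth confirming) `secure` would verify the peer name at the cost of one DNS lookup, e.g. `[atlantishq.de]:587 secure protocols=TLSv1.2 ciphers=high`. For `.datev.de`, a third party, `secure` or `dane` should be tested before changing the level, since a verification failure there defers mail. Note that the twelve bracketed keys are port-587 next-hops; plain MX delivery to those domains goes to port 25 and would not match them, so I assume a transport entry elsewhere routes mail there — a comment at the top of the file naming that would help the next reader.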
diff --git a/roles/mail/files/transport b/roles/mail/files/transport
new file mode 100644
index 0000000..e2d7165
--- /dev/null
+++ b/roles/mail/files/transport
@@ -0,0 +1,3 @@
+atlantishq.de lmtp:unix:private/dovecot_lmtp_target
+darknet-fashion.de lmtp:unix:private/dovecot_lmtp_target
+darknet-fashion.com lmtp:unix:private/dovecot_lmtp_target
diff --git a/roles/mail/files/virtual b/roles/mail/files/virtual
new file mode 100644
index 0000000..d3034cc
--- /dev/null
+++ b/roles/mail/files/virtual
@@ -0,0 +1,34 @@
+# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
+# which will give all incoming mails of test-second-account to test (sorta obvious)
+
+# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
+# user@atlantishq.de user@esports-erlangen.de
+# every user will get emails from both domains
+
+# If a user also wants to _SEND_ mails, he also have to have an
+# entry in the /etc/postfix/enabled-senders
+
+# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
+# postmap FILENAME
+# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
+
+# sheppy
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+#HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET,michel@pa-bu.de
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+
+# michy
+HISTORY_PURGED_SECRET HISTORY_PURGED_SECRET
+
+# catchall
+#@atlantishq.de HISTORY_PURGED_SECRET
+#@esports-erlangen.de HISTORY_PURGED_SECRET
+@darknet-fashion.com joerg@darknet-fashion.de
+@darknet-fashion.de joerg@darknet-fashion.de
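Review bot: `transport` is shipped, but nothing in this commit's main.cf references it (`transport_maps` is never set), so as far as this patch shows the file is dead configuration; `relocated` is in the same position, since the `relocated_maps` line in main.cf is commented out. If an Ansible task or another main.cf fragment wires them in, a one-line comment at the top of each file saying so would help; otherwise drop them rather than leave routing tables that look authoritative but are not consulted. The table also omits `potaris.de`, which main.cf lists in `virtual_mailbox_domains`, though `virtual_transport` already sends every virtual domain to the same LMTP socket, so these three entries only restate that default.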
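Review bot: The catch-all rows `@darknet-fashion.com joerg@darknet-fashion.de` and `@darknet-fashion.de joerg@darknet-fashion.de` make Postfix accept any local part in those domains, so recipient validation at SMTP time is lost for them and dictionary-attack spam is delivered to one mailbox instead of being rejected; if that is the intent, a comment beside the rows saying so would save the next reader a question. The header comment `CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD` is, as far as I know, inaccurate: hash tables are opened by each daemon process when it starts, so `postmap` followed by `postfix reload` is enough, and I would reword it to `# run postmap on this file, then postfix reload to pick up the new table`. The comment also points at `/etc/postfix/enabled-senders`, but the file added in this commit and referenced by main.cf is `enabled_senders`, so the hint sends people to a path that does not exist.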