From 69973b31e3a95c6436ca513b0ceada1406f9a111 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Wed, 6 Jan 2021 23:35:26 +0100
Subject: [PATCH] daily autocommit

---
 .etckeeper | 1 +
 motd | 5 +-
 postfix/helo_access.pcre | 2 +
 postfix/main.cf.2021-01-06_22-34-07 | 313 ++++++++++++++++++++++++++++
 postfix/postscreen_access.cidr | 1 +
 postfix/sender_access.pcre | 2 +
 6 files changed, 321 insertions(+), 3 deletions(-)
 create mode 100644 postfix/main.cf.2021-01-06_22-34-07

diff --git a/.etckeeper b/.etckeeper
index f9e6f6b..1ff5b97 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -1382,6 +1382,7 @@ maybe chmod 0640 'postfix/helo_access.pcre.2016.07.20.08.58.54'
 maybe chmod 0644 'postfix/main.cf'
 maybe chmod 0644 'postfix/main.cf.2016.07.20.08.58.54'
 maybe chmod 0644 'postfix/main.cf.2016.07.20.09.03.50'
+maybe chmod 0644 'postfix/main.cf.2021-01-06_22-34-07'
 maybe chmod 0644 'postfix/main.cf.proto'
 maybe chmod 0644 'postfix/master.cf'
 maybe chmod 0644 'postfix/master.cf.2016.07.20.08.58.54'
diff --git a/motd b/motd
index b5783e4..99aa4b7 100644
--- a/motd
+++ b/motd
@@ -6,9 +6,8 @@ Debian GNU/Linux 10 (buster)
 |____/ \__,_|_| \__,_|_| |_|
-Gott Abrahams, Gott Isaaks, Gott Jakobs, nicht der Gott der
-Philosophen und Gelehrten.
- -- Blaise Pascal
+Was nicht in die Masse dringt, ist unwirksam.
+ -- Karl Jaspers
 Today is Sweetmorn, the 6th day of Chaos in the YOLD 3187
diff --git a/postfix/helo_access.pcre b/postfix/helo_access.pcre
index b1d7a26..8e8ee8d 100644
--- a/postfix/helo_access.pcre
+++ b/postfix/helo_access.pcre
@@ -30,6 +30,8 @@
 # Prepend HELO hostname of sender server
 #/(.*)/ PREPEND X-Original-Helo: $1 (iRedMail: http://www.iredmail.org/)
+/h1693891.stratoserver.net/ OK
+
 # No one will use these in helo command.
 /^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
 /^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
diff --git a/postfix/main.cf.2021-01-06_22-34-07 b/postfix/main.cf.2021-01-06_22-34-07
new file mode 100644
index 0000000..4d6b7b9
--- /dev/null
+++ b/postfix/main.cf.2021-01-06_22-34-07
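Review bot: The new allow entry `/h1693891.stratoserver.net/ OK` is an unanchored PCRE with unescaped dots, so it also matches any HELO name that merely contains that string, for example `h1693891.stratoserver.net.example.invalid` or `h1693891xstratoserverxnet`; it should read `/^h1693891\.stratoserver\.net$/ OK`. The exposure is limited because the main.cf snapshot in this commit lists `check_helo_access` last in `smtpd_helo_restrictions`, so the `OK` only skips the later rules of this table (the localhost rejects that follow), but the HELO string is chosen by the client and should not be treated as an identity. If the host genuinely needs an exemption, its IP address in `mynetworks` or `postscreen_access.cidr` is the stronger anchor. A one-line comment above the rule saying which host this is and why it is allow-listed would help the next reader, e.g. `# partner MTA, allow-listed 2021-01-06`.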
@@ -0,0 +1,313 @@
+# --------------------
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# location of the Postfix queue. Default is /var/spool/postfix.
+queue_directory = /var/spool/postfix
+
+# location of all postXXX commands. Default is /usr/sbin.
+command_directory = /usr/sbin
+
+# location of all Postfix daemon programs (i.e. programs listed in the
+# master.cf file). This directory must be owned by root.
+# Default is /usr/libexec/postfix
+#daemon_directory = /usr/lib/postfix
+
+# location of Postfix-writable data files (caches, random numbers).
+# This directory must be owned by the mail_owner account (see below).
+# Default is /var/lib/postfix.
+data_directory = /var/lib/postfix
+
+# owner of the Postfix queue and of most Postfix daemon processes.
+# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
+# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
+# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
+# Default is postfix.
+mail_owner = postfix
+
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/sbin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# full pathname of the Postfix mailq command. This is the Sendmail-compatible
+# mail queue listing command.
+mailq_path = /usr/bin/mailq
+
+# group for mail submission and queue management commands.
+# This must be a group name with a numerical group ID that is not shared with
+# other accounts, not even with the Postfix account.
+setgid_group = postdrop
+
+# external command that is executed when a Postfix daemon program is run with
+# the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+debug_peer_level = 2
+
+# --------------------
+# CUSTOM SETTINGS
+#
+
+# SMTP server response code when recipient or domain not found.
+unknown_local_recipient_reject_code = 550
+
+# Do not notify local user.
+biff = no
+
+# Disable the rewriting of "site!user" into "user@site".
+swap_bangpath = no
+
+# Disable the rewriting of the form "user%domain" to "user@domain".
+allow_percent_hack = no
+
+# Allow recipient address start with '-'.
+allow_min_user = no
+
+# Disable the SMTP VRFY command. This stops some techniques used to
+# harvest email addresses.
+disable_vrfy_command = yes
+
+# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
+inet_protocols = all
+
+# Enable all network interfaces.
+inet_interfaces = all
+
+#
+# TLS settings.
+#
+# SSL key, certificate, CA
+#
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.uhu-banane.net/privkey.pem
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.uhu-banane.net/fullchain.pem
+smtpd_tls_CAfile = $smtpd_tls_cert_file
+
+#
+# Disable SSLv2, SSLv3
+#
+smtpd_tls_protocols = !SSLv2 !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtp_tls_protocols = !SSLv2 !SSLv3
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+lmtp_tls_protocols = !SSLv2 !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+
+#
+# Fix 'The Logjam Attack'.
+#
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
+smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
+smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
+
+tls_random_source = dev:/dev/urandom
+
+# Log only a summary message on TLS handshake completion — no logging of client
+# certificate trust-chain verification errors if client certificate
+# verification is not required. With Postfix 2.8 and earlier, log the summary
+# message, peer certificate summary information and unconditionally log
+# trust-chain verification errors.
+smtp_tls_loglevel = 1
+smtpd_tls_loglevel = 1
+
+# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
+# not require that clients use TLS encryption.
+smtpd_tls_security_level = may
+
+# Produce `Received:` message headers that include information about the
+# protocol and cipher used, as well as the remote SMTP client CommonName and
+# client certificate issuer CommonName.
+# This is disabled by default, as the information may be modified in transit
+# through other mail servers. Only information that was recorded by the final
+# destination can be trusted.
+#smtpd_tls_received_header = yes
+
+# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext.
+# References:
+# - http://www.postfix.org/TLS_README.html#client_tls_may
+# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
+smtp_tls_security_level = may
+
+# Use the same CA file as smtpd.
+smtp_tls_CAfile = $smtpd_tls_cert_file
+smtp_tls_note_starttls_offer = yes
+
+# Enable long, non-repeating, queue IDs (queue file names).
+# The benefit of non-repeating names is simpler logfile analysis and easier
+# queue migration (there is no need to run "postsuper" to change queue file
+# names that don't match their message file inode number).
+#enable_long_queue_ids = yes
+
+# Reject unlisted sender and recipient
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+
+# Header and body checks with PCRE table
+header_checks = pcre:/etc/postfix/header_checks
+body_checks = pcre:/etc/postfix/body_checks.pcre
+
+# HELO restriction
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_non_fqdn_helo_hostname
+ reject_invalid_helo_hostname
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+
+# Sender restrictions
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain
+ reject_non_fqdn_sender
+ reject_unlisted_sender
+ permit_mynetworks
+ permit_sasl_authenticated
+ check_sender_access pcre:/etc/postfix/sender_access.pcre
+
+# Recipient restrictions
+smtpd_recipient_restrictions =
+ reject_unknown_recipient_domain
+ reject_non_fqdn_recipient
+ reject_unlisted_recipient
+ check_policy_service inet:127.0.0.1:7777
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_unauth_destination
+
+# Data restrictions
+smtpd_data_restrictions = reject_unauth_pipelining
+
+# END-OF-MESSAGE restrictions
+smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
+
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
+
+# Avoid duplicate recipient messages. Default is 'yes'.
+enable_original_recipient = no
+
+# Virtual support.
+virtual_minimum_uid = 2000
+virtual_uid_maps = static:2000
+virtual_gid_maps = static:2000
+virtual_mailbox_base = /home/vmail
+
+# Do not set virtual_alias_domains.
+virtual_alias_domains =
+
+#
+# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
+# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
+# be forced to submit email through port 587 instead.
+#
+#smtpd_sasl_auth_enable = yes
+#smtpd_tls_auth_only = yes
+#smtpd_sasl_security_options = noanonymous
+
+# hostname
+myhostname = mail.uhu-banane.net
+myorigin = mail.uhu-banane.net
+mydomain = uhu-banane.net
+
+# trusted SMTP clients which are allowed to relay mail through Postfix.
+#
+# Note: additional IP addresses/networks listed in mynetworks should be listed
+# in iRedAPD setting 'MYNETWORKS' too. for example:
+#
+# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
+#
+mynetworks = 127.0.0.1, 185.48.118.130, 10.12.20.5, [2001:6f8:1db7::5]
+
+# Accepted local emails
+mydestination = $myhostname, sarah.uhu-banane.de, localhost, localhost.localdomain
+
+alias_maps = hash:/etc/postfix/aliases
+alias_database = hash:/etc/postfix/aliases
+
+# Default message_size_limit.
+message_size_limit = 52428800
+
+# The set of characters that can separate a user name from its extension
+# (example: user+foo), or a .forward file name from its extension (example:
+# .forward+foo).
+# Postfix 2.11 and later supports multiple characters.
+recipient_delimiter = +
+
+#
+# Lookup virtual mail accounts
+#
+transport_maps =
+ proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
+
+sender_dependent_relayhost_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
+
+# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
+smtpd_sender_login_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
+
+virtual_mailbox_domains =
+ proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
+
+relay_domains =
+ $mydestination
+ proxy:mysql:/etc/postfix/mysql/relay_domains.cf
+
+virtual_mailbox_maps =
+ proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
+
+virtual_alias_maps =
+ proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
+ proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
+ proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
+ proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
+
+sender_bcc_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
+
+recipient_bcc_maps =
+ proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
+postscreen_dnsbl_threshold = 2
+postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
+postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
+postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
+postscreen_greet_action = enforce
+postscreen_dnsbl_action = enforce
+postscreen_blacklist_action = enforce
+postscreen_dnsbl_whitelist_threshold = -2
+#
+# Dovecot SASL support.
+#
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/dovecot-auth
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+content_filter = smtp-amavis:[127.0.0.1]:10024
+smtp-amavis_destination_recipient_limit = 1
+mailbox_size_limit = 524288000
+smtpd_tls_received_header = yes
+
+# smtpd_milters = inet:localhost:8891
+# non_smtpd_milters = inet:localhost:8891
+
+smtpd_banner = $myhostname ESMTP $mail_name $mail_version
+smtpd_sasl_authenticated_header = yes
+smtp_tls_cert_file = $smtpd_tls_cert_file
+smtp_tls_key_file = $smtpd_tls_key_file
diff --git a/postfix/postscreen_access.cidr b/postfix/postscreen_access.cidr
index 498a3af..51853dd 100644
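Review bot: The `smtpd_tls_exclude_ciphers` line in the TLS section of this snapshot carries two misspelled suite names, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5`; OpenSSL ignores unknown names in a cipher list, so those two entries exclude nothing and `EDH-RSA-DES-CBC3-SHA` stays enabled despite the intent stated in the `# Fix 'The Logjam Attack'.` comment. The intended spellings are `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES`, or the per-suite names can be replaced by the keyword `3DES` to drop the whole family at once. Since this file is a dated copy of main.cf, the correction presumably belongs in the live main.cf as well if it carries the same list. Separately, `!SSLv2 !SSLv3` on the `*_mandatory_protocols` lines still admits TLS 1.0 and 1.1; with the Postfix that ships with the buster system shown in the motd hunk, the exclusion-list syntax for that would be `smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, leaving the opportunistic `smtpd_tls_protocols` as is so old peers still negotiate TLS rather than falling back to cleartext.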
--- a/postfix/postscreen_access.cidr
+++ b/postfix/postscreen_access.cidr
@@ -5,3 +5,4 @@
 # Permit local clients
 127.0.0.0/8 permit
 192.168.254.0/24 permit
+81.169.181.159 permit
diff --git a/postfix/sender_access.pcre b/postfix/sender_access.pcre
index e69de29..fc2cb7c 100644
--- a/postfix/sender_access.pcre
+++ b/postfix/sender_access.pcre
@@ -0,0 +1,2 @@
+
+apache@teehaus-shila.de OK
-- 
2.39.5
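Review bot: `81.169.181.159 permit` is added under the `# Permit local clients` heading without saying whose host it is, although it is neither loopback nor a LAN range like the two entries above it; a permit here lets that client skip postscreen's pregreet and DNSBL checks entirely (`postscreen_access_list = permit_mynetworks, cidr:...` in the main.cf snapshot of this commit), so the reason should be recorded inline. Something like `# partner MTA (h1693891.stratoserver.net?), added 2021-01-06` above the line would do — I am only inferring the link to the helo_access.pcre entry from the two landing in the same commit, so verify the name before writing it down. If the host is meant to be generally trusted rather than merely exempt from postscreen, `mynetworks` is the place for it; if not, a single-host permit here is the narrower choice and is fine as written.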
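Review bot: The entry `apache@teehaus-shila.de OK` is not a valid rule for a `pcre:` table — Postfix pcre tables take the key as a delimited regular expression (`/pattern/flags result`), and the main.cf snapshot in this commit reads this file as `check_sender_access pcre:/etc/postfix/sender_access.pcre`. Without delimiters the first character is taken as the delimiter, so the rule will most likely be reported as malformed at map load and never match; write it as `/^apache@teehaus-shila\.de$/ OK`, anchored and with the dot escaped so it cannot also match `apache@teehaus-shila.de.example.invalid` or a longer local part. Note that MAIL FROM is client-chosen, and that `check_sender_access` is the last entry of `smtpd_sender_restrictions` while `reject_unauth_destination` still runs in `smtpd_recipient_restrictions`, so an `OK` here neither opens a relay nor exempts the sender from the `check_policy_service` lookups in later stages — if that exemption was the intent, this file is not where it can be granted.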