From b8953ecd3f9f293a311f8a61ed2fe0835c8047ef Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Tue, 6 Oct 2020 16:31:07 +0200 Subject: [PATCH 1/3] - re-enable auth_verbose in dovecot - don't use the quota-status check on unlisted recipients --- install/tpl/debian6_dovecot2.conf.master | 1 + install/tpl/debian_dovecot2.conf.master | 1 + install/tpl/debian_postfix.conf.master | 2 +- install/tpl/fedora_dovecot2.conf.master | 1 + install/tpl/fedora_postfix.conf.master | 2 +- install/tpl/gentoo_postfix.conf.master | 2 +- install/tpl/opensuse_dovecot2.conf.master | 1 + install/tpl/opensuse_postfix.conf.master | 2 +- 8 files changed, 8 insertions(+), 4 deletions(-) diff --git a/install/tpl/debian6_dovecot2.conf.master b/install/tpl/debian6_dovecot2.conf.master index 53eff38642..1080eeb559 100644 --- a/install/tpl/debian6_dovecot2.conf.master +++ b/install/tpl/debian6_dovecot2.conf.master @@ -11,6 +11,7 @@ ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 ssl_min_protocol = TLSv1.2 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_prefer_server_ciphers = no +auth_verbose = yes mail_max_userip_connections = 100 mail_plugins = quota passdb { diff --git a/install/tpl/debian_dovecot2.conf.master b/install/tpl/debian_dovecot2.conf.master index ac19e7ad04..f35c40b629 100644 --- a/install/tpl/debian_dovecot2.conf.master +++ b/install/tpl/debian_dovecot2.conf.master @@ -11,6 +11,7 @@ ssl_dh = Date: Tue, 6 Oct 2020 16:35:39 +0200 Subject: [PATCH 2/3] - remove non_smtpd_milters when switching to amavis --- .../postfix_server_plugin.inc.php | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index 34a8509e4f..cf73cf93e7 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php @@ -91,13 +91,13 @@ class postfix_server_plugin { if (!empty($mail_config['relayhost_user']) || !empty($mail_config['relayhost_password'])) { $content .= "\n".$mail_config['relayhost'].' '.$mail_config['relayhost_user'].':'.$mail_config['relayhost_password']; } - + if (preg_replace('/^(#[^\n]*|\s+)(:?\n+|)/m','',$content) != '') { exec("postconf -e 'smtp_sasl_auth_enable = yes'"); } else { exec("postconf -e 'smtp_sasl_auth_enable = no'"); } - + $app->system->exec_safe("postconf -e ?", 'relayhost = '.$mail_config['relayhost']); file_put_contents('/etc/postfix/sasl_passwd', $content); chmod('/etc/postfix/sasl_passwd', 0600); @@ -281,7 +281,7 @@ class postfix_server_plugin { exec("postconf -X 'smtpd_timeout'"); } } - + if($app->system->is_installed('dovecot')) { $virtual_transport = 'dovecot'; $configure_lmtp = false; @@ -347,7 +347,7 @@ class postfix_server_plugin { if($mail_config['content_filter'] == 'rspamd'){ exec("postconf -X 'receive_override_options'"); exec("postconf -X 'content_filter'"); - + exec("postconf -e 'smtpd_milters = inet:localhost:11332'"); exec("postconf -e 'non_smtpd_milters = inet:localhost:11332'"); exec("postconf -e 'milter_protocol = 6'"); @@ -355,7 +355,7 @@ class postfix_server_plugin { exec("postconf -e 'milter_default_action = accept'"); exec("postconf -e 'smtpd_sender_restrictions = ${raslm} permit_mynetworks, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); - + $new_options = array(); $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); foreach ($options as $key => $value) { @@ -367,7 +367,7 @@ class postfix_server_plugin { $new_options[] = $value; } exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'"); - + // get all domains that have dkim enabled if ( substr($mail_config['dkim_path'], strlen($mail_config['dkim_path'])-1) == '/' ) { $mail_config['dkim_path'] = substr($mail_config['dkim_path'], 0, strlen($mail_config['dkim_path'])-1); @@ -384,10 +384,11 @@ class postfix_server_plugin { unset($dkim_domains); } else { exec("postconf -X 'smtpd_milters'"); + exec("postconf -X 'non_smtpd_milters'"); exec("postconf -X 'milter_protocol'"); exec("postconf -X 'milter_mail_macros'"); exec("postconf -X 'milter_default_action'"); - + exec("postconf -e 'receive_override_options = no_address_mappings'"); exec("postconf -e 'content_filter = " . ($configure_lmtp ? "lmtp" : "amavis" ) . ":[127.0.0.1]:10024'"); @@ -395,7 +396,7 @@ class postfix_server_plugin { exec("postconf -e 'smtpd_sender_restrictions = ${raslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); } } - + if($mail_config['content_filter'] == 'rspamd' && ($mail_config['rspamd_password'] != $old_ini_data['mail']['rspamd_password'] || $mail_config['content_filter'] != $old_ini_data['mail']['content_filter'])) { $app->load('tpl'); @@ -404,7 +405,7 @@ class postfix_server_plugin { if($crypted_password) { $rspamd_password = $crypted_password; } - + $tpl = new tpl(); $tpl->newTemplate('rspamd_worker-controller.inc.master'); $tpl->setVar('rspamd_password', $rspamd_password); -- GitLab From 554453a69c9063b8a63e6451bcc09784b6c7aaab Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Wed, 7 Oct 2020 09:18:12 +0200 Subject: [PATCH 3/3] - move reject_unlisted_recipient to match earlier --- install/tpl/debian_postfix.conf.master | 2 +- install/tpl/fedora_postfix.conf.master | 2 +- install/tpl/gentoo_postfix.conf.master | 2 +- install/tpl/opensuse_postfix.conf.master | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 42f2c45322..87ce6fc662 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master @@ -15,7 +15,7 @@ broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 -smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, reject_unlisted_recipient, check_policy_service unix:private/quota-status +smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master index dd54a820cc..a87c7daed9 100644 --- a/install/tpl/fedora_postfix.conf.master +++ b/install/tpl/fedora_postfix.conf.master @@ -11,7 +11,7 @@ broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 -smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, reject_unlisted_recipient, check_policy_service unix:private/quota-status +smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master index ca79f526dd..605344bd74 100644 --- a/install/tpl/gentoo_postfix.conf.master +++ b/install/tpl/gentoo_postfix.conf.master @@ -10,7 +10,7 @@ broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 -smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, reject_unlisted_recipient, check_policy_service unix:private/quota-status +smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master index f971a9e485..4cb46786a3 100644 --- a/install/tpl/opensuse_postfix.conf.master +++ b/install/tpl/opensuse_postfix.conf.master @@ -13,7 +13,7 @@ broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 -smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, reject_unlisted_recipient, check_policy_service unix:private/quota-status +smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert -- GitLab