-rw-r--r-- | etc/dovecot/conf.d/10-mail.conf | 2 | ||||
-rw-r--r-- | etc/dovecot/conf.d/10-master.conf | 12 | ||||
-rw-r--r-- | etc/dovecot/conf.d/10-ssl.conf | 8 | ||||
-rw-r--r-- | etc/nftables.conf | 16 | ||||
-rw-r--r-- | etc/opendkim/opendkim.conf | 14 | ||||
-rw-r--r-- | etc/opendmarc/opendmarc.conf | 3 | ||||
-rw-r--r-- | etc/postfix/main.cf | 59 | ||||
-rw-r--r-- | etc/postfix/master.cf | 37 |
8 files changed, 110 insertions, 41 deletions
diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf index de48f92d..49e70cb9 100644 --- a/etc/dovecot/conf.d/10-mail.conf +++ b/etc/dovecot/conf.d/10-mail.conf @@ -27,7 +27,7 @@ # # <doc/wiki/MailLocation.txt> # -#mail_location = +mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs # If you need to set multiple mailbox locations or want to change default # namespace settings, you can do it by defining namespace sections. diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf index 64fa0f2c..fb03c64c 100644 --- a/etc/dovecot/conf.d/10-master.conf +++ b/etc/dovecot/conf.d/10-master.conf @@ -100,16 +100,18 @@ service auth { # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). - unix_listener auth-userdb { + #unix_listener auth-userdb { #mode = 0666 #user = #group = - } + #} # Postfix smtp-auth - #unix_listener /var/spool/postfix/private/auth { - # mode = 0666 - #} + unix_listener /var/spool/postfix/private/auth { + mode = 0666 + user = postfix + group = postfix + } # Auth process is run as this user. #user = $default_internal_user diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf index ad847664..b9c2263e 100644 --- a/etc/dovecot/conf.d/10-ssl.conf +++ b/etc/dovecot/conf.d/10-ssl.conf 
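Review bot: In the 10-master.conf hunk the Postfix auth listener is created with `mode = 0666` even though the same block now sets `user = postfix` and `group = postfix`, so the owner/group lines add nothing and any local account that can reach the socket may talk to Dovecot's auth service. Only the postfix user needs it, so `mode = 0660` is enough and lets the kernel enforce the restriction, as the comment above the block describes. The usual safety net is that /var/spool/postfix/private is 0700 and owned by postfix; that directory is not part of this diff, so confirm it before relying on the wide mode.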
@@ -3,14 +3,14 @@ ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> -#ssl = yes +ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/ssl/certs/dovecot.pem -ssl_key = </etc/ssl/private/dovecot.pem +ssl_cert = </etc/postfix/flylightning.pem +ssl_key = </etc/postfix/flylightning.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -51,7 +51,7 @@ ssl_key = </etc/ssl/private/dovecot.pem # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` # Or migrate from old ssl-parameters.dat file with the command dovecot # gives on startup when ssl_dh is unset. -#ssl_dh = </etc/dovecot/dh.pem +ssl_dh = </etc/dovecot/dh.pem # Minimum SSL protocol version to use. Potentially recognized values are SSLv3, # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used. diff --git a/etc/nftables.conf b/etc/nftables.conf index bd943c12..c4ca7f45 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf 
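Review bot: `ssl_key = </etc/postfix/flylightning.key` points Dovecot at the key that main.cf also hands to Postfix via `smtpd_tls_key_file`, and the hunk's own comment notes the key is opened before root privileges are dropped, so the file must stay root-owned and mode 0600 — nothing in this diff shows how acme.sh installs it, so check the install hook does not leave it group- or world-readable. Because two daemons now read the same certificate, a renewal has to reload both Postfix and Dovecot or one of them keeps serving the expired chain. `ssl_min_protocol` is not set in this hunk; with `ssl = required` it is worth pinning `ssl_min_protocol = TLSv1.2` explicitly, since the default depends on the Dovecot version.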
@@ -33,12 +33,16 @@ table inet my_table { #udp dport qbt accept #tcp dport iperf3 accept udp dport wireguard accept - # email ports - #tcp dport smtp accept - #udp dport smtp accept - # other email ports? seems blocked by crunchbits - #tcp dport 465 accept - #tcp dport 587 accept + # for acme.sh standalone mode builtin webserver to renew ssl cert + tcp dport http accept + # email related ports + tcp dport smtp accept + tcp dport pop3 accept + tcp dport imap accept + tcp dport submissions accept + tcp dport submission accept + tcp dport imaps accept + tcp dport pop3s accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic" diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf index fa3559a3..373c7213 100644 --- a/etc/opendkim/opendkim.conf +++ b/etc/opendkim/opendkim.conf @@ -127,7 +127,7 @@ ## omitted, "simple" is used. Valid values for each are "simple" and ## "relaxed". -# Canonicalization simple/simple +Canonicalization relaxed/simple ## ClockDrift n ## default 300 @@ -160,7 +160,7 @@ ## Specify for which domain(s) signing should be done. No default; must ## be specified for signing. -Domain example.com +Domain flylightning.xyz ## DomainKeysCompat { yes | no } ## default "no" @@ -245,7 +245,7 @@ Domain example.com ## SigningTable and KeyTable are used. No default; must be specified for ## signing if SigningTable/KeyTable are not in use. -KeyFile /var/db/dkim/example.private +KeyFile /etc/opendkim/mail.private ## KeyTable dataset ## default (none) @@ -570,7 +570,7 @@ KeyFile /var/db/dkim/example.private ## The name of the selector to use when signing. No default; must be ## specified for signing. -Selector my-selector-name +Selector mail ## SenderHeaders dataset ## default (none) 
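Review bot: `tcp dport http accept` leaves port 80 open permanently to serve an acme.sh standalone listener that only runs at renewal time, which widens the exposed surface of an otherwise mail-only host. Either toggle the rule from acme.sh's `--pre-hook`/`--post-hook` (add it before renewal, delete it after) or switch to the webroot or DNS challenge so no extra port is needed. The cleartext `pop3` and `imap` ports are acceptable only because 10-ssl.conf sets `ssl = required`, which makes Dovecot refuse logins before STARTTLS; the old comment said 465/587 "seems blocked by crunchbits", so verify those ports actually reach the host before clients are told to use them.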
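Review bot: `KeyFile /etc/opendkim/mail.private` names the private DKIM signing key, and a later hunk drops the daemon to `UserID opendkim`, so the file should be owned by opendkim with mode 0600 — this diff does not show how the key is generated or installed, so confirm it is not left readable by other local users. A leaked key lets anyone sign mail for flylightning.xyz until the `mail` selector is rotated in DNS. A one-line comment such as `# key must be 0600 opendkim:opendkim; rotate selector if exposed` next to KeyFile would make the expectation visible.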
@@ -658,7 +658,7 @@ Selector my-selector-name ## inet:port to listen on all interfaces ## local:/path/to/socket to listen on a UNIX domain socket -Socket inet:port@localhost +Socket local:/run/opendkim/opendkim.sock ## SoftwareHeader { yes | no } ## default "no" @@ -758,7 +758,7 @@ Syslog Yes ## The system has its own default which will be used (usually 022). ## See the umask(2) man page for more information. -# UMask 022 +UMask 002 ## Userid userid ## default (none) @@ -766,4 +766,4 @@ Syslog Yes ## Change to user "userid" before starting normal operation? May include ## a group ID as well, separated from the userid by a colon. -# UserID userid +UserID opendkim diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf index 84ea1a83..f8d8120c 100644 --- a/etc/opendmarc/opendmarc.conf +++ b/etc/opendmarc/opendmarc.conf @@ -286,7 +286,8 @@ IgnoreAuthenticatedClients true ## address is used, it must be enclosed in square brackets. # # Socket inet:8893@localhost -Socket unix:/var/spool/opendmarc/opendmarc.sock +#Socket unix:/var/spool/opendmarc/opendmarc.sock +Socket unix:/run/opendmarc/opendmarc.sock ## SoftwareHeader { true | false } ## default "false" diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 1d93a701..0c36d421 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf 
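Review bot: `UMask 002` makes the socket created at /run/opendkim/opendkim.sock (set in the preceding hunk) group-writable, which is how the postfix user is meant to reach it, but that only works if postfix is a member of the opendkim group and /run/opendkim is itself group-accessible — neither is shown in this diff, so confirm the group membership and the tmpfiles or unit directive that creates the directory. UMask applies to every file the daemon creates, not just the socket, so anything else opendkim writes becomes group-writable as well. A comment like `# 002 so the socket is reachable by postfix (member of the opendkim group)` would record why the umask is loosened.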
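Review bot: `Socket unix:/run/opendmarc/opendmarc.sock` is the path main.cf now lists in `smtpd_milters`, but opendmarc's UserID/UMask are not in this diff, so confirm the socket ends up connectable by the postfix user in the same way as the opendkim one. If either milter socket is unreachable, Postfix's default `milter_default_action = tempfail` defers all inbound mail instead of skipping the milter; that may be the intended fail-closed behaviour, but it deserves an explicit `milter_default_action` line in main.cf so the choice is deliberate.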
@@ -1,3 +1,62 @@ +# edit configs from: +# https://wiki.archlinux.org/title/Postfix +# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz +# https://wiki.archlinux.org/title/OpenDMARC +# https://wiki.archlinux.org/title/OpenDKIM +# maybe useful things: +# `man postconf.5` +# print config: `postconf` +# default config: `postconf -d` +myhostname = mail.flylightning.xyz + +# fix "relay access denied" error when receiving emails +# I choose to follow `man postconf.5` instruction to only add $mydomain +# emailwiz way add a lot more to mydestination, see: +# https://github.com/LukeSmithxyz/emailwiz/pull/275 +# https://github.com/LukeSmithxyz/emailwiz/issues/265 +mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain + +smtp_tls_security_level = may +smtpd_tls_security_level = may +smtpd_use_tls = yes +smtpd_tls_cert_file = /etc/postfix/flylightning.pem +smtpd_tls_key_file = /etc/postfix/flylightning.key + +# Here we tell Postfix to look to Dovecot for authenticating users/passwords. +# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth +smtpd_sasl_auth_enable = yes +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth + +# NOTE: the trailing slash here, or for any directory name in the home_mailbox +# command, is necessary as it distinguishes a maildir (which is the actual +# directory that we want) from a spoolfile (which is what old unix boomers want +# and no one else). +home_mailbox = Mail/Inbox/ + +# https://wiki.archlinux.org/title/OpenDKIM +non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock +smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock + +# more emailwiz configs, maybe useful: + +# TLS required for authentication. +#smtpd_tls_auth_only = yes + +# Exclude insecure and obsolete encryption protocols. 
+#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + +# helo, sender, relay and recipient restrictions +#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre +#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain +#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain +#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination +#smtpd_helo_required = yes +#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname + # Global Postfix configuration file. This file lists only a subset # of all parameters. For the syntax, and for a complete parameter # list, see the postconf(5) manual page (command: "man 5 postconf"). diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf index fd282dd2..7ce6e816 100644 --- a/etc/postfix/master.cf +++ b/etc/postfix/master.cf @@ -1,3 +1,6 @@ +# I follow these guides: +# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving) + # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or 
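Review bot: `smtpd_sasl_auth_enable = yes` in main.cf turns AUTH on for the port-25 smtpd while `smtpd_tls_auth_only = yes` is left commented out under "maybe useful", so with `smtpd_tls_security_level = may` the public MX advertises whatever mechanisms Dovecot offers (typically PLAIN/LOGIN) before STARTTLS, and a client that does not insist on TLS sends its password in cleartext. The submission and submissions entries in master.cf already enable SASL per service, so the global should be the safe default: `smtpd_sasl_auth_enable = no` plus `smtpd_tls_auth_only = yes` as a belt-and-braces setting. `smtpd_use_tls = yes` is a legacy parameter superseded by `smtpd_tls_security_level` and can be dropped. The commented `smtpd_sender_login_maps`/`reject_sender_login_mismatch` lines are what stop an authenticated user from sending as any other address in the domain; if more than one account exists they should be enabled rather than parked in the "maybe useful" section.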
@@ -16,13 +19,13 @@ smtp inet n - n - - smtpd #tlsproxy unix - - n - 0 tlsproxy # Choose one: enable submission for loopback clients only, or for any client. #127.0.0.1:submission inet n - n - - smtpd -#submission inet n - n - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_tls_auth_only=yes +submission inet n - n - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_tls_auth_only=yes # -o local_header_rewrite_clients=static:all -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd_<xxx>_restrictions here, # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions" # here, and specify mua_<xxx>_restrictions in main.cf (where @@ -30,17 +33,17 @@ smtp inet n - n - - smtpd # -o smtpd_client_restrictions= # -o smtpd_helo_restrictions= # -o smtpd_sender_restrictions= -# -o smtpd_relay_restrictions= -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o smtpd_relay_restrictions= + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING # Choose one: enable submissions for loopback clients only, or for any client. #127.0.0.1:submissions inet n - n - - smtpd -#submissions inet n - n - - smtpd -# -o syslog_name=postfix/submissions -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes +submissions inet n - n - - smtpd + -o syslog_name=postfix/submissions + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes # -o local_header_rewrite_clients=static:all -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd_<xxx>_restrictions here, # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions" # here, and specify mua_<xxx>_restrictions in main.cf (where 
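Review bot: The enabled `submission` service limits recipients with `-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject` but leaves `smtpd_sender_restrictions` commented out, and main.cf keeps `reject_sender_login_mismatch` and `smtpd_sender_login_maps` disabled, so any authenticated account can use any MAIL FROM — including another user's address in the domain — and OpenDKIM will sign it. Add `-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject` here and to the `submissions` entry (its restriction lines are in the next hunk), backed by a populated `smtpd_sender_login_maps` in main.cf. On a single-user server the exposure is small, but the mapping is cheap and keeps one compromised credential from becoming domain-wide spoofing.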
@@ -48,9 +51,9 @@ smtp inet n - n - - smtpd # -o smtpd_client_restrictions= # -o smtpd_helo_restrictions= # -o smtpd_sender_restrictions= -# -o smtpd_relay_restrictions= -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o smtpd_relay_restrictions= + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup |