Diffstat (limited to 'etc')
-rw-r--r-- | etc/.cfgl/config | 2 | ||||
-rw-r--r-- | etc/dovecot/conf.d/10-mail.conf | 415 | ||||
-rw-r--r-- | etc/dovecot/conf.d/10-master.conf | 135 | ||||
-rw-r--r-- | etc/dovecot/conf.d/10-ssl.conf | 82 | ||||
-rw-r--r-- | etc/dovecot/conf.d/15-mailboxes.conf | 95 | ||||
-rw-r--r-- | etc/fstab | 6 | ||||
-rw-r--r-- | etc/hostname | 2 | ||||
-rw-r--r-- | etc/myconf/cfgl_meta | 24 | ||||
-rw-r--r-- | etc/nftables.conf | 36 | ||||
-rw-r--r-- | etc/opendkim/opendkim.conf | 769 | ||||
-rw-r--r-- | etc/opendmarc/opendmarc.conf | 371 | ||||
-rw-r--r-- | etc/postfix/aliases | 274 | ||||
-rw-r--r-- | etc/postfix/main.cf | 748 | ||||
-rw-r--r-- | etc/postfix/master.cf | 150 | ||||
-rw-r--r-- | etc/services | 2 | ||||
-rw-r--r-- | etc/sysctl.d/99-sysctl.conf | 7 | ||||
-rw-r--r-- | etc/systemd/network/10-cloud-init-eth0.network | 28 | ||||
-rw-r--r-- | etc/systemd/network/default.network | 6 | ||||
-rw-r--r-- | etc/systemd/system/acme.sh.service.d/override.conf | 2 | ||||
-rw-r--r-- | etc/systemd/system/opendmarc.service.d/override.conf | 4 | ||||
-rw-r--r-- | etc/tmpfiles.d/opendmarc.conf | 1 |
21 files changed, 50 insertions, 3109 deletions
diff --git a/etc/.cfgl/config b/etc/.cfgl/config
index 608699e2..e7385c3d 100644
--- a/etc/.cfgl/config
+++ b/etc/.cfgl/config
@@ -13,4 +13,4 @@
 gpgsign = false
 [branch "ca"]
 remote = origin
- merge = refs/heads/ca
+ merge = refs/heads/aa
diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
deleted file mode 100644
index 49e70cb9..00000000
--- a/etc/dovecot/conf.d/10-mail.conf
+++ /dev/null
@@ -1,415 +0,0 @@ -## -## Mailbox locations and namespaces -## - -# Location for users' mailboxes. The default is empty, which means that Dovecot -# tries to find the mailboxes automatically. This won't work if the user -# doesn't yet have any mail, so you should explicitly tell Dovecot the full -# location. -# -# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) -# isn't enough. You'll also need to tell Dovecot where the other mailboxes are -# kept. This is called the "root mail directory", and it must be the first -# path given in the mail_location setting. -# -# There are a few special variables you can use, eg.: -# -# %u - username -# %n - user part in user@domain, same as %u if there's no domain -# %d - domain part in user@domain, empty if there's no domain -# %h - home directory -# -# See doc/wiki/Variables.txt for full list. Some examples: -# -# mail_location = maildir:~/Maildir -# mail_location = mbox:~/mail:INBOX=/var/mail/%u -# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n -# -# <doc/wiki/MailLocation.txt> -# -mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs - -# If you need to set multiple mailbox locations or want to change default -# namespace settings, you can do it by defining namespace sections. -# -# You can have private, shared and public namespaces. Private namespaces -# are for user's personal mails. Shared namespaces are for accessing other -# users' mailboxes that have been shared. Public namespaces are for shared -# mailboxes that are managed by sysadmin. If you create any shared or public -# namespaces you'll typically want to enable ACL plugin also, otherwise all -# users can access all the shared mailboxes, assuming they have permissions -# on filesystem level to do so. -namespace inbox { - # Namespace type: private, shared or public - #type = private - - # Hierarchy separator to use. You should use the same separator for all - # namespaces or some clients get confused. 
'/' is usually a good one. - # The default however depends on the underlying mail storage format. - #separator = - - # Prefix required to access this namespace. This needs to be different for - # all namespaces. For example "Public/". - #prefix = - - # Physical location of the mailbox. This is in same format as - # mail_location, which is also the default for it. - #location = - - # There can be only one INBOX, and this setting defines which namespace - # has it. - inbox = yes - - # If namespace is hidden, it's not advertised to clients via NAMESPACE - # extension. You'll most likely also want to set list=no. This is mostly - # useful when converting from another server with different namespaces which - # you want to deprecate but still keep working. For example you can create - # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". - #hidden = no - - # Show the mailboxes under this namespace with LIST command. This makes the - # namespace visible for clients that don't support NAMESPACE extension. - # "children" value lists child mailboxes, but hides the namespace prefix. - #list = yes - - # Namespace handles its own subscriptions. If set to "no", the parent - # namespace handles them (empty prefix should always have this as "yes") - #subscriptions = yes - - # See 15-mailboxes.conf for definitions of special mailboxes. -} - -# Example shared namespace configuration -#namespace { - #type = shared - #separator = / - - # Mailboxes are visible under "shared/user@domain/" - # %%n, %%d and %%u are expanded to the destination user. - #prefix = shared/%%u/ - - # Mail location for other users' mailboxes. Note that %variables and ~/ - # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the - # destination user's data. - #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u - - # Use the default namespace for saving subscriptions. - #subscriptions = no - - # List the shared/ namespace only if there are visible shared mailboxes. 
- #list = children -#} -# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? -#mail_shared_explicit_inbox = no - -# System user and group used to access mails. If you use multiple, userdb -# can override these by returning uid or gid fields. You can use either numbers -# or names. <doc/wiki/UserIds.txt> -#mail_uid = -#mail_gid = - -# Group to enable temporarily for privileged operations. Currently this is -# used only with INBOX when either its initial creation or dotlocking fails. -# Typically this is set to "mail" to give access to /var/mail. -#mail_privileged_group = - -# Grant access to these supplementary groups for mail processes. Typically -# these are used to set up access to shared mailboxes. Note that it may be -# dangerous to set these if users can create symlinks (e.g. if "mail" group is -# set here, ln -s /var/mail ~/mail/var could allow a user to delete others' -# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). -#mail_access_groups = - -# Allow full filesystem access to clients. There's no access checks other than -# what the operating system does for the active UID/GID. It works with both -# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ -# or ~user/. -#mail_full_filesystem_access = no - -# Dictionary for key=value mailbox attributes. This is used for example by -# URLAUTH and METADATA extensions. -#mail_attribute_dict = - -# A comment or note that is associated with the server. This value is -# accessible for authenticated users through the IMAP METADATA server -# entry "/shared/comment". -#mail_server_comment = "" - -# Indicates a method for contacting the server administrator. According to -# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that -# is currently not enforced. Use for example mailto:admin@example.com. This -# value is accessible for authenticated users through the IMAP METADATA server -# entry "/shared/admin". 
-#mail_server_admin = - -## -## Mail processes -## - -# Don't use mmap() at all. This is required if you store indexes to shared -# filesystems (NFS or clustered filesystem). -#mmap_disable = no - -# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL -# since version 3, so this should be safe to use nowadays by default. -#dotlock_use_excl = yes - -# When to use fsync() or fdatasync() calls: -# optimized (default): Whenever necessary to avoid losing important data -# always: Useful with e.g. NFS when write()s are delayed -# never: Never use it (best performance, but crashes can lose data) -#mail_fsync = optimized - -# Locking method for index files. Alternatives are fcntl, flock and dotlock. -# Dotlocking uses some tricks which may create more disk I/O than other locking -# methods. NFS users: flock doesn't work, remember to change mmap_disable. -#lock_method = fcntl - -# Directory where mails can be temporarily stored. Usually it's used only for -# mails larger than >= 128 kB. It's used by various parts of Dovecot, for -# example LDA/LMTP while delivering large mails or zlib plugin for keeping -# uncompressed mails. -#mail_temp_dir = /tmp - -# Valid UID range for users, defaults to 500 and above. This is mostly -# to make sure that users can't log in as daemons or other system users. -# Note that denying root logins is hardcoded to dovecot binary and can't -# be done even if first_valid_uid is set to 0. -#first_valid_uid = 500 -#last_valid_uid = 0 - -# Valid GID range for users, defaults to non-root/wheel. Users having -# non-valid GID as primary group ID aren't allowed to log in. If user -# belongs to supplementary groups with non-valid GIDs, those groups are -# not set. -#first_valid_gid = 1 -#last_valid_gid = 0 - -# Maximum allowed length for mail keyword name. It's only forced when trying -# to create new keywords. 
-#mail_max_keyword_length = 50 - -# ':' separated list of directories under which chrooting is allowed for mail -# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). -# This setting doesn't affect login_chroot, mail_chroot or auth chroot -# settings. If this setting is empty, "/./" in home dirs are ignored. -# WARNING: Never add directories here which local users can modify, that -# may lead to root exploit. Usually this should be done only if you don't -# allow shell access for users. <doc/wiki/Chrooting.txt> -#valid_chroot_dirs = - -# Default chroot directory for mail processes. This can be overridden for -# specific users in user database by giving /./ in user's home directory -# (eg. /home/./user chroots into /home). Note that usually there is no real -# need to do chrooting, Dovecot doesn't allow users to access files outside -# their mail directory anyway. If your home directories are prefixed with -# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> -#mail_chroot = - -# UNIX socket path to master authentication server to find users. -# This is used by imap (for shared users) and lda. -#auth_socket_path = /var/run/dovecot/auth-userdb - -# Directory where to look up mail plugins. -#mail_plugin_dir = /usr/lib/dovecot - -# Space separated list of plugins to load for all services. Plugins specific to -# IMAP, LDA, etc. are added to this list in their own .conf files. -#mail_plugins = - -## -## Mailbox handling optimizations -## - -# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are -# also required for IMAP NOTIFY extension to be enabled. -#mailbox_list_index = yes - -# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost -# of potentially returning out-of-date results after e.g. server crashes. -# The results will be automatically fixed once the folders are opened. 
-#mailbox_list_index_very_dirty_syncs = yes - -# Should INBOX be kept up-to-date in the mailbox list index? By default it's -# not, because most of the mailbox accesses will open INBOX anyway. -#mailbox_list_index_include_inbox = no - -# The minimum number of mails in a mailbox before updates are done to cache -# file. This allows optimizing Dovecot's behavior to do less disk writes at -# the cost of more disk reads. -#mail_cache_min_mail_count = 0 - -# When IDLE command is running, mailbox is checked once in a while to see if -# there are any new mails or other changes. This setting defines the minimum -# time to wait between those checks. Dovecot can also use inotify and -# kqueue to find out immediately when changes occur. -#mailbox_idle_check_interval = 30 secs - -# Save mails with CR+LF instead of plain LF. This makes sending those mails -# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. -# But it also creates a bit more disk I/O which may just make it slower. -# Also note that if other software reads the mboxes/maildirs, they may handle -# the extra CRs wrong and cause problems. -#mail_save_crlf = no - -# Max number of mails to keep open and prefetch to memory. This only works with -# some mailbox formats and/or operating systems. -#mail_prefetch_count = 0 - -# How often to scan for stale temporary files and delete them (0 = never). -# These should exist only after Dovecot dies in the middle of saving mails. -#mail_temp_scan_interval = 1w - -# How many slow mail accesses sorting can perform before it returns failure. -# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long. -# The untagged SORT reply is still returned, but it's likely not correct. -#mail_sort_max_read_count = 0 - -protocol !indexer-worker { - # If folder vsize calculation requires opening more than this many mails from - # disk (i.e. mail sizes aren't in cache already), return failure and finish - # the calculation via indexer process. 
Disabled by default. This setting must - # be 0 for indexer-worker processes. - #mail_vsize_bg_after_count = 0 -} - -## -## Maildir-specific settings -## - -# By default LIST command returns all entries in maildir beginning with a dot. -# Enabling this option makes Dovecot return only entries which are directories. -# This is done by stat()ing each entry, so it causes more disk I/O. -# (For systems setting struct dirent->d_type, this check is free and it's -# done always regardless of this setting) -#maildir_stat_dirs = no - -# When copying a message, do it with hard links whenever possible. This makes -# the performance much better, and it's unlikely to have any side effects. -#maildir_copy_with_hardlinks = yes - -# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only -# when its mtime changes unexpectedly or when we can't find the mail otherwise. -#maildir_very_dirty_syncs = no - -# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for -# getting the mail's physical size, except when recalculating Maildir++ quota. -# This can be useful in systems where a lot of the Maildir filenames have a -# broken size. The performance hit for enabling this is very small. -#maildir_broken_filename_sizes = no - -# Always move mails from new/ directory to cur/, even when the \Recent flags -# aren't being reset. -#maildir_empty_new = no - -## -## mbox-specific settings -## - -# Which locking methods to use for locking mbox. There are four available: -# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe -# solution. If you want to use /var/mail/ like directory, the users -# will need write access to that directory. -# dotlock_try: Same as dotlock, but if it fails because of permissions or -# because there isn't enough disk space, just skip it. -# fcntl : Use this if possible. Works with NFS too if lockd is used. -# flock : May not exist in all systems. Doesn't work with NFS. -# lockf : May not exist in all systems. 
Doesn't work with NFS. -# -# You can use multiple locking methods; if you do the order they're declared -# in is important to avoid deadlocks if other MTAs/MUAs are using multiple -# locking methods as well. Some operating systems don't allow using some of -# them simultaneously. -#mbox_read_locks = fcntl -#mbox_write_locks = dotlock fcntl - -# Maximum time to wait for lock (all of them) before aborting. -#mbox_lock_timeout = 5 mins - -# If dotlock exists but the mailbox isn't modified in any way, override the -# lock file after this much time. -#mbox_dotlock_change_timeout = 2 mins - -# When mbox changes unexpectedly we have to fully read it to find out what -# changed. If the mbox is large this can take a long time. Since the change -# is usually just a newly appended mail, it'd be faster to simply read the -# new mails. If this setting is enabled, Dovecot does this but still safely -# fallbacks to re-reading the whole mbox file whenever something in mbox isn't -# how it's expected to be. The only real downside to this setting is that if -# some other MUA changes message flags, Dovecot doesn't notice it immediately. -# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK -# commands. -#mbox_dirty_syncs = yes - -# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, -# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. -#mbox_very_dirty_syncs = no - -# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK -# commands and when closing the mailbox). This is especially useful for POP3 -# where clients often delete all mails. The downside is that our changes -# aren't immediately visible to other MUAs. -#mbox_lazy_writes = yes - -# If mbox size is smaller than this (e.g. 100k), don't write index files. -# If an index file already exists it's still read, just not updated. -#mbox_min_index_size = 0 - -# Mail header selection algorithm to use for MD5 POP3 UIDLs when -# pop3_uidl_format=%m. 
For backwards compatibility we use apop3d inspired -# algorithm, but it fails if the first Received: header isn't unique in all -# mails. An alternative algorithm is "all" that selects all headers. -#mbox_md5 = apop3d - -## -## mdbox-specific settings -## - -# Maximum dbox file size until it's rotated. -#mdbox_rotate_size = 10M - -# Maximum dbox file age until it's rotated. Typically in days. Day begins -# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. -#mdbox_rotate_interval = 0 - -# When creating new mdbox files, immediately preallocate their size to -# mdbox_rotate_size. This setting currently works only in Linux with some -# filesystems (ext4, xfs). -#mdbox_preallocate_space = no - -## -## Mail attachments -## - -# sdbox and mdbox support saving mail attachments to external files, which -# also allows single instance storage for them. Other backends don't support -# this for now. - -# Directory root where to store mail attachments. Disabled, if empty. -#mail_attachment_dir = - -# Attachments smaller than this aren't saved externally. It's also possible to -# write a plugin to disable saving specific attachments externally. -#mail_attachment_min_size = 128k - -# Filesystem backend to use for saving attachments: -# posix : No SiS done by Dovecot (but this might help FS's own deduplication) -# sis posix : SiS with immediate byte-by-byte comparison during saving -# sis-queue posix : SiS with delayed comparison and deduplication -#mail_attachment_fs = sis posix - -# Hash format to use in attachment filenames. You can add any text and -# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. -# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits -#mail_attachment_hash = %{sha1} - -# Settings to control adding $HasAttachment or $HasNoAttachment keywords. -# By default, all MIME parts with Content-Disposition=attachment, or inlines -# with filename parameter are consired attachments. 
-# add-flags - Add the keywords when saving new mails or when fetching can -# do it efficiently. -# content-type=type or !type - Include/exclude content type. Excluding will -# never consider the matched MIME part as attachment. Including will only -# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar). -# exclude-inlined - Exclude any Content-Disposition=inline MIME part. -#mail_attachment_detection_options = diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf deleted file mode 100644 index fb03c64c..00000000 --- a/etc/dovecot/conf.d/10-master.conf +++ /dev/null 
@@ -1,135 +0,0 @@ -#default_process_limit = 100 -#default_client_limit = 1000 - -# Default VSZ (virtual memory size) limit for service processes. This is mainly -# intended to catch and kill processes that leak memory before they eat up -# everything. -#default_vsz_limit = 256M - -# Login user is internally used by login processes. This is the most untrusted -# user in Dovecot system. It shouldn't have access to anything at all. -#default_login_user = dovenull - -# Internal user is used by unprivileged processes. It should be separate from -# login user, so that login processes can't disturb other processes. -#default_internal_user = dovecot - -service imap-login { - inet_listener imap { - #port = 143 - } - inet_listener imaps { - #port = 993 - #ssl = yes - } - - # Number of connections to handle before starting a new process. Typically - # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 - # is faster. <doc/wiki/LoginProcess.txt> - #service_count = 1 - - # Number of processes to always keep waiting for more connections. - #process_min_avail = 0 - - # If you set service_count=0, you probably need to grow this. - #vsz_limit = $default_vsz_limit -} - -service pop3-login { - inet_listener pop3 { - #port = 110 - } - inet_listener pop3s { - #port = 995 - #ssl = yes - } -} - -service submission-login { - inet_listener submission { - #port = 587 - } - inet_listener submissions { - #port = 465 - } -} - -service lmtp { - unix_listener lmtp { - #mode = 0666 - } - - # Create inet listener only if you can't use the above UNIX socket - #inet_listener lmtp { - # Avoid making LMTP visible for the entire internet - #address = - #port = - #} -} - -service imap { - # Most of the memory goes to mmap()ing files. You may need to increase this - # limit if you have huge mailboxes. - #vsz_limit = $default_vsz_limit - - # Max. number of IMAP processes (connections) - #process_limit = 1024 -} - -service pop3 { - # Max. 
number of POP3 processes (connections) - #process_limit = 1024 -} - -service submission { - # Max. number of SMTP Submission processes (connections) - #process_limit = 1024 -} - -service auth { - # auth_socket_path points to this userdb socket by default. It's typically - # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have - # full permissions to this socket are able to get a list of all usernames and - # get the results of everyone's userdb lookups. - # - # The default 0666 mode allows anyone to connect to the socket, but the - # userdb lookups will succeed only if the userdb returns an "uid" field that - # matches the caller process's UID. Also if caller's uid or gid matches the - # socket's uid or gid the lookup succeeds. Anything else causes a failure. - # - # To give the caller full permissions to lookup all users, set the mode to - # something else than 0666 and Dovecot lets the kernel enforce the - # permissions (e.g. 0777 allows everyone full permissions). - #unix_listener auth-userdb { - #mode = 0666 - #user = - #group = - #} - - # Postfix smtp-auth - unix_listener /var/spool/postfix/private/auth { - mode = 0666 - user = postfix - group = postfix - } - - # Auth process is run as this user. - #user = $default_internal_user -} - -service auth-worker { - # Auth worker process is run as root by default, so that it can access - # /etc/shadow. If this isn't necessary, the user should be changed to - # $default_internal_user. - #user = root -} - -service dict { - # If dict proxy is used, mail processes should have access to its socket. - # For example: mode=0660, group=vmail and global mail_access_groups=vmail - unix_listener dict { - #mode = 0600 - #user = - #group = - } -} diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf deleted file mode 100644 index b9c2263e..00000000 --- a/etc/dovecot/conf.d/10-ssl.conf +++ /dev/null 
@@ -1,82 +0,0 @@ -## -## SSL settings -## - -# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> -ssl = required - -# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before -# dropping root privileges, so keep the key file unreadable by anyone but -# root. Included doc/mkcert.sh can be used to easily generate self-signed -# certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/postfix/flylightning.pem -ssl_key = </etc/postfix/flylightning.key - -# If key file is password protected, give the password here. Alternatively -# give it when starting dovecot with -p parameter. Since this file is often -# world-readable, you may want to place this setting instead to a different -# root owned 0600 file by using ssl_key_password = <path. -#ssl_key_password = - -# PEM encoded trusted certificate authority. Set this only if you intend to use -# ssl_verify_client_cert=yes. The file should contain the CA certificate(s) -# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) -#ssl_ca = - -# Require that CRL check succeeds for client certificates. -#ssl_require_crl = yes - -# Directory and/or file for trusted SSL CA certificates. These are used only -# when Dovecot needs to act as an SSL client (e.g. imapc backend or -# submission service). The directory is usually /etc/ssl/certs in -# Debian-based systems and the file is /etc/pki/tls/cert.pem in -# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with -# large CA bundles, because it leads to excessive memory usage. -#ssl_client_ca_dir = -#ssl_client_ca_file = - -# Require valid cert when connecting to a remote server -#ssl_client_require_valid_cert = yes - -# Request client to send a certificate. If you also want to require it, set -# auth_ssl_require_client_cert=yes in auth section. -#ssl_verify_client_cert = no - -# Which field from certificate to use for username. commonName and -# x500UniqueIdentifier are the usual choices. 
You'll also need to set -# auth_ssl_username_from_cert=yes. -#ssl_cert_username_field = commonName - -# SSL DH parameters -# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` -# Or migrate from old ssl-parameters.dat file with the command dovecot -# gives on startup when ssl_dh is unset. -ssl_dh = </etc/dovecot/dh.pem - -# Minimum SSL protocol version to use. Potentially recognized values are SSLv3, -# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used. -# -# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol -# version, and LATEST matches with the latest version supported by library. -#ssl_min_protocol = TLSv1.2 - -# SSL ciphers to use, the default is: -#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH -# To disable non-EC DH, use: -#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH - -# Colon separated list of elliptic curves to use. Empty value (the default) -# means use the defaults from the SSL library. P-521:P-384:P-256 would be an -# example of a valid value. -#ssl_curve_list = - -# Prefer the server's order of ciphers over client's. -#ssl_prefer_server_ciphers = no - -# SSL crypto device to use, for valid values run "openssl engine" -#ssl_crypto_device = - -# SSL extra options. Currently supported options are: -# compression - Enable compression. -# no_ticket - Disable SSL session tickets. -#ssl_options = diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf deleted file mode 100644 index 95f99394..00000000 --- a/etc/dovecot/conf.d/15-mailboxes.conf +++ /dev/null 
@@ -1,95 +0,0 @@ -## -## Mailbox definitions -## - -# Each mailbox is specified in a separate mailbox section. The section name -# specifies the mailbox name. If it has spaces, you can put the name -# "in quotes". These sections can contain the following mailbox settings: -# -# auto: -# Indicates whether the mailbox with this name is automatically created -# implicitly when it is first accessed. The user can also be automatically -# subscribed to the mailbox after creation. The following values are -# defined for this setting: -# -# no - Never created automatically. -# create - Automatically created, but no automatic subscription. -# subscribe - Automatically created and subscribed. -# -# special_use: -# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the -# mailbox. There are no validity checks, so you could specify anything -# you want in here, but it's not a good idea to use flags other than the -# standard ones specified in the RFC: -# -# \All - This (virtual) mailbox presents all messages in the -# user's message store. -# \Archive - This mailbox is used to archive messages. -# \Drafts - This mailbox is used to hold draft messages. -# \Flagged - This (virtual) mailbox presents all messages in the -# user's message store marked with the IMAP \Flagged flag. -# \Important - This (virtual) mailbox presents all messages in the -# user's message store deemed important to user. -# \Junk - This mailbox is where messages deemed to be junk mail -# are held. -# \Sent - This mailbox is used to hold copies of messages that -# have been sent. -# \Trash - This mailbox is used to hold messages that have been -# deleted. -# -# comment: -# Defines a default comment or note associated with the mailbox. This -# value is accessible through the IMAP METADATA mailbox entries -# "/shared/comment" and "/private/comment". Users with sufficient -# privileges can override the default value for entries with a custom -# value. 
- -# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. -namespace inbox { - # These mailboxes are widely used and could perhaps be created automatically: - mailbox Drafts { - special_use = \Drafts - auto = subscribe - } - mailbox Junk { - special_use = \Junk - auto = subscribe - } - mailbox Trash { - special_use = \Trash - auto = subscribe - } - - # For \Sent mailboxes there are two widely used names. We'll mark both of - # them as \Sent. User typically deletes one of them if duplicates are created. - mailbox Sent { - special_use = \Sent - auto = subscribe - } - #mailbox "Sent Messages" { - # special_use = \Sent - #} - - mailbox Archive { - special_use = \Archive - auto = subscribe - } - - # If you have a virtual "All messages" mailbox: - #mailbox virtual/All { - # special_use = \All - # comment = All my messages - #} - - # If you have a virtual "Flagged" mailbox: - #mailbox virtual/Flagged { - # special_use = \Flagged - # comment = All my flagged messages - #} - - # If you have a virtual "Important" mailbox: - #mailbox virtual/Important { - # special_use = \Important - # comment = All my important messages - #} -} @@ -2,4 +2,8 @@ # See fstab(5) for details. # <file system> <dir> <type> <options> <dump> <pass> -/swap/swapfile none swap defaults 0 0 +/dev/vda3 / ext4 rw,relatime,errors=remount-ro 0 1 + +/dev/vda2 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2 + +/swapfile none swap defaults 0 0 diff --git a/etc/hostname b/etc/hostname index 8eb04e15..e30c3d44 100644 --- a/etc/hostname +++ b/etc/hostname @@ -1 +1 @@ -xyzca +xyzaa diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 9b63978b..aaff51df 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta 
@@ -4,12 +4,6 @@
 600 root root //etc/.cfgl/config.worktree
 700 root root //etc/.cfgl/info
 600 root root //etc/.cfgl/info/sparse-checkout
-755 root root //etc/dovecot
-755 root root //etc/dovecot/conf.d
-644 root root //etc/dovecot/conf.d/10-mail.conf
-644 root root //etc/dovecot/conf.d/10-master.conf
-644 root root //etc/dovecot/conf.d/10-ssl.conf
-644 root root //etc/dovecot/conf.d/15-mailboxes.conf
 644 root root //etc/fstab
 644 root root //etc/hostname
 644 root root //etc/locale.conf
@@ -19,15 +13,7 @@
 755 root root //etc/myconf
 600 root root //etc/myconf/cfgl_meta
 644 root root //etc/nftables.conf
-700 opendkim mail //etc/opendkim
-644 opendkim mail //etc/opendkim/opendkim.conf
-755 root root //etc/opendmarc
-640 opendmarc mail //etc/opendmarc/opendmarc.conf
 644 root root //etc/pacman.conf
-755 root root //etc/postfix
-644 root root //etc/postfix/aliases
-644 root root //etc/postfix/main.cf
-644 root root //etc/postfix/master.cf
 777 root root //etc/resolv.conf
 644 root root //etc/services
 755 root root //etc/ssh
@@ -35,18 +21,14 @@ 644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf 644 root root //etc/ssh/sshd_config 440 root root //etc/sudoers +755 root root //etc/sysctl.d +644 root root //etc/sysctl.d/99-sysctl.conf 755 root root //etc/systemd 755 root root //etc/systemd/network -644 systemd-network systemd-network //etc/systemd/network/10-cloud-init-eth0.network +644 systemd-network systemd-network //etc/systemd/network/default.network 755 root root //etc/systemd/system -755 root root //etc/systemd/system/acme.sh.service.d -644 root root //etc/systemd/system/acme.sh.service.d/override.conf -755 root root //etc/systemd/system/opendmarc.service.d -644 root root //etc/systemd/system/opendmarc.service.d/override.conf 755 root root //etc/systemd/system/paccache.service.d 644 root root //etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf -755 root root //etc/tmpfiles.d -644 root root //etc/tmpfiles.d/opendmarc.conf 755 root root //home 700 xyz wheel //home/xyz 644 xyz wheel //home/xyz/.bashrc diff --git a/etc/nftables.conf b/etc/nftables.conf index 22e38dfe..f5d7b49e 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf @@ -8,6 +8,8 @@ # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf` flush ruleset +define pub_iface = "eth0" +define wg_iface = "wg0" table inet my_table { chain my_input { @@ -17,6 +19,7 @@ table inet my_table { ct state invalid drop comment "early drop of invalid connections" ct state {established, related} accept comment "allow tracked connections" iifname lo accept comment "allow from loopback" + iifname $wg_iface accept comment "allow from wireguard" ip protocol icmp accept meta l4proto ipv6-icmp accept 
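Review bot: The added `iifname $wg_iface accept` in my_input comes before every per-port rule, so any WireGuard peer can reach every service listening on this host, not only what the tunnel is meant to expose. If the peers are not all equally trusted, the rule should name the services instead, for example `iifname $wg_iface tcp dport ssh accept`, and leave everything else to the final reject. A short comment stating which peers are expected on the tunnel would make the intended trust level clear. The my_input chain begins and ends outside this hunk.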
@@ -25,17 +28,8 @@ table inet my_table { #tcp dport qbt accept #udp dport qbt accept #tcp dport iperf3 accept - #udp dport wireguard accept - # for acme.sh standalone mode builtin webserver to renew ssl cert - tcp dport http accept - # email related ports - tcp dport smtp accept - tcp dport pop3 accept - tcp dport imap accept - tcp dport submissions accept - tcp dport submission accept - tcp dport imaps accept - tcp dport pop3s accept + udp dport wireguard accept + udp dport swgp accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic" @@ -45,6 +39,12 @@ table inet my_table { type filter hook forward priority filter policy drop # Drop everything forwarded to us. We do not forward. That is routers job. + + # needed for wireguard? + #iifname $wg_iface oifname $pub_iface accept + #iifname $pub_iface oifname $wg_iface accept + iifname $wg_iface accept + oifname $wg_iface accept } chain my_output { @@ -53,3 +53,17 @@ table inet my_table { # Accept every outbound connection } } + + +# needed to wireguard NAT masquerade VPN traffic +# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6? +# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families +table inet nat { + # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/ + # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface + chain postrouting { + type nat hook postrouting priority 100 + policy accept + oifname $pub_iface masquerade + } +} diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf deleted file mode 100644 index 373c7213..00000000 --- a/etc/opendkim/opendkim.conf +++ /dev/null 
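Review bot: `udp dport swgp accept` depends on a service name that does not look like a standard services entry, so the ruleset only parses where the local /etc/services defines it (presumably what the etc/services change in this commit adds). nft applies the file as a single transaction, so on a host missing that entry the whole file is rejected and the machine keeps its previous ruleset, or has none after a reboot. A define with the numeric port removes the dependency: `define swgp_port = <PORT>` beside the interface defines and `udp dport $swgp_port accept` here.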
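Review bot: `oifname $wg_iface accept` in the forward chain accepts any packet routed towards the tunnel, whatever interface it arrived on and whatever its connection state, so any host able to route such a packet to this machine can open new connections to VPN peers. Return traffic only needs `ct state {established, related} accept`, and the outbound direction can be pinned with `iifname $wg_iface oifname $pub_iface accept`, which is one of the two commented-out lines just above. The context comment "Drop everything forwarded to us. We do not forward." no longer describes the chain and should be reworded. The chain header is outside this hunk.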
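Review bot: `oifname $pub_iface masquerade` rewrites the source address of everything leaving the public interface rather than only tunnel traffic. Scoping it as `iifname $wg_iface oifname $pub_iface masquerade` keeps NAT limited to what the comment describes. The comment above the table is written as open questions; once confirmed it would read better as a statement such as `# inet-family nat handles IPv4 and IPv6 in one table (needs a kernel with inet nat support)`. `pub_iface` is fixed to "eth0" at the top of the file, so if the interface comes up under a different name this rule never matches and nft reports no error.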
@@ -1,769 +0,0 @@ -## -## opendkim.conf -- configuration file for OpenDKIM filter -## -## Copyright (c) 2010-2015, 2018, The Trusted Domain Project. -## All rights reserved. -## - -## -## For settings that refer to a "dataset", see the opendkim(8) man page. -## - -## DEPRECATED CONFIGURATION OPTIONS -## -## The following configuration options are no longer valid. They should be -## removed from your existing configuration file to prevent potential issues. -## Failure to do so may result in opendkim being unable to start. -## -## Removed in 2.10.0: -## AddAllSignatureResults -## ADSPAction -## ADSPNoSuchDomain -## BogusPolicy -## DisableADSP -## LDAPSoftStart -## LocalADSP -## NoDiscardableMailTo -## On-PolicyError -## SendADSPReports -## UnprotectedPolicy - -## CONFIGURATION OPTIONS - -## AllowSHA1Only { yes | no } -## default "no" -## -## By default, the filter will refuse to start if support for SHA256 is -## not available since this violates the strong recommendations of -## RFC6376 Section 3.3, which says: -## -## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST -## implement and SHOULD sign using rsa-sha256." -## -## This forces that violation to be explicitly selected by the administrator. - -# AllowSHA1Only no - -## AlwaysAddARHeader { yes | no } -## default "no" -## -## Add an "Authentication-Results:" header even to unsigned messages -## from domains with no "signs all" policy. The reported DKIM result -## will be "none" in such cases. Normally unsigned mail from non-strict -## domains does not cause the results header to be added. - -# AlwaysAddARHeader no - -## AuthservID string -## default (local host name) -## -## Defines the "authserv-id" token to be used when generating -## Authentication-Results headers after message verification. 
- -# AuthservID example.com - -## AuthservIDWithJobID -## default "no" -## -## Appends a "/" followed by the MTA's job ID to the "authserv-id" token -## when generating Authentication-Results headers after message verification. - -# AuthservIDWithJobId no - -## AutoRestart { yes | no } -## default "no" -## -## Indicate whether or not the filter should arrange to restart automatically -## if it crashes. - -# AutoRestart No - -## AutoRestartCount n -## default 0 -## -## Sets the maximum automatic restart count. After this number of -## automatic restarts, the filter will give up and terminate. A value of 0 -## implies no limit. - -# AutoRestartCount 0 - -## AutoRestartRate n/t[u] -## default (none) -## -## Sets the maximum automatic restart rate. See the opendkim.conf(5) -## man page for the format of this parameter. - -# AutoRestartRate n/tu - -## Background { yes | no } -## default "yes" -## -## Indicate whether or not the filter should run in the background. - -# Background Yes - -## BaseDirectory path -## default (none) -## -## Causes the filter to change to the named directory before beginning -## operation. Thus, cores will be dumped here and configuration files -## are read relative to this location. - -# BaseDirectory /run/opendkim - -## BodyLengthDB dataset -## default (none) -## -## A data set that is checked against envelope recipients to see if a -## body length tag should be included in the generated signature. -## This has security implications; see opendkim.conf(5) for details. - -# BodyLengthDB dataset - -## Canonicalization hdrcanon[/bodycanon] -## default "simple/simple" -## -## Select canonicalizations to use when signing. If the "bodycanon" is -## omitted, "simple" is used. Valid values for each are "simple" and -## "relaxed". - -Canonicalization relaxed/simple - -## ClockDrift n -## default 300 -## -## Specify the tolerance range for expired signatures or signatures -## which appear to have timestamps in the future, allowing for clock -## drift. 
- -# ClockDrift 300 - -## Diagnostics { yes | no } -## default "no" -## -## Specifies whether or not signatures with header diagnostic tags should -## be generated. - -# Diagnostics No - -## DNSTimeout n -## default 10 -## -## Specify the time in seconds to wait for replies from the nameserver when -## requesting keys or signing policies. - -# DNSTimeout 10 - -## Domain dataset -## default (none) -## -## Specify for which domain(s) signing should be done. No default; must -## be specified for signing. - -Domain flylightning.xyz - -## DomainKeysCompat { yes | no } -## default "no" -## -## When enabled, backward compatibility with DomainKeys (RFC4870) key -## records is enabled. Otherwise, such key records are considered to be -## syntactically invalid. - -# DomainKeysCompat no - -## DontSignMailTo dataset -## default (none) -## -## Gives a list of recipient addresses or address patterns whose mail should -## not be signed. - -# DontSignMailTo addr1,addr2,... - -## EnableCoredumps { yes | no } -## default "no" -## -## On systems which have support for such, requests that the kernel dump -## core even though the process may change user ID during its execution. - -# EnableCoredumps no - -## ExemptDomains dataset -## default (none) -## -## A data set of domain names that are checked against the message sender's -## domain. If a match is found, the message is ignored by the filter. - -# ExemptDomains domain1,domain2,... - -## ExternalIgnoreList filename -## -## Names a file from which a list of externally-trusted hosts is read. -## These are hosts which are allowed to send mail through you for signing. -## Automatically contains 127.0.0.1. See man page for file format. - -# ExternalIgnoreList filename - -## FixCRLF { yes | no } -## -## Requests that the library convert "naked" CR and LF characters to -## CRLFs during canonicalization. The default is "no". 
- -# FixCRLF no - -## IgnoreMalformedMail { yes | no } -## default "no" -## -## Silently passes malformed messages without alteration. This includes -## messages that fail the RequiredHeaders check, if enabled. The default is -## to pass those messages but add an Authentication-Results field indicating -## that they were malformed. - -# IgnoreMalformedMail no - -## InternalHosts dataset -## default "127.0.0.1" -## -## Names a file from which a list of internal hosts is read. These are -## hosts from which mail should be signed rather than verified. -## Automatically contains 127.0.0.1. - -# InternalHosts dataset - -## KeepTemporaryFiles { yes | no } -## default "no" -## -## If set, causes temporary files generated during message signing or -## verifying to be left behind for debugging use. Not for normal operation; -## can fill your disks quite fast on busy systems. - -# KeepTemporaryFiles no - -## KeyFile filename -## default (none) -## -## Specifies the path to the private key to use when signing. Ignored if -## SigningTable and KeyTable are used. No default; must be specified for -## signing if SigningTable/KeyTable are not in use. - -KeyFile /etc/opendkim/mail.private - -## KeyTable dataset -## default (none) -## -## Defines a table that will be queried to convert key names to -## sets of data of the form (signing domain, signing selector, private key). -## The private key can either contain a PEM-formatted private key, -## a base64-encoded DER format private key, or a path to a file containing -## one of those. - -# KeyTable dataset - -## LogWhy { yes | no } -## default "no" -## -## If logging is enabled (see Syslog below), issues very detailed logging -## about the logic behind the filter's decision to either sign a message -## or verify it. The logic behind the decision is non-trivial and can be -## confusing to administrators not familiar with its operation. 
A -## description of how the decision is made can be found in the OPERATIONS -## section of the opendkim(8) man page. This causes a large increase -## in the amount of log data generated for each message, so it should be -## limited to debugging use and not enabled for general operation. - -# LogWhy no - -## MacroList macro[=value][,...] -## -## Gives a set of MTA-provided macros which should be checked to see -## if the sender has been determined to be a local user and therefore -## whether or not signing should be done. See opendkim.conf(5) for -## more information. - -# MacroList foo=bar,baz=blivit - -## MaximumHeaders n -## -## Disallow messages whose header blocks are bigger than "n" bytes. -## Intended to detect and block a denial-of-service attack. The default -## is 65536. A value of 0 disables this test. - -# MaximumHeaders n - -## MaximumSignaturesToVerify n -## (default 3) -## -## Verify no more than "n" signatures on an arriving message. -## A value of 0 means "no limit". - -# MaximumSignaturesToVerify n - -## MaximumSignedBytes n -## -## Don't sign more than "n" bytes of the message. The default is to -## sign the entire message. Setting this implies "BodyLengths". - -# MaximumSignedBytes n - -## MilterDebug n -## -## Request a debug level of "n" from the milter library. The default is 0. - -# MilterDebug 0 - -## Minimum n[% | +] -## default 0 -## -## Sets a minimum signing volume; one of the following formats: -## n at least n bytes (or the whole message, whichever is less) -## must be signed -## n% at least n% of the message must be signed -## n+ if a length limit was presented in the signature, no more than -## n bytes may have been added - -# Minimum n - -## MinimumKeyBits n -## default 1024 -## -## Causes the library not to accept signatures matching keys made of fewer -## than the specified number of bits, even if they would otherwise pass -## DKIM signing. 
- -# MinimumKeyBits 1024 - -## Mode [sv] -## default sv -## -## Indicates which mode(s) of operation should be provided. "s" means -## "sign", "v" means "verify". - -# Mode sv - -## MTA dataset -## default (none) -## -## Specifies a list of MTAs whos mail should always be signed rather than -## verified. The "mtaname" is extracted from the DaemonPortOptions line -## in effect. - -# MTA name - -## MultipleSignatures { yes | no } -## default no -## -## Allows multiple signatures to be added. If set to "true" and a SigningTable -## is in use, all SigningTable entries that match the candidate message will -## cause a signature to be added. Otherwise, only the first matching -## SigningTable entry will be added, or only the key defined by Domain, -## Selector and KeyFile will be added. - -# MultipleSignatures no - -## MustBeSigned dataset -## default (none) -## -## Defines a list of headers which, if present on a message, must be -## signed for the signature to be considered acceptable. - -# MustBeSigned header1,header2,... - -## Nameservers addr1[,addr2[,...]] -## default (none) -## -## Provides a comma-separated list of IP addresses that are to be used when -## doing DNS queries to retrieve DKIM keys, VBR records, etc. -## These override any local defaults built in to the resolver in use, which -## may be defined in /etc/resolv.conf or hard-coded into the software. - -# Nameservers addr1,addr2,... - -## NoHeaderB { yes | no } -## default "no" -## -## Suppresses addition of "header.b" tags on Authentication-Results -## header fields. - -# NoHeaderB no - -## OmitHeaders dataset -## default (none) -## -## Specifies a list of headers that should always be omitted when signing. -## Header names should be separated by commas. - -# OmitHeaders header1,header2,... - -## On-... -## -## Specifies what to do when certain error conditions are encountered. -## -## See opendkim.conf(5) for more information. 
- -# On-Default -# On-BadSignature -# On-DNSError -# On-InternalError -# On-NoSignature -# On-Security -# On-SignatureError - -## OversignHeaders dataset -## default (none) -## -## Specifies a set of header fields that should be included in all signature -## header lists (the "h=" tag) once more than the number of times they were -## actually present in the signed message. See opendkim.conf(5) for more -## information. - -# OverSignHeaders header1,header2,... - -## PeerList dataset -## default (none) -## -## Contains a list of IP addresses, CIDR blocks, hostnames or domain names -## whose mail should be neither signed nor verified by this filter. See man -## page for file format. - -# PeerList filename - -## PidFile filename -## default (none) -## -## Name of the file where the filter should write its pid before beginning -## normal operations. - -# PidFile filename - -## POPDBFile dataset -## default (none) -## -## Names a database which should be checked for "POP before SMTP" records -## as a form of authentication of users who may be sending mail through -## the MTA for signing. Requires special compilation of the filter. -## See opendkim.conf(5) for more information. - -# POPDBFile filename - -## Quarantine { yes | no } -## default "no" -## -## Indicates whether or not the filter should arrange to quarantine mail -## which fails verification. Intended for diagnostic use only. - -# Quarantine No - -## QueryCache { yes | no } -## default "no" -## -## Instructs the DKIM library to maintain its own local cache of keys and -## policies retrieved from DNS, rather than relying on the nameserver for -## caching service. Useful if the nameserver being used by the filter is -## not local. The filter must be compiled with the QUERY_CACHE flag to enable -## this feature, since it adds a library dependency. 
- -# QueryCache No - -## RedirectFailuresTo address -## default (none) -## -## Redirects signed messages to the specified address if none of the -## signatures present failed to verify. - -# RedirectFailuresTo postmaster@example.com - -## RemoveARAll { yes | no } -## default "no" -## -## Remove all Authentication-Results: headers on all arriving mail. - -# RemoveARAll No - -## RemoveARFrom dataset -## default (none) -## -## Remove all Authentication-Results: headers on all arriving mail that -## claim to have been added by hosts listed in this parameter. The list -## should be comma-separated. Entire domains may be specified by preceding -## the dopmain name by a single dot (".") character. - -# RemoveARFrom host1,host2,.domain1,.domain2,... - -## RemoveOldSignatures { yes | no } -## default "no" -## -## Remove old signatures on messages, if any, when generating a signature. - -# RemoveOldSignatures No - -## ReportAddress addr -## default (executing user)@(hostname) -## -## Specifies the sending address to be used on 
From: headers of outgoing -## failure reports. By default, the e-mail address of the user executing -## the filter is used. - -# ReportAddress "DKIM Error Postmaster" <postmaster@example.com> - -## ReportBccAddress addr -## default (none) -## -## Specifies additional recipient address(es) to receive outgoing failure -## reports. - -# ReportBccAddress postmaster@example.com, john@example.com - -## RequiredHeaders { yes | no } -## default no -## -## Rejects messages which don't conform to RFC5322 header count requirements. - -# RequiredHeaders No - -## RequireSafeKeys { yes | no } -## default yes -## -## Refuses to use key files that appear to have unsafe permissions. - -# RequireSafeKeys Yes - -## ResignAll { yes | no } -## default no -## -## Where ResignMailTo triggers a re-signing action, this flag indicates -## whether or not all mail should be signed (if set) versus only verified -## mail being signed (if not set). - -# ResignAll No - -## ResignMailTo dataset -## default (none) -## -## Checks each message recipient against the specified dataset for a -## matching record. The full address is checked in each case, then the -## hostname, then each domain preceded by ".". If there is a match, the -## value returned is presumed to be the name of a key in the KeyTable -## (if defined) to be used to re-sign the message in addition to -## verifying it. If there is a match without a KeyTable, the default key -## is applied. - -# ResignMailTo dataset - -## ResolverConfiguration string -## -## Passes arbitrary configuration data to the resolver. For the stock UNIX -## resolver, this is ignored; for Unbound, it names an unbound.conf(5)-style -## file that should be read for configuration information. - -# ResolverConfiguration string - -## ResolverTracing { yes | no } -## -## Requests enabling of resolver trace features, if available. The effect -## of setting this flag depends on how trace features, if any, are implemented -## in the resolver in use. 
Currently only effective when used with the -## OpenDKIM asynchronous resolver. - -# ResolverTracing no - -## Selector name -## -## The name of the selector to use when signing. No default; must be -## specified for signing. - -Selector mail - -## SenderHeaders dataset -## default (none) -## -## Overrides the default list of headers that will be used to determine -## the sending domain when deciding whether to sign the message and with -## with which key(s). See opendkim.conf(5) for details. - -# SenderHeaders From - -## SendReports { yes | no } -## default "no" -## -## Specifies whether or not the filter should generate report mail back -## to senders when verification fails and an address for such a purpose -## is provided. See opendkim.conf(5) for details. - -# SendReports No - -## SignatureAlgorithm signalg -## default "rsa-sha256" -## -## Signature algorithm to use when generating signatures. Must be one of -## "rsa-sha1", "rsa-sha256", or "ed25519-sha256". - -# SignatureAlgorithm rsa-sha256 - -## SignatureTTL seconds -## default "0" -## -## Specifies the lifetime in seconds of signatures generated by the -## filter. A value of 0 means no expiration time is included in the -## signature. - -# SignatureTTL 0 - -## SignHeaders dataset -## default (none) -## -## Specifies the list of headers which should be included when generating -## signatures. The string should be a comma-separated list of header names. -## See the opendkim.conf(5) man page for more information. - -# SignHeaders header1,header2,... - -## SigningTable dataset -## default (none) -## -## Defines a dataset that will be queried for the message sender's address -## to determine which private key(s) (if any) should be used to sign the -## message. The sender is determined from the value of the sender -## header fields as described with SenderHeaders above. 
The key for this -## lookup should be an address or address pattern that matches senders; -## see the opendkim.conf(5) man page for more information. The value -## of the lookup should return the name of a key found in the KeyTable -## that should be used to sign the message. If MultipleSignatures -## is set, all possible lookup keys will be attempted which may result -## in multiple signatures being applied. - -# SigningTable filename - -## SingleAuthResult { yes | no} -## default "no" -## -## When DomainKeys verification is enabled, multiple Authentication-Results -## will be added, one for DK and one for DKIM. With this enabled, only -## a DKIM result will be reported unless DKIM failed but DK passed, in which -## case only a DK result will be reported. - -# SingleAuthResult no - -## SMTPURI uri -## -## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent -## via SMTP when notifications are generated. - -# SMTPURI smtp://localhost - -## Socket socketspec -## -## Names the socket where this filter should listen for milter connections -## from the MTA. Required. Should be in one of these forms: -## -## inet:port@address to listen on a specific interface -## inet:port to listen on all interfaces -## local:/path/to/socket to listen on a UNIX domain socket - -Socket local:/run/opendkim/opendkim.sock - -## SoftwareHeader { yes | no } -## default "no" -## -## Add a DKIM-Filter header field to messages passing through this filter -## to identify messages it has processed. - -# SoftwareHeader no - -## StrictHeaders { yes | no } -## default "no" -## -## Requests that the DKIM library refuse to process a message whose -## header fields do not conform to the standards, in particular Section 3.6 -## of RFC5322. - -# StrictHeaders no - -## StrictTestMode { yes | no } -## default "no" -## -## Selects strict CRLF mode during testing (see the "-t" command line -## flag in the opendkim(8) man page). 
Messages for which all header -## fields and body lines are not CRLF-terminated are considered malformed -## and will produce an error. - -# StrictTestMode no - -## SubDomains { yes | no } -## default "no" -## -## Sign for subdomains as well? - -# SubDomains No - -## Syslog { yes | no } -## default "yes" -## -## Log informational and error activity to syslog? - -Syslog Yes - -## SyslogFacility facility -## default "mail" -## -## Valid values are : -## auth cron daemon kern lpr mail news security syslog user uucp -## local0 local1 local2 local3 local4 local5 local6 local7 -## -## syslog facility to be used - -# SyslogFacility mail - -## SyslogName ident -## default "opendkim" (or the name of the executable) -## -## Identifier to be prepended to all generated log entries. - -# SyslogName opendkim - -## SyslogSuccess { yes | no } -## default "no" -## -## Log success activity to syslog? - -# SyslogSuccess No - -## TemporaryDirectory path -## default /tmp -## -## Specifies which directory will be used for creating temporary files -## during message processing. - -# TemporaryDirectory /tmp - -## TestPublicKeys filename -## default (none) -## -## Names a file from which public keys should be read. Intended for use -## only during automated testing. - -# TestPublicKeys /tmp/testkeys - -## TrustAnchorFile filename -## default (none) -## -## Specifies a file from which trust anchor data should be read when doing -## DNS queries and applying the DNSSEC protocol. See the Unbound documentation -## at http://unbound.net for the expected format of this file. - -# TrustAnchorFile /var/named/trustanchor - -## UMask mask -## default (none) -## -## Change the process umask for file creation to the specified value. -## The system has its own default which will be used (usually 022). -## See the umask(2) man page for more information. - -UMask 002 - -## Userid userid -## default (none) -## -## Change to user "userid" before starting normal operation? 
May include -## a group ID as well, separated from the userid by a colon. - -UserID opendkim diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf deleted file mode 100644 index f8d8120c..00000000 --- a/etc/opendmarc/opendmarc.conf +++ /dev/null 
@@ -1,371 +0,0 @@
-## opendmarc.conf -- configuration file for OpenDMARC filter
-##
-## Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved.
-
-## DEPRECATED CONFIGURATION OPTIONS
-##
-## The following configuration options are no longer valid. They should be
-## removed from your existing configuration file to prevent potential issues.
-## Failure to do so may result in opendmarc being unable to start.
-##
-## Renamed in 1.3.0:
-## ForensicReports became FailureReports
-## ForensicReportsBcc became FailureReportsBcc
-## ForensicReportsOnNone became FailureReportsOnNone
-## ForensicReportsSentBy became FailureReportsSentBy
-
-## CONFIGURATION OPTIONS
-
-## AuthservID (string)
-## defaults to MTA name
-##
-## Sets the "authserv-id" to use when generating the Authentication-Results:
-## header field after verifying a message. If the string "HOSTNAME" is
-## provided, the name of the host running the filter (as returned by the
-## gethostname(3) function) will be used.
-#
-# AuthservID name
-AuthservID HOSTNAME
-
-## AuthservIDWithJobID { true | false }
-## default "false"
-##
-## If "true", requests that the authserv-id portion of the added
-## Authentication-Results header fields contain the job ID of the message
-## being evaluated.
-#
-# AuthservIDWithJobID false
-
-## AutoRestart { true | false }
-## default "false"
-##
-## Automatically re-start on failures. Use with caution; if the filter fails
-## instantly after it starts, this can cause a tight fork(2) loop.
-#
-# AutoRestart false
-
-## AutoRestartCount n
-## default 0
-##
-## Sets the maximum automatic restart count. After this number of automatic
-## restarts, the filter will give up and terminate. A value of 0 implies no
-## limit.
-#
-# AutoRestartCount 0
-
-## AutoRestartRate n/t[u]
-## default (no limit)
-##
-## Sets the maximum automatic restart rate. If the filter begins restarting
-## faster than the rate defined here, it will give up and terminate.
This
-## is a string of the form n/t[u] where n is an integer limiting the count
-## of restarts in the given interval and t[u] defines the time interval
-## through which the rate is calculated; t is an integer and u defines the
-## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
-## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
-## value of "10/1h" limits the restarts to 10 in one hour. There is no
-## default, meaning restart rate is not limited.
-#
-# AutoRestartRate n/t[u]
-
-## Background { true | false }
-## default "true"
-##
-## Causes opendmarc to fork and exits immediately, leaving the service
-## running in the background.
-#
-# Background true
-
-## BaseDirectory (string)
-## default (none)
-##
-## If set, instructs the filter to change to the specified directory using
-## chdir(2) before doing anything else. This means any files referenced
-## elsewhere in the configuration file can be specified relative to this
-## directory. It's also useful for arranging that any crash dumps will be
-## saved to a specific location.
-#
-# BaseDirectory /var/run/opendmarc
-
-## ChangeRootDirectory (string)
-## default (none)
-##
-## Requests that the operating system change the effective root directory of
-## the process to the one specified here prior to beginning execution.
-## chroot(2) requires superuser access. A warning will be generated if
-## UserID is not also set.
-#
-# ChangeRootDirectory /var/chroot/opendmarc
-
-## CopyFailuresTo (string)
-## default (none)
-##
-## Requests addition of the specified email address to the envelope of
-## any message that fails the DMARC evaluation.
-#
-# CopyFailuresTo postmaster@localhost
-
-## DNSTimeout (integer)
-## default 5
-##
-## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
-## (NOT YET IMPLEMENTED)
-#
-# DNSTimeout 5
-
-## EnableCoredumps { true | false }
-## default "false"
-##
-## On systems that have such support, make an explicit request to the kernel
-## to dump cores when the filter crashes for some reason. Some modern UNIX
-## systems suppress core dumps during crashes for security reasons if the
-## user ID has changed during the lifetime of the process. Currently only
-## supported on Linux.
-#
-# EnableCoreDumps false
-
-## FailureReports { true | false }
-## default "false"
-##
-## Enables generation of failure reports when the DMARC test fails and the
-## purported sender of the message has requested such reports. Reports are
-## formatted per RFC6591.
-#
-# FailureReports false
-
-## FailureReportsBcc (string)
-## default (none)
-##
-## When failure reports are enabled and one is to be generated, always
-## send one to the address(es) specified here. If a failure report is
-## requested by the domain owner, the address(es) are added in a Bcc: field.
-## If no request is made, they address(es) are used in a To: field. There
-## is no default.
-#
-# FailureReportsBcc postmaster@example.coom
-
-## FailureReportsOnNone { true | false }
-## default "false"
-##
-## Supplements the "FailureReports" setting by generating reports for
-## domains that advertise "none" policies. By default, reports are only
-## generated (when enabled) for sending domains advertising a "quarantine"
-## or "reject" policy.
-#
-# FailureReportsOnNone false
-
-## FailureReportsSentBy string
-## default "USER@HOSTNAME"
-##
-## Specifies the email address to use in the
From: field of failure
-## reports generated by the filter. The default is to use the userid of
-## the user running the filter and the local hostname to construct an
-## email address. "postmaster" is used in place of the userid if a name
-## could not be determined.
-#
-# FailureReportsSentBy USER@HOSTNAME
-
-## HistoryFile path
-## default (none)
-##
-## If set, specifies the location of a text file to which records are written
-## that can be used to generate DMARC aggregate reports. Records are groups
-## of rows containing information about a single received message, and
-## include all relevant information needed to generate a DMARC aggregate
-## report. It is expected that this will not be used in its raw form, but
-## rather periodically imported into a relational database from which the
-## aggregate reports can be extracted by a tool such as opendmarc-import(8).
-#
-# HistoryFile /var/run/opendmarc.dat
-
-## IgnoreAuthenticatedClients { true | false }
-## default "false"
-##
-## If set, causes mail from authenticated clients (i.e., those that used
-## SMTP AUTH) to be ignored by the filter.
-#
-IgnoreAuthenticatedClients true
-
-## IgnoreHosts path
-## default (internal)
-##
-## Specifies the path to a file that contains a list of hostnames, IP
-## addresses, and/or CIDR expressions identifying hosts whose SMTP
-## connections are to be ignored by the filter. If not specified, defaults
-## to "127.0.0.1" only.
-#
-# IgnoreHosts /etc/opendmarc/ignore.hosts
-
-## IgnoreMailFrom domain[,...]
-## default (none)
-##
-## Gives a list of domain names whose mail (based on the
From: domain) is to
-## be ignored by the filter. The list should be comma-separated. Matching
-## against this list is case-insensitive. The default is an empty list,
-## meaning no mail is ignored.
-#
-# IgnoreMailFrom example.com
-
-## MilterDebug (integer)
-## default 0
-##
-## Sets the debug level to be requested from the milter library.
-#
-# MilterDebug 0
-
-## PidFile path
-## default (none)
-##
-## Specifies the path to a file that should be created at process start
-## containing the process ID.
-#
-# PidFile /var/run/opendmarc.pid
-
-## PublicSuffixList path
-## default (none)
-##
-## Specifies the path to a file that contains top-level domains (TLDs) that
-## will be used to compute the Organizational Domain for a given domain name,
-## as described in the DMARC specification. If not provided, the filter will
-## not be able to determine the Organizational Domain and only the presented
-## domain will be evaluated.
-#
-# PublicSuffixList path
-
-## RecordAllMessages { true | false }
-## default "false"
-##
-## If set and "HistoryFile" is in use, all received messages are recorded
-## to the history file. If not set (the default), only messages for which
-## the
From: domain published a DMARC record will be recorded in the
-## history file.
-#
-# RecordAllMessages false
-
-## RejectFailures { true | false }
-## default "false"
-##
-## If set, messages will be rejected if they fail the DMARC evaluation, or
-## temp-failed if evaluation could not be completed. By default, no message
-## will be rejected or temp-failed regardless of the outcome of the DMARC
-## evaluation of the message. Instead, an Authentication-Results header
-## field will be added.
-#
-# RejectFailures false
-
-## ReportCommand string
-## default "/usr/sbin/sendmail -t"
-##
-## Indicates the shell command to which failure reports should be passed for
-## delivery when "FailureReports" is enabled.
-#
-# ReportCommand /usr/sbin/sendmail -t
-
-## RequiredHeaders { true | false }
-## default "false"
-##
-## If set, the filter will ensure the header of the message conforms to the
-## basic header field count restrictions laid out in RFC5322, Section 3.6.
-## Messages failing this test are rejected without further processing. A
-##
From: field from which no domain name could be extracted will also be
-## rejected.
-#
-# RequiredHeaders false
-
-## Socket socketspec
-## default (none)
-##
-## Specifies the socket that should be established by the filter to receive
-## connections from sendmail(8) in order to provide service. socketspec is
-## in one of two forms: local:path, which creates a UNIX domain socket at
-## the specified path, or inet:port[@host] or inet6:port[@host] which creates
-## a TCP socket on the specified port for the appropriate protocol family.
-## If the host is not given as either a hostname or an IP address, the
-## socket will be listening on all interfaces. This option is mandatory
-## either in the configuration file or on the command line. If an IP
-## address is used, it must be enclosed in square brackets.
-#
-# Socket inet:8893@localhost
-#Socket unix:/var/spool/opendmarc/opendmarc.sock
-Socket unix:/run/opendmarc/opendmarc.sock
-
-## SoftwareHeader { true | false }
-## default "false"
-##
-## Causes the filter to add a "DMARC-Filter" header field indicating the
-## presence of this filter in the path of the message from injection to
-## delivery. The product's name, version, and the job ID are included in
-## the header field's contents.
-#
-# SoftwareHeader false
-
-## SPFIgnoreResults { true | false }
-## default "false"
-##
-## Causes the filter to ignore any SPF results in the header of the
-## message. This is useful if you want the filter to perfrom SPF checks
-## itself, or because you don't trust the arriving header.
-#
-# SPFIgnoreResults false
-
-## SPFSelfValidate { true | false }
-## default false
-##
-## Enable internal spf checking with --with-spf
-## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
-##
-## Causes the filter to perform a fallback SPF check itself when
-## it can find no SPF results in the message header.
If SPFIgnoreResults
-## is also set, it never looks for SPF results in headers and
-## always performs the SPF check itself when this is set.
-#
-SPFSelfValidate true
-
-## Syslog { true | false }
-## default "false"
-##
-## Log via calls to syslog(3) any interesting activity.
-#
-# Syslog false
-
-## SyslogFacility facility-name
-## default "mail"
-##
-## Log via calls to syslog(3) using the named facility. The facility names
-## are the same as the ones allowed in syslog.conf(5).
-#
-# SyslogFacility mail
-
-## TrustedAuthservIDs string
-## default HOSTNAME
-##
-## Specifies one or more "authserv-id" values to trust as relaying true
-## upstream DKIM and SPF results. The default is to use the name of
-## the MTA processing the message. To specify a list, separate each entry
-## with a comma. The key word "HOSTNAME" will be replaced by the name of
-## the host running the filter as reported by the gethostname(3) function.
-#
-# TrustedAuthservIDs HOSTNAME
-
-## UMask mask
-## default (none)
-##
-## Requests a specific permissions mask to be used for file creation. This
-## only really applies to creation of the socket when Socket specifies a
-## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
-## files are normally created by the mkstemp(3) function that enforces a
-## specific file mode on creation regardless of the process umask. See
-## umask(2) for more information.
-#
-# UMask 077
-UMask 002
-
-## UserID user[:group]
-## default (none)
-##
-## Attempts to become the specified userid before starting operations.
-## The process will be assigned all of the groups and primary group ID of
-## the named userid unless an alternate group is specified.
-#
-# UserID opendmarc
-# ATTENTION: user and group are enforced throug the systemd service file
diff --git a/etc/postfix/aliases b/etc/postfix/aliases
deleted file mode 100644
index a4c4f8a0..00000000
--- a/etc/postfix/aliases
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Sample aliases file. Install in the location as specified by the
-# output from the command "postconf alias_maps". Typical path names
-# are /etc/aliases or /etc/mail/aliases.
-#
-# >>>>>>>>>> The program "newaliases" must be run after
-# >> NOTE >> this file is updated for any changes to
-# >>>>>>>>>> show through to Postfix.
-#
-
-# Person who should get root's mail. Don't receive mail as root!
-# https://wiki.archlinux.org/title/Postfix#Aliases
-root: xyz
-
-# Basic system aliases -- these MUST be present
-MAILER-DAEMON: postmaster
-postmaster: root
-
-# General redirections for pseudo accounts
-bin: root
-daemon: root
-named: root
-nobody: root
-uucp: root
-www: root
-ftp-bugs: root
-postfix: root
-
-# Put your local aliases here.
-
-# Well-known aliases
-manager: root
-dumper: root
-operator: root
-abuse: postmaster
-
-# trap decode to catch security attacks
-decode: root
-
-# ALIASES(5) ALIASES(5)
-#
-# NAME
-# aliases - Postfix local alias database format
-#
-# SYNOPSIS
-# newaliases
-#
-# DESCRIPTION
-# The optional aliases(5) table (alias_maps) redirects mail
-# for local recipients. The redirections are processed by
-# the Postfix local(8) delivery agent.
-#
-# This is unlike virtual(5) aliasing (virtual_alias_maps)
-# which applies to all recipients: local(8), virtual, and
-# remote, and which is implemented by the cleanup(8) daemon.
-#
-# Normally, the aliases(5) table is specified as a text file
-# that serves as input to the postalias(1) command. The
-# result, an indexed file in dbm or db format, is used for
-# fast lookup by the mail system. Execute the command
-# newaliases in order to rebuild the indexed file after
-# changing the Postfix alias database.
-#
-# When the table is provided via other means such as NIS,
-# LDAP or SQL, the same lookups are done as for ordinary
-# indexed files.
-#
-# Alternatively, the table can be provided as a regu-
-# lar-expression map where patterns are given as regular
-# expressions.
In this case, the lookups are done in a
-# slightly different way as described below under "REGULAR
-# EXPRESSION TABLES".
-#
-# Users can control delivery of their own mail by setting up
-# .forward files in their home directory. Lines in per-user
-# .forward files have the same syntax as the right-hand side
-# of aliases(5) entries.
-#
-# The format of the alias database input file is as follows:
-#
-# o An alias definition has the form
-#
-# name: value1, value2, ...
-#
-# o Empty lines and whitespace-only lines are ignored,
-# as are lines whose first non-whitespace character
-# is a `#'.
-#
-# o A logical line starts with non-whitespace text. A
-# line that starts with whitespace continues a logi-
-# cal line.
-#
-# The name is a local address (no domain part). Use double
-# quotes when the name contains any special characters such
-# as whitespace, `#', `:', or `@'. The name is folded to
-# lowercase, in order to make database lookups case insensi-
-# tive.
-#
-# In addition, when an alias exists for owner-name, this
-# will override the envelope sender address, so that deliv-
-# ery diagnostics are directed to owner-name, instead of the
-# originator of the message (for details, see
-# owner_request_special, expand_owner_alias and
-# reset_owner_alias). This is typically used to direct
-# delivery errors to the maintainer of a mailing list, who
-# is in a better position to deal with mailing list delivery
-# problems than the originator of the undelivered mail.
-#
-# The value contains one or more of the following:
-#
-# address
-# Mail is forwarded to address, which is compatible
-# with the RFC 822 standard.
-#
-# /file/name
-# Mail is appended to /file/name. For details on how
-# a file is written see the sections "EXTERNAL FILE
-# DELIVERY" and "DELIVERY RIGHTS" in the local(8)
-# documentation. Delivery is not limited to regular
-# files. For example, to dispose of unwanted mail,
-# deflect it to /dev/null.
-#
-# |command
-# Mail is piped into command.
Commands that contain
-# special characters, such as whitespace, should be
-# enclosed between double quotes. For details on how
-# a command is executed see "EXTERNAL COMMAND DELIV-
-# ERY" and "DELIVERY RIGHTS" in the local(8) documen-
-# tation.
-#
-# When the command fails, a limited amount of command
-# output is mailed back to the sender. The file
-# /usr/include/sysexits.h defines the expected exit
-# status codes. For example, use "|exit 67" to simu-
-# late a "user unknown" error, and "|exit 0" to
-# implement an expensive black hole.
-#
-# :include:/file/name
-# Mail is sent to the destinations listed in the
-# named file. Lines in :include: files have the same
-# syntax as the right-hand side of alias entries.
-#
-# A destination can be any destination that is
-# described in this manual page. However, delivery to
-# "|command" and /file/name is disallowed by default.
-# To enable, edit the allow_mail_to_commands and
-# allow_mail_to_files configuration parameters.
-#
-# ADDRESS EXTENSION
-# When alias database search fails, and the recipient local-
-# part contains the optional recipient delimiter (e.g.,
-# user+foo), the search is repeated for the unextended
-# address (e.g., user).
-#
-# The propagate_unmatched_extensions parameter controls
-# whether an unmatched address extension (+foo) is propa-
-# gated to the result of table lookup.
-#
-# CASE FOLDING
-# The local(8) delivery agent always folds the search string
-# to lowercase before database lookup.
-#
-# REGULAR EXPRESSION TABLES
-# This section describes how the table lookups change when
-# the table is given in the form of regular expressions. For
-# a description of regular expression lookup table syntax,
-# see regexp_table(5) or pcre_table(5). NOTE: these formats
-# do not use ":" at the end of a pattern.
-#
-# Each regular expression is applied to the entire search
-# string. Thus, a search string user+foo is not broken up
-# into user and foo.
-#
-# Regular expressions are applied in the order as specified
-# in the table, until a regular expression is found that
-# matches the search string.
-#
-# Lookup results are the same as with indexed file lookups.
-# For security reasons there is no support for $1, $2 etc.
-# substring interpolation.
-#
-# SECURITY
-# The local(8) delivery agent disallows regular expression
-# substitution of $1 etc. in alias_maps, because that would
-# open a security hole.
-#
-# The local(8) delivery agent will silently ignore requests
-# to use the proxymap(8) server within alias_maps. Instead
-# it will open the table directly. Before Postfix version
-# 2.2, the local(8) delivery agent will terminate with a
-# fatal error.
-#
-# CONFIGURATION PARAMETERS
-# The following main.cf parameters are especially relevant.
-# The text below provides only a parameter summary. See
-# postconf(5) for more details including examples.
-#
-# alias_database (see 'postconf -d' output)
-# The alias databases for local(8) delivery that are
-# updated with "newaliases" or with "sendmail -bi".
-#
-# alias_maps (see 'postconf -d' output)
-# Optional lookup tables with aliases that apply only
-# to local(8) recipients; this is unlike vir-
-# tual_alias_maps that apply to all recipients:
-# local(8), virtual, and remote.
-#
-# allow_mail_to_commands (alias, forward)
-# Restrict local(8) mail delivery to external com-
-# mands.
-#
-# allow_mail_to_files (alias, forward)
-# Restrict local(8) mail delivery to external files.
-#
-# expand_owner_alias (no)
-# When delivering to an alias "aliasname" that has an
-# "owner-aliasname" companion alias, set the envelope
-# sender address to the expansion of the
-# "owner-aliasname" alias.
-#
-# propagate_unmatched_extensions (canonical, virtual)
-# What address lookup tables copy an address exten-
-# sion from the lookup key to the lookup result.
-#
-# owner_request_special (yes)
-# Enable special treatment for owner-listname entries
-# in the aliases(5) file, and don't split owner-list-
-# name and listname-request address localparts when
-# the recipient_delimiter is set to "-".
-#
-# recipient_delimiter (empty)
-# The set of characters that can separate an email
-# address localpart, user name, or a .forward file
-# name from its extension.
-#
-# Available in Postfix version 2.3 and later:
-#
-# frozen_delivered_to (yes)
-# Update the local(8) delivery agent's idea of the
-# Delivered-To: address (see prepend_deliv-
-# ered_header) only once, at the start of a delivery
-# attempt; do not update the Delivered-To: address
-# while expanding aliases or .forward files.
-#
-# STANDARDS
-# RFC 822 (ARPA Internet Text Messages)
-#
-# SEE ALSO
-# local(8), local delivery agent
-# newaliases(1), create/update alias database
-# postalias(1), create/update alias database
-# postconf(5), configuration parameters
-#
-# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
-# tory" to locate this information.
-# DATABASE_README, Postfix lookup table overview
-#
-# LICENSE
-# The Secure Mailer license must be distributed with this
-# software.
-#
-# AUTHOR(S)
-# Wietse Venema
-# IBM T.J. Watson Research
-# P.O. Box 704
-# Yorktown Heights, NY 10598, USA
-#
-# Wietse Venema
-# Google, Inc.
-# 111 8th Avenue
-# New York, NY 10011, USA
-#
-# ALIASES(5)
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
deleted file mode 100644
index 5ca97507..00000000
--- a/etc/postfix/main.cf
+++ /dev/null
@@ -1,748 +0,0 @@
-# edit configs from:
-# https://wiki.archlinux.org/title/Postfix
-# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz
-# https://wiki.archlinux.org/title/OpenDMARC
-# https://wiki.archlinux.org/title/OpenDKIM
-# maybe useful things:
-# `man postconf.5`
-# print config: `postconf`
-# default config: `postconf -d`
-myhostname = mail.flylightning.xyz
-
-# fix "relay access denied" error when receiving emails
-# I choose to follow `man postconf.5` instruction to only add $mydomain
-# emailwiz way add a lot more to mydestination, see:
-# https://github.com/LukeSmithxyz/emailwiz/pull/275
-# https://github.com/LukeSmithxyz/emailwiz/issues/265
-mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
-
-smtp_tls_security_level = may
-smtpd_tls_security_level = may
-smtpd_use_tls = yes
-smtpd_tls_cert_file = /etc/postfix/flylightning.pem
-smtpd_tls_key_file = /etc/postfix/flylightning.key
-
-# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
-# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
-smtpd_sasl_auth_enable = yes
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-
-# NOTE: the trailing slash here, or for any directory name in the home_mailbox
-# command, is necessary as it distinguishes a maildir (which is the actual
-# directory that we want) from a spoolfile (which is what old unix boomers want
-# and no one else).
-home_mailbox = Mail/Inbox/
-
-# https://wiki.archlinux.org/title/OpenDKIM
-non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
-smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
-
-# more emailwiz configs, maybe useful:
-
-# TLS required for authentication.
-#smtpd_tls_auth_only = yes
-
-# Exclude insecure and obsolete encryption protocols.
-#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-
-# helo, sender, relay and recipient restrictions
-#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
-#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
-#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
-#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
-#smtpd_helo_required = yes
-#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
-
-# Global Postfix configuration file. This file lists only a subset
-# of all parameters. For the syntax, and for a complete parameter
-# list, see the postconf(5) manual page (command: "man 5 postconf").
-#
-# TIP: use the command "postconf -n" to view main.cf parameter
-# settings, "postconf parametername" to view a specific parameter,
-# and "postconf 'parametername=value'" to set a specific parameter.
-#
-# For common configuration examples, see BASIC_CONFIGURATION_README
-# and STANDARD_CONFIGURATION_README. To find these documents, use
-# the command "postconf html_directory readme_directory", or go to
-# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
-#
-# For best results, change no more than 2-3 parameters at a time,
-# and test if Postfix still works after every change.
-
-# COMPATIBILITY
-#
-# The compatibility_level determines what default settings Postfix
-# will use for main.cf and master.cf settings. These defaults will
-# change over time.
-#
-# To avoid breaking things, Postfix will use backwards-compatible
-# default settings and log where it uses those old backwards-compatible
-# default settings, until the system administrator has determined
-# if any backwards-compatible default settings need to be made
-# permanent in main.cf or master.cf.
-#
-# When this review is complete, update the compatibility_level setting
-# below as recommended in the RELEASE_NOTES file.
-#
-# The level below is what should be used with new (not upgrade) installs.
-#
-compatibility_level = 3.9
-
-# SOFT BOUNCE
-#
-# The soft_bounce parameter provides a limited safety net for
-# testing. When soft_bounce is enabled, mail will remain queued that
-# would otherwise bounce. This parameter disables locally-generated
-# bounces, and prevents the SMTP server from rejecting mail permanently
-# (by changing 5xx replies into 4xx replies). However, soft_bounce
-# is no cure for address rewriting mistakes or mail routing mistakes.
-#
-#soft_bounce = no
-
-# LOCAL PATHNAME INFORMATION
-#
-# The queue_directory specifies the location of the Postfix queue.
-# This is also the root directory of Postfix daemons that run chrooted.
-# See the files in examples/chroot-setup for setting up Postfix chroot
-# environments on different UNIX systems.
-#
-queue_directory = /var/spool/postfix
-
-# The command_directory parameter specifies the location of all
-# postXXX commands.
-#
-command_directory = /usr/bin
-
-# The daemon_directory parameter specifies the location of all Postfix
-# daemon programs (i.e. programs listed in the master.cf file). This
-# directory must be owned by root.
-#
-daemon_directory = /usr/lib/postfix/bin
-
-# The data_directory parameter specifies the location of Postfix-writable
-# data files (caches, random numbers). This directory must be owned
-# by the mail_owner account (see below).
-#
-data_directory = /var/lib/postfix
-
-# QUEUE AND PROCESS OWNERSHIP
-#
-# The mail_owner parameter specifies the owner of the Postfix queue
-# and of most Postfix daemon processes. Specify the name of a user
-# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
-# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
-# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
-# USER.
-#
-mail_owner = postfix
-
-# The default_privs parameter specifies the default rights used by
-# the local delivery agent for delivery to external file or command.
-# These rights are used in the absence of a recipient user context.
-# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
-#
-#default_privs = nobody
-
-# INTERNET HOST AND DOMAIN NAMES
-#
-# The myhostname parameter specifies the internet hostname of this
-# mail system. The default is to use the fully-qualified domain name
-# from gethostname(). $myhostname is used as a default value for many
-# other configuration parameters.
-#
-#myhostname = host.domain.tld
-#myhostname = virtual.domain.tld
-
-# The mydomain parameter specifies the local internet domain name.
-# The default is to use $myhostname minus the first component.
-# $mydomain is used as a default value for many other configuration
-# parameters.
-#
-#mydomain = domain.tld
-
-# SENDING MAIL
-#
-# The myorigin parameter specifies the domain that locally-posted
-# mail appears to come from. The default is to append $myhostname,
-# which is fine for small sites. If you run a domain with multiple
-# machines, you should (1) change this to $mydomain and (2) set up
-# a domain-wide alias database that aliases each user to
-# user@that.users.mailhost.
-#
-# For the sake of consistency between sender and recipient addresses,
-# myorigin also specifies the default domain name that is appended
-# to recipient addresses that have no @domain part.
-#
-#myorigin = $myhostname
-#myorigin = $mydomain
-
-# RECEIVING MAIL
-
-# The inet_interfaces parameter specifies the network interface
-# addresses that this mail system receives mail on. By default,
-# the software claims all active interfaces on the machine. The
-# parameter also controls delivery of mail to user@[ip.address].
-#
-# See also the proxy_interfaces parameter, for network addresses that
-# are forwarded to us via a proxy or network address translator.
-#
-# Note: you need to stop/start Postfix when this parameter changes.
-#
-#inet_interfaces = all
-#inet_interfaces = $myhostname
-#inet_interfaces = $myhostname, localhost
-
-# The proxy_interfaces parameter specifies the network interface
-# addresses that this mail system receives mail on by way of a
-# proxy or network address translation unit. This setting extends
-# the address list specified with the inet_interfaces parameter.
-#
-# You must specify your proxy/NAT addresses when your system is a
-# backup MX host for other domains, otherwise mail delivery loops
-# will happen when the primary MX host is down.
-#
-#proxy_interfaces =
-#proxy_interfaces = 1.2.3.4
-
-# The mydestination parameter specifies the list of domains that this
-# machine considers itself the final destination for.
-#
-# These domains are routed to the delivery agent specified with the
-# local_transport parameter setting. By default, that is the UNIX
-# compatible delivery agent that lookups all recipients in /etc/passwd
-# and /etc/aliases or their equivalent.
-#
-# The default is $myhostname + localhost.$mydomain + localhost. On
-# a mail domain gateway, you should also include $mydomain.
-#
-# Do not specify the names of virtual domains - those domains are
-# specified elsewhere (see VIRTUAL_README).
-#
-# Do not specify the names of domains that this machine is backup MX
-# host for.
Specify those names via the relay_domains settings for -# the SMTP server, or use permit_mx_backup if you are lazy (see -# STANDARD_CONFIGURATION_README). -# -# The local machine is always the final destination for mail addressed -# to user@[the.net.work.address] of an interface that the mail system -# receives mail on (see the inet_interfaces parameter). -# -# Specify a list of host or domain names, /file/name or type:table -# patterns, separated by commas and/or whitespace. A /file/name -# pattern is replaced by its contents; a type:table is matched when -# a name matches a lookup key (the right-hand side is ignored). -# Continue long lines by starting the next line with whitespace. -# -# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". -# -#mydestination = $myhostname, localhost.$mydomain, localhost -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, -# mail.$mydomain, www.$mydomain, ftp.$mydomain - -# REJECTING MAIL FOR UNKNOWN LOCAL USERS -# -# The local_recipient_maps parameter specifies optional lookup tables -# with all names or addresses of users that are local with respect -# to $mydestination, $inet_interfaces or $proxy_interfaces. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown local users. This parameter is defined by default. -# -# To turn off local recipient checking in the SMTP server, specify -# local_recipient_maps = (i.e. empty). -# -# The default setting assumes that you use the default Postfix local -# delivery agent for local delivery. You need to update the -# local_recipient_maps setting if: -# -# - You define $mydestination domain recipients in files other than -# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in -# the $virtual_mailbox_maps files. -# -# - You redefine the local delivery agent in master.cf. 
-# -# - You redefine the "local_transport" setting in main.cf. -# -# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" -# feature of the Postfix local delivery agent (see local(8)). -# -# Details are described in the LOCAL_RECIPIENT_README file. -# -# Beware: if the Postfix SMTP server runs chrooted, you probably have -# to access the passwd file via the proxymap service, in order to -# overcome chroot restrictions. The alternative, having a copy of -# the system passwd file in the chroot jail is just not practical. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify a bare username, an @domain.tld -# wild-card, or specify a user@domain.tld address. -# -#local_recipient_maps = unix:passwd.byname $alias_maps -#local_recipient_maps = proxy:unix:passwd.byname $alias_maps -#local_recipient_maps = - -# The unknown_local_recipient_reject_code specifies the SMTP server -# response code when a recipient domain matches $mydestination or -# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty -# and the recipient address or address local-part is not found. -# -# The default setting is 550 (reject mail) but it is safer to start -# with 450 (try again later) until you are certain that your -# local_recipient_maps settings are OK. -# -unknown_local_recipient_reject_code = 550 - -# TRUST AND RELAY CONTROL - -# The mynetworks parameter specifies the list of "trusted" SMTP -# clients that have more privileges than "strangers". -# -# In particular, "trusted" SMTP clients are allowed to relay mail -# through Postfix. See the smtpd_recipient_restrictions parameter -# in postconf(5). -# -# You can specify the list of "trusted" network addresses by hand -# or you can let Postfix do it for you (which is the default). -# -# By default (mynetworks_style = host), Postfix "trusts" only -# the local machine. 
-# -# Specify "mynetworks_style = subnet" when Postfix should "trust" -# SMTP clients in the same IP subnetworks as the local machine. -# On Linux, this works correctly only with interfaces specified -# with the "ifconfig" or "ip" command. -# -# Specify "mynetworks_style = class" when Postfix should "trust" SMTP -# clients in the same IP class A/B/C networks as the local machine. -# Don't do this with a dialup site - it would cause Postfix to "trust" -# your entire provider's network. Instead, specify an explicit -# mynetworks list by hand, as described below. -# -# Specify "mynetworks_style = host" when Postfix should "trust" -# only the local machine. -# -#mynetworks_style = class -#mynetworks_style = subnet -#mynetworks_style = host - -# Alternatively, you can specify the mynetworks list by hand, in -# which case Postfix ignores the mynetworks_style setting. -# -# Specify an explicit list of network/netmask patterns, where the -# mask specifies the number of bits in the network part of a host -# address. -# -# You can also specify the absolute pathname of a pattern file instead -# of listing the patterns here. Specify type:table for table-based lookups -# (the value on the table right-hand side is not used). -# -#mynetworks = 168.100.3.0/28, 127.0.0.0/8 -#mynetworks = $config_directory/mynetworks -#mynetworks = hash:/etc/postfix/network_table - -# The relay_domains parameter restricts what destinations this system will -# relay mail to. See the smtpd_relay_restrictions and -# smtpd_recipient_restrictions descriptions in postconf(5) for detailed -# information. -# -# By default, Postfix relays mail -# - from "trusted" clients (IP address matches $mynetworks, or is -# SASL authenticated) to any destination, -# - from "untrusted" clients to destinations that match $relay_domains or -# subdomains thereof, except addresses with sender-specified routing. -# The default relay_domains value is empty. 
-# -# In addition to the above, the Postfix SMTP server by default accepts mail -# that Postfix is final destination for: -# - destinations that match $inet_interfaces or $proxy_interfaces, -# - destinations that match $mydestination -# - destinations that match $virtual_alias_domains, -# - destinations that match $virtual_mailbox_domains. -# These destinations do not need to be listed in $relay_domains. -# -# Specify a list of hosts or domains, /file/name patterns or type:name -# lookup tables, separated by commas and/or whitespace. Continue -# long lines by starting the next line with whitespace. A file name -# is replaced by its contents; a type:name table is matched when a -# (parent) domain appears as lookup key. -# -# NOTE: Postfix will not automatically forward mail for domains that -# list this system as their primary or backup MX host. See the -# permit_mx_backup restriction description in postconf(5). -# -#relay_domains = - -# INTERNET OR INTRANET - -# The relayhost parameter specifies the default host to send mail to -# when no entry is matched in the optional transport(5) table. When -# no relayhost is given, mail is routed directly to the destination. -# -# On an intranet, specify the organizational domain name. If your -# internal DNS uses no MX records, specify the name of the intranet -# gateway host instead. -# -# In the case of SMTP, specify a domain, host, host:port, [host]:port, -# [address] or [address]:port; the form [host] turns off MX lookups. -# -# If you're connected via UUCP, see also the default_transport parameter. -# -#relayhost = $mydomain -#relayhost = [gateway.my.domain] -#relayhost = [mailserver.isp.tld] -#relayhost = uucphost -#relayhost = [an.ip.add.ress] - -# REJECTING UNKNOWN RELAY USERS -# -# The relay_recipient_maps parameter specifies optional lookup tables -# with all addresses in the domains that match $relay_domains. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown relay users. 
This feature is off by default. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify an @domain.tld wild-card, or specify -# a user@domain.tld address. -# -#relay_recipient_maps = hash:/etc/postfix/relay_recipients - -# INPUT RATE CONTROL -# -# The in_flow_delay configuration parameter implements mail input -# flow control. This feature is turned on by default, although it -# still needs further development (it's disabled on SCO UNIX due -# to an SCO bug). -# -# A Postfix process will pause for $in_flow_delay seconds before -# accepting a new message, when the message arrival rate exceeds the -# message delivery rate. With the default 100 SMTP server process -# limit, this limits the mail inflow to 100 messages a second more -# than the number of messages delivered per second. -# -# Specify 0 to disable the feature. Valid delays are 0..10. -# -#in_flow_delay = 1s - -# ADDRESS REWRITING -# -# The ADDRESS_REWRITING_README document gives information about -# address masquerading or other forms of address rewriting including -# username->Firstname.Lastname mapping. - -# ADDRESS REDIRECTION (VIRTUAL DOMAIN) -# -# The VIRTUAL_README document gives information about the many forms -# of domain hosting that Postfix supports. - -# "USER HAS MOVED" BOUNCE MESSAGES -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# TRANSPORT MAP -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# ALIAS DATABASE -# -# The alias_maps parameter specifies the list of alias databases used -# by the local delivery agent. The default list is system dependent. -# -# On systems with NIS, the default is to search the local alias -# database, then the NIS alias database. See aliases(5) for syntax -# details. -# -# If you change the alias database, run "postalias /etc/aliases" (or -# wherever your system stores the mail alias file), or simply run -# "newaliases" to build the necessary DBM or DB file. 
-# -# It will take a minute or so before changes become visible. Use -# "postfix reload" to eliminate the delay. -# -#alias_maps = dbm:/etc/aliases -#alias_maps = hash:/etc/aliases -#alias_maps = hash:/etc/aliases, nis:mail.aliases -#alias_maps = netinfo:/aliases -alias_maps = lmdb:/etc/postfix/aliases - -# The alias_database parameter specifies the alias database(s) that -# are built with "newaliases" or "sendmail -bi". This is a separate -# configuration parameter, because alias_maps (see above) may specify -# tables that are not necessarily all under control by Postfix. -# -#alias_database = dbm:/etc/aliases -#alias_database = dbm:/etc/mail/aliases -#alias_database = hash:/etc/aliases -#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases -alias_database = $alias_maps - -# ADDRESS EXTENSIONS (e.g., user+foo) -# -# The recipient_delimiter parameter specifies the separator between -# user names and address extensions (user+foo). See canonical(5), -# local(8), relocated(5) and virtual(5) for the effects this has on -# aliases, canonical, virtual, relocated and .forward file lookups. -# Basically, the software tries user+foo and .forward+foo before -# trying user and .forward. -# -#recipient_delimiter = + - -# DELIVERY TO MAILBOX -# -# The home_mailbox parameter specifies the optional pathname of a -# mailbox file relative to a user's home directory. The default -# mailbox file is /var/spool/mail/user or /var/mail/user. Specify -# "Maildir/" for qmail-style delivery (the / is required). -# -#home_mailbox = Mailbox -#home_mailbox = Maildir/ - -# The mail_spool_directory parameter specifies the directory where -# UNIX-style mailboxes are kept. The default setting depends on the -# system type. -# -#mail_spool_directory = /var/mail -#mail_spool_directory = /var/spool/mail - -# The mailbox_command parameter specifies the optional external -# command to use instead of mailbox delivery. 
The command is run as -# the recipient with proper HOME, SHELL and LOGNAME environment settings. -# Exception: delivery for root is done as $default_privs. -# -# Other environment variables of interest: USER (recipient username), -# EXTENSION (address extension), DOMAIN (domain part of address), -# and LOCAL (the address localpart). -# -# Unlike other Postfix configuration parameters, the mailbox_command -# parameter is not subjected to $parameter substitutions. This is to -# make it easier to specify shell syntax (see example below). -# -# Avoid shell meta characters because they will force Postfix to run -# an expensive shell process. Procmail alone is expensive enough. -# -# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN -# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. -# -#mailbox_command = /some/where/procmail -#mailbox_command = /some/where/procmail -a "$EXTENSION" - -# The mailbox_transport specifies the optional transport in master.cf -# to use after processing aliases and .forward files. This parameter -# has precedence over the mailbox_command, fallback_transport and -# luser_relay parameters. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" -# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. -#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp -# -# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and -# subsequent line in master.cf. 
-#mailbox_transport = cyrus - -# The fallback_transport specifies the optional transport in master.cf -# to use for recipients that are not found in the UNIX passwd database. -# This parameter has precedence over the luser_relay parameter. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#fallback_transport = lmtp:unix:/file/name -#fallback_transport = cyrus -#fallback_transport = - -# The luser_relay parameter specifies an optional destination address -# for unknown recipients. By default, mail for unknown@$mydestination, -# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned -# as undeliverable. -# -# The following expansions are done on luser_relay: $user (recipient -# username), $shell (recipient shell), $home (recipient home directory), -# $recipient (full recipient address), $extension (recipient address -# extension), $domain (recipient domain), $local (entire recipient -# localpart), $recipient_delimiter. Specify ${name?value} or -# ${name:value} to expand value only when $name does (does not) exist. -# -# luser_relay works only for the default Postfix local delivery agent. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". 
-# -#luser_relay = $user@other.host -#luser_relay = $local@other.host -#luser_relay = admin+$local - -# JUNK MAIL CONTROLS -# -# The controls listed here are only a very small subset. The file -# SMTPD_ACCESS_README provides an overview. - -# The header_checks parameter specifies an optional table with patterns -# that each logical message header is matched against, including -# headers that span multiple physical lines. -# -# By default, these patterns also apply to MIME headers and to the -# headers of attached messages. With older Postfix versions, MIME and -# attached message headers were treated as body text. -# -# For details, see "man header_checks". -# -#header_checks = regexp:/etc/postfix/header_checks - -# FAST ETRN SERVICE -# -# Postfix maintains per-destination logfiles with information about -# deferred mail, so that mail can be flushed quickly with the SMTP -# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". -# See the ETRN_README document for a detailed description. -# -# The fast_flush_domains parameter controls what destinations are -# eligible for this service. By default, they are all domains that -# this server is willing to relay mail to. -# -#fast_flush_domains = $relay_domains - -# SHOW SOFTWARE VERSION OR NOT -# -# The smtpd_banner parameter specifies the text that follows the 220 -# code in the SMTP server's greeting banner. Some people like to see -# the mail version advertised. By default, Postfix shows no version. -# -# You MUST specify $myhostname at the start of the text. That is an -# RFC requirement. Postfix itself does not care. -# -#smtpd_banner = $myhostname ESMTP $mail_name -#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) - -# PARALLEL DELIVERY TO THE SAME DESTINATION -# -# How many parallel deliveries to the same user or domain? 
With local -# delivery, it does not make sense to do massively parallel delivery -# to the same user, because mailbox updates must happen sequentially, -# and expensive pipelines in .forward files can cause disasters when -# too many are run at the same time. With SMTP deliveries, 10 -# simultaneous connections to the same domain could be sufficient to -# raise eyebrows. -# -# Each message delivery transport has its XXX_destination_concurrency_limit -# parameter. The default is $default_destination_concurrency_limit for -# most delivery transports. For the local delivery agent the default is 2. - -#local_destination_concurrency_limit = 2 -#default_destination_concurrency_limit = 20 - -# DEBUGGING CONTROL -# -# The debug_peer_level parameter specifies the increment in verbose -# logging level when an SMTP client or server host name or address -# matches a pattern in the debug_peer_list parameter. -# -debug_peer_level = 2 - -# The debug_peer_list parameter specifies an optional list of domain -# or network patterns, /file/name patterns or type:name tables. When -# an SMTP client or server host name or address matches a pattern, -# increase the verbose logging level by the amount specified in the -# debug_peer_level parameter. -# -#debug_peer_list = 127.0.0.1 -#debug_peer_list = some.domain - -# The debugger_command specifies the external command that is executed -# when a Postfix daemon program is run with the -D option. -# -# Use "command .. & sleep 5" so that the debugger can attach before -# the process marches on. If you use an X-based debugger, be sure to -# set up your XAUTHORITY environment variable before starting Postfix. -# -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - ddd $daemon_directory/$process_name $process_id & sleep 5 - -# If you can't use X, use this to capture the call stack when a -# daemon crashes. The result is in a file in the configuration -# directory, and is named after the process name and the process ID. 
-# -# debugger_command = -# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; -# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 -# >$config_directory/$process_name.$process_id.log & sleep 5 -# -# Another possibility is to run gdb under a detached screen session. -# To attach to the screen session, su root and run "screen -r -# <id_string>" where <id_string> uniquely matches one of the detached -# sessions (from "screen -list"). -# -# debugger_command = -# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen -# -dmS $process_name gdb $daemon_directory/$process_name -# $process_id & sleep 1 - -# INSTALL-TIME CONFIGURATION INFORMATION -# -# The following parameters are used when installing a new Postfix version. -# -# sendmail_path: The full pathname of the Postfix sendmail command. -# This is the Sendmail-compatible mail posting interface. -# -sendmail_path = /usr/bin/sendmail - -# newaliases_path: The full pathname of the Postfix newaliases command. -# This is the Sendmail-compatible command to build alias databases. -# -newaliases_path = /usr/bin/newaliases - -# mailq_path: The full pathname of the Postfix mailq command. This -# is the Sendmail-compatible mail queue listing command. -# -mailq_path = /usr/bin/mailq - -# setgid_group: The group for mail submission and queue management -# commands. This must be a group name with a numerical group ID that -# is not shared with other accounts, not even with the Postfix account. -# -setgid_group = postdrop - -# html_directory: The location of the Postfix HTML documentation. -# -html_directory = no - -# manpage_directory: The location of the Postfix on-line manual pages. -# -manpage_directory = /usr/share/man - -# sample_directory: The location of the Postfix sample configuration files. -# This parameter is obsolete as of Postfix 2.1. -# -sample_directory = /etc/postfix - -# readme_directory: The location of the Postfix README files. 
-# -readme_directory = /usr/share/doc/postfix -inet_protocols = ipv4 -meta_directory = /etc/postfix -shlib_directory = /usr/lib/postfix diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf deleted file mode 100644 index 7ce6e816..00000000 --- a/etc/postfix/master.cf +++ /dev/null 
@@ -1,150 +0,0 @@ -# I follow these guides: -# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving) - -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master" or -# on-line: http://www.postfix.org/master.5.html). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (no) (never) (100) -# ========================================================================== -smtp inet n - n - - smtpd -#smtp inet n - n - 1 postscreen -#smtpd pass - - n - - smtpd -#dnsblog unix - - n - 0 dnsblog -#tlsproxy unix - - n - 0 tlsproxy -# Choose one: enable submission for loopback clients only, or for any client. -#127.0.0.1:submission inet n - n - - smtpd -submission inet n - n - - smtpd - -o syslog_name=postfix/submission - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_tls_auth_only=yes -# -o local_header_rewrite_clients=static:all - -o smtpd_reject_unlisted_recipient=no -# Instead of specifying complex smtpd_<xxx>_restrictions here, -# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions" -# here, and specify mua_<xxx>_restrictions in main.cf (where -# "<xxx>" is "client", "helo", "sender", "relay", or "recipient"). -# -o smtpd_client_restrictions= -# -o smtpd_helo_restrictions= -# -o smtpd_sender_restrictions= - -o smtpd_relay_restrictions= - -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -# Choose one: enable submissions for loopback clients only, or for any client. 
-#127.0.0.1:submissions inet n - n - - smtpd -submissions inet n - n - - smtpd - -o syslog_name=postfix/submissions - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes -# -o local_header_rewrite_clients=static:all - -o smtpd_reject_unlisted_recipient=no -# Instead of specifying complex smtpd_<xxx>_restrictions here, -# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions" -# here, and specify mua_<xxx>_restrictions in main.cf (where -# "<xxx>" is "client", "helo", "sender", "relay", or "recipient"). -# -o smtpd_client_restrictions= -# -o smtpd_helo_restrictions= -# -o smtpd_sender_restrictions= - -o smtpd_relay_restrictions= - -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -#628 inet n - n - - qmqpd -pickup unix n - n 60 1 pickup -cleanup unix n - n - 0 cleanup -qmgr unix n - n 300 1 qmgr -#qmgr unix n - n 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -smtp unix - - n - - smtp -relay unix - - n - - smtp - -o syslog_name=postfix/$service_name -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -retry unix - - n - - error -discard unix - - n - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil -scache unix - - n - 1 scache -postlog unix-dgram n - n - 1 postlogd -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. 
See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -#maildrop unix - n n - - pipe -# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# Recent Cyrus versions can use the existing "lmtp" master.cf entry. -# -# Specify in cyrus.conf: -# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 -# -# Specify in main.cf one or more of the following: -# mailbox_transport = lmtp:inet:localhost -# virtual_transport = lmtp:inet:localhost -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# -# Old example of delivery via Cyrus. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -#uucp unix - n n - - pipe -# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# ==================================================================== -# -# Other external delivery methods. -# -#ifmail unix - n n - - pipe -# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -# -#bsmtp unix - n n - - pipe -# flags=Fq. 
user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-#
-#scalemail-backend unix - n n - 2 pipe
-# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
-# ${nexthop} ${user} ${extension}
-#
-#mailman unix - n n - - pipe
-# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
-# ${nexthop} ${user}
diff --git a/etc/services b/etc/services
index aa270681..91a89df2 100644
--- a/etc/services
+++ b/etc/services
@@ -11510,5 +11510,7 @@ inspider 49150/tcp
 # my services
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
+wireguard 49432/udp
 ssh-isp 49812/tcp
 iperf3 53497/tcp
+swgp 54635/udp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 00000000..b9677c02
--- /dev/null
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,7 @@
+# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
+# ka seems has this as default, maybe arch linux cloud-init image has this as default?
+# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
+# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
+# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
deleted file mode 100644
index 1bc579b9..00000000
--- a/etc/systemd/network/10-cloud-init-eth0.network
+++ /dev/null
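Review bot: The two new entries, `wireguard 49432/udp` and `swgp 54635/udp`, sit inside Linux's default ephemeral port range (32768–60999), as do the existing `ssh-isp` and `iperf3` lines, so the kernel may hand one of these numbers to an outgoing socket before the listener binds, and the service would then fail to start. If these are listening ports, reserving them keeps them out of automatic assignment, for example `net.ipv4.ip_local_reserved_ports = 49432,49812,53497,54635` in the sysctl file this commit adds. This file only maps names to numbers; whichever rule set refers to the names is not visible in this hunk.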
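Review bot: `net.ipv4.ip_forward = 1` and `net.ipv6.conf.all.forwarding = 1` make the host route packets between all of its interfaces, and nothing in this new file records which firewall rule is meant to limit what gets forwarded. The nftables.conf change in the same commit is outside this view, so confirm that its forward chain has a drop policy and accepts only the WireGuard interface's traffic. The file's own comment says only the IPv4 setting is known to be required; if the tunnel carries no IPv6, leave the second line out, since enabling IPv6 forwarding also makes the kernel ignore router advertisements on interfaces left at `accept_ra = 1`. I would add above the two settings: `# forwarding is enabled for the WireGuard tunnel only; the nftables forward chain must default-drop everything else`.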
@@ -1,28 +0,0 @@
-# not fully understood
-# https://unix.stackexchange.com/q/509430/
-# man `systemd.network`
-# https://superuser.com/q/1562380
-# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html
-
-[Match]
-Name=eth0
-
-[Address]
-Address=38.175.201.185/22
-
-[Address]
-Address=2606:a8c0:3::75f/128
-
-[Address]
-# ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
-Address=2606:a8c0:3:773::a/64
-# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
-#Address=2606:a8c0:3:773::a/48
-
-[Route]
-Gateway=38.175.200.1
-
-[Route]
-Gateway=2606:a8c0:3::1
-# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419
-GatewayOnLink=yes
diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network
new file mode 100644
index 00000000..c20fc696
--- /dev/null
+++ b/etc/systemd/network/default.network
@@ -0,0 +1,6 @@
+[Match]
+Name=eth0
+
+[Network]
+Gateway=172.22.255.253
+Address=172.22.246.184/20
diff --git a/etc/systemd/system/acme.sh.service.d/override.conf b/etc/systemd/system/acme.sh.service.d/override.conf
deleted file mode 100644
index 722f60a6..00000000
--- a/etc/systemd/system/acme.sh.service.d/override.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix
diff --git a/etc/systemd/system/opendmarc.service.d/override.conf b/etc/systemd/system/opendmarc.service.d/override.conf
deleted file mode 100644
index 40ab443c..00000000
--- a/etc/systemd/system/opendmarc.service.d/override.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# https://wiki.archlinux.org/title/OpenDMARC
-[Service]
-Group=
-Group=postfix
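Review bot: The new `default.network` has no numeric prefix, and systemd-networkd applies only the first `.network` file, in alphanumeric order, that matches an interface. The file removed in this commit was named `10-cloud-init-eth0.network`; if cloud-init on this host writes a file of that name again, it would sort first and this static `eth0` configuration would be ignored without any error. Whether cloud-init is active here cannot be seen from the diff. A name that sorts ahead, for example `05-eth0.network`, avoids the ambiguity. The removed file explained its address choices, and the new one would benefit from a one-line comment saying where the `Gateway=` and `Address=` values come from.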
diff --git a/etc/tmpfiles.d/opendmarc.conf b/etc/tmpfiles.d/opendmarc.conf
deleted file mode 100644
index 126d2922..00000000
--- a/etc/tmpfiles.d/opendmarc.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /run/opendmarc 0750 opendmarc postfix |