Diffstat (limited to 'etc')
-rw-r--r--etc/dovecot/conf.d/10-mail.conf2
-rw-r--r--etc/dovecot/conf.d/10-master.conf12
-rw-r--r--etc/dovecot/conf.d/10-ssl.conf8
-rw-r--r--etc/nftables.conf16
-rw-r--r--etc/opendkim/opendkim.conf14
-rw-r--r--etc/opendmarc/opendmarc.conf3
-rw-r--r--etc/postfix/main.cf59
-rw-r--r--etc/postfix/master.cf37
8 files changed, 110 insertions, 41 deletions
diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
index de48f92d..49e70cb9 100644
--- a/etc/dovecot/conf.d/10-mail.conf
+++ b/etc/dovecot/conf.d/10-mail.conf
@@ -27,7 +27,7 @@
#
# <doc/wiki/MailLocation.txt>
#
-#mail_location =
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf
index 64fa0f2c..fb03c64c 100644
--- a/etc/dovecot/conf.d/10-master.conf
+++ b/etc/dovecot/conf.d/10-master.conf
@@ -100,16 +100,18 @@ service auth {
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
- unix_listener auth-userdb {
+ #unix_listener auth-userdb {
#mode = 0666
#user =
#group =
- }
+ #}
# Postfix smtp-auth
- #unix_listener /var/spool/postfix/private/auth {
- # mode = 0666
- #}
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0666
+ user = postfix
+ group = postfix
+ }
# Auth process is run as this user.
#user = $default_internal_user
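Review bot: `mode = 0666` on the new `/var/spool/postfix/private/auth` listener is wider than it needs to be now that `user = postfix` and `group = postfix` are set on the same listener; `mode = 0660` gives Postfix's smtpd everything it needs and stops any other local account from driving the SASL socket for password guessing. The 0666 in Dovecot's shipped example is only safe because Postfix's `private/` directory is 0700 and postfix-owned, which holds on a stock install but is one stray `chmod` away from not holding. Commenting out the `auth-userdb` listener above is fine as long as no LDA/LMTP delivery path on this host depends on it; that cannot be confirmed from this diff.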
diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf
index ad847664..b9c2263e 100644
--- a/etc/dovecot/conf.d/10-ssl.conf
+++ b/etc/dovecot/conf.d/10-ssl.conf
@@ -3,14 +3,14 @@
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/dovecot.pem
-ssl_key = </etc/ssl/private/dovecot.pem
+ssl_cert = </etc/postfix/flylightning.pem
+ssl_key = </etc/postfix/flylightning.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
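Review bot: `ssl_key` now points at `/etc/postfix/flylightning.key`, the same file this commit also hands to Postfix, so one key's permissions are now two daemons' problem; per the comment a few lines above it should remain root-owned and mode 0600, and neither daemon needs group access because both open the key before dropping privileges. If `flylightning.pem` holds only the leaf certificate rather than the full chain, IMAP/POP3 clients will fail validation the same way SMTP clients would — worth confirming what acme.sh was asked to write there. With `ssl = required` set above, a missing or unreadable key no longer degrades to plaintext; Dovecot will refuse to start, so check `doveconf -n` before the restart.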
@@ -51,7 +51,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
-#ssl_dh = </etc/dovecot/dh.pem
+ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
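Review bot: Enabling `ssl_dh` makes `/etc/dovecot/dh.pem` a start-up dependency and nothing in this commit shows it being generated; run the `openssl dhparam` command quoted in the comment above before restarting or Dovecot will fail on startup. While in this file, pin the floor explicitly with `ssl_min_protocol = TLSv1.2` (the setting described by the comment that closes this hunk) rather than relying on the build default, which on older Dovecot releases still admits TLSv1/1.1; the actual `ssl_min_protocol` line lies past the end of this hunk.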
diff --git a/etc/nftables.conf b/etc/nftables.conf
index bd943c12..c4ca7f45 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -33,12 +33,16 @@ table inet my_table {
#udp dport qbt accept
#tcp dport iperf3 accept
udp dport wireguard accept
- # email ports
- #tcp dport smtp accept
- #udp dport smtp accept
- # other email ports? seems blocked by crunchbits
- #tcp dport 465 accept
- #tcp dport 587 accept
+ # for acme.sh standalone mode builtin webserver to renew ssl cert
+ tcp dport http accept
+ # email related ports
+ tcp dport smtp accept
+ tcp dport pop3 accept
+ tcp dport imap accept
+ tcp dport submissions accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport pop3s accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
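Review bot: `tcp dport http accept` opens port 80 permanently for a web server that, per the comment, only runs during acme.sh renewals; a tighter pattern is to add the rule from an acme.sh `--pre-hook` and delete it in the `--post-hook`, or at minimum subject it to the same rate limit the `reject` rule below applies to everything else. The cleartext `pop3` and `imap` ports (110/143) are also newly exposed; with Dovecot's `ssl = required` from this commit they only permit STARTTLS before login, but if every client already uses `imaps`/`pop3s` they can simply be left closed. Grouping the mail ports as a set, `tcp dport { smtp, submission, submissions, imap, imaps, pop3, pop3s } accept`, makes the exposed surface easier to audit than seven separate rules.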
diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf
index fa3559a3..373c7213 100644
--- a/etc/opendkim/opendkim.conf
+++ b/etc/opendkim/opendkim.conf
@@ -127,7 +127,7 @@
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed".
-# Canonicalization simple/simple
+Canonicalization relaxed/simple
## ClockDrift n
## default 300
@@ -160,7 +160,7 @@
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.
-Domain example.com
+Domain flylightning.xyz
## DomainKeysCompat { yes | no }
## default "no"
@@ -245,7 +245,7 @@ Domain example.com
## SigningTable and KeyTable are used. No default; must be specified for
## signing if SigningTable/KeyTable are not in use.
-KeyFile /var/db/dkim/example.private
+KeyFile /etc/opendkim/mail.private
## KeyTable dataset
## default (none)
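Review bot: `KeyFile /etc/opendkim/mail.private` is read after the daemon switches to `UserID opendkim` (set later in this same patch), so the private key must be owned by `opendkim` and mode 0600 — neither world-readable nor root-only, or signing will stop with a key-load error in syslog. Any copy left at the old `/var/db/dkim/` path should be removed so only one signing key exists on the host. The public half is expected under `mail._domainkey.flylightning.xyz` given the `Selector mail` and `Domain` changes in this file; that record is outside the repo, so verify it with `opendkim-testkey -d flylightning.xyz -s mail -vvv` after deploying.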
@@ -570,7 +570,7 @@ KeyFile /var/db/dkim/example.private
## The name of the selector to use when signing. No default; must be
## specified for signing.
-Selector my-selector-name
+Selector mail
## SenderHeaders dataset
## default (none)
@@ -658,7 +658,7 @@ Selector my-selector-name
## inet:port to listen on all interfaces
## local:/path/to/socket to listen on a UNIX domain socket
-Socket inet:port@localhost
+Socket local:/run/opendkim/opendkim.sock
## SoftwareHeader { yes | no }
## default "no"
@@ -758,7 +758,7 @@ Syslog Yes
## The system has its own default which will be used (usually 022).
## See the umask(2) man page for more information.
-# UMask 022
+UMask 002
## Userid userid
## default (none)
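Review bot: `UMask 002` is what lets the Postfix user reach the new `local:/run/opendkim/opendkim.sock` — the socket is created group-writable (0777 masked to 0775) — but that only works if `postfix` has been added to the `opendkim` group, which this commit does not show; without it Postfix logs a milter connect failure and, with the default `milter_default_action`, defers mail. The umask also governs every other file opendkim creates (PID file, temp files), so group-writable is as wide as this should go; resist widening it to `000` to paper over the connect error. If the group membership is unwanted, the alternative is the `inet:` localhost socket the removed `Socket` line used.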
@@ -766,4 +766,4 @@ Syslog Yes
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.
-# UserID userid
+UserID opendkim
diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf
index 84ea1a83..f8d8120c 100644
--- a/etc/opendmarc/opendmarc.conf
+++ b/etc/opendmarc/opendmarc.conf
@@ -286,7 +286,8 @@ IgnoreAuthenticatedClients true
## address is used, it must be enclosed in square brackets.
#
# Socket inet:8893@localhost
-Socket unix:/var/spool/opendmarc/opendmarc.sock
+#Socket unix:/var/spool/opendmarc/opendmarc.sock
+Socket unix:/run/opendmarc/opendmarc.sock
## SoftwareHeader { true | false }
## default "false"
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index 1d93a701..0c36d421 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -1,3 +1,62 @@
+# edit configs from:
+# https://wiki.archlinux.org/title/Postfix
+# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz
+# https://wiki.archlinux.org/title/OpenDMARC
+# https://wiki.archlinux.org/title/OpenDKIM
+# maybe useful things:
+# `man postconf.5`
+# print config: `postconf`
+# default config: `postconf -d`
+myhostname = mail.flylightning.xyz
+
+# fix "relay access denied" error when receiving emails
+# I choose to follow `man postconf.5` instruction to only add $mydomain
+# emailwiz way add a lot more to mydestination, see:
+# https://github.com/LukeSmithxyz/emailwiz/pull/275
+# https://github.com/LukeSmithxyz/emailwiz/issues/265
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /etc/postfix/flylightning.pem
+smtpd_tls_key_file = /etc/postfix/flylightning.key
+
+# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
+# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# NOTE: the trailing slash here, or for any directory name in the home_mailbox
+# command, is necessary as it distinguishes a maildir (which is the actual
+# directory that we want) from a spoolfile (which is what old unix boomers want
+# and no one else).
+home_mailbox = Mail/Inbox/
+
+# https://wiki.archlinux.org/title/OpenDKIM
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+
+# more emailwiz configs, maybe useful:
+
+# TLS required for authentication.
+#smtpd_tls_auth_only = yes
+
+# Exclude insecure and obsolete encryption protocols.
+#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+
+# helo, sender, relay and recipient restrictions
+#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
+#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
+#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
+#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+#smtpd_helo_required = yes
+#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
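Review bot: `smtpd_sasl_auth_enable = yes` is set globally here while `smtpd_tls_auth_only = yes` stays commented out, so the port-25 `smtp` service in master.cf now advertises AUTH before STARTTLS and a client can send credentials in cleartext; the submission services are safe only because master.cf overrides `smtpd_tls_auth_only` there. Uncomment `smtpd_tls_auth_only = yes` in this block, or move `smtpd_sasl_auth_enable` out of main.cf entirely since the submission overrides already set it. The protocol floors should likewise be live rather than notes: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` and `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`. `smtpd_use_tls = yes` is redundant with `smtpd_tls_security_level = may` and has been obsolete since Postfix 2.3; drop it.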
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
index fd282dd2..7ce6e816 100644
--- a/etc/postfix/master.cf
+++ b/etc/postfix/master.cf
@@ -1,3 +1,6 @@
+# I follow these guides:
+# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving)
+
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
@@ -16,13 +19,13 @@ smtp inet n - n - - smtpd
#tlsproxy unix - - n - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - n - - smtpd
-#submission inet n - n - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_tls_auth_only=yes
+submission inet n - n - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_tls_auth_only=yes
# -o local_header_rewrite_clients=static:all
-# -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
@@ -30,17 +33,17 @@ smtp inet n - n - - smtpd
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
-# -o smtpd_relay_restrictions=
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
+ -o smtpd_relay_restrictions=
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable submissions for loopback clients only, or for any client.
#127.0.0.1:submissions inet n - n - - smtpd
-#submissions inet n - n - - smtpd
-# -o syslog_name=postfix/submissions
-# -o smtpd_tls_wrappermode=yes
-# -o smtpd_sasl_auth_enable=yes
+submissions inet n - n - - smtpd
+ -o syslog_name=postfix/submissions
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
# -o local_header_rewrite_clients=static:all
-# -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
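Review bot: `-o smtpd_relay_restrictions=` clears the relay policy for the `submission` service entirely, so the only thing keeping that port from being an open relay is the `smtpd_recipient_restrictions=permit_sasl_authenticated,reject` override on the very next line; treat the pair as inseparable and never enable one without the other (the `submissions` service that begins at the bottom of this hunk repeats the same pair in the next hunk). The `submissions` block correctly relies on `smtpd_tls_wrappermode=yes` for implicit TLS and so does not strictly need `smtpd_tls_security_level=encrypt` or `smtpd_tls_auth_only=yes`, but adding `-o smtpd_tls_security_level=encrypt` keeps it symmetric with `submission` and fails closed if wrapper mode is ever toggled off. Both service definitions continue past the end of this hunk.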
@@ -48,9 +51,9 @@ smtp inet n - n - - smtpd
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
-# -o smtpd_relay_restrictions=
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
+ -o smtpd_relay_restrictions=
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup