From 20708ade1f56a1ef84b22ecdca42af9f9bd45c69 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 15 Feb 2024 14:21:02 +0100 Subject: Postfix: Use relay-smtps as relayhost transport. --- files/etc/postfix/master.cf | 44 ++++++++++++++++++++++++++++++++++++++++ files/etc/postfix/tls_policy | 2 +- tasks/mail.yml | 10 ++++++++- templates/etc/postfix/main.cf.j2 | 5 ++--- 4 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 files/etc/postfix/master.cf diff --git a/files/etc/postfix/master.cf b/files/etc/postfix/master.cf new file mode 100644 index 0000000..3c60f31 --- /dev/null +++ b/files/etc/postfix/master.cf @@ -0,0 +1,44 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 + -o smtp_tls_security_level=fingerprint +relay-smtps unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 + -o smtp_tls_wrappermode=yes + -o smtp_tls_security_level=fingerprint +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd diff --git a/files/etc/postfix/tls_policy b/files/etc/postfix/tls_policy index 2af19c5..c5641d3 100644 --- a/files/etc/postfix/tls_policy +++ b/files/etc/postfix/tls_policy @@ -1,3 +1,3 @@ # WARN: smtp_tls_fingerprint_digest MUST be sha256! -[smtp.guilhem.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2 +[smtp.guilhem.org]:465 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2 match=B2:37:09:EC:B9:54:DC:51:FA:77:A1:31:0D:30:06:84:7E:10:81:5B:9B:30:B0:31:6E:9A:7B:53:13:C8:37:62 diff --git a/tasks/mail.yml b/tasks/mail.yml index 89d8530..8f58c8a 100644 --- a/tasks/mail.yml +++ b/tasks/mail.yml @@ -13,7 +13,7 @@ notify: - Run newaliases -- name: Configure Postfix +- name: Configure Postfix (main.cf) template: src=etc/postfix/main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root @@ -21,6 +21,14 @@ notify: - Reload Postfix +- name: Configure Postfix (master.cf) + copy: src=etc/postfix/master.cf + dest=/etc/postfix/master.cf + owner=root group=root + mode=0644 + notify: + - Restart Postfix + - name: Start Postfix service: name=postfix.service enabled=true state=started diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2 index 9557cc4..35a6790 100644 --- a/templates/etc/postfix/main.cf.j2 +++ b/templates/etc/postfix/main.cf.j2 @@ -29,10 +29,9 @@ alias_database = $virtual_alias_maps mailbox_size_limit = 0 # Forward everything to our internal outgoing proxy -# TODO: User relay-smtps on 465/tcp once Hetzner opens it relay_domains = -relayhost = [smtp.guilhem.org]:587 -default_transport = relay +relayhost = [smtp.guilhem.org]:465 +default_transport = relay-smtps smtpd_tls_security_level = none smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -- cgit v1.2.3