chore: Use content tabs

This commit is contained in:
Brennan Kinney 2024-04-16 19:04:56 +12:00 committed by GitHub
parent 7c00d61880
commit 304cab45da
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 142 additions and 136 deletions


@ -56,108 +56,111 @@ You will need to install Postfix on your _public server_. The functionality that
It's necessary to adjust some settings afterwards. It's necessary to adjust some settings afterwards.
???+ example "Postfix main config" <!-- This empty quote block is purely for a visual border -->
!!! quote ""
Create or replace `/etc/postfix/main.cf` with this content: === "Postfix main config"
```cf ??? example "Create or replace `/etc/postfix/main.cf`"
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) ```cf
biff = no # See /usr/share/postfix/main.cf.dist for a commented, more complete version
# appending .domain is the MUA's job. smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
append_dot_mydomain = no biff = no
# Uncomment the next line to generate "delayed mail" warnings # appending .domain is the MUA's job.
#delay_warning_time = 4h append_dot_mydomain = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on # Uncomment the next line to generate "delayed mail" warnings
# fresh installs. #delay_warning_time = 4h
compatibility_level = 3.6
# TLS parameters # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
smtpd_tls_cert_file=/etc/postfix/certificates/mail.example.com.crt # fresh installs.
smtpd_tls_key_file=/etc/postfix/certificates/mail.example.com.key compatibility_level = 3.6
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
alias_database = hash:/etc/aliases # TLS parameters
alias_maps = hash:/etc/aliases smtpd_tls_cert_file=/etc/postfix/certificates/mail.example.com.crt
maillog_file = /var/log/postfix.log smtpd_tls_key_file=/etc/postfix/certificates/mail.example.com.key
mailbox_size_limit = 0 smtpd_tls_security_level=may
inet_interfaces = all smtp_tls_CApath=/etc/ssl/certs
inet_protocols = ipv4 smtp_tls_security_level=may
readme_directory = no smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
recipient_delimiter = +
# Customizations relevant to this guide: alias_database = hash:/etc/aliases
myhostname = mail.example.com alias_maps = hash:/etc/aliases
myorigin = example.com maillog_file = /var/log/postfix.log
mydestination = localhost mailbox_size_limit = 0
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24 inet_interfaces = all
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination inet_protocols = ipv4
transport_maps = hash:/etc/postfix/transport readme_directory = no
relay_domains = $mydestination, hash:/etc/postfix/relay recipient_delimiter = +
# Disable local system accounts and delivery: # Customizations relevant to this guide:
local_recipient_maps = myhostname = mail.example.com
local_transport = error:local mail delivery is disabled myorigin = example.com
``` mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination, hash:/etc/postfix/relay
Let's highlight some of the important parts: # Disable local system accounts and delivery:
local_recipient_maps =
local_transport = error:local mail delivery is disabled
```
- Avoid including `mail.example.com` in `mydestination`, in fact you can just set `localhost` or nothing at all here as we want all mail to be relayed to our _private server_ (DMS). Let's highlight some of the important parts:
- `mynetworks` should contain your VPN network (_eg: `192.168.2.0/24` subnet_).
- Important are `transport_maps = hash:/etc/postfix/transport` and `relay_domains = $mydestination, hash:/etc/postfix/relay`, with their file contents covered below.
- For good measure also disable `local_recipient_maps`.
- You should have a valid certificate configured for `mail.example.com`.
!!! warning "Open relay" - Avoid including `mail.example.com` in `mydestination`, in fact you can just set `localhost` or nothing at all here as we want all mail to be relayed to our _private server_ (DMS).
- `mynetworks` should contain your VPN network (_eg: `192.168.2.0/24` subnet_).
- Important are `transport_maps = hash:/etc/postfix/transport` and `relay_domains = $mydestination, hash:/etc/postfix/relay`, with their file contents covered below.
- For good measure also disable `local_recipient_maps`.
- You should have a valid certificate configured for `mail.example.com`.
Please be aware that setting `mynetworks` to a public CIDR will leave you with an open relay. **Only** set it to the CIDR of your VPN beyond the localhost ranges. !!! warning "Open relay"
!!! example "Route outbound mail through a separate transport" Please be aware that setting `mynetworks` to a public CIDR will leave you with an open relay. **Only** set it to the CIDR of your VPN beyond the localhost ranges.
When mail arrives to the _public server_ for an `@example.com` address, we want to send it via the `relay` transport to our _private server_ over port 25 for delivery to DMS. === "Route outbound mail through a separate transport"
[`transport_maps`][postfix-docs::transport_maps] is configured with a [`transport` table][postfix-docs::transport_table] file that matches recipient addresses and assigns a non-default transport. This setting has priority over [`relay_transport`][postfix-docs::relay_transport]. When mail arrives to the _public server_ for an `@example.com` address, we want to send it via the `relay` transport to our _private server_ over port 25 for delivery to DMS.
Create `/etc/postfix/transport` with contents: [`transport_maps`][postfix-docs::transport_maps] is configured with a [`transport` table][postfix-docs::transport_table] file that matches recipient addresses and assigns a non-default transport. This setting has priority over [`relay_transport`][postfix-docs::relay_transport].
```txt !!! example "Create `/etc/postfix/transport`"
example.com relay:[192.168.2.3]:25
```
Other considerations: ```txt
example.com relay:[192.168.2.3]:25
```
- If you have multiple domains, you can add them there too as separate lines. Other considerations:
- If you use a smarthost add `* relay:[X.X.X.X]:port` to the bottom, eg `* relay:[relay1.org]:587`, which will relay everything outbound via this relay host.
!!! tip - If you have multiple domains, you can add them there too as separate lines.
- If you use a smarthost add `* relay:[X.X.X.X]:port` to the bottom, eg `* relay:[relay1.org]:587`, which will relay everything outbound via this relay host.
Instead of a file, you could alternatively configure `main.cf` with `transport_maps = inline:{ example.com=relay:[192.168.2.3]:25 }` !!! tip
!!! example "Configure recipient domains to relay mail" Instead of a file, you could alternatively configure `main.cf` with `transport_maps = inline:{ example.com=relay:[192.168.2.3]:25 }`
We want `example.com` to be relayed inbound and everything else relayed outbound. === "Configure recipient domains to relay mail"
[`relay_domains`][postfix-docs::relay_domains] is configured with a file with a list of domains that should be relayed (one per line), the 2nd value is required but can be anything. We want `example.com` to be relayed inbound and everything else relayed outbound.
Create `/etc/postfix/relay` with contents: [`relay_domains`][postfix-docs::relay_domains] is configured with a file with a list of domains that should be relayed (one per line), the 2nd value is required but can be anything.
```txt !!! example "Create `/etc/postfix/relay`"
example.com OK
* OK
```
!!! tip ```txt
example.com OK
* OK
```
Instead of a file, you could alternatively configure `main.cf` with `relay_domains = example.com`. !!! tip
Run `postmap /etc/postfix/transport` and `postmap /etc/postfix/relay` after creating or updating those files to make them compatible for Postfix to use. Instead of a file, you could alternatively configure `main.cf` with `relay_domains = example.com`.
Run `postmap /etc/postfix/transport` and `postmap /etc/postfix/relay` after creating or updating those files to make them compatible for Postfix to use.
## Private Server (Running DMS) ## Private Server (Running DMS)
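Review bot: The `main.cf` example moves from `???+ example "Postfix main config"` (expanded by default) to `??? example "Create or replace `/etc/postfix/main.cf`"` (collapsed by default) inside the new "Postfix main config" tab, so the configuration that the following list ("Let's highlight some of the important parts") walks through is hidden until the reader clicks; `???+ example` would keep it open, since the bullets on `mydestination`, `mynetworks`, `transport_maps` and `relay_domains` only make sense next to the block. The `!!! quote ""` wrapper is explained by the HTML comment as a visual border only, which is fine, but it is worth keeping that comment next to every copy of the workaround so later edits do not drop the empty title. Unrelated to the tab change but visible in the hunk: `smtp_tls_security_level=may` means the hop to `relay:[192.168.2.3]:25` uses opportunistic TLS; a short sentence stating that this is acceptable here because the hop runs over the VPN would stop readers from carrying the setting over to a public relay.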
@ -168,49 +171,52 @@ You can setup your DMS instance as you normally would.
Next we need to configure our _private server_ to relay all outbound mail through the _public server_ (or a separate smarthost service). The setup is [similar to the default relay setup][docs::relay-host-details]. Next we need to configure our _private server_ to relay all outbound mail through the _public server_ (or a separate smarthost service). The setup is [similar to the default relay setup][docs::relay-host-details].
!!! example "Configure the relay host" <!-- This empty quote block is purely for a visual border -->
!!! quote ""
Create `postfix-relaymap.cf` with contents: === "Configure the relay host"
```txt !!! example "Create `postfix-relaymap.cf`"
@example.com [192.168.2.2]:25
```
Meaning all mail sent outbound from `@example.com` addresses will be relayed through the _public server_ at the VPN IP. ```txt
@example.com [192.168.2.2]:25
```
The _public server_ `mynetworks` setting from earlier trusts any mail received on port 25 from the VPN network, which is what allows the mail to be sent outbound when it'd otherwise be denied. Meaning all mail sent outbound from `@example.com` addresses will be relayed through the _public server_ at that VPN IP.
!!! example "Trust the _public server_" The _public server_ `mynetworks` setting from earlier trusts any mail received on port 25 from the VPN network, which is what allows the mail to be sent outbound when it'd otherwise be denied.
Create `postfix-main.cf` with contents: === "Trust the _public server_"
```txt !!! example "Create `postfix-main.cf`"
mynetworks = 192.168.2.0/24
```
This will trust any connection from the VPN network to DMS, such as from the _public server_ when relaying mail over to DMS at the _private server_. ```txt
mynetworks = 192.168.2.0/24
```
This step is necessary to skip some security measures that DMS normally checks for, like verifying DNS records like SPF are valid. As the mail is being relayed, those checks would fail otherwise as the IP of your _public server_ would not be authorized to send mail on behalf of the sender address in mail being relayed. This will trust any connection from the VPN network to DMS, such as from the _public server_ when relaying mail over to DMS at the _private server_.
!!! tip "Alternative to `mynetworks`" This step is necessary to skip some security measures that DMS normally checks for, like verifying DNS records like SPF are valid. As the mail is being relayed, those checks would fail otherwise as the IP of your _public server_ would not be authorized to send mail on behalf of the sender address in mail being relayed.
Instead of trusting connections by their IP with the `mynetworks` setting, those same security measures can be skipped for any authenticated deliveries to DMS over port 587 instead. ??? tip "Alternative to `mynetworks` setting"
This is a bit more work. `mynetworks` on the _public server_ config is for trusting DMS to send mail from the _private server_, thus you'll need to have that public Postfix service configured with a login account that DMS can use. Instead of trusting connections by their IP with the `mynetworks` setting, those same security measures can be skipped for any authenticated deliveries to DMS over port 587 instead.
On the DMS side, `postfix-sasl-password.cf` configures which credentials should be used for a SASL login address: This is a bit more work. `mynetworks` on the _public server_ `main.cf` Postfix config is for trusting DMS when it sends mail from the _private server_, thus you'll need to have that public Postfix service configured with a login account that DMS can use.
```txt On the _private server_ DMS needs to know the credentials for that login account, that is handled with `postfix-sasl-password.cf`:
@example.com user:secret
```
You could also relay mail through SendGrid, AWS SES or similar instead of the _public server_ you're running, providing login credentials through the same `postfix-sasl-password.cf` file. ```txt
@example.com user:secret
```
--- You could also relay mail through SendGrid, AWS SES or similar instead of the _public server_ you're running to receive mail from. Login credentials for those relay services are provided via the same `postfix-sasl-password.cf` file.
Likewise for the _public server_ to send mail to DMS, it would need to be configured to relay mail with credentials too, removing the need for `mynetworks` on the DMS `postfix-main.cf` config. ---
The extra effort to require authentication instead of blind trust of your private subnet can be beneficial at reducing the impact of a compromised system or service on that network that wasn't expected to be permitted to send mail. Likewise for the _public server_ to send mail to DMS, it would need to be configured to relay mail with credentials too, removing the need for `mynetworks` on the DMS `postfix-main.cf` config.
The extra effort to require authentication instead of blind trust of your private subnet can be beneficial at reducing the impact of a compromised system or service on that network that wasn't expected to be permitted to send mail.
## IMAP / POP3 ## IMAP / POP3
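Review bot: The `postfix-main.cf` example `mynetworks = 192.168.2.0/24` trusts the whole VPN subnet, while the surrounding text says the purpose is to trust "the _public server_ when relaying mail over to DMS" and the closing paragraph itself warns about "a compromised system or service on that network"; narrowing the example to the public server's VPN address (`mynetworks = 192.168.2.2/32`, matching the `[192.168.2.2]:25` used in `postfix-relaymap.cf`) would make the example consistent with that advice. The hardening alternative also changes from `!!! tip "Alternative to `mynetworks`"` to `??? tip "Alternative to `mynetworks` setting"`, so the recommended authenticated setup is collapsed by default; `???+ tip` would keep it visible. Minor wording in the unchanged context: "verifying DNS records like SPF are valid" could read "such as checking that the sender's SPF record authorizes the connecting IP", which is what the next sentence describes.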