Differences

postfix [2018/10/28 20:53]
steve
postfix [2018/10/30 16:56]
steve [Security]
Line 75: Line 75:
  
 If creating a new ''/​var/​log/​maillog''​ you will need to restart your system logger **in addition** to postfix for it to populate. If creating a new ''/​var/​log/​maillog''​ you will need to restart your system logger **in addition** to postfix for it to populate.
 +
 +==== Security ====
 +
 +Enable Postfix to use TLS if possible. Clients and servers that connect may use it. In ''​main.cf'':​
 +
 +<​code>​
 +smtp_tls_security_level = may
 +smtpd_tls_security_level = may
 +</​code>​
 +
 +If you have your own certs, enable those as well. In this case, the ''​server.pem''​ is the combination of the CRT PEM and the CA bundle PEM. Be sure to set the key to read-only for the root user as well.
 +
 +<​code>​
 +cat beandog.crt.pem ca_bundle.pem > server.pem
 +</​code>​
 +
 +<​code>​
 +smtpd_tls_cert_file = /​etc/​postfix/​server.pem
 +smtpd_tls_key_file = /​etc/​postfix/​server.key
 +</​code>​
 +
 +Postfix can define which protocols and ciphers to ignore, and set the preferred order as well. Here, ignore TLSv1 and use stronger ciphers.
 +
 +Also, if you are using OpenSSL 1.1.1 or higher, you can add TLSv1.3 to the list.
 +
 +<​code>​
 +smtp_tls_ciphers = high
 +smtp_tls_mandatory_ciphers = high
 +smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +
 +smtpd_tls_ciphers = high
 +smtpd_tls_mandatory_ciphers = high
 +smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +</​code>​
 +
 +Specific ciphers can be disabled as well. For a list of all ciphers that are available, use ''​openssl'':​
 +
 +<​code>​
 +openssl ciphers
 +</​code>​
 +
 +To make it easier to read, one per line:
 +
 +<​code>​
 +openssl ciphers | tr ':'​ '​\n'​
 +</​code> ​
 +
 +You can find the ciphers or cipher family you'd like to drop by specifying the cipher list. For example::
 +
 +<​code>​
 +openssl ciphers MD5:aNULL
 +</​code>​
 +
 +And then disable those in ''​main.cf'':​
 +
 +<​code>​
 +smtp_tls_exclude_ciphers = MD5, aNULL
 +smtp_tls_mandatory_exclude_ciphers = MD5, aNULL
 +
 +smtpd_tls_exclude_ciphers = MD5, aNULL
 +smtpd_tls_mandatory_exclude_ciphers = MD5, aNULL
 +</​code>​
 +
 +==== Virtual Domains and Aliases ====
 +
 +Configure Postfix to accept email from additional domains. In ''/​etc/​postfix/​main.cf'':​
 +
 +<​code>​
 +virtual_alias_domains = hash:/​etc/​postfix/​virtual_domains
 +virtual_alias_maps = hash:/​etc/​postfix/​virtual_aliases
 +</​code>​
 +
 +In ''/​etc/​postfix/​virtual_domains'':​
 +
 +<​code>​
 +wonkabar.org comment-ignored
 +</​code>​
 +
 +In ''/​etc/​postfix/​virtual_aliases'',​ send all email for ''​wonkabar.org''​ to user root on local box:
 +
 +<​code>​
 +@wonkabar.org root
 +</​code>​
 +
 +Create the database hashes once the files are created and reload postfix:
 +
 +<​code>​
 +postmap virtual_domains
 +postmap virtual_aliases
 +postfix reload
 +</​code>​
 +
 +Here's an example the maillog where an email sent to [email protected] is delivered locally to user [email protected]:​
 +
 +<​code>​
 +Oct 28 20:52:11 lkmx postfix/​local[29196]:​ 8A35EC93E1: to=<​[email protected]>,​ orig_to=<​[email protected]>,​ relay=local,​ delay=0.05, delays=0.05/​0/​0/​0,​ dsn=2.0.0, status=sent (delivered to mailbox)
 +</​code>​
 ==== FreeBSD ==== ==== FreeBSD ====
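Review bot: the Security text says to make the private key readable only by root, but the snippet that builds ''server.pem'' never touches ''server.key'', so the instruction is not carried out anywhere in the section; add the permission step after the ''cat'' line, e.g. ''chown root:root /etc/postfix/server.key'' followed by ''chmod 600 /etc/postfix/server.key''. Second, both security levels are set to ''may'' (opportunistic TLS), and under that level a peer that cannot meet the ''high'' cipher grade or the protocol restrictions does not get a stronger handshake, it falls back to cleartext delivery; the non-mandatory ''smtp_tls_ciphers'' / ''smtp_tls_protocols'' knobs therefore mainly reduce how much mail is encrypted, while the ''*_mandatory_*'' settings only take effect at the ''encrypt'' or ''secure'' levels, which this section never enables. A sentence stating that trade-off, or leaving the opportunistic settings at their defaults, would help readers. Third, ''smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1'' mixes the include and exclude forms; Postfix accepts the include form but documents the exclude form (''!SSLv2, !SSLv3, !TLSv1'') as preferred, and it has the practical advantage that TLSv1.3 is used automatically with OpenSSL 1.1.1 without editing the list, which would simplify the "add TLSv1.3" remark. Finally, the maillog example and the sentence introducing it show redacted ''[email protected]'' placeholders, so the log line no longer demonstrates the ''@wonkabar.org'' to ''root'' rewrite it is meant to illustrate; restore the real addresses (''to='' and ''orig_to='') in that line.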