Ik heb al een paar weken een Postfix server draaien die Dovecot gebruikt voor IMAP en (blijkbaar onvolledig) SMTP authenticatie. Het maakt blijkbaar niet uit wat voor username/password mijn systemen in hun Postfix client hebben staan, ze kunnen altijd iets versturen. Dus iedereen kan dat blijkbaar doen... Het is vast ergens een reject rule aanpassen/toevoegen, maar ik kan hem maar niet vinden... Mochten er andere opmerkingen zijn over de config dan hoor ik dat ook graag!
For the record, systemen buiten $mynetworks kunnen ook gewoon mailen zonder authenticatie.
De server:
main.cf
master.cf
dovecot snippets
De client:
For the record, systemen buiten $mynetworks kunnen ook gewoon mailen zonder authenticatie.
De server:
main.cf
| # postconf -nf
# Server main.cf as dumped by "postconf -nf": only non-default settings, with
# long values folded onto indented continuation lines.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
config_directory = /etc/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = localhost, 10.1.0.1
inet_protocols = ipv4
lmtp_tls_protocols = TLSv1.2
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
# "accept" means that when the milter on localhost:8891 (smtpd_milters below)
# is down or errors, mail is let through as if it had passed.
milter_default_action = accept
myhostname = mail.server.nl
# Every host in these ranges is trusted by the permit_mynetworks entries in the
# restriction lists below; for LAN clients that trust, not SASL, decides.
mynetworks = localhost, 10.1.0.0/24, 10.1.1.0/24
myorigin = $mydomain
non_smtpd_milters = $smtpd_milters
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/letsencrypt/live/$mydomain/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/$mydomain/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_protocols = TLSv1.2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtpd_banner = $myhostname
# permit_mynetworks precedes permit_sasl_authenticated in every list below.
# Restrictions are evaluated in order and stop at the first permit, so a client
# inside $mynetworks is accepted on port 25 before AUTH is ever consulted; the
# username/password it configured is never checked. That matches the symptom
# in the post, assuming the clients are in 10.1.0.0/24 or 10.1.1.0/24.
# A client outside $mynetworks cannot relay (reject_unauth_destination below),
# but can of course deliver to this server's own domains without AUTH, like
# any sending MTA -- worth checking which of the two the "outside" test did.
# The only place AUTH is actually enforced is the submission service in
# master.cf, whose restriction list has no permit_mynetworks.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname, reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo
    dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_milters = inet:localhost:8891
# reject_unauth_destination appears twice in this list; the duplicate is
# harmless but can be dropped.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unlisted_recipient,
    reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unauth_pipelining,
    reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo
    dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org check_policy_service
    unix:private/policy-spf, check_policy_service inet:localhost:10023, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
# SASL is enabled here in main.cf, i.e. on port 25 as well (the submission
# service repeats these settings in master.cf). With smtpd_tls_auth_only = yes
# the AUTH capability is only advertised after STARTTLS. Setting this to "no"
# here and keeping it only on submission is a common way to keep port 25
# MTA-to-MTA only.
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
# This map is only consulted by reject_sender_login_mismatch (or its variants),
# which no restriction list in this config uses, so an authenticated user can
# currently put any envelope sender on a message.
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/$mydomain/fullchain.pem
# The parameter name is historical; a 2048-bit parameter file is fine here.
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_key_file = /etc/letsencrypt/live/$mydomain/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
# "PSD" is not an OpenSSL cipher alias as far as I know -- PSK was probably
# meant. An unknown name in an exclude list should just be ignored, so nothing
# breaks, but the intended exclusion does not happen either.
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES,
    eNULL
smtpd_tls_mandatory_protocols = TLSv1.2
smtpd_tls_protocols = TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
# reject_unknown_client_hostname and reject_unknown_sender_domain default to a
# 450 temporary reject precisely because DNS lookups fail transiently; with 554
# a DNS hiccup on either side becomes a permanent bounce for the sender.
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_maps = hash:$config_directory/$mydomain/virtual_alias_maps.cf
# With virtual_transport pointing at Dovecot's LMTP socket, delivery ownership
# is decided by Dovecot's userdb, not by these static ids; presumably 997 is
# the vmail account -- confirm if the virtual(8) agent is ever used.
virtual_gid_maps = static:997
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
    hash:$config_directory/$mydomain/virtual_mailbox_domains.cf
virtual_mailbox_maps = hash:$config_directory/$mydomain/virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:997 |
master.cf
| # postconf -Pf
# Per-service overrides from master.cf, here for the submission (587) service.
# This is the only restriction list in the config without permit_mynetworks:
# a client connecting here must authenticate (permit_sasl_authenticated) or is
# refused by the final "reject", and TLS is mandatory (encrypt). Clients that
# are supposed to authenticate therefore have to connect to 587, not to 25.
submission/inet/smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/smtpd_sasl_path = private/auth
submission/inet/smtpd_sasl_security_options = noanonymous
submission/inet/smtpd_sasl_type = dovecot
# Nothing here ties the authenticated login to the MAIL FROM address. An
# smtpd_sender_restrictions override with reject_sender_login_mismatch for this
# service would use the smtpd_sender_login_maps already set in main.cf.
submission/inet/smtpd_tls_security_level = encrypt |
dovecot snippets
| passdb {
  # Per-domain flat password files (one per %d), hashed with SHA512-CRYPT;
  # username_format=%u keeps the full user@domain as the lookup key.
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/%d/passwd
  driver = passwd-file
}
# Auth socket Postfix talks to: main.cf's smtpd_sasl_path = private/auth is
# relative to the Postfix queue directory, i.e. this path. Owned by postfix,
# group read/write (0660). Note this only verifies credentials when Postfix
# asks; it cannot make Postfix ask, which is what goes wrong for LAN clients
# that are permitted by permit_mynetworks before AUTH.
service {
  unix_listener {
    group = postfix
    mode = 0660
    user = postfix
    path = /var/spool/postfix/private/auth
  }
  name = auth
}
service {
  # port = 0 disables the plaintext IMAP listener; only IMAPS on 993 remains.
  inet_listener {
    port = 0
    name = imap
  }
  inet_listener {
    port = 993
    ssl = yes
    name = imaps
  }
  name = imap-login
}
# LMTP delivery socket used by main.cf's
# virtual_transport = lmtp:unix:private/dovecot-lmtp (0600, postfix only).
service {
  unix_listener {
    group = postfix
    mode = 0600
    user = postfix
    path = /var/spool/postfix/private/dovecot-lmtp
  }
  name = lmtp
}
userdb {
  # All mailboxes are owned by vmail:nogroup under /var/vmail/<domain>/<user>.
  args = uid=vmail gid=nogroup home=/var/vmail/%d/%n
  driver = static
}
# Only PLAIN is offered, and Dovecot refuses it unless it considers the
# connection secured (TLS, or same-host); on the Postfix side the matching
# gate is smtpd_tls_auth_only = yes.
disable_plaintext_auth = yes
auth_mechanisms = plain |
De client:
| $ postconf -nf
# Client main.cf (the dump was collapsed onto one line; restored one setting
# per line). No relayhost is set, so this Postfix resolves the MX of each
# recipient domain and delivers there itself, on port 25. If this host sits in
# the server's $mynetworks (10.1.0.0/24 or 10.1.1.0/24), the server accepts it
# there before looking at AUTH, and the credentials in smtp_sasl_password_maps
# are only sent when the destination (here: whatever MX was looked up) matches
# a key in that map. To actually authenticate, point the client at the
# submission service, e.g.
#   relayhost = [mail.server.nl]:587
# with a matching entry in /etc/postfix/passwd, and consider
# smtp_tls_security_level = encrypt so the password never goes out in the clear.
compatibility_level = 2
# inet_interfaces and mynetworks are printed empty by postconf -n here.
inet_interfaces =
inet_protocols = ipv4
myhostname = user.home.lan
mynetworks =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = TLSv1.2
smtp_tls_protocols = TLSv1.2
smtp_tls_security_level = may
smtp_use_tls = yes |