Merge #1478 #1501 #1532 #1543

1478: Allow to enforce TLS for outbound r=mergify[bot] a=micw using OUTBOUND_TLS_LEVEL=encrypt (default is 'may') ## What type of PR? enhancement ## What does this PR do? Add an option to postfix to enforce outbound traffic to be TLS encrypted. ## Prerequistes Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file. 1501: In setup/flavor, change DMARC RUA and RUF email default settings r=mergify[bot] a=ofthesun9 ## What type of PR? bug-fix ## What does this PR do? This PR changes the default value used to set DMARC_RUA and DMARC_RUF: DMARC_RUA and DMARC_RUF defaults will reuse the value defined for POSTMASTER, instead of 'admin' as previously. Please note that the setup tool doesn't allow (yet?) to define dmarc_rua nor dmarc_ruf, so the default value is indeed used for the time being. ### Related issue(s) closes #1463 ## Prerequistes - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file. 1532: Replace SMPT with SMTP r=mergify[bot] a=dhoppe 1543: Disable Health checks on swarm mode r=mergify[bot] a=ofthesun9 ref: https://github.com/moby/moby/issues/35451 ## What type of PR? bug-fix ## What does this PR do? Modify the docker-compose.yml template used by setup (swarm flavor) to disable Health checks on swarm mode for each service ### Related issue(s) closes #1289 ## Prerequistes - [x] add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file. Co-authored-by: Michael Wyraz <michael@wyraz.de> Co-authored-by: ofthesun9 <olivier@ofthesun.net> Co-authored-by: Dennis Hoppe <github@debian-solutions.de>
2025-01-12 02:28:20 +02:00 · 2020-08-08 16:01:16 +00:00 · 2020-08-08 16:01:16 +00:00 · 64f21d5b84
commit 64f21d5b84
parent 05a7f7f93a 6234da3786 b1f012d53b c3cbac65f9 f48a13336f
8 changed files with 33 additions and 7 deletions
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@ -52,9 +52,10 @@ tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:
 tls_preempt_cipherlist = yes
 tls_ssl_options = NO_COMPRESSION

-# Outgoing TLS is more flexible because 1. not all receiving servers will
-# support TLS, 2. not all will have and up-to-date TLS stack.
-smtp_tls_security_level = may
+# By default, outgoing TLS is more flexible because
+# 1. not all receiving servers will support TLS,
+# 2. not all will have and up-to-date TLS stack.
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -69,6 +69,10 @@ The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing
 mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.

+By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
+if you are a relayhost that supports TLS.
+
 The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
 go and fetch new email if available. Do not use too short delays if you do not
 want to be blacklisted by external services, but not too long delays if you
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@ -76,8 +76,8 @@ FETCHMAIL_DELAY={{ fetchmail_delay or '600' }}
 RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }}

 # DMARC rua and ruf email
-DMARC_RUA={{ dmarc_rua or 'admin' }}
-DMARC_RUF={{ dmarc_ruf or 'admin' }}
+DMARC_RUA={{ dmarc_rua or postmaster }}
+DMARC_RUF={{ dmarc_ruf or postmaster }}

 # Welcome email, enable and set a topic and body if you wish to send welcome
 # emails to all users.
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@ -43,6 +43,8 @@ services:
      - "{{ root }}/dkim:/dkim"
    deploy:
      replicas: {{ admin_replicas }}
+    healthcheck:
+      disable: true

  imap:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}}
@ -52,6 +54,8 @@ services:
      - "{{ root }}/overrides:/overrides"
    deploy:
      replicas: {{ imap_replicas }}
+    healthcheck:
+      disable: true

  smtp:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}}
@ -61,6 +65,8 @@ services:
      - "{{ root }}/overrides:/overrides"
    deploy:
      replicas: {{ smtp_replicas }}
+    healthcheck:
+      disable: true

  antispam:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
@ -71,6 +77,8 @@ services:
      - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
    deploy:
      replicas: 1
+    healthcheck:
+      disable: true

  # Optional services
  {% if antivirus_enabled %}
@ -81,6 +89,8 @@ services:
      - "{{ root }}/filter:/data"
    deploy:
      replicas: 1
+    healthcheck:
+      disable: true
  {% endif %}

  {% if webdav_enabled %}
@ -91,6 +101,8 @@ services:
      - "{{ root }}/dav:/data"
    deploy:
      replicas: 1
+    healthcheck:
+      disable: true
  {% endif %}

  {% if fetchmail_enabled %}
@ -101,6 +113,8 @@ services:
      - "{{ root }}/data:/data"
    deploy:
      replicas: 1
+    healthcheck:
+      disable: true
  {% endif %}

  {% if webmail_type != 'none' %}
@ -111,6 +125,8 @@ services:
      - "{{ root }}/webmail:/data"
    deploy:
      replicas: 1
+    healthcheck:
+      disable: true
  {% endif %}

  {% if db_flavor == 'postgresql' and postgresql == 'internal' %}
@ -119,6 +135,8 @@ services:
    env_file: {{ env }}
    volumes:
      - "{{ root }}/data/psql_backup:/backup"
+    healthcheck:
+      disable: true
  {% endif %}

 networks:
--- a/setup/templates/steps/stack/04_replicas.html
+++ b/setup/templates/steps/stack/04_replicas.html
@ -22,7 +22,7 @@
 <div class="form-group">
  <input class="form-control" type="number" name=smtp_replicas min="1" required value="1"
  		style="width: 6%; display: inline;">
-  <label>SMPT</label>
+  <label>SMTP</label>
 </div>

-{% endcall %}
+{% endcall %}
--- a/towncrier/1478.feature
+++ b/towncrier/1478.feature
@ -0,0 +1 @@
+Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix.
--- a/towncrier/newsfragments/1289.bugfix
+++ b/towncrier/newsfragments/1289.bugfix
@ -0,0 +1 @@
+Disable Health checks on swarm mode
--- a/towncrier/newsfragments/1463.bugfix
+++ b/towncrier/newsfragments/1463.bugfix
@ -0,0 +1 @@
+Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings
				`@ -0,0 +1 @@`
				`Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix.`
				`@ -0,0 +1 @@`
				`Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings`