Merge #1902
1902: Make smtp_tls_policy_maps easily configurable r=mergify[bot] a=nextgens ## What type of PR? Feature ## What does this PR do? - Make smtp_tls_policy_maps easily configurable. This is useful to force TLS verification of specific destinations (or relays). We should probably discuss what's on the list by default. I have found a top100 list online, ran it through a script to check all the records and found 90 destinations we could use. - disable TLS session tickets (this reduces the PFS window from 1day to 1h) - enable system CAs by default (to allow for OUTBOUND_TLS_LEVEL above encrypt without additional overrides) ### Related issue(s) - closes #1558 - #707 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry is not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
commit
7efce99769
@ -56,11 +56,15 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
|
|||||||
# By default, outgoing TLS is more flexible because
|
# By default, outgoing TLS is more flexible because
|
||||||
# 1. not all receiving servers will support TLS,
|
# 1. not all receiving servers will support TLS,
|
||||||
# 2. not all will have and up-to-date TLS stack.
|
# 2. not all will have and up-to-date TLS stack.
|
||||||
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
|
|
||||||
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
||||||
smtp_tls_protocols =!SSLv2,!SSLv3
|
smtp_tls_protocols =!SSLv2,!SSLv3
|
||||||
|
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
|
||||||
|
smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
|
||||||
|
smtp_tls_CApath = /etc/ssl/certs
|
||||||
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
|
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
|
||||||
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
|
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
|
||||||
|
smtp_host_lookup = dns
|
||||||
|
smtp_dns_support_level = dnssec
|
||||||
|
|
||||||
###############
|
###############
|
||||||
# Virtual
|
# Virtual
|
||||||
|
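Review bot: `smtp_dns_support_level = dnssec`, added near the end of the hunk, only yields authenticated lookups when the resolver named in /etc/resolv.conf is a trusted DNSSEC-validating one reached over a trusted path; with any other resolver Postfix treats every answer as insecure without complaint, so the line should carry a comment stating that requirement, e.g. `# dnssec support is only effective with a trusted validating resolver`. The `secure` entries written into tls_policy.map depend on `smtp_tls_CApath = /etc/ssl/certs` holding hashed CA symlinks; that is presumably true for the image's ca-certificates package, but nothing in the hunk guarantees it, and a failed verification defers rather than delivers the mail. A small style point: `smtp_tls_policy_maps=hash:...` omits the spaces around `=` that every neighbouring directive uses.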
@ -68,6 +68,12 @@ for map_file in glob.glob("/overrides/*.map"):
|
|||||||
os.system("postmap {}".format(destination))
|
os.system("postmap {}".format(destination))
|
||||||
os.remove(destination)
|
os.remove(destination)
|
||||||
|
|
||||||
|
if not os.path.exists("/etc/postfix/tls_policy.map.db"):
|
||||||
|
with open("/etc/postfix/tls_policy.map", "w") as f:
|
||||||
|
for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
|
||||||
|
f.write(f'{domain}\tsecure\n')
|
||||||
|
os.system("postmap /etc/postfix/tls_policy.map")
|
||||||
|
|
||||||
if "RELAYUSER" in os.environ:
|
if "RELAYUSER" in os.environ:
|
||||||
path = "/etc/postfix/sasl_passwd"
|
path = "/etc/postfix/sasl_passwd"
|
||||||
conf.jinja("/conf/sasl_passwd", os.environ, path)
|
conf.jinja("/conf/sasl_passwd", os.environ, path)
|
||||||
|
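Review bot: The guard `if not os.path.exists("/etc/postfix/tls_policy.map.db")` and the bare `os.system("postmap /etc/postfix/tls_policy.map")` assume postmap's default table type is `hash`; if `default_database_type` in this image is anything else (the session caches in the same commit use `lmdb:`), postmap writes a different suffix, the `.db` check never succeeds, the list is regenerated on every start, and main.cf's `hash:` reference points at a table that does not exist. Making the type explicit removes that dependency: `os.system("postmap hash:/etc/postfix/tls_policy.map")`. The ninety-domain list also deserves a header comment explaining that every entry is pinned to `secure`, so a certificate-name or CA failure for one of these destinations defers the mail instead of delivering it — the intended protection, but operators reading a stuck queue need to know where it comes from. The `for map_file` loop that the first two hunk lines belong to starts outside the hunk.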
@ -72,8 +72,8 @@ mail in following format: ``[HOST]:PORT``.
|
|||||||
``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
|
``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
|
||||||
|
|
||||||
By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
|
By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
|
||||||
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
|
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
|
||||||
if you are a relayhost that supports TLS.
|
if you are using a relayhost that supports TLS.
|
||||||
|
|
||||||
Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
|
Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
|
||||||
by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
|
by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
|
||||||
|
1
towncrier/newsfragments/1558.feature
Normal file
1
towncrier/newsfragments/1558.feature
Normal file
@ -0,0 +1 @@
|
|||||||
|
Make smtp_tls_policy_maps easily configurable
|