
hostname: ciphermail.uni-bremen.de
SSL: force_tls (implicit TLS / SMTPS on connect, not STARTTLS — this matches the `smtpd_tls_wrappermode=yes` service added in master.cf below)
Port: 465

Create an SMTPd user (the account clients use for SASL AUTH on port 465):

[root@ciphermail ~]# sh make_user.sh USERNAME

Firewall

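# Show what the active (default) zone currently allows. Ports opened with
# --add-port are reported by --list-ports, not by --list-services.
firewall-cmd --list-services
firewall-cmd --list-ports
# Open 465/tcp (smtps, implicit TLS) in the runtime configuration so it takes
# effect now, then in the permanent configuration so it survives a reload or
# reboot (--permanent alone would not change the running firewall).
firewall-cmd --add-port=465/tcp
firewall-cmd --permanent --add-port=465/tcp
# Confirm both the runtime and the permanent configuration now list 465/tcp.
firewall-cmd --list-ports
firewall-cmd --permanent --list-ports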

/etc/ssh/sshd_config

44c44
< PermitRootLogin yes
---
> PermitRootLogin prohibit-password
71c71
< PasswordAuthentication yes
---
> PasswordAuthentication no
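Review bot: `PasswordAuthentication no` on its own does not stop password logins when `UsePAM yes` is in effect, because PAM can still prompt for the password through keyboard-interactive, which is enabled by default; add `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on OpenSSH older than 8.7) next to the line 71 change unless a drop-in already sets it. The firewall-cmd and /etc/pki paths suggest a RHEL-family host, where sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` and the first value sshd reads wins, so a drop-in such as 50-redhat.conf or a cloud-init file can silently override both edited lines; confirm the effective values with `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|kbdinteractive'`. Since the rest of this README runs commands as root, make sure root's authorized_keys is in place and keep an existing session open while you `systemctl restart sshd`, otherwise these two lines lock you out of the host.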

/etc/postfix/master.cf

--- master.cf_backup	2025-05-21 10:35:05.572755028 +0000
+++ master.cf	2025-05-21 13:12:07.862702651 +0000
@@ -8,6 +8,12 @@
 # ==========================================================================
 smtp      inet  n       -       n       -       -       smtpd
             -o message_size_limit=${djigzo_before_filter_message_size_limit}
+            -o smtpd_sasl_auth_enable=no
+smtps     inet  n       -       n       -       -       smtpd
+            -o message_size_limit=${djigzo_before_filter_message_size_limit}
+            -o smtpd_sasl_auth_enable=yes
+            -o smtpd_tls_auth_only=yes
+            -o smtpd_tls_wrappermode=yes
 pickup    fifo  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
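Review bot: The new `smtps` service carries no per-service access policy, so beyond authenticated relay it also accepts whatever main.cf's global `smtpd_recipient_restrictions` allows (unauthenticated mail from `mynetworks`, unauthenticated mail to local destinations) on port 465; following the stock submission example, add `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` (with `smtpd_delay_reject` at its default this is evaluated at RCPT TO, after AUTH) and `-o syslog_name=postfix/smtps` so submissions are distinguishable in the mail log. `smtpd_tls_wrappermode=yes` already makes TLS mandatory on this listener, and disabling SASL on the plain `smtp` service is the right complement, so no `smtpd_tls_security_level` override is needed here. The `${djigzo_...}` placeholder on the copied `message_size_limit` line indicates this is a Ciphermail-templated file; if the gateway regenerates master.cf from its template, these additions presumably need to go into the template as well or they will be lost on the next regeneration — confirm against the installation.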

/etc/postfix/main.cf

--- main.cf_backup	2025-05-21 11:03:20.115193598 +0000
+++ main.cf	2025-05-21 11:02:39.787396945 +0000
@@ -47,10 +47,14 @@
 relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}
 
 # Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command
-smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination 
+#smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination 
+#    ${djigzo_rbl_clients} 
+#    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination 
     ${djigzo_rbl_clients} 
     ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
 
+
 # The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unverified_recipient restriction     
 unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}
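Review bot: `permit_sasl_authenticated` is added to the global `smtpd_recipient_restrictions`, so it applies to every smtpd listener, and it is harmless on port 25 only because master.cf separately sets `smtpd_sasl_auth_enable=no` there; that coupling should be recorded next to the setting, e.g. `# permit_sasl_authenticated: relay for AUTHed clients on smtps/465; port 25 has SASL disabled in master.cf`. Placing it before `${djigzo_rbl_clients}` also means authenticated clients bypass the RBL checks, which is the usual intent for submission but is worth stating in the same comment. The three `#`-prefixed lines that keep a copy of the previous value duplicate what main.cf_backup already preserves and can be dropped.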
 
@@ -100,6 +104,16 @@
 #
 smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
 
+# We want SASL Authentication for incoming SMTP
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_type = cyrus
+smtpd_sasl_path = smtpd
+# smtpd_tls_auth_only = yes
+
+
+
 # Announce STARTTLS support to remote SMTP clients, but do not require that
 # clients use TLS encryption (opportunistic TLS inbound).
 #
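Review bot: With `smtpd_sasl_auth_enable = yes` set globally while `smtpd_tls_auth_only = yes` stays commented out, any smtpd listener in master.cf that does not explicitly override these (the port-25 service does; any after-filter re-injection listener the gateway defines presumably does not) will offer AUTH PLAIN/LOGIN over cleartext. Invert the defaults so the safe value is global and the exception lives on the smtps service: `smtpd_sasl_auth_enable = no` and `smtpd_tls_auth_only = yes` here, with master.cf's `-o smtpd_sasl_auth_enable=yes` on `smtps` unchanged. `smtpd_sasl_type = cyrus` with `smtpd_sasl_path = smtpd` relies on an `smtpd.conf` for libsasl (pwcheck_method, mech_list) and on the corresponding auth daemon being enabled, neither of which this README shows; a one-line pointer to where that is configured would save the next operator a search.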

SSL Certificates:

/etc/pki/tls/private/apache.ssl.pem : Combination of key, crt, ca
/etc/pki/tls/private/postfix.key : Key (referenced by `smtpd_tls_key_file` in main.cf)
/etc/pki/tls/certs/postfix.pem : Combination of crt, ca

Keep the files that contain a private key (`postfix.key` and the combined `apache.ssl.pem`) owned by root with mode 0600; Postfix reads its key as root before dropping privileges, so no wider access is needed. Private keys must not be committed to this repository — only the public chain (e.g. the HARICA/GEANT CA bundle) belongs here.