chillout2k / ExOTA-Milter

Exchange Online Tenant Authorisation Milter (Mail-Filter)
GNU General Public License v3.0

Complete postfix configuration to implement the solution #40

Closed buzzzo closed 2 years ago

buzzzo commented 2 years ago

Would be wonderful to have: 1) a snippet of postfix conf regarding configuration of x509 certificate verification 2) a snippet of opendkim conf

Generally, all the stuff needed to implement your solution.

Thx

chillout2k commented 2 years ago

@buzzzo: thank you for the issue!

Yes, in fact the current documentation lacks a setup part. A first attempt is documented here. The next attempt will include specific/partial configuration for postfix and opendkim as well.

First of all: running an externally accessible mail server (inbound/outbound) is not a simple task! There are many pitfalls that must be taken into consideration!

As postfix is a very powerful and flexible mail server software, it's hard to tell other people how to configure it in the right way. The real use cases may differ. Therefore it's very important to know how postfix works and how to integrate a milter into the traffic flow. The postfix developer(s) provide very good documentation, which can be found here

buzzzo commented 2 years ago

@chillout2k thx !!!

With your conf I was able to use the milter. What I had missed was the config about certificate verification, as I already have a config based only on postfix MTA ACL.

Thx again

chillout2k commented 2 years ago

> @chillout2k thx !!!
>
> With your conf I was able to use the milter. What I had missed was the config about certificate verification, as I already have a config based only on postfix MTA ACL.
>
> Thx again

TLS with postfix is quite well documented: http://www.postfix.org/TLS_README.html

It's not necessary to configure postfix to enforce a relaying policy based on client certificates. The ExOTA-Milter will do that for you. You just need to configure postfix to force the client to present a client certificate, like this:

[...]
# TLS is a MUST as the ExOTA-Milter expects a client certificate (CN: `mail.protection.outlook.com`)
smtpd_tls_security_level = encrypt
smtpd_tls_req_ccert = yes
[...]

Depending on how your postfix was built (self-compiled or installed from a package of your Linux distribution), the right place where all the root CA certificates are stored on your system is also very important! If not correctly configured, postfix will not be able to validate the client certificate presented by Exchange Online. As a consequence, postfix will not pass information about the client certificate to the milter, which results in a milter reject action. ONE of the following postfix configuration attributes should be set up explicitly if your postfix is not able to validate the client certificate presented by Microsoft:
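A quick way to tell whether postfix actually verified the Exchange Online client certificate (and therefore handed certificate data to the milter) is to look at the smtpd TLS handshake lines postfix writes at `smtpd_tls_loglevel = 1`: the first word is `Trusted` when the peer certificate chained to a CA in `smtpd_tls_CApath`/`smtpd_tls_CAfile`, `Untrusted` when a certificate was presented but could not be verified, and `Anonymous` when no certificate was presented at all. The following log audit is an added example, not code from the ExOTA-Milter project or from the issue; the log lines inside it are constructed to mimic that format, and the hostname suffix used to pick out Exchange Online peers is only a reverse-DNS triage hint, not an identity check (the milter does that via the certificate CN).

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original page) in the shape of
# postfix/smtpd output at smtpd_tls_loglevel = 1. The leading word of the
# "TLS connection established" line encodes the certificate verification result.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[2101]: connect from mail-eopbgr70123.outbound.protection.outlook.com[40.107.7.123]
Jan 10 10:00:01 mx postfix/smtpd[2101]: Trusted TLS connection established from mail-eopbgr70123.outbound.protection.outlook.com[40.107.7.123]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 10:05:12 mx postfix/smtpd[2102]: connect from mail-eopbgr70045.outbound.protection.outlook.com[40.107.7.45]
Jan 10 10:05:12 mx postfix/smtpd[2102]: Untrusted TLS connection established from mail-eopbgr70045.outbound.protection.outlook.com[40.107.7.45]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 10:09:33 mx postfix/smtpd[2103]: Anonymous TLS connection established from unknown[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# Matches the smtpd handshake line and captures the trust level, the reverse-DNS
# name (or "unknown") and the client IP.
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<trust>Trusted|Untrusted|Anonymous) TLS connection "
    r"established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)


def classify_tls_line(line):
    """Return (trust, host, ip) for an smtpd TLS handshake line, or None for other lines."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    return m.group("trust"), m.group("host"), m.group("ip")


def audit(log_text, peer_suffix=".protection.outlook.com"):
    """Count handshake outcomes and flag Exchange Online peers whose certificate
    postfix did not verify as Trusted. Those sessions reach the milter without
    certificate attributes and are the ones the milter will reject, so a
    non-empty findings list points at a CA path/file problem rather than at
    the milter policy."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        parsed = classify_tls_line(line)
        if parsed is None:
            continue
        trust, host, ip = parsed
        counts[trust] += 1
        # peer_suffix is an assumed reverse-DNS hint for triage only; it is not
        # an authentication decision.
        if host.endswith(peer_suffix) and trust != "Trusted":
            findings.append({"ip": ip, "host": host, "trust": trust})
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print("handshakes:", dict(counts))
    for f in findings:
        print(f"CA verification failed for {f['host']}[{f['ip']}]: {f['trust']} "
              "-> check smtpd_tls_CApath / smtpd_tls_CAfile")
```

Run it against a real log with `audit(open("/var/log/mail.log").read())`; an `Untrusted` result for an `outbound.protection.outlook.com` peer means the handshake completed but the DigiCert chain was not found, which is exactly the situation where the milter rejects for lack of certificate data.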

buzzzo commented 2 years ago

On my conf I needed to explicitly declare [smtpd_tls_CApath] in order to let postfix verify the CA of Office 365 (DigiCert). I was also able to "convert" the milter into a systemd service quite easily without the need for docker.

Thx again for your help.

chillout2k commented 2 years ago

> I was also able to "convert" the milter into a systemd service quite easily without the need for docker.

Nice! May I ask you to share the systemd definition here? It would be good to have an alternative deployment way documented ;)

buzzzo commented 2 years ago

Sure.

Nothing fancy:

This is the unit file (/lib/systemd/system/exota-milter.service):

[Unit]
Description=Office 365 ACL Milter

[Service]
ExecStart=/var/custom/exota/run.sh

[Install]
WantedBy=multi-user.target

------------------ END OF UNIT FILE ---------------

This is run.sh:

--- start

#!/bin/sh

app="/var/custom/exota/app/exota-milter.py"
log_file="/var/log/exota.log"

# Milter configuration is passed through the environment
export LOG_LEVEL='info'
export MILTER_SOCKET='inet:10086@127.0.0.1'
export MILTER_POLICY_FILE='/var/custom/exota/data/policy.json'
export MILTER_DKIM_ENABLED='True'
export MILTER_DKIM_ALIGNMENT_REQUIRED='True'
export MILTER_TRUSTED_AUTHSERVID='DKIMAuthservID'
export MILTER_X509_ENABLED='True'
export MILTER_X509_TRUSTED_CN='mail.protection.outlook.com'
export MILTER_X509_IP_WHITELIST='127.0.0.1,::1'
export MILTER_ADD_HEADER='True'
export MILTER_AUTHSERVID='pmg-auth-serv-id'
export MILTER_REJECT_MESSAGE='This Service is ONLY for authorized tenant. GO AWAY!!!'

# Start with a fresh log file on every (re)start
rm -f "$log_file"

# exec so systemd tracks the python process itself, not the shell wrapper
exec /usr/bin/python3 "$app" >"$log_file" 2>&1

--- end

Quite simple.

Thx

chillout2k commented 2 years ago

@buzzzo: thank you very much for contributing to this project 👍

I've got just one hint: a restart directive for the case the milter dies unexpectedly:

[Unit]
Description=Office 365 ACL Milter

[Service]
Restart=always
ExecStart=/var/custom/exota/run.sh

[Install]
WantedBy=multi-user.target