modoboa / modoboa-installer

An installer for Modoboa
MIT License

Enable SMTPS per RFC 8314 #564

Open almereyda opened 2 months ago

almereyda commented 2 months ago

Impacted versions

all

Steps to reproduce

  1. Read RFC 8314
  2. Find the unconfigured SMTPS port in https://github.com/modoboa/modoboa-installer/blob/d05618e53d5b3864c668da59d446e8d516fcf6a2/modoboa_installer/scripts/files/postfix/master.cf.tpl#L30-L40

Expected behavior

master.cf

26,28c26,28
<   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
<   -o smtpd_helo_restrictions=
<   -o smtpd_sender_restrictions=reject_sender_login_mismatch
---
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
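Review bot: replacing smtpd_sender_restrictions=reject_sender_login_mismatch with $mua_sender_restrictions weakens the submission service with the class as defined later in this issue: mua_sender_restrictions lists permit_sasl_authenticated before reject_sender_login_mismatch, and a permit result ends the restriction list, so the login mismatch check never runs for the authenticated clients that $mua_client_restrictions admits. Put reject_sender_login_mismatch first (or leave permit_sasl_authenticated out of that class) so the previous behaviour is kept. The helo line also moves from no helo checks at all to reject_invalid_hostname via $mua_helo_restrictions; that tightening should be called out as intended.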
31,38c31,39
< #smtps     inet  n       -       -       -       -       smtpd
< #  -o syslog_name=postfix/smtps
< #  -o smtpd_tls_wrappermode=yes
< #  -o smtpd_sasl_auth_enable=yes
< #  -o smtpd_reject_unlisted_recipient=no
< #  -o smtpd_client_restrictions=$mua_client_restrictions
< #  -o smtpd_helo_restrictions=$mua_helo_restrictions
< #  -o smtpd_sender_restrictions=$mua_sender_restrictions
---
> smtps     inet  n       -       -       -       -       smtpd
>   -o syslog_name=postfix/smtps
>   -o tls_preempt_cipherlist=yes
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
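Review bot: tls_preempt_cipherlist=yes is set only on the new smtps entry while the submission entry in the hunk above gets no such override, so ports 465 and 587 would negotiate ciphers under different policies; set it once in main.cf if it is wanted, or leave it out of this change, since it has nothing to do with enabling the port. The rest of the entry is the commented-out template on the left (wrapper mode plus SASL, restrictions via the mua_* classes), which is what implicit TLS on 465 needs.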
41c42,43
< #  -o milter_macro_daemon_name=ORIGINATING
---
>   -o milter_macro_daemon_name=ORIGINATING
>   -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
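Review bot: smtpd_proxy_filter=inet:[127.0.0.1]:10026 is a site-specific addition that nothing in this issue explains: no listener on port 10026 appears anywhere in the diff, an smtpd whose proxy filter is unreachable answers submissions on 465 with a temporary error, and the submission entry gets no equivalent line. Drop it from the installer change, or document which filter is expected there and apply it to both MUA ports consistently.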
153c155
<         -o local_header_rewrite_clients=
---
>         -o local_header_rewrite_clients=permit_mynetworks,permit_sasl_authenticated
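Review bot: this hunk touches line 153 of master.cf, a service entry that is not shown and is not one of the two MUA ports, and changing local_header_rewrite_clients there is not part of enabling SMTPS; split it into its own change that names the service it applies to and says why header rewriting for SASL-authenticated clients and $mynetworks is wanted for it.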

main.cf, between ## Recipient restriction rules and ## Postscreen settings

# Sender restriction rules
smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname

# Relay restriction rules
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# Custom restriction classes
smtpd_restriction_classes =
    mua_sender_restrictions
    mua_client_restrictions
    mua_helo_restrictions

mua_client_restrictions =
    permit_sasl_authenticated
    reject

mua_sender_restrictions =
    permit_sasl_authenticated
    reject_sender_login_mismatch

mua_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
#    reject_non_fqdn_hostname

We've been running this configuration quite stably for a few years. It has not been audited for security.

Also note the commented-out reject_non_fqdn_hostname rule, which hasn't affected us badly yet. Also, smtpd_recipient_restrictions and smtpd_relay_restrictions from the commented-out smtps part in master.cf remain untouched, to mirror the given submission configuration.

There's more discussion in the thread at https://discord.com/channels/930814728928895078/1203376038793584720
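As an added example that is not part of the issue or of modoboa-installer, the Python script below lints a master.cf/main.cf pair of the kind proposed above: it parses service entries and their -o overrides, confirms an active (uncommented) smtps service with TLS wrapper mode and SASL, checks that every $mua_* class referenced from master.cf is actually defined in main.cf, and flags the ordering problem in the mua_sender_restrictions class as posted (permit_sasl_authenticated before reject_sender_login_mismatch makes the login check unreachable). The sample fragments are constructed from the issue text, and parse_master_cf, parse_main_cf and check_rfc8314 are names chosen here, not anything the installer ships.

```python
"""Added example, not code from the issue or from modoboa-installer: lint a
Postfix master.cf/main.cf pair for the RFC 8314 submission setup the issue
asks for: an active (uncommented) 'smtps' service in TLS wrapper mode with
SASL, every $mua_* class used from master.cf defined in main.cf, and a
sender-login check that can actually run. Samples are constructed from the
issue text; the function and constant names are chosen for this example."""
import re

SERVICE_RE = re.compile(  # name type private unpriv chroot wakeup maxproc command
    r"^(\S+)\s+(inet|unix|fifo|pass)" + r"\s+(\S+)" * 6)

MASTER_CF_BEFORE = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
"""
MASTER_CF_AFTER = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
"""
MAIN_CF = """\
smtpd_restriction_classes = mua_sender_restrictions
    mua_client_restrictions, mua_helo_restrictions
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject_sender_login_mismatch
mua_helo_restrictions = permit_mynetworks, reject_invalid_hostname
"""


def parse_master_cf(text):
    """{(name, type): {option: value}} for active services; '#' lines are skipped."""
    services, opts = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # '  -o key=value' belongs to the last service
            parts = raw.split()
            if opts is not None and len(parts) == 2 and parts[0] == "-o":
                key, _, value = parts[1].partition("=")
                opts[key] = value
        elif (m := SERVICE_RE.match(raw)):
            opts = services[(m.group(1), m.group(2))] = {}
    return services


def parse_main_cf(text):
    """{parameter: [tokens]}; indented lines continue the previous parameter."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            tokens = raw
        else:
            name, sep, tokens = raw.partition("=")
            if not sep:
                continue
            key = name.strip()
            params[key] = []
        if key is not None:
            params[key] += [t for t in re.split(r"[\s,]+", tokens.strip()) if t]
    return params


def check_rfc8314(master_cf, main_cf):
    """Return a list of findings; an empty list means every check passed."""
    services, params = parse_master_cf(master_cf), parse_main_cf(main_cf)
    findings = []
    smtps = services.get(("smtps", "inet"), {})  # {} while still commented out
    for opt in ("smtpd_tls_wrappermode", "smtpd_sasl_auth_enable"):
        if smtps.get(opt) != "yes":
            findings.append(f"smtps: no active service with -o {opt}=yes")
    for (name, _), opts in services.items():
        for key, value in opts.items():
            # An undefined $name expands to an empty list, i.e. no restrictions
            # at that stage, so a typo here silently weakens the service.
            if key.endswith("_restrictions") and value.startswith("$") and value[1:] not in params:
                findings.append(f"{name}: {value} is not defined in main.cf")
        # A permit_* result ends the list, so a reject placed after
        # permit_sasl_authenticated never runs for authenticated MUAs.
        val = opts.get("smtpd_sender_restrictions", "")
        lst = params.get(val[1:], []) if val.startswith("$") else val.split(",")
        after = lst[lst.index("permit_sasl_authenticated"):] if "permit_sasl_authenticated" in lst else []
        if "reject_sender_login_mismatch" in after:
            findings.append(f"{name}: reject_sender_login_mismatch is unreachable after permit_sasl_authenticated")
    return findings
```

Calling check_rfc8314(MASTER_CF_BEFORE, MAIN_CF) reports only that smtps is inactive, while check_rfc8314(MASTER_CF_AFTER, MAIN_CF) is clean on the port checks but reports, for both submission and smtps, that reject_sender_login_mismatch can never fire with the class ordering as posted; swapping the two entries in mua_sender_restrictions clears every finding. The parser deliberately treats a commented-out service as absent and an undefined $class as empty, because that is how Postfix reads them.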