leap_platform.git/puppet/modules/site_postfix/manifests, branch 0.3.0rc1 [leap_platform] use check_helo_access hash:/helo_checks also for $submission_helo_restrictions 2013-09-03T16:46:09+00:00 varac varacanero@zeromail.org 2013-09-03T16:46:09+00:00 ccdf90ea9c48efbaa34dda8f23d6a95db9970cd9 






fix $master_cf_tail format
2013-09-03T16:41:58+00:00

varac
varacanero@zeromail.org

2013-09-03T14:20:02+00:00

1c0bde0eef6f693a3a67b88eed40173d9f4cf756












Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667)
2013-09-03T16:41:58+00:00

varac
varacanero@zeromail.org

2013-09-03T13:26:23+00:00

d901c602f61697f329e37bc92209c264755094c1












Merge branch 'feature/helo_access' into develop
2013-09-03T16:30:07+00:00

Micah Anderson
micah@leap.se

2013-09-03T16:30:07+00:00

b25d10864798e50dd51b9404903d3c493b44a65e

Conflicts:
	puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp

Change-Id: I51555935f9d9409e45809d6df021b10e926ea520





Conflicts:
	puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp

Change-Id: I51555935f9d9409e45809d6df021b10e926ea520







add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694)
2013-09-03T16:26:17+00:00

Micah Anderson
micah@leap.se

2013-09-03T14:37:21+00:00

cfdbad27fe0b1c5e98b127f2c3d22258e233ef11

Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4





Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4







Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693)
2013-09-03T14:22:40+00:00

Micah Anderson
micah@leap.se

2013-09-03T14:22:40+00:00

8d69a43fe97079f9595ed460bfa36c4bfd6cb0a8

Change-Id: I6a7338136a53e16962a070826493139fa3307df7





Change-Id: I6a7338136a53e16962a070826493139fa3307df7







disable postfix debugging by default
2013-09-02T15:02:55+00:00

varac
varacanero@zeromail.org

2013-09-02T15:02:55+00:00

822f92c3ff3fb8ef640b7e1c10819f367014f8d1












postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode
2013-08-31T12:33:53+00:00

Micah Anderson
micah@leap.se

2013-08-30T19:19:43+00:00

ff26ca98604d9e3f3856cca2af678b21c096d1ee

Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa





Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa







change the master.cf_tail to pull in -o smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port
2013-08-31T12:31:55+00:00

Micah Anderson
micah@leap.se

2013-08-30T19:01:15+00:00

27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c

move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions

make a note about the permit_tls_all_clientcerts being something that we don't want in the future

remove check_sender_access check which was doing an unnecessary lookup

Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc





move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions

make a note about the permit_tls_all_clientcerts being something that we don't want in the future

remove check_sender_access check which was doing an unnecessary lookup

Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc







Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)
2013-08-29T20:15:24+00:00

Micah Anderson
micah@leap.se

2013-08-29T20:14:53+00:00

ddcab83dda101ee335bbf37451f37e2bfe358c7f

. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25

note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.

Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02





. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25

note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.

Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02