Age | Commit message | Author |
|
Change-Id: I029ffabd33299a5b42e5f262e372eafb6272d094
|
|
Change-Id: Idf550ed004bcb42d6e19ac0a2c5286f52a390935
|
|
smtp_tls_security_level of 'encrypt', so it is not optional (#1902)
Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16
|
|
because the DNS lookup is either impossible (.local domain), or
incorrect (certain openstack/amazon/piston cloud configurations create
this setup when the relayhost is in the same cluster as the satellite).
Fixes #5225
Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
|
|
the mynetworks parameter. Previously we only allowed other mx servers to
relay to each other, but this prevents system mail from non-mx nodes
from getting out.
Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343)
Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
|
|
Helo as the domain (#4495)
Change-Id: I6c8ac28faceb8b0c6129a606ede04837efd3d261
|
|
Change-Id: I959fa40ff508bbeaf7baa0b6ba90c10c9e6b0ef7
|
|
Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728
|
|
class for smtp vs. smtpd tls configurations
Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3
|
|
wrapper mode on the smtps port 465 now (#4366)
enable the missing smtpd_helo_restrictions for smtps
Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6
|
|
Change-Id: I4ffb5b9203741d1152dfd93ef9ecc45f6a6088d4
|
|
Change-Id: I547b99becb8b16fec0ac89f06fb6d833cbde3c2b
|
|
implementing RFC2142 and more (#3602)
Change-Id: Ic2765b25ff9e1560def4900a1bf38dc8023b0ffa
|
|
a file of arbitrary length (#4012)
Neither Postfix nor OpenSSL actually care about the size of the prime in
"smtpd_tls_dh1024_param_file". You can make it 2048 bits
Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5
|
|
Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0
|
|
Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later
SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result in sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems.
Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f
|
|
a file of arbitrary length (#4012)
Neither Postfix nor OpenSSL actually care about the size of the prime in
"smtpd_tls_dh1024_param_file". You can make it 2048 bits
Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5
|
|
smtpd_tls_dh1024_param file, after generating it (#3953)
Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5
|
|
default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869)
Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6
|
|
Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206
|
|
Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd
|
|
cipher used as well as the client and issuer CommonName into the "Received:" header
Also, clean up the parameters to standardize them
Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4
|
|
#3667)
|
|
Conflicts:
puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
Change-Id: I51555935f9d9409e45809d6df021b10e926ea520
|
|
admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694)
Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4
|
|
not sending a HELO (#3693)
Change-Id: I6a7338136a53e16962a070826493139fa3307df7
|
|
to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
|
|
smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port
move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions
make a note about the permit_tls_all_clientcerts being something that we don't want in the future
remove check_sender_access check which was doing an unnecessary lookup
Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc
|
|
over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)
. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25
note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.
Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
|
|