Postfix instead of nginx streams

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-08-01 16:34:12 +08:00 · 2024-08-01 16:34:12 +08:00 · bc3f4608d5
parent fbb6a9b570
commit bc3f4608d5
6 changed files with 165 additions and 27 deletions
--- a/m-labs-intl/main.cf
+++ b/m-labs-intl/main.cf
@ -0,0 +1,63 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.m-labs-intl.com
+mydomain = m-labs-intl.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
+mydestination = 
+relayhost = mail.m-labs.hk
+#relay_domains = $mydomain
+local_transport = error:local delivery disabled
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+
+	
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_alias_domains = $mydomain m-labs.hk
+
+
+# DKIM
+milter_default_action = accept
+milter_protocol = 2
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = inet:localhost:8891
--- a/m-labs-intl/nginx.conf
+++ b/m-labs-intl/nginx.conf
@ -59,29 +59,3 @@ http {
 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }
-
-
-stream {
-    # Upstream mail servers
-    upstream smtp_backend {
-        server mail.m-labs.hk:25;
-    }
-
-    upstream submission_backend {
-        server mail.m-labs.hk:587;
-    }
-
-    # SMTP
-    server {
-        listen 25;
-        proxy_pass smtp_backend;
-        proxy_protocol on;
-    }
-
-    # Submission (Authenticated SMTP)
-    server {
-        listen 587;
-        proxy_pass submission_backend;
-        proxy_protocol on;
-    }
-}
--- a/m-labs-intl/opendkim
+++ b/m-labs-intl/opendkim
@ -0,0 +1,32 @@
+# NOTE: This is a legacy configuration file. It is not used by the opendkim
+# systemd service. Please use the corresponding configuration parameters in
+# /etc/opendkim.conf instead.
+#
+# Previously, one would edit the default settings here, and then execute
+# /lib/opendkim/opendkim.service.generate to generate systemd override files at
+# /etc/systemd/system/opendkim.service.d/override.conf and
+# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
+# recommended to adjust the settings directly in /etc/opendkim.conf.
+#
+#DAEMON_OPTS=""
+# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/run/opendkim
+RUNDIR=/run/opendkim
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+SOCKET=local:$RUNDIR/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
+
+SOCKET="inet:8891@localhost"
--- a/m-labs-intl/opendkim.conf
+++ b/m-labs-intl/opendkim.conf
@ -0,0 +1,57 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog			yes
+SyslogSuccess		yes
+#LogWhy			no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization	relaxed/simple
+#Mode			sv
+#SubDomains		no
+OversignHeaders		From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+#Domain			example.com
+#Selector		2020
+#KeyFile		/etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID			opendkim
+UMask			007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket			local:/run/opendkim/opendkim.sock
+#Socket			inet:8891@localhost
+#Socket			inet:8891
+#Socket			local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile			/run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts		192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile		/usr/share/dns/root.key
+#Nameservers		127.0.0.1
+
+
+Domain                  m-labs-intl.com
+KeyFile                 /etc/postfix/dkim.key
+Selector                mail
+SOCKET                  inet:8891@localhost
--- a/m-labs-intl/setup.sh
+++ b/m-labs-intl/setup.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env bash

-apt install git nginx-full python3 python3.12-venv python3-pip
+apt install git nginx-full python3 python3.12-venv python3-pip postfix opendkim opendkim-tools
 snap install --classic certbot
 ln -s /snap/bin/certbot /usr/bin/certbot
 useradd -m rfqserver
@ -49,3 +49,14 @@ service nginx restart
 certbot --nginx

 service nginx restart
+
+cp main.cf /etc/postfix/main.cf
+cp virtual /etc/postfix/virtual
+postmap /etc/postfix/virtual
+
+cp opendkim /etc/default/opendkim
+cp opendkim.conf /etc/opendkim.conf
+opendkim-genkey -t -s mail -d m-labs-intl.com
+cp mail.private /etc/postfix/dkim.key
+service opendkim restart
+service postfix restart
--- a/m-labs-intl/virtual
+++ b/m-labs-intl/virtual
@ -0,0 +1 @@
+es@m-labs-intl.com es@m-labs.hk