Postfix instead of nginx streams
Signed-off-by: Egor Savkin <es@m-labs.hk>
This commit is contained in:
parent
e5b216f749
commit
c679f0f38c
63
m-labs-intl/main.cf
Normal file
63
m-labs-intl/main.cf
Normal file
@ -0,0 +1,63 @@
|
||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||
|
||||
|
||||
# Debian specific: Specifying a file name will cause the first
|
||||
# line of that file to be used as the name. The Debian default
|
||||
# is /etc/mailname.
|
||||
#myorigin = /etc/mailname
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
|
||||
biff = no
|
||||
|
||||
# appending .domain is the MUA's job.
|
||||
append_dot_mydomain = no
|
||||
|
||||
# Uncomment the next line to generate "delayed mail" warnings
|
||||
#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
|
||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
|
||||
# fresh installs.
|
||||
compatibility_level = 3.6
|
||||
|
||||
|
||||
|
||||
# TLS parameters
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_tls_security_level=may
|
||||
|
||||
smtp_tls_CApath=/etc/ssl/certs
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = mail.m-labs-intl.com
|
||||
mydomain = m-labs-intl.com
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
myorigin = $mydomain
|
||||
#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
|
||||
mydestination =
|
||||
relayhost = mail.m-labs.hk
|
||||
#relay_domains = $mydomain
|
||||
local_transport = error:local delivery disabled
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
|
||||
|
||||
|
||||
virtual_alias_maps = hash:/etc/postfix/virtual
|
||||
virtual_alias_domains = $mydomain m-labs.hk
|
||||
|
||||
|
||||
# DKIM
|
||||
milter_default_action = accept
|
||||
milter_protocol = 2
|
||||
smtpd_milters = inet:localhost:8891
|
||||
non_smtpd_milters = inet:localhost:8891
|
@ -59,29 +59,3 @@ http {
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
stream {
|
||||
# Upstream mail servers
|
||||
upstream smtp_backend {
|
||||
server mail.m-labs.hk:25;
|
||||
}
|
||||
|
||||
upstream submission_backend {
|
||||
server mail.m-labs.hk:587;
|
||||
}
|
||||
|
||||
# SMTP
|
||||
server {
|
||||
listen 25;
|
||||
proxy_pass smtp_backend;
|
||||
proxy_protocol on;
|
||||
}
|
||||
|
||||
# Submission (Authenticated SMTP)
|
||||
server {
|
||||
listen 587;
|
||||
proxy_pass submission_backend;
|
||||
proxy_protocol on;
|
||||
}
|
||||
}
|
||||
|
32
m-labs-intl/opendkim
Normal file
32
m-labs-intl/opendkim
Normal file
@ -0,0 +1,32 @@
|
||||
# NOTE: This is a legacy configuration file. It is not used by the opendkim
|
||||
# systemd service. Please use the corresponding configuration parameters in
|
||||
# /etc/opendkim.conf instead.
|
||||
#
|
||||
# Previously, one would edit the default settings here, and then execute
|
||||
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
|
||||
# /etc/systemd/system/opendkim.service.d/override.conf and
|
||||
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
|
||||
# recommended to adjust the settings directly in /etc/opendkim.conf.
|
||||
#
|
||||
#DAEMON_OPTS=""
|
||||
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
|
||||
# postfix in a chroot:
|
||||
#RUNDIR=/var/spool/postfix/run/opendkim
|
||||
RUNDIR=/run/opendkim
|
||||
#
|
||||
# Uncomment to specify an alternate socket
|
||||
# Note that setting this will override any Socket value in opendkim.conf
|
||||
# default:
|
||||
SOCKET=local:$RUNDIR/opendkim.sock
|
||||
# listen on all interfaces on port 54321:
|
||||
#SOCKET=inet:54321
|
||||
# listen on loopback on port 12345:
|
||||
#SOCKET=inet:12345@localhost
|
||||
# listen on 192.0.2.1 on port 12345:
|
||||
#SOCKET=inet:12345@192.0.2.1
|
||||
USER=opendkim
|
||||
GROUP=opendkim
|
||||
PIDFILE=$RUNDIR/$NAME.pid
|
||||
EXTRAAFTER=
|
||||
|
||||
SOCKET="inet:8891@localhost"
|
57
m-labs-intl/opendkim.conf
Normal file
57
m-labs-intl/opendkim.conf
Normal file
@ -0,0 +1,57 @@
|
||||
# This is a basic configuration for signing and verifying. It can easily be
|
||||
# adapted to suit a basic installation. See opendkim.conf(5) and
|
||||
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
|
||||
# documentation of available configuration parameters.
|
||||
|
||||
Syslog yes
|
||||
SyslogSuccess yes
|
||||
#LogWhy no
|
||||
|
||||
# Common signing and verification parameters. In Debian, the "From" header is
|
||||
# oversigned, because it is often the identity key used by reputation systems
|
||||
# and thus somewhat security sensitive.
|
||||
Canonicalization relaxed/simple
|
||||
#Mode sv
|
||||
#SubDomains no
|
||||
OversignHeaders From
|
||||
|
||||
# Signing domain, selector, and key (required). For example, perform signing
|
||||
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
|
||||
# using the private key stored in /etc/dkimkeys/example.private. More granular
|
||||
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
|
||||
#Domain example.com
|
||||
#Selector 2020
|
||||
#KeyFile /etc/dkimkeys/example.private
|
||||
|
||||
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
|
||||
# using a local socket with MTAs that access the socket as a non-privileged
|
||||
# user (for example, Postfix). You may need to add user "postfix" to group
|
||||
# "opendkim" in that case.
|
||||
UserID opendkim
|
||||
UMask 007
|
||||
|
||||
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
|
||||
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
|
||||
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
|
||||
# configured as shown on the last line below.
|
||||
Socket local:/run/opendkim/opendkim.sock
|
||||
#Socket inet:8891@localhost
|
||||
#Socket inet:8891
|
||||
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
|
||||
|
||||
PidFile /run/opendkim/opendkim.pid
|
||||
|
||||
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
|
||||
# OPERATION section of opendkim(8) for more information.
|
||||
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
|
||||
|
||||
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
|
||||
# by the package dns-root-data.
|
||||
TrustAnchorFile /usr/share/dns/root.key
|
||||
#Nameservers 127.0.0.1
|
||||
|
||||
|
||||
Domain m-labs-intl.com
|
||||
KeyFile /etc/postfix/dkim.key
|
||||
Selector mail
|
||||
SOCKET inet:8891@localhost
|
@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
apt install git nginx-full python3 python3.12-venv python3-pip
|
||||
apt install git nginx-full python3 python3.12-venv python3-pip postfix opendkim opendkim-tools
|
||||
snap install --classic certbot
|
||||
ln -s /snap/bin/certbot /usr/bin/certbot
|
||||
useradd -m rfqserver
|
||||
@ -49,3 +49,14 @@ service nginx restart
|
||||
certbot --nginx
|
||||
|
||||
service nginx restart
|
||||
|
||||
cp main.cf /etc/postfix/main.cf
|
||||
cp virtual /etc/postfix/virtual
|
||||
postmap /etc/postfix/virtual
|
||||
|
||||
cp opendkim /etc/default/opendkim
|
||||
cp opendkim.conf /etc/opendkim.conf
|
||||
opendkim-genkey -t -s mail -d m-labs-intl.com
|
||||
cp mail.private /etc/postfix/dkim.key
|
||||
service opendkim restart
|
||||
service postfix restart
|
||||
|
1
m-labs-intl/virtual
Normal file
1
m-labs-intl/virtual
Normal file
@ -0,0 +1 @@
|
||||
es@m-labs-intl.com es@m-labs.hk
|
Loading…
Reference in New Issue
Block a user