From c679f0f38c1f64c82082652c9da949b7244ea53e Mon Sep 17 00:00:00 2001
From: Egor Savkin
Date: Thu, 1 Aug 2024 16:34:12 +0800
Subject: [PATCH] Postfix instead of nginx streams
Signed-off-by: Egor Savkin
---
 m-labs-intl/main.cf | 63 +++++++++++++++++++++++++++++++++++++++
 m-labs-intl/nginx.conf | 26 ----------------
 m-labs-intl/opendkim | 32 ++++++++++++++++++++
 m-labs-intl/opendkim.conf | 57 +++++++++++++++++++++++++++++++++++
 m-labs-intl/setup.sh | 13 +++++++-
 m-labs-intl/virtual | 1 +
 6 files changed, 165 insertions(+), 27 deletions(-)
 create mode 100644 m-labs-intl/main.cf
 create mode 100644 m-labs-intl/opendkim
 create mode 100644 m-labs-intl/opendkim.conf
 create mode 100644 m-labs-intl/virtual
diff --git a/m-labs-intl/main.cf b/m-labs-intl/main.cf
new file mode 100644
index 0000000..31fc163
--- /dev/null
+++ b/m-labs-intl/main.cf
@@ -0,0 +1,63 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.m-labs-intl.com
+mydomain = m-labs-intl.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
+mydestination =
+relayhost = mail.m-labs.hk
+#relay_domains = $mydomain
+local_transport = error:local delivery disabled
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+
+
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_alias_domains = $mydomain m-labs.hk
+
+
+# DKIM
+milter_default_action = accept
+milter_protocol = 2
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = inet:localhost:8891
diff --git a/m-labs-intl/nginx.conf b/m-labs-intl/nginx.conf
index 621d6a9..01fb137 100644
--- a/m-labs-intl/nginx.conf
+++ b/m-labs-intl/nginx.conf
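Review bot: `smtpd_tls_cert_file` and `smtpd_tls_key_file` point at the Debian snakeoil self-signed pair, so inbound STARTTLS on `mail.m-labs-intl.com` presents an untrusted certificate even though setup.sh in this patch already runs `certbot --nginx` on the same host; if that certbot run covers the mail hostname, `smtpd_tls_cert_file = /etc/letsencrypt/live/<host>/fullchain.pem` and `smtpd_tls_key_file = /etc/letsencrypt/live/<host>/privkey.pem` reuse it. Outbound delivery to the fixed `relayhost = mail.m-labs.hk` runs with `smtp_tls_security_level=may`, which silently falls back to cleartext when STARTTLS is unavailable or fails; since the relay is a single known host, `smtp_tls_security_level = encrypt` turns that downgrade into a hard failure. `milter_default_action = accept` means mail is relayed unsigned and unverified whenever opendkim on localhost:8891 is unreachable, which is a defensible availability choice but deserves a comment such as `# accept (unsigned) rather than tempfail when opendkim is down`. The file also mixes `key=value` and `key = value` spacing; Postfix accepts both, but one form is easier to grep and diff.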
@@ -59,29 +59,3 @@ http {
 include /etc/nginx/conf.d/*.conf;
 include /etc/nginx/sites-enabled/*;
 }
-
-
-stream {
- # Upstream mail servers
- upstream smtp_backend {
- server mail.m-labs.hk:25;
- }
-
- upstream submission_backend {
- server mail.m-labs.hk:587;
- }
-
- # SMTP
- server {
- listen 25;
- proxy_pass smtp_backend;
- proxy_protocol on;
- }
-
- # Submission (Authenticated SMTP)
- server {
- listen 587;
- proxy_pass submission_backend;
- proxy_protocol on;
- }
-}
diff --git a/m-labs-intl/opendkim b/m-labs-intl/opendkim
new file mode 100644
index 0000000..ae2aced
--- /dev/null
+++ b/m-labs-intl/opendkim
@@ -0,0 +1,32 @@
+# NOTE: This is a legacy configuration file. It is not used by the opendkim
+# systemd service. Please use the corresponding configuration parameters in
+# /etc/opendkim.conf instead.
+#
+# Previously, one would edit the default settings here, and then execute
+# /lib/opendkim/opendkim.service.generate to generate systemd override files at
+# /etc/systemd/system/opendkim.service.d/override.conf and
+# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
+# recommended to adjust the settings directly in /etc/opendkim.conf.
+#
+#DAEMON_OPTS=""
+# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/run/opendkim
+RUNDIR=/run/opendkim
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+SOCKET=local:$RUNDIR/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
+
+SOCKET="inet:8891@localhost"
diff --git a/m-labs-intl/opendkim.conf b/m-labs-intl/opendkim.conf
new file mode 100644
index 0000000..37aa68f
--- /dev/null
+++ b/m-labs-intl/opendkim.conf
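Review bot: The `SOCKET="inet:8891@localhost"` appended at the end of the opendkim defaults file has no effect on the service as this patch sets it up: the file's own header says the systemd unit ignores it unless `/lib/opendkim/opendkim.service.generate` is run, and the setup.sh hunk in this patch copies the file to /etc/default/opendkim but never runs that generator. It also leaves the stock `SOCKET=local:$RUNDIR/opendkim.sock` line active, so the file now carries two uncommented, conflicting assignments of the same variable (one quoted, one not), and a reader cannot tell which is intended. Since /etc/opendkim.conf in this patch already configures the socket, the simplest fix is to drop this file and the `cp opendkim /etc/default/opendkim` line from the patch; if the generator route is intended, run it in setup.sh and change the stock line to `#SOCKET=local:$RUNDIR/opendkim.sock` so only one assignment remains.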
@@ -0,0 +1,57 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog yes
+SyslogSuccess yes
+#LogWhy no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+#Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+#Domain example.com
+#Selector 2020
+#KeyFile /etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket local:/run/opendkim/opendkim.sock
+#Socket inet:8891@localhost
+#Socket inet:8891
+#Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key
+#Nameservers 127.0.0.1
+
+
+Domain m-labs-intl.com
+KeyFile /etc/postfix/dkim.key
+Selector mail
+SOCKET inet:8891@localhost
diff --git a/m-labs-intl/setup.sh b/m-labs-intl/setup.sh
index 1ab58f2..5932913 100644
--- a/m-labs-intl/setup.sh
+++ b/m-labs-intl/setup.sh
@@ -1,6 +1,6 @@ #!/usr/bin/env bash -apt install git nginx-full python3 python3.12-venv python3-pip +apt install git nginx-full python3 python3.12-venv python3-pip postfix opendkim opendkim-tools snap install --classic certbot ln -s /snap/bin/certbot /usr/bin/certbot useradd -m rfqserver
@@ -49,3 +49,14 @@ service nginx restart certbot --nginx service nginx restart + +cp main.cf /etc/postfix/main.cf +cp virtual /etc/postfix/virtual +postmap /etc/postfix/virtual + +cp opendkim /etc/default/opendkim +cp opendkim.conf /etc/opendkim.conf +opendkim-genkey -t -s mail -d m-labs-intl.com +cp mail.private /etc/postfix/dkim.key +service opendkim restart +service postfix restart
diff --git a/m-labs-intl/virtual b/m-labs-intl/virtual
new file mode 100644
index 0000000..6aa1999
--- /dev/null
+++ b/m-labs-intl/virtual
@@ -0,0 +1 @@
+es@m-labs-intl.com es@m-labs.hk
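Review bot: Two socket settings are now active in opendkim.conf — the stock `Socket local:/run/opendkim/opendkim.sock` line is left uncommented and a differently-cased `SOCKET inet:8891@localhost` is appended at the end — while main.cf in this patch expects the milter on `inet:localhost:8891`. Which of the two duplicates the daemon honours is a parser detail the file should not depend on; the intended value already exists as a comment, so change the socket block to `#Socket local:/run/opendkim/opendkim.sock` and `Socket inet:8891@localhost` and delete the trailing `SOCKET` line. The appended `Domain`/`KeyFile`/`Selector` lines also sit far below the comment block that documents them next to the commented-out `example.com` values; moving them up beside `#Domain example.com`, or adding `# Production signing identity; publish the TXT record from opendkim-genkey's mail.txt` above them, keeps the file readable for the next operator.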
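Review bot: `opendkim-genkey -t -s mail -d m-labs-intl.com` generates the key in test mode, so the TXT record it writes to mail.txt carries the `t=y` flag and tells verifiers not to act on signature failures; drop `-t` for the real deployment. The key is then installed with a plain `cp mail.private /etc/postfix/dkim.key`, which leaves ownership and mode to whatever root's umask and opendkim-genkey produced, while opendkim.conf in this patch runs the daemon as `UserID opendkim`, so the file should be installed explicitly as that user with mode 600 or signing fails at the first message. Every run of the script also regenerates the pair and overwrites the installed key, silently invalidating whatever record is already in DNS, and the record that has to be published is never shown; guarding generation on the key's absence and printing mail.txt fixes both, and an explicit `-b 2048` avoids depending on the tool's default key size. The enclosing script continues above this hunk, and the first hunk of this file still calls `apt install` without `-y`, which will block on the postfix debconf prompt in an unattended run.
```shell
# … unchanged: cp main.cf / cp virtual / postmap / cp opendkim.conf …
# Generate the signing key once; re-running the script must not rotate a key
# whose public half is already published in DNS.  No -t: that would publish
# the t=y testing flag and tell verifiers to ignore signature failures.
if [ ! -f /etc/postfix/dkim.key ]; then
    opendkim-genkey -b 2048 -s mail -d m-labs-intl.com
    # The daemon runs as UserID opendkim (see opendkim.conf); only it may read the key.
    install -o opendkim -g opendkim -m 600 mail.private /etc/postfix/dkim.key
    echo "Publish this DNS TXT record for mail._domainkey.m-labs-intl.com:"
    cat mail.txt
fi
service opendkim restart
service postfix restart
```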