Same for front-smtp

This should enable postfix to have visibility on TLS usage and fix the
following: #1705
main
Florent Daigniere 2 years ago
parent 4ae0d7d768
commit 55c1e55529

@ -292,6 +292,9 @@ mail {
pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
# Default SMTP server for the webmail (no encryption, but authentication)
server {
listen 10025;
@ -338,7 +341,6 @@ mail {
starttls only;
{% endif %}
protocol imap;
proxy_protocol on;
imap_auth plain;
auth_http_header Auth-Port 143;
}
@ -350,7 +352,6 @@ mail {
starttls only;
{% endif %}
protocol pop3;
proxy_protocol on;
pop3_auth plain;
auth_http_header Auth-Port 110;
}
@ -379,7 +380,6 @@ mail {
listen 993 ssl;
listen [::]:993 ssl;
protocol imap;
proxy_protocol on;
imap_auth plain;
auth_http_header Auth-Port 993;
}
@ -388,7 +388,6 @@ mail {
listen 995 ssl;
listen [::]:995 ssl;
protocol pop3;
proxy_protocol on;
pop3_auth plain;
auth_http_header Auth-Port 995;
}
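Review bot: The comment added at the top of the section, `# ensure we talk HAPROXY protocol to the backends`, does not say that moving `proxy_protocol on;` into the `mail` context turns it on for every `server` in the block, including the unencrypted webmail listener on 10025 directly below it, where before it was set per server. A backend that is not configured to expect the PROXY header will not accept such a session, so the comment should spell the consequence out: `# ensure we talk HAPROXY protocol to the backends: set here it applies to every server below (incl. 10025), so each backend must be configured to expect the PROXY header`. The per-server removals in the later hunks are consistent with this; the `mail` block itself starts before the first hunk.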

@ -22,6 +22,8 @@ alias_maps =
# Podop configuration
podop = socketmap:unix:/tmp/podop.socket:
postscreen_upstream_proxy_protocol = haproxy
# Only accept virtual emails
mydestination =
@ -37,9 +39,8 @@ smtp_sasl_tls_security_options = noanonymous
# Recipient delimiter for extended addresses
recipient_delimiter = {{ RECIPIENT_DELIMITER }}
# Only the front server is allowed to perform xclient
# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
smtpd_authorized_xclient_hosts={{ SUBNET }}
# We need to allow everything to do xclient and rely on front to filter-out "bad" requests
smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0
###############
# TLS
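Review bot: The replacement `smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0` grants XCLIENT, i.e. the right to rewrite the client address, name and HELO that restrictions and logging act on, to any source address, and the new comment only says that front filters bad requests, not why the `{{ SUBNET }}` restriction had to go. Presumably, once postscreen reads the PROXY header, smtpd sees the upstream client's address instead of front's, so the subnet match could no longer succeed; the comment should record that, together with the assumption the setting now depends on, namely that these smtp ports are reachable only from front and are never published outside. Suggested wording above the line: `# With the PROXY protocol smtpd sees the real client address, not front's, so the subnet check can no longer match.` followed by `# Safe only while these ports are reachable exclusively from front, which filters XCLIENT itself.`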

@ -2,10 +2,10 @@
# (yes) (yes) (yes) (never) (100)
# Exposed SMTP service
smtp inet n - n - - smtpd
smtp inet n - n - 1 postscreen
# Internal SMTP service
10025 inet n - n - - smtpd
10025 inet n - n - 1 postscreen
-o smtpd_sasl_auth_enable=yes
-o smtpd_discard_ehlo_keywords=pipelining
-o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
@ -44,6 +44,7 @@ verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
smtpd pass - - n - - smtpd
relay unix - - n - - smtp
error unix - - n - - error
retry unix - - n - - error
@ -52,4 +53,3 @@ lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
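Review bot: The `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_discard_ehlo_keywords=pipelining` and `-o smtpd_client_restrictions=...` continuation lines left under the new `10025 inet n - n - 1 postscreen` entry now belong to a postscreen service, and postscreen hands the accepted connection to the `smtpd pass - - n - - smtpd` service added in the next hunk, whose own options (none visible) are what the session actually runs with; as far as I can tell from Postfix's master.cf semantics, the internal port thereby loses its SASL, EHLO-keyword and client-restriction settings and becomes indistinguishable from port 25. If only the client address is wanted on 10025, keep it as `10025 inet n - n - - smtpd` and add the per-service override `-o smtpd_upstream_proxy_protocol=haproxy` (the smtpd counterpart of `postscreen_upstream_proxy_protocol`); if postscreen is really wanted there too, it needs its own pass service that carries those three options.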
