From 55c1e555294c4232b2d8385c67f1a9a81691dc26 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 28 Dec 2022 15:21:28 +0100
Subject: [PATCH] Same for front-smtp

This should enable postfix to have visibility on TLS usage and fix the following: #1705
---
 core/nginx/conf/nginx.conf | 7 +++----
 core/postfix/conf/main.cf | 7 ++++---
 core/postfix/conf/master.cf | 6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 7e5e7b5c..7dc3be90 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -292,6 +292,9 @@ mail {
 pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
 imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;
+ # ensure we talk HAPROXY protocol to the backends
+ proxy_protocol on;
+
 # Default SMTP server for the webmail (no encryption, but authentication)
 server {
 listen 10025;
@@ -338,7 +341,6 @@ mail {
 starttls only;
 {% endif %}
 protocol imap;
- proxy_protocol on;
 imap_auth plain;
 auth_http_header Auth-Port 143;
 }
@@ -350,7 +352,6 @@ mail {
 starttls only;
 {% endif %}
 protocol pop3;
- proxy_protocol on;
 pop3_auth plain;
 auth_http_header Auth-Port 110;
 }
@@ -379,7 +380,6 @@ mail {
 listen 993 ssl;
 listen [::]:993 ssl;
 protocol imap;
- proxy_protocol on;
 imap_auth plain;
 auth_http_header Auth-Port 993;
 }
@@ -388,7 +388,6 @@ mail {
 listen 995 ssl;
 listen [::]:995 ssl;
 protocol pop3;
- proxy_protocol on;
 pop3_auth plain;
 auth_http_header Auth-Port 995;
 }
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 2f0275b7..474bf42c 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -22,6 +22,8 @@ alias_maps =
 # Podop configuration
 podop = socketmap:unix:/tmp/podop.socket:
+postscreen_upstream_proxy_protocol = haproxy
+
 # Only accept virtual emails
 mydestination =
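Review bot: Moving `proxy_protocol on;` up to the `mail {}` level makes every server in that block send a PROXY header to its backend, including the port-10025 webmail server visible in this hunk and the servers that sit outside it, so each backend listener must now be configured to expect that header or the session fails at connect time. With PROXY protocol the backend takes the client address from the header rather than from the socket, so the new comment should state the trust assumption this introduces rather than only the mechanism: `# ensure we talk HAPROXY protocol to the backends (they trust the client address in that header, so they must be reachable from front only)`. The enclosing mail block starts and ends outside the hunk.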
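Review bot: `postscreen_upstream_proxy_protocol = haproxy` makes postscreen require and trust a PROXY header on every inbound connection, so anything that reaches the postfix listener without going through front (another container, a health check, an operator testing with telnet) will no longer get a banner, and any peer that can reach the port can present whatever client address it likes, which then feeds the client restrictions. The hunk gives no hint of that, so I would add a comment next to the new line: `# front talks PROXY protocol to us; this listener must only be reachable from front`. Note that this parameter only covers services run by postscreen; a service still handled by smtpd directly would need `smtpd_upstream_proxy_protocol` instead.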
@@ -37,9 +39,8 @@ smtp_sasl_tls_security_options = noanonymous
 # Recipient delimiter for extended addresses
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}
-# Only the front server is allowed to perform xclient
-# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
-smtpd_authorized_xclient_hosts={{ SUBNET }}
+# We need to allow everything to do xclient and rely on front to filter-out "bad" requests
+smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0
 ###############
 # TLS
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index bec96a30..116633f1 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -2,10 +2,10 @@
 # (yes) (yes) (yes) (never) (100)
 # Exposed SMTP service
-smtp inet n - n - - smtpd
+smtp inet n - n - 1 postscreen
 # Internal SMTP service
-10025 inet n - n - - smtpd
+10025 inet n - n - 1 postscreen
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_discard_ehlo_keywords=pipelining
 -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
@@ -44,6 +44,7 @@ verify unix - - n - 1 verify
 flush unix n - n 1000? 0 flush
 proxymap unix - - n - - proxymap
 smtp unix - - n - - smtp
+smtpd pass - - n - - smtpd
 relay unix - - n - - smtp
 error unix - - n - - error
 retry unix - - n - - error
@@ -52,4 +53,3 @@ lmtp unix - - n - - lmtp
 anvil unix - - n - 1 anvil
 scache unix - - n - 1 scache
 postlog unix-dgram n - n - 1 postlogd
-
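Review bot: `smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0` authorises XCLIENT from whatever address smtpd currently attributes to the session, and the replacement comment does not say why the subnet match had to go; I read the reason as: with PROXY protocol smtpd already sees the real remote address, so front's own address is never the one being checked. The cost is that the real client is then authorised too, so unless front is known to block client-issued XCLIENT after it hands the session over (the new comment says it relies on front for this, but nothing on the page shows that filtering), a remote client could rewrite the address, HELO and LOGIN attributes that `reject_authenticated_sender_login_mismatch` and the client restrictions in master.cf depend on. I would make the reasoning and the dependency explicit in the comment: `# XCLIENT is accepted from any address because, with PROXY protocol, smtpd sees the real client address rather than front's; front is expected to reject XCLIENT issued by clients`.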
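Review bot: The `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_discard_ehlo_keywords=pipelining` and `-o smtpd_client_restrictions=...` lines stay attached to the 10025 entry, which now runs postscreen rather than smtpd; as far as I know per-service `-o` overrides apply only to the process of that service, so these would no longer reach the smtpd that actually handles the session, and since both postscreen entries hand off to the single `smtpd pass` service added in the hunk at -44,6 +44,7, port 25 and port 10025 can no longer carry different smtpd settings at all. Postscreen is also documented as not intended for authenticated submission clients, which is what 10025 serves. I would keep 10025 on smtpd and give it PROXY-header support directly: `10025 inet n - n - - smtpd` followed by `-o smtpd_upstream_proxy_protocol=haproxy` ahead of the existing `-o` lines, leaving only port 25 on postscreen.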