Same for front-smtp

This should enable postfix to have visibility on TLS usage and fix the
following: #1705
Florent Daigniere 2 years ago
parent 4ae0d7d768
commit 55c1e55529

@ -292,6 +292,9 @@ mail {
pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER; pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+; imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
# Default SMTP server for the webmail (no encryption, but authentication) # Default SMTP server for the webmail (no encryption, but authentication)
server { server {
listen 10025; listen 10025;
@ -338,7 +341,6 @@ mail {
starttls only; starttls only;
{% endif %} {% endif %}
protocol imap; protocol imap;
proxy_protocol on;
imap_auth plain; imap_auth plain;
auth_http_header Auth-Port 143; auth_http_header Auth-Port 143;
} }
@ -350,7 +352,6 @@ mail {
starttls only; starttls only;
{% endif %} {% endif %}
protocol pop3; protocol pop3;
proxy_protocol on;
pop3_auth plain; pop3_auth plain;
auth_http_header Auth-Port 110; auth_http_header Auth-Port 110;
} }
@ -379,7 +380,6 @@ mail {
listen 993 ssl; listen 993 ssl;
listen [::]:993 ssl; listen [::]:993 ssl;
protocol imap; protocol imap;
proxy_protocol on;
imap_auth plain; imap_auth plain;
auth_http_header Auth-Port 993; auth_http_header Auth-Port 993;
} }
@ -388,7 +388,6 @@ mail {
listen 995 ssl; listen 995 ssl;
listen [::]:995 ssl; listen [::]:995 ssl;
protocol pop3; protocol pop3;
proxy_protocol on;
pop3_auth plain; pop3_auth plain;
auth_http_header Auth-Port 995; auth_http_header Auth-Port 995;
} }
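Review bot: The mail-scope `proxy_protocol on;` added after the capability lines now also applies to the `listen 10025;` webmail server and to every SMTP server{} in this block, none of which carried the directive before, so each of those backends must be configured to expect a PROXY header or the first bytes of every session will be rejected. The removals in the later hunks only drop the per-server copies for 143/110/993/995, which already expected it, so the change is consistent, but the comment should say where the new obligation lands. I would extend it to `# ensure we talk HAPROXY protocol to the backends (mail scope: applies to every server{} below, including the webmail 10025 one; each backend must be configured to expect the header)`. The enclosing `mail {}` block starts and ends outside these hunks.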

@ -22,6 +22,8 @@ alias_maps =
# Podop configuration # Podop configuration
podop = socketmap:unix:/tmp/podop.socket: podop = socketmap:unix:/tmp/podop.socket:
postscreen_upstream_proxy_protocol = haproxy
# Only accept virtual emails # Only accept virtual emails
mydestination = mydestination =
@ -37,9 +39,8 @@ smtp_sasl_tls_security_options = noanonymous
# Recipient delimiter for extended addresses # Recipient delimiter for extended addresses
recipient_delimiter = {{ RECIPIENT_DELIMITER }} recipient_delimiter = {{ RECIPIENT_DELIMITER }}
# Only the front server is allowed to perform xclient # We need to allow everything to do xclient and rely on front to filter-out "bad" requests
# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead. smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0
smtpd_authorized_xclient_hosts={{ SUBNET }}
############### ###############
# TLS # TLS
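Review bot: `smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0` lets every client address issue XCLIENT, and XCLIENT can override the LOGIN attribute that Postfix uses as the SASL login name as well as the client name and address, so any peer that reaches smtpd without the front stripping the command could claim an authenticated identity; the new comment's `rely on front to filter-out "bad" requests` is an assumption this hunk cannot verify and should be stated as one. With `postscreen_upstream_proxy_protocol = haproxy` the address matched here is presumably the one from the PROXY header rather than the front's, which is why `{{ SUBNET }}` no longer works, and the deleted kubernetes/swarm sentence was the explanation for that and is worth keeping. I would write the comment as `# XCLIENT (incl. LOGIN=) is accepted from any address: the PROXY header makes the end-client address visible to Postfix, so the front's address can no longer be matched (and is not static under kubernetes/swarm); the front must prevent clients from issuing XCLIENT, and smtpd must only be reachable through the front.` The same reachability constraint applies to `postscreen_upstream_proxy_protocol`, since postscreen will then expect and trust a PROXY header from whoever connects to that listener.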

@ -2,10 +2,10 @@
# (yes) (yes) (yes) (never) (100) # (yes) (yes) (yes) (never) (100)
# Exposed SMTP service # Exposed SMTP service
smtp inet n - n - - smtpd smtp inet n - n - 1 postscreen
# Internal SMTP service # Internal SMTP service
10025 inet n - n - - smtpd 10025 inet n - n - 1 postscreen
-o smtpd_sasl_auth_enable=yes -o smtpd_sasl_auth_enable=yes
-o smtpd_discard_ehlo_keywords=pipelining -o smtpd_discard_ehlo_keywords=pipelining
-o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
@ -44,6 +44,7 @@ verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap proxymap unix - - n - - proxymap
smtp unix - - n - - smtp smtp unix - - n - - smtp
smtpd pass - - n - - smtpd
relay unix - - n - - smtp relay unix - - n - - smtp
error unix - - n - - error error unix - - n - - error
retry unix - - n - - error retry unix - - n - - error
@ -52,4 +53,3 @@ lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil anvil unix - - n - 1 anvil
scache unix - - n - 1 scache scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd postlog unix-dgram n - n - 1 postlogd
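Review bot: The `10025` entry is switched to `postscreen` while keeping `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_discard_ehlo_keywords=pipelining` and the `-o smtpd_client_restrictions=...` line; as far as I know, `-o smtpd_*` overrides on a postscreen entry configure the postscreen process only, and the connection is handed to the shared `smtpd pass - - n - - smtpd` service added in the second hunk, which runs with main.cf defaults, so SASL authentication and `reject_authenticated_sender_login_mismatch` would silently stop applying on the internal submission port and ports 25 and 10025 would share one smtpd configuration. Postscreen is also intended for the externally exposed port rather than for authenticated submission. I would keep 10025 as a plain smtpd that understands the PROXY header and leave postscreen on port 25 only: `10025 inet n - n - - smtpd` followed by `-o smtpd_upstream_proxy_protocol=haproxy` above the existing `-o` lines. This should be checked against the Postfix master.cf/postscreen documentation for the deployed version before merging.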
