1478: Allow to enforce TLS for outbound r=mergify[bot] a=micw

 using OUTBOUND_TLS_LEVEL=encrypt (default is 'may')

## What type of PR?

enhancement

## What does this PR do?

Add an option to postfix to enforce outbound traffic to be TLS encrypted.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1501: In setup/flavor, change DMARC RUA and RUF email default settings r=mergify[bot] a=ofthesun9

## What type of PR?
bug-fix

## What does this PR do?
This PR changes the default value used to set DMARC_RUA and DMARC_RUF:
DMARC_RUA and DMARC_RUF defaults will reuse the value defined for POSTMASTER,
instead of 'admin' as previously.
Please note that the setup tool doesn't allow (yet?) to define dmarc_rua nor dmarc_ruf, so the default value is indeed used for the time being.

### Related issue(s)
closes #1463 

## Prerequisites
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1532: Replace SMPT with SMTP r=mergify[bot] a=dhoppe



1543: Disable Health checks on swarm mode r=mergify[bot] a=ofthesun9

ref: https://github.com/moby/moby/issues/35451

## What type of PR?
bug-fix

## What does this PR do?
Modify the docker-compose.yml template used by setup (swarm flavor) to disable Health checks on swarm mode for each service

### Related issue(s)
closes #1289

## Prerequisites
- [x]  add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: ofthesun9 <olivier@ofthesun.net>
Co-authored-by: Dennis Hoppe <github@debian-solutions.de>
bors[bot] 4 years ago committed by GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -52,9 +52,10 @@ tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:
tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION tls_ssl_options = NO_COMPRESSION
# Outgoing TLS is more flexible because 1. not all receiving servers will # By default, outgoing TLS is more flexible because
# support TLS, 2. not all will have and up-to-date TLS stack. # 1. not all receiving servers will support TLS,
smtp_tls_security_level = may # 2. not all will have and up-to-date TLS stack.
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =!SSLv2,!SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
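Review bot: On the new `smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}` line, Jinja's `default` filter only replaces an undefined variable, so an `OUTBOUND_TLS_LEVEL` that is defined but empty renders an empty security level instead of `may`. Use `default('may', true)` so empty values fall back as well, and consider rejecting anything that is not a level Postfix accepts, since the variable is written into the Postfix configuration unchecked. The reflowed comment should also say that `encrypt` requires TLS but does not verify the peer certificate, and "have and up-to-date" should read "have an up-to-date" while the comment is being touched.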

@ -69,6 +69,10 @@ The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing
mail in following format: ``[HOST]:PORT``. mail in following format: ``[HOST]:PORT``.
``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed. ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
if you are a relayhost that supports TLS.
The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
go and fetch new email if available. Do not use too short delays if you do not go and fetch new email if available. Do not use too short delays if you do not
want to be blacklisted by external services, but not too long delays if you want to be blacklisted by external services, but not too long delays if you
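Review bot: In the added paragraph, "if you are a relayhost that supports TLS" reads as if the Mailu host itself were the relay; presumably it should say "if you are using a relayhost that supports TLS". The paragraph should also state the consequence of `encrypt` when no relayhost is set: mail to destinations that do not offer STARTTLS is deferred instead of being sent in clear text. It would help to list the accepted values, or at least say that they are the levels of Postfix's `smtp_tls_security_level`.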

@ -76,8 +76,8 @@ FETCHMAIL_DELAY={{ fetchmail_delay or '600' }}
RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }} RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }}
# DMARC rua and ruf email # DMARC rua and ruf email
DMARC_RUA={{ dmarc_rua or 'admin' }} DMARC_RUA={{ dmarc_rua or postmaster }}
DMARC_RUF={{ dmarc_ruf or 'admin' }} DMARC_RUF={{ dmarc_ruf or postmaster }}
# Welcome email, enable and set a topic and body if you wish to send welcome # Welcome email, enable and set a topic and body if you wish to send welcome
# emails to all users. # emails to all users.
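Review bot: In `DMARC_RUA={{ dmarc_rua or postmaster }}` and the matching `DMARC_RUF` line, the fallback is now a template variable rather than a literal, unlike the `'600'` and `'+'` defaults a few lines above. If `postmaster` is ever missing or empty when this template is rendered, both settings come out empty, so either keep a final literal (`dmarc_rua or postmaster or 'admin'`) or confirm that the setup form always requires a postmaster value.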

@ -43,6 +43,8 @@ services:
- "{{ root }}/dkim:/dkim" - "{{ root }}/dkim:/dkim"
deploy: deploy:
replicas: {{ admin_replicas }} replicas: {{ admin_replicas }}
healthcheck:
disable: true
imap: imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}} image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}}
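Review bot: The added `healthcheck:` / `disable: true` pair on the admin service carries no comment saying why it is there. Add a template comment pointing at the swarm issue the commit message references (moby/moby#35451) so the block can be removed once that is resolved; as it stands, someone reading the generated file sees health checks switched off with no rationale.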
@ -52,6 +54,8 @@ services:
- "{{ root }}/overrides:/overrides" - "{{ root }}/overrides:/overrides"
deploy: deploy:
replicas: {{ imap_replicas }} replicas: {{ imap_replicas }}
healthcheck:
disable: true
smtp: smtp:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}} image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}}
@ -61,6 +65,8 @@ services:
- "{{ root }}/overrides:/overrides" - "{{ root }}/overrides:/overrides"
deploy: deploy:
replicas: {{ smtp_replicas }} replicas: {{ smtp_replicas }}
healthcheck:
disable: true
antispam: antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
@ -71,6 +77,8 @@ services:
- "{{ root }}/overrides/rspamd:/etc/rspamd/override.d" - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
deploy: deploy:
replicas: 1 replicas: 1
healthcheck:
disable: true
# Optional services # Optional services
{% if antivirus_enabled %} {% if antivirus_enabled %}
@ -81,6 +89,8 @@ services:
- "{{ root }}/filter:/data" - "{{ root }}/filter:/data"
deploy: deploy:
replicas: 1 replicas: 1
healthcheck:
disable: true
{% endif %} {% endif %}
{% if webdav_enabled %} {% if webdav_enabled %}
@ -91,6 +101,8 @@ services:
- "{{ root }}/dav:/data" - "{{ root }}/dav:/data"
deploy: deploy:
replicas: 1 replicas: 1
healthcheck:
disable: true
{% endif %} {% endif %}
{% if fetchmail_enabled %} {% if fetchmail_enabled %}
@ -101,6 +113,8 @@ services:
- "{{ root }}/data:/data" - "{{ root }}/data:/data"
deploy: deploy:
replicas: 1 replicas: 1
healthcheck:
disable: true
{% endif %} {% endif %}
{% if webmail_type != 'none' %} {% if webmail_type != 'none' %}
@ -111,6 +125,8 @@ services:
- "{{ root }}/webmail:/data" - "{{ root }}/webmail:/data"
deploy: deploy:
replicas: 1 replicas: 1
healthcheck:
disable: true
{% endif %} {% endif %}
{% if db_flavor == 'postgresql' and postgresql == 'internal' %} {% if db_flavor == 'postgresql' and postgresql == 'internal' %}
@ -119,6 +135,8 @@ services:
env_file: {{ env }} env_file: {{ env }}
volumes: volumes:
- "{{ root }}/data/psql_backup:/backup" - "{{ root }}/data/psql_backup:/backup"
healthcheck:
disable: true
{% endif %} {% endif %}
networks: networks:
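Review bot: The same `healthcheck:` / `disable: true` pair is pasted into all nine service hunks of this template, ending with the internal PostgreSQL service here, and there is no way to turn it back on short of editing the generated file. Consider driving it from a single setup variable (for example a hypothetical `disable_healthchecks` flag wrapped around each pair) so operators can restore health checks per deployment, and so the workaround can be dropped in one place later.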

@ -22,7 +22,7 @@
<div class="form-group"> <div class="form-group">
<input class="form-control" type="number" name=smtp_replicas min="1" required value="1" <input class="form-control" type="number" name=smtp_replicas min="1" required value="1"
style="width: 6%; display: inline;"> style="width: 6%; display: inline;">
<label>SMPT</label> <label>SMTP</label>
</div> </div>
{% endcall %} {% endcall %}

@ -0,0 +1 @@
Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix.

@ -0,0 +1 @@
Disable Health checks on swarm mode

@ -0,0 +1 @@
Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings
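Review bot: Grammar in this changelog entry: "apply also to" should be "also applies to". The entry would be more useful to operators if it said that the previous default for both settings was 'admin', since that is the behaviour change they will see after regenerating their configuration.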