blog: postfix: nit over the code snippets
This commit is contained in:
parent
74e01a6ce0
commit
8401cd4830
@ -7,12 +7,14 @@ extra.hidden = true
i need software to receive emails, and possibly to send them too. i.e., a mailserver.
the mature mailserver implementations were all written in a time where security was
even worse than today. Postfix is among the better ones, but even it has 10 CVEs.
even worse than today. Postfix is among the better ones, but even it has a fair number of
[CVEs](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postfix).
its intended operation -- where it writes to mailboxes owned by different users --
relies on elevated access control. although the risks are mitigated by its modular
design -- where only select portions of code get elevated permissions -- and the linux
capabilities system, i still would not feel comfortable running this without
isolating it from other applications operating on the same machine.
relies on elevated access control. although the risks are mitigated by its design
around separation of concerns --
where only select portions of code get elevated permissions --
and the linux capabilities system, i still would not feel comfortable running
this without isolating it from other applications on the same machine.
enter systemd-nspawn. nspawn is an extremely lightweight container. it's more of a transparent chroot:
package up the userspace of some linux distribution, place it in a directory, and then
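Review bot: the new link points at the MITRE keyword search (`cvekey.cgi?keyword=postfix`), which returns every CVE whose description contains the word "postfix", including issues in other software that merely integrates with it, so the count a reader lands on overstates Postfix's own record; a search filtered on the Postfix product entry would back "a fair number of CVEs" more accurately. Dropping the hardcoded "10 CVEs" is the right call, since that number goes stale the next time one is published. Nit on the rewritten "design around separation of concerns" sentence: it is now split across four short lines; markdown renders it as one paragraph either way, but one line per sentence keeps future diffs of this paragraph readable.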
@ -80,10 +82,14 @@ quit
mail should show up in the container at `var/spool/mail/root`.
if this is intended as a single-user mailserver, you might want a catch-all mail rule.
append `@uninsane.org root` to the bottom of `etc/postfix/virtual`,
add `virtual_alias_maps = hash:/etc/postfix/virtual` to `etc/postfix/main.cf`
and then (in the container) run `postmap /etc/postfix/virtual` and restart the service.
if this is intended as a single-user mailserver, you might want a catch-all mail rule:
```sh
[root@postfix /]# echo '@uninsane.org root' >> /etc/postfix/virtual
[root@postfix /]# echo 'virtual_alias_maps = hash:/etc/postfix/virtual' >> \
/etc/postfix/main.cf
[root@postfix /]# postmap /etc/postfix/virtual
[root@postfix /]# systemctl restart postfix
```
try the `nc` command from above again, but use `rcpt to:<anything@uninsane.org` and
the mail should be appended to that same `/var/spool/mail/root` file.
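Review bot: `echo 'virtual_alias_maps = hash:/etc/postfix/virtual' >> /etc/postfix/main.cf` leaves a duplicate parameter behind if `virtual_alias_maps` is already set further up in the packaged main.cf (Postfix takes the last value and logs an "overriding earlier entry" warning); `postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'` sets the parameter in place and is the idiomatic way to script this, and `postfix reload` is enough for a main.cf change instead of a full restart. The catch-all also deserves one sentence of caveat in the prose: once `@uninsane.org root` is in place, Postfix accepts mail for every local part at the domain, so address-guessing spam is no longer rejected at RCPT time; acceptable for a single-user box, but the reader should know that is the tradeoff. Trailing context: `rcpt to:<anything@uninsane.org` is missing its closing `>`, worth fixing while this block is being touched.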
@ -94,11 +100,23 @@ we'd prefer to be able to read mail _without_ being root. so create a user dedic
```sh
[root@postfix /]# useradd --create-home --user-group vmail
```
change `mail_owner` in etc/postfix/main.cf to be `vmail`, and restart the service.
in `etc/postfix/aliases` change `root: you` to `root: vmail`.
then change `etc/postfix/virtual` to map to `vmail` by appending this to the bottom:
edit `etc/postfix/main.cf`:
```diff
- mail_owner = postfix
+ mail_owner = vmail
```
@uninsane.org vmail
edit `etc/postfix/aliases`:
```diff
- root: you
+ root: vmail
```
edit `etc/postfix/virtual`:
```diff
- @uninsane.org root
+ @uninsane.org vmail
```
update the database mappings and then restart the services:
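Review bot: the bare `@uninsane.org vmail` line sitting between the `main.cf` diff block and "edit `etc/postfix/aliases`:" is a leftover from the removed "appending this to the bottom:" instruction; the same mapping is now shown as `+ @uninsane.org vmail` in the `etc/postfix/virtual` diff below, so the stray line should be dropped. On the substance of `mail_owner = vmail`: Postfix's documentation for `mail_owner` asks for a dedicated account that owns no other files or processes, and `vmail` here also owns a home directory and the mailboxes, so a compromise of any queue-owning daemon is also write access to the mail. Since the `root: vmail` alias already makes `local(8)` deliver into `vmail`'s mailbox as that user, it is worth considering keeping `mail_owner = postfix`; that still lets you read mail without root, and it sidesteps the `/var/spool` ownership problem the next hunk works around.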
@ -106,17 +124,18 @@ update the database mappings and then restart the services:
[root@postfix /]# newaliases
[root@postfix /]# postmap /etc/postfix/virtual
[root@postfix /]# postfix set-permissions
[root@postfix /]# systemctl restart postfix
```
the `postfix` Arch package includes the `/var/spool` files which are now owned by `vmail`, and Arch fixes package permissions on each boot.
so for these changes to take effect, you'll need to edit `lib/systemd/system/postfix.service` to apply `set-permissions` on each boot:
the `postfix` Arch package includes the `/var/spool` files which are now owned by `vmail`, and AFAICT Arch fixes package permissions on each boot.
so for these changes to take permanent effect, you'll need to edit `lib/systemd/system/postfix.service` to apply `set-permissions` on each boot:
```diff
- ExecStart=/usr/bin/postfix start
+ ExecStart=/usr/bin/bash -c '/usr/bin/postfix set-permissions \
+ && /usr/bin/postfix start'
```
because systemd limits postfix's ability to write outside of `/var/spool`, you'll need to change which files postfix tries to enforce permissions.
because systemd limits postfix's ability to write outside of `/var/spool`, you'll need to change which files postfix tries to enforce permissions on if you want this to succeed.
in `etc/postfix/postfix-files`, comment out every line which starts with one of:
- `$config_directory`
- `$daemon_directoy`
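Review bot: wrapping `set-permissions && start` in `bash -c` inside `ExecStart=` works, but systemd already has a hook for exactly this: `ExecStartPre=/usr/bin/postfix set-permissions` next to the unchanged `ExecStart=/usr/bin/postfix start`, no shell involved. Editing `lib/systemd/system/postfix.service` in place also means the next package upgrade overwrites the change, which undercuts "permanent effect"; a drop-in under `/etc/systemd/system/postfix.service.d/` (what `systemctl edit postfix` creates) survives upgrades, and adding `ExecStartPre=` in a drop-in does not require clearing `ExecStart=` first. Trailing context: `$daemon_directoy` in the list is a typo for `$daemon_directory`, which matters here because readers will search `postfix-files` for that exact string.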
@ -147,13 +166,16 @@ outgoing messages:
```sh
[root@host /opt/postfix]$ cp usr/share/doc/opendkim/opendkim.conf.sample \
etc/opendkim/opendkim.conf
# update the `Domain` field
# point the `KeyFile` to /home/vmail/dkim/mx1.private (created later)
# set `UserID` to `vmail`
# make sure `Socket` points to `inet:8891@localhost`
# and consider changing Canonicalization from simple/simple to relaxed/simple
```
open `etc/opendkim/opendkim.conf` in an editor and:
- update the `Domain` field
- point the `KeyFile` to `/home/vmail/dkim/mx1.private` (created later)
- set `UserID` to `vmail`
- make sure `Socket` points to `inet:8891@localhost`
- and consider changing Canonicalization from `simple/simple` to `relaxed/simple`
then append this to `etc/postfix/main.cf`:
```sh
# For use by dkim milter
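Review bot: moving the edit instructions out of the `sh` block into a list is the right fix, since as `#` comments they read like commands to paste. Two things the list should say: the `KeyFile` item points at `/home/vmail/dkim/mx1.private` "(created later)", and because OpenDKIM runs as `UserID` `vmail`, the later step should leave that file readable only by `vmail` (mode 0600) so the signing key is not exposed to other local users; and `Socket inet:8891@localhost` binds to loopback only, which is worth stating explicitly as it is what keeps the milter unreachable from the network. Nits: the unchanged `cp` line uses the prompt `[root@host /opt/postfix]$` with `$` while every other root prompt on the page ends in `#`, and the `main.cf` fragment that follows "then append this to `etc/postfix/main.cf`:" is fenced as `sh` although it is Postfix configuration, not shell.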
@ -173,7 +195,7 @@ start the service:
[root@postfix /]# systemctl enable --now opendkim
```
add the `mx1._domainkey` TXT record (documented in /home/vmail/dkim/mx1.txt) into your zone file.
add the `mx1._domainkey` TXT record (documented in `/home/vmail/dkim/mx1.txt`) into your zone file.
then run the `nc` example again. you should get mail that has an `Authentication-Results` header -- which fails,
since we didn't sign our message.