blog: postfix: nit over the code snippets

Colin 2022-04-06 21:13:01 +00:00
parent 74e01a6ce0
commit 8401cd4830
1 changed files with 44 additions and 22 deletions


@ -7,12 +7,14 @@ extra.hidden = true
i need software to receive emails, and possibly to send them too. i.e., a mailserver.
the mature mailserver implementations were all written in a time where security was
even worse than today. Postfix is among the better ones, but even it has 10 CVEs.
even worse than today. Postfix is among the better ones, but even it has a fair number of
[CVEs](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postfix).
its intended operation -- where it writes to mailboxes owned by different users --
relies on elevated access control. although the risks are mitigated by its modular
design -- where only select portions of code get elevated permissions -- and the linux
capabilities system, i still would not feel comfortable running this without
isolating it from other applications operating on the same machine.
relies on elevated access control. although the risks are mitigated by its design
around separation of concerns --
where only select portions of code get elevated permissions --
and the linux capabilities system, i still would not feel comfortable running
this without isolating it from other applications on the same machine.
enter systemd-nspawn. nspawn is an extremely lightweight container. it's more of a transparent chroot:
package up the userspace of some linux distribution, place it in a directory, and then
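Review bot: "a fair number of CVEs" in the reworded sentence is vaguer than the "10 CVEs" it replaces, and the link is a keyword search (`cvekey.cgi?keyword=postfix`), so the result list will also include entries for other products that merely mention postfix. Suggest keeping a concrete count with an as-of date next to the link, or stating that the link is a keyword search. Separately, "its design around separation of concerns" drops the word "modular" without saying anything more precise; since the following clause ("only select portions of code get elevated permissions") is the actual argument for why isolation is still wanted, consider leading with that clause instead of the abstract phrase.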
@ -80,10 +82,14 @@ quit
mail should show up in the container at `var/spool/mail/root`.
if this is intended as a single-user mailserver, you might want a catch-all mail rule.
append `@uninsane.org root` to the bottom of `etc/postfix/virtual`,
add `virtual_alias_maps = hash:/etc/postfix/virtual` to `etc/postfix/main.cf`
and then (in the container) run `postmap /etc/postfix/virtual` and restart the service.
if this is intended as a single-user mailserver, you might want a catch-all mail rule:
```sh
[root@postfix /]# echo '@uninsane.org root' >> /etc/postfix/virtual
[root@postfix /]# echo 'virtual_alias_maps = hash:/etc/postfix/virtual' >> \
/etc/postfix/main.cf
[root@postfix /]# postmap /etc/postfix/virtual
[root@postfix /]# systemctl restart postfix
```
try the `nc` command from above again, but use `rcpt to:<anything@uninsane.org` and
the mail should be appended to that same `/var/spool/mail/root` file.
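Review bot: the two `echo ... >>` lines in the new snippet are not idempotent, so a reader who runs the block twice ends up with a duplicate `@uninsane.org root` entry in `/etc/postfix/virtual` and two `virtual_alias_maps` lines in `main.cf`. For the `main.cf` setting, `postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'` updates the parameter in place and avoids the line continuation as well. The old wording used host-relative paths (`etc/postfix/virtual`) while the new commands use container paths at a `[root@postfix /]#` prompt; a short "in the container" before the block would keep that clear. In the unchanged line below the snippet, `rcpt to:<anything@uninsane.org` is missing its closing `>`.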
@ -94,11 +100,23 @@ we'd prefer to be able to read mail _without_ being root. so create a user dedic
```sh
[root@postfix /]# useradd --create-home --user-group vmail
```
change `mail_owner` in etc/postfix/main.cf to be `vmail`, and restart the service.
in `etc/postfix/aliases` change `root: you` to `root: vmail`.
then change `etc/postfix/virtual` to map to `vmail` by appending this to the bottom:
edit `etc/postfix/main.cf`:
```diff
- mail_owner = postfix
+ mail_owner = vmail
```
@uninsane.org vmail
edit `etc/postfix/aliases`:
```diff
- root: you
+ root: vmail
```
edit `etc/postfix/virtual`:
```diff
- @uninsane.org root
+ @uninsane.org vmail
```
update the database mappings and then restart the services:
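Review bot: the `mail_owner = vmail` change sits directly under `useradd --create-home --user-group vmail`, which makes the Postfix queue owner an account that also owns a home directory and is meant for reading mail. The comments in Postfix's stock `main.cf` ask for `mail_owner` to be an account that owns no other files or processes, so this weakens the privilege separation the introduction relies on. Consider leaving `mail_owner = postfix` and routing delivery to `vmail` through the `aliases` and `virtual` edits alone, or add a sentence explaining why the owner has to change. On presentation: the `virtual` step used to say "appending this to the bottom" and now shows a replacement of the `@uninsane.org root` line, which is the clearer instruction; the prose around it should say "replace" so the two agree.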
@ -106,17 +124,18 @@ update the database mappings and then restart the services:
[root@postfix /]# newaliases
[root@postfix /]# postmap /etc/postfix/virtual
[root@postfix /]# postfix set-permissions
[root@postfix /]# systemctl restart postfix
```
the `postfix` Arch package includes the `/var/spool` files which are now owned by `vmail`, and Arch fixes package permissions on each boot.
so for these changes to take effect, you'll need to edit `lib/systemd/system/postfix.service` to apply `set-permissions` on each boot:
the `postfix` Arch package includes the `/var/spool` files which are now owned by `vmail`, and AFAICT Arch fixes package permissions on each boot.
so for these changes to take permanent effect, you'll need to edit `lib/systemd/system/postfix.service` to apply `set-permissions` on each boot:
```diff
- ExecStart=/usr/bin/postfix start
+ ExecStart=/usr/bin/bash -c '/usr/bin/postfix set-permissions \
+ && /usr/bin/postfix start'
```
because systemd limits postfix's ability to write outside of `/var/spool`, you'll need to change which files postfix tries to enforce permissions.
because systemd limits postfix's ability to write outside of `/var/spool`, you'll need to change which files postfix tries to enforce permissions on if you want this to succeed.
in `etc/postfix/postfix-files`, comment out every line which starts with one of:
- `$config_directory`
- `$daemon_directoy`
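Review bot: `$daemon_directoy` in the list is misspelled (should be `$daemon_directory`), so a reader who searches `postfix-files` for the string as written will find nothing and leave those lines active. On the unit change, wrapping both commands in `bash -c` inside `ExecStart` can be avoided with `ExecStartPre=/usr/bin/postfix set-permissions`, and putting that line in a drop-in (for example via `systemctl edit postfix`) keeps it from being overwritten when the package replaces `lib/systemd/system/postfix.service`. "AFAICT Arch fixes package permissions on each boot" is the premise for the whole workaround; if it can be confirmed, say how, otherwise the hedge is fine but the reader should know the step may be unnecessary.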
@ -147,13 +166,16 @@ outgoing messages:
```sh
[root@host /opt/postfix]$ cp usr/share/doc/opendkim/opendkim.conf.sample \
etc/opendkim/opendkim.conf
# update the `Domain` field
# point the `KeyFile` to /home/vmail/dkim/mx1.private (created later)
# set `UserID` to `vmail`
# make sure `Socket` points to `inet:8891@localhost`
# and consider changing Canonicalization from simple/simple to relaxed/simple
```
open `etc/opendkim/opendkim.conf` in an editor and:
- update the `Domain` field
- point the `KeyFile` to `/home/vmail/dkim/mx1.private` (created later)
- set `UserID` to `vmail`
- make sure `Socket` points to `inet:8891@localhost`
- and consider changing Canonicalization from `simple/simple` to `relaxed/simple`
then append this to `etc/postfix/main.cf`:
```sh
# For use by dkim milter
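Review bot: the new bullet list points `KeyFile` at `/home/vmail/dkim/mx1.private` and sets `UserID` to `vmail`, which puts the DKIM signing key in the home directory of the same account that reads mail, with no mention of file permissions. Suggest adding a bullet (or a note at the later key-creation step) that the key must be readable only by the `UserID` account, e.g. mode `0600` on `mx1.private` and `0700` on the `dkim` directory. Moving the steps out of the `sh` block is an improvement since they were never commands. Two small points: the last bullet starts with "and", which reads oddly as a list item, and "consider changing Canonicalization" gives no reason; one clause saying that `relaxed` header canonicalization tolerates whitespace and case changes made by relays would let the reader decide.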
@ -173,7 +195,7 @@ start the service:
[root@postfix /]# systemctl enable --now opendkim
```
add the `mx1._domainkey` TXT record (documented in /home/vmail/dkim/mx1.txt) into your zone file.
add the `mx1._domainkey` TXT record (documented in `/home/vmail/dkim/mx1.txt`) into your zone file.
then run the `nc` example again. you should get mail that has an `Authentication-Results` header -- which fails,
since we didn't sign our message.
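Review bot: the reworded TXT-record line now uses an absolute container path (`/home/vmail/dkim/mx1.txt`) while most other paths in the post are host-relative (`etc/postfix/main.cf`); say "in the container" or use the relative form so the reader knows where to look. It would also help to add a check between publishing the record and re-running the `nc` test, for example `opendkim-testkey -d <domain> -s mx1`, so that a failing `Authentication-Results` header can be attributed to the unsigned test message rather than to a DNS record that has not propagated or was pasted incorrectly.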