Almost done with new server, was: SSL not working after unwanted server migratio

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Almost done with new server, was: SSL not working after unwanted server migratio

Marco Fioretti
Hello!

first of all, thanks again to everybody who helped, both on and off-list!

Right now, the original SSL problems seem all gone, and after turning
off ipv6 even gmail started to accept my email. Now I can connect with
mutt from home, access mailboxes over imaps, send email using ssl/tls
to any domain I have been able to try.

To get there, I had as I said to turn off ipv6, as shown in postconf
-n output below. Honestly, I have no idea if and what exactly I am
missing by not using ipv6, thanks in advance to whoever steps in to
explain.

In any case, I can say that the configuration below seems to be a
decent solution so far for running postfix 2.10 on Centos, for a small
number of users and domains, and without running any rdbms.

Next step is to figure out which between rainloop and roundcube is a
better/easier/safer webmail to set up.

General comments and/or tips on how to harden this, with stronger
ciphers or other stuff, are very welcome. Ditto for pointers to online
services to test if anything is OK wrt dkim, spf, dns, blacklists,
greylisting... (I DO know some of them, but not sure if they are the
most efficient). If anybody feels like receiving one email from that
server, just to confirm to me that everything is fine, please let me
know.

Thanks, and off to dinner and bed now...

Marco

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix-2.4.3-documentation/html
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = $myhostname
myhostname = a.mx.example.com
mynetworks = 127.0.0.0/8, myhomeipaddress
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
procmail_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.3-documentation/readme
relay_domains =
sample_directory = /etc/postfix
sender_dependent_relayhost_maps = hash:/etc/postfix/mymaps/relayhost_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_address_preference = ipv4
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps = hash:/etc/postfix/mymaps/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = check_client_access
cidr:/etc/postfix/client_checks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_helo_access hash:/etc/postfix/reject_own_helo,
check_policy_service unix:postgrey/socket
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/archive/example.com/fullchain1.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/letsencrypt/archive/example.com/privkey1.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/mymaps/valias.map
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/mymail_storage
virtual_mailbox_domains = /etc/postfix/mymaps/vhosts.map
virtual_mailbox_maps = hash:/etc/postfix/mymaps/vmailboxes.map
virtual_transport = procmail
virtual_uid_maps = static:1001

################################################################

postconf -Mf:

smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
628        inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
procmail   unix  -       n       n       -       -       pipe
    flags=D user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
    EXTENSION=${extension} /usr/local/etc/procmailrc.common