diff --git a/.gitignore b/.gitignore
index 49380b8..ac2657c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,6 @@
 *.tmp
 ssl/certs
 ssl/tmp
-ssl/db
\ No newline at end of file
+ssl/db
+*/ssl
+*/postfix/relay_clientcerts
diff --git a/docker-compose.yml b/docker-compose.yml
index 481eb72..663d771 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -88,7 +88,6 @@ services:
 - 8025:25
 volumes:
 - spool:/var/spool/postfix
- # - ./etc-zntrl/postfix:/etc/postfix
 networks:
 traefik:
 external: true
@@ -98,4 +97,3 @@ volumes:
 search:
 z-push:
 spool:
-
diff --git a/etc-relay/postfix/main.cf b/etc-relay/postfix/main.cf
index 023fb66..76a74ed 100644
--- a/etc-relay/postfix/main.cf
+++ b/etc-relay/postfix/main.cf
@@ -33,8 +33,8 @@ default_transport = smtp:
 
 # SMPTD (inbound) TLS parameters
 smtpd_tls_CApath = /etc/ssl/certs
-smtpd_tls_CAfile = /etc/ssl/certs/balusign-signing-ca.pem
-smtpd_tls_key_file=/etc/ssl/private/relay.de.key
+smtpd_tls_CAfile = /etc/ssl/certs/kopano-ca.crt
+smtpd_tls_key_file=/etc/ssl/private/pf-relay.key
 smtpd_tls_cert_file=/etc/ssl/relay-full-chain.pem
 smtpd_tls_security_level=may
 smtpd_tls_loglevel = 1
@@ -47,7 +47,7 @@ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
 
 # SMTP (outbound)
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_key_file=/etc/ssl/private/relay.de.key
+smtp_tls_key_file=/etc/ssl/private/pf-relay.key
 smtp_tls_cert_file=/etc/ssl/relay-full-chain.pem
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
diff --git a/etc-zntrl/postfix/main.cf b/etc-zntrl/postfix/main.cf
new file mode 100644
index 0000000..6e573bb
--- /dev/null
+++ b/etc-zntrl/postfix/main.cf
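Review bot: The relay's `smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination`, visible as context of the second etc-relay/postfix/main.cf hunk, contains no `permit_tls_clientcerts`, and nothing in either hunk sets `relay_clientcerts` or `smtpd_tls_ask_ccert`, so the fingerprint table that ssl/mkcerts now copies into etc-relay/postfix would not be consulted unless those parameters are configured outside the hunk. If relaying is meant to be authorised by the zntrl client certificate, the relay side needs `smtpd_tls_ask_ccert = yes`, `relay_clientcerts = hash:/etc/postfix/relay_clientcerts` and `permit_tls_clientcerts` placed before `reject_unauth_destination`. The same gap applies to the new etc-zntrl/postfix/main.cf and etc-baloghs destination further down, which also receive the table. It is also worth confirming that /etc/ssl/relay-full-chain.pem was reissued against the new pf-relay.key, since this hunk changes only the key and CA file names while the certificate path stays the same.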
@@ -0,0 +1,60 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+maillog_file = /dev/stdout
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on fresh installs.
+compatibility_level = 2
+
+# local domains
+myhostname = mta.zntrl.de
+mydestination = $mydomain, localhost.$mydomain, localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = zntrl.de
+# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+# trusts all hosts in the kopano docker network
+mynetworks_style = subnet
+
+# virtual domains
+virtual_mailbox_domains = zntrl.de ads64.de
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_alias_maps = hash:/etc/postfix/virtual
+# virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
+virtual_transport = lmtp:dagent:2003
+
+# default outbound transport for all domains, use one relay for all domains
+# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound)
+default_transport = smtp:[relay.zntrl.de]:465
+
+# SMTPD (inbound) TLS parameters
+smtpd_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key
+smtpd_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem
+smtpd_tls_CApath = /etc/ssl/certs
+smtpd_tls_CAfile = /etc/postfix/ssl/certs/balusign-signing-ca.pem
+smtpd_tls_security_level=may
+smtpd_tls_loglevel = 1
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+# SMTP (outbound)
+smtp_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key
+smtp_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
+smtp_tls_loglevel = 1
+
+mailbox_size_limit = 0
+message_size_limit = 50000000
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
diff --git a/etc-zntrl/postfix/master.cf b/etc-zntrl/postfix/master.cf
new file mode 100644
index 0000000..26f51e5
--- /dev/null
+++ b/etc-zntrl/postfix/master.cf
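Review bot: `smtp_tls_security_level = encrypt` on the outbound side only enforces encryption; it does not check that the peer reached via `default_transport = smtp:[relay.zntrl.de]:465` presents a certificate chaining to the project CA, so a host sitting in the path can still accept the relayed mail. Since the relay certificate is issued by the private CA (kopano-ca.crt per the etc-relay change) rather than by anything under /etc/ssl/certs, consider `smtp_tls_security_level = secure` together with `smtp_tls_CAfile = /etc/postfix/ssl/certs/kopano-ca.crt` (presumably where ssl/create-postfix-certs places the CA inside the container), or the `fingerprint` level pinned to the relay certificate. Separately, the file names used here (`nuc0.lan.key`, `nuc0-full-chain.pem`, `balusign-signing-ca.pem`) do not match what ssl/create-postfix-certs writes for CN=zntrl (`zntrl.key`, `zntrl-full-chain.pem`, `kopano-ca.crt`), so one of the two sides presumably needs aligning. `defer_unauth_destination` answers unauthorised relay attempts with a 4xx so clients keep retrying; `reject_unauth_destination` is the usual choice once the setup is stable.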
@@ -0,0 +1,67 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - y - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 
1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd diff --git a/etc-zntrl/postfix/relay_clientcerts b/etc-zntrl/postfix/relay_clientcerts new file mode 100644 index 0000000..192f3b1 --- /dev/null +++ b/etc-zntrl/postfix/relay_clientcerts @@ -0,0 +1,2 @@ +57:6c:b5:f6:49:0e:9d:62:cc:c5:63:80:e5:64:58:ed relay.de +d4:16:18:1e:21:37:45:fa:a9:ad:d7:7f:0c:37:8f:7c zntrl.de diff --git a/etc-zntrl/postfix/virtual b/etc-zntrl/postfix/virtual new file mode 100644 index 0000000..1734f7f --- /dev/null +++ b/etc-zntrl/postfix/virtual @@ -0,0 +1,3 @@ +postmaster@zntrl.de postmaster +abuse@zntrl.de postmaster + diff --git a/etc-zntrl/postfix/vmailbox b/etc-zntrl/postfix/vmailbox new file mode 100644 index 0000000..a8e24a6 --- /dev/null +++ b/etc-zntrl/postfix/vmailbox @@ -0,0 +1,8 @@ +baloan@zntrl.de notused +blu3prince@zntrl.de notused +fafnir@zntrl.de notused +postmaster@zntrl.de notused +andreas@ads64.de notused +postmaster@ads64.de notused +# Comment out the entry below to implement a catch-all. +# @zntrl.de notused diff --git a/ssl/create-key b/ssl/create-key index 3a49fc5..62e59c3 100644 --- a/ssl/create-key +++ b/ssl/create-key 
@@ -4,5 +4,7 @@ echo creating keys for $1
 # private key for client, public key for server sslkeys
 export CN=$1
 export SAN=DNS:$CN
-openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key
-openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -out certs/$CN.crt -extensions server_ext
+openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key
+openssl rsa -in certs/$CN.key -pubout -out certs/$CN-public-key.pem
+openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -notext -out certs/$CN.crt -extensions server_ext
+cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem
\ No newline at end of file
diff --git a/ssl/create-postfix-certs b/ssl/create-postfix-certs
new file mode 100644
index 0000000..faecb46
--- /dev/null
+++ b/ssl/create-postfix-certs
@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+export CN=$1
+./create-key $CN
+pushd certs
+# The default algorithm is sha256 with Postfix ≥ 3.6 and the compatibility_level set to 3.6 or higher.
+# With Postfix ≤ 3.5, the default algorithm is md5.
+# https://www.postfix.org/postconf.5.html#relay_clientcerts
+openssl x509 -in $CN.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -md5 -c | ( read D FP; echo $FP $CN ) >>relay_clientcerts
+cp $CN.key ~/kopano-docker/etc-$CN/ssl/private
+cp kopano-ca.crt ~/kopano-docker/etc-$CN/ssl/certs
+cat kopano-ca.crt $CN.crt >~/kopano-docker/etc-$CN/ssl/$CN-full-chain.pem
+popd
diff --git a/ssl/mkcerts b/ssl/mkcerts
index 4b51f96..2cdf14e 100644
--- a/ssl/mkcerts
+++ b/ssl/mkcerts
@@ -3,6 +3,7 @@ export OPENSSL_CONF=./etc/kopano-ca.conf
 export CA_PWD=kopano
 export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/"
 # create ssl certificates for docker network
+rm certs/*
 rm tmp/*.csr
 rm db/*.pem
 rm db/*.db
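Review bot: `cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem` writes a second copy of the private key with the script's current umask, so unless the umask is already 077 the bundle ends up group- or world-readable even where the key written by `openssl req -keyout` is not. Create it with restricted permissions, e.g. `(umask 077; cat -- "certs/$CN.key" "certs/$CN.crt" >"certs/$CN-key-certs.pem")`, and quote `$CN` on the other added lines as well, since it is taken directly from `$1`. `openssl rsa -pubout` also assumes the key type produced by the OpenSSL config is RSA; `openssl pkey -pubout` gives the same output for any key type. The first lines of create-key, including any `set -e`, are outside the hunk.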
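Review bot: The fingerprint appended to relay_clientcerts is an MD5 digest (`openssl dgst -md5`), which the comment itself notes is only the Postfix default before 3.6; for an authorisation table use SHA-256 and pin the digest on the server with `smtpd_tls_fingerprint_digest = sha256` so the generated table and Postfix agree regardless of compatibility_level. The script also has no `set -e`, so a failed `./create-key` or `pushd` still appends a fingerprint from whatever `$CN.crt` happens to exist and copies stale files; `$CN` comes from `$1` and is unquoted throughout, and `cp $CN.key` copies the private key with default permissions. A hardened version of the body follows.
```shell
#!/usr/bin/bash
set -euo pipefail
CN=${1:?usage: create-postfix-certs <cn>}
export CN
./create-key "$CN"
pushd certs >/dev/null
# … unchanged: digest comments and postconf link …
# SHA-256 public-key fingerprint; pair with smtpd_tls_fingerprint_digest = sha256 on the server
openssl x509 -in "$CN.crt" -noout -pubkey \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 -c \
  | { read -r _ fp; printf '%s %s\n' "$fp" "$CN"; } >>relay_clientcerts
install -m 600 -- "$CN.key" ~/kopano-docker/etc-"$CN"/ssl/private/
cp -- kopano-ca.crt ~/kopano-docker/etc-"$CN"/ssl/certs/
# … unchanged: full-chain cat and popd …
```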
@@ -12,8 +13,9 @@ touch db/kopano-ca.db.attr
 echo 01 >db/kopano-ca.crt.srl
 echo 01 >db/kopano-ca.crl.srl
 # create signing ca (minimal pki)
+# inject distinguished_name (subj) and req_extensions (-reqexts) because -section req_ca is not yet available (section default: req)
 openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key
-openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/kopano-ca.crt -extensions signing_ca_ext
+openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -notext -out certs/kopano-ca.crt -extensions signing_ca_ext
 
 # create kopano server ssl key (for encryption)
 ./create-key server
@@ -25,3 +27,13 @@ openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/
 ./create-key search
 ./create-key webapp
 ./create-key z-push
+
+# create postfix clients ssl key pair (for authentification)
+echo >certs/relay_clientcerts
+./create-postfix-certs relay
+./create-postfix-certs zntrl
+./create-postfix-certs baloghs
+
+cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix
diff --git a/todo b/todo
index e499235..4d70ba5 100644
--- a/todo
+++ b/todo
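Review bot: The three `cp certs/relay_clientcerts ~/kopano-docker/etc-*/postfix` lines distribute only the plain-text table; if the containers reference it as a `hash:` table (the usual form for relay_clientcerts), Postfix reads the `.db` built by `postmap`, so either run `postmap` on each copy here or make sure the container start-up does it, otherwise fingerprints from a re-run never take effect. `echo >certs/relay_clientcerts` also seeds the table with an empty first line; `: >certs/relay_clientcerts` truncates it cleanly. The destinations are hard-coded and etc-baloghs is not part of this change, so a missing directory makes `cp` report an error while the script carries on, as nothing visible in mkcerts sets `-e` (its first lines are outside the hunk).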
@@ -1,10 +1,11 @@
-complete internal SSL key generation and injection
-complete relay SSL key generation and injection (manual for distribution to relay)
-recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)
-bareos mysql backup (mysqldump, or database shutdown during backup)
-remove all etc volume mounts
-kopano server and database tuning
-check logging for all containers
+ok - complete internal SSL key generation and injection
+ok - complete relay SSL key generation and injection (manual for distribution to relay)
+enable zntrl.de
 remove passwords from gitlab & docker
 add spamd
-baloghs.de migration
\ No newline at end of file
+check logging for all containers
+bareos mysql backup (mysqldump, or database shutdown during backup)
+recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)
+kopano server and database tuning
+? - remove all etc volume mounts
+baloghs.de migration