docker
/
docker-mailserver
mirror of https://github.com/tomav/docker-mailserver.git
1
0
Fork 0
Code Issues Releases Wiki Activity

chore: Use content tabs

This commit is contained in:
Brennan Kinney 2024-04-16 19:04:56 +12:00 committed by GitHub
parent 7c00d61880
commit 304cab45da
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 142 additions and 136 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

198
docs/content/examples/use-cases/external-relay-only-mailserver.md
View File

@ -56,108 +56,111 @@ You will need to install Postfix on your _public server_. The functionality that
It's necessary to adjust some settings afterwards.
???+ example "Postfix main config"
<!-- This empty quote block is purely for a visual border -->
!!! quote ""
Create or replace `/etc/postfix/main.cf` with this content:
=== "Postfix main config"
```cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
??? example "Create or replace `/etc/postfix/main.cf`"
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
```cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# appending .domain is the MUA's job.
append_dot_mydomain = no
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# appending .domain is the MUA's job.
append_dot_mydomain = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/certificates/mail.example.com.crt
smtpd_tls_key_file=/etc/postfix/certificates/mail.example.com.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
maillog_file = /var/log/postfix.log
mailbox_size_limit = 0
inet_interfaces = all
inet_protocols = ipv4
readme_directory = no
recipient_delimiter = +
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/certificates/mail.example.com.crt
smtpd_tls_key_file=/etc/postfix/certificates/mail.example.com.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Customizations relevant to this guide:
myhostname = mail.example.com
myorigin = example.com
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination, hash:/etc/postfix/relay
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
maillog_file = /var/log/postfix.log
mailbox_size_limit = 0
inet_interfaces = all
inet_protocols = ipv4
readme_directory = no
recipient_delimiter = +
# Disable local system accounts and delivery:
local_recipient_maps =
local_transport = error:local mail delivery is disabled
```
# Customizations relevant to this guide:
myhostname = mail.example.com
myorigin = example.com
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination, hash:/etc/postfix/relay
Let's highlight some of the important parts:
# Disable local system accounts and delivery:
local_recipient_maps =
local_transport = error:local mail delivery is disabled
```
- Avoid including `mail.example.com` in `mydestination`, in fact you can just set `localhost` or nothing at all here as we want all mail to be relayed to our _private server_ (DMS).
- `mynetworks` should contain your VPN network (_eg: `192.168.2.0/24` subnet_).
- Important are `transport_maps = hash:/etc/postfix/transport` and `relay_domains = $mydestination, hash:/etc/postfix/relay`, with their file contents covered below.
- For good measure also disable `local_recipient_maps`.
- You should have a valid certificate configured for `mail.example.com`.
Let's highlight some of the important parts:
!!! warning "Open relay"
- Avoid including `mail.example.com` in `mydestination`, in fact you can just set `localhost` or nothing at all here as we want all mail to be relayed to our _private server_ (DMS).
- `mynetworks` should contain your VPN network (_eg: `192.168.2.0/24` subnet_).
- Important are `transport_maps = hash:/etc/postfix/transport` and `relay_domains = $mydestination, hash:/etc/postfix/relay`, with their file contents covered below.
- For good measure also disable `local_recipient_maps`.
- You should have a valid certificate configured for `mail.example.com`.
Please be aware that setting `mynetworks` to a public CIDR will leave you with an open relay. **Only** set it to the CIDR of your VPN beyond the localhost ranges.
!!! warning "Open relay"
!!! example "Route outbound mail through a separate transport"
Please be aware that setting `mynetworks` to a public CIDR will leave you with an open relay. **Only** set it to the CIDR of your VPN beyond the localhost ranges.
When mail arrives to the _public server_ for an `@example.com` address, we want to send it via the `relay` transport to our _private server_ over port 25 for delivery to DMS.
=== "Route outbound mail through a separate transport"
[`transport_maps`][postfix-docs::transport_maps] is configured with a [`transport` table][postfix-docs::transport_table] file that matches recipient addresses and assigns a non-default transport. This setting has priority over [`relay_transport`][postfix-docs::relay_transport].
When mail arrives to the _public server_ for an `@example.com` address, we want to send it via the `relay` transport to our _private server_ over port 25 for delivery to DMS.
Create `/etc/postfix/transport` with contents:
[`transport_maps`][postfix-docs::transport_maps] is configured with a [`transport` table][postfix-docs::transport_table] file that matches recipient addresses and assigns a non-default transport. This setting has priority over [`relay_transport`][postfix-docs::relay_transport].
```txt
example.com relay:[192.168.2.3]:25
```
!!! example "Create `/etc/postfix/transport`"
Other considerations:
```txt
example.com relay:[192.168.2.3]:25
```
- If you have multiple domains, you can add them there too as separate lines.
- If you use a smarthost add `* relay:[X.X.X.X]:port` to the bottom, eg `* relay:[relay1.org]:587`, which will relay everything outbound via this relay host.
Other considerations:
!!! tip
- If you have multiple domains, you can add them there too as separate lines.
- If you use a smarthost add `* relay:[X.X.X.X]:port` to the bottom, eg `* relay:[relay1.org]:587`, which will relay everything outbound via this relay host.
Instead of a file, you could alternatively configure `main.cf` with `transport_maps = inline:{ example.com=relay:[192.168.2.3]:25 }`
!!! tip
!!! example "Configure recipient domains to relay mail"
Instead of a file, you could alternatively configure `main.cf` with `transport_maps = inline:{ example.com=relay:[192.168.2.3]:25 }`
We want `example.com` to be relayed inbound and everything else relayed outbound.
=== "Configure recipient domains to relay mail"
[`relay_domains`][postfix-docs::relay_domains] is configured with a file with a list of domains that should be relayed (one per line), the 2nd value is required but can be anything.
We want `example.com` to be relayed inbound and everything else relayed outbound.
Create `/etc/postfix/relay` with contents:
[`relay_domains`][postfix-docs::relay_domains] is configured with a file with a list of domains that should be relayed (one per line), the 2nd value is required but can be anything.
```txt
example.com OK
* OK
```
!!! example "Create `/etc/postfix/relay`"
!!! tip
```txt
example.com OK
* OK
```
Instead of a file, you could alternatively configure `main.cf` with `relay_domains = example.com`.
!!! tip
Run `postmap /etc/postfix/transport` and `postmap /etc/postfix/relay` after creating or updating those files to make them compatible for Postfix to use.
Instead of a file, you could alternatively configure `main.cf` with `relay_domains = example.com`.
Run `postmap /etc/postfix/transport` and `postmap /etc/postfix/relay` after creating or updating those files to make them compatible for Postfix to use.
## Private Server (Running DMS)
@ -168,49 +171,52 @@ You can setup your DMS instance as you normally would.
Next we need to configure our _private server_ to relay all outbound mail through the _public server_ (or a separate smarthost service). The setup is [similar to the default relay setup][docs::relay-host-details].
!!! example "Configure the relay host"
<!-- This empty quote block is purely for a visual border -->
!!! quote ""
Create `postfix-relaymap.cf` with contents:
=== "Configure the relay host"
```txt
@example.com [192.168.2.2]:25
```
!!! example "Create `postfix-relaymap.cf`"
Meaning all mail sent outbound from `@example.com` addresses will be relayed through the _public server_ at the VPN IP.
```txt
@example.com [192.168.2.2]:25
```
The _public server_ `mynetworks` setting from earlier trusts any mail received on port 25 from the VPN network, which is what allows the mail to be sent outbound when it'd otherwise be denied.
Meaning all mail sent outbound from `@example.com` addresses will be relayed through the _public server_ at that VPN IP.
!!! example "Trust the _public server_"
The _public server_ `mynetworks` setting from earlier trusts any mail received on port 25 from the VPN network, which is what allows the mail to be sent outbound when it'd otherwise be denied.
Create `postfix-main.cf` with contents:
=== "Trust the _public server_"
```txt
mynetworks = 192.168.2.0/24
```
!!! example "Create `postfix-main.cf`"
This will trust any connection from the VPN network to DMS, such as from the _public server_ when relaying mail over to DMS at the _private server_.
```txt
mynetworks = 192.168.2.0/24
```
This step is necessary to skip some security measures that DMS normally checks for, like verifying DNS records like SPF are valid. As the mail is being relayed, those checks would fail otherwise as the IP of your _public server_ would not be authorized to send mail on behalf of the sender address in mail being relayed.
This will trust any connection from the VPN network to DMS, such as from the _public server_ when relaying mail over to DMS at the _private server_.
!!! tip "Alternative to `mynetworks`"
This step is necessary to skip some security measures that DMS normally checks for, like verifying DNS records like SPF are valid. As the mail is being relayed, those checks would fail otherwise as the IP of your _public server_ would not be authorized to send mail on behalf of the sender address in mail being relayed.
Instead of trusting connections by their IP with the `mynetworks` setting, those same security measures can be skipped for any authenticated deliveries to DMS over port 587 instead.
??? tip "Alternative to `mynetworks` setting"
This is a bit more work. `mynetworks` on the _public server_ config is for trusting DMS to send mail from the _private server_, thus you'll need to have that public Postfix service configured with a login account that DMS can use.
Instead of trusting connections by their IP with the `mynetworks` setting, those same security measures can be skipped for any authenticated deliveries to DMS over port 587 instead.
On the DMS side, `postfix-sasl-password.cf` configures which credentials should be used for a SASL login address:
This is a bit more work. `mynetworks` on the _public server_ `main.cf` Postfix config is for trusting DMS when it sends mail from the _private server_, thus you'll need to have that public Postfix service configured with a login account that DMS can use.
```txt
@example.com user:secret
```
On the _private server_ DMS needs to know the credentials for that login account, that is handled with `postfix-sasl-password.cf`:
You could also relay mail through SendGrid, AWS SES or similar instead of the _public server_ you're running, providing login credentials through the same `postfix-sasl-password.cf` file.
```txt
@example.com user:secret
```
---
You could also relay mail through SendGrid, AWS SES or similar instead of the _public server_ you're running to receive mail from. Login credentials for those relay services are provided via the same `postfix-sasl-password.cf` file.
Likewise for the _public server_ to send mail to DMS, it would need to be configured to relay mail with credentials too, removing the need for `mynetworks` on the DMS `postfix-main.cf` config.
---
The extra effort to require authentication instead of blind trust of your private subnet can be beneficial at reducing the impact of a compromised system or service on that network that wasn't expected to be permitted to send mail.
Likewise for the _public server_ to send mail to DMS, it would need to be configured to relay mail with credentials too, removing the need for `mynetworks` on the DMS `postfix-main.cf` config.
The extra effort to require authentication instead of blind trust of your private subnet can be beneficial at reducing the impact of a compromised system or service on that network that wasn't expected to be permitted to send mail.
## IMAP / POP3