forked from pool/postfix
113e4ff966
- update to 3.9.0
  * As described in DEPRECATION_README, the SMTP server features
    "permit_naked_ip_address", "check_relay_domains", and
    "reject_maps_rbl" have been removed, after they have been logging a
    warning for some 20 years. These features now log a warning and
    return a "server configuration error" response.
  * The MySQL client no longer supports MySQL versions < 4.0. MySQL
    version 4.0 was released in 2003.
  * As covered in DEPRECATION_README, the configuration parameter
    "disable_dns_lookup" and about a dozen TLS-related parameters are
    now officially obsolete. These parameters still work, but the
    postconf command logs warnings that they will be removed from
    Postfix.
  * As covered in DEPRECATION_README, "permit_mx_backup" logs a warning
    that it will be removed from Postfix.
  * In message headers, Postfix now formats numerical days as two-digit
    days, i.e. days 1-9 have a leading zero instead of a leading space.
    This change was made because the RFC 5322 date and time
    specification recommends (i.e. SHOULD) that a single space be used
    in each place that folding white space appears. This change avoids
    a breaking change in the length of a date string.
  * The MySQL client default character set is now configurable with the
    "charset" configuration file attribute. The default is "utf8mb4",
    consistent with the MySQL 8.0 built-in default, but different from
    earlier MySQL versions where the built-in default was "latin1".
  * Support to query MongoDB databases, contributed by Hamid Maadani,
    based on earlier code by Stephan Ferraro. See MONGODB_README and
    mongodb_table(5).
  * The RFC 3461 envelope ID is now exported in the local(8) delivery
    agent with the ENVID environment variable, and in the pipe(8)
    delivery agent with the ${envid} command-line attribute.
  * Configurable idle and retry timer settings in the mysql: and pgsql:
    clients. A shorter than default retry timer can speed up the
    recovery after error, when Postfix is configured with only one
    server in the "hosts" attribute. After the code was frozen for
    release, we have learned that Postfix can recover faster from some
    errors when the single server is specified multiple times in the
    "hosts" attribute.
  * Optional Postfix TLS support to request an RFC7250 raw public key
    instead of an X.509 public-key certificate. The configuration
    settings for raw public key support will be ignored when there is
    no raw public key support in the local TLS implementation (i.e.
    Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES for
    more information.
  * Preliminary support for OpenSSL configuration files, primarily
    OpenSSL 1.1.1b and later. This introduces two new parameters
    "tls_config_file" and "tls_config_name", which can be used to limit
    collateral damage from OS distributions that crank up security to
    11, increasing the number of plaintext email deliveries. Details
    are in the postconf(5) manpage under "tls_config_file" and
    "tls_config_name".
  * With "smtpd_forbid_unauth_pipelining = yes" (the default), Postfix
    defends against multiple "blind" SMTP attacks. This feature was
    back-ported to older stable releases but disabled by default.
  * With "smtpd_forbid_bare_newline = normalize" (the default) Postfix
    defends against SMTP smuggling attacks. See RELEASE_NOTES for
    details. This feature was back-ported to older stable releases but
    disabled by default.
  * Prevent outbound SMTP smuggling, where an attacker uses Postfix to
    send email containing a non-standard End-of-DATA sequence, to
    exploit inbound SMTP smuggling at a vulnerable remote SMTP server.
    With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
    daemon replaces each stray <CR> or <LF> character in message
    content with a space character. This feature was back-ported to
    older stable releases with identical functionality.
  * The Postfix DNS client now limits the total size of DNS lookup
    results to 100 records; it drops the excess records, and logs a
    warning. This limit is 20x larger than the number of server
    addresses that the Postfix SMTP client is willing to consider when
    delivering mail, and is far below the number of records that could
    cause a tail recursion crash in dns_rr_append() as reported by
    Toshifumi Sakaguchi. This also introduces a similar limit on the
    number of DNS requests that a check_*_*_access restriction can
    make. All this was back-ported to older stable releases with
    identical functionality.
- refreshed patch:
  % postfix-no-md5.patch
- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
  % postfix-SUSE.tar.gz
  % postfix-main.cf.patch
  % postfix-master.cf.patch

OBS-URL: https://build.opensuse.org/request/show/1156371
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=481
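The two SMTP smuggling defences named in the changelog above, smtpd_forbid_bare_newline on the receiving side and cleanup_replace_stray_cr_lf on the sending side, are easiest to understand by running a model of the End-of-DATA handling they change. What follows is an added example written for this page, not Postfix code: it approximates the "no" / "normalize" / "reject" behaviours that postconf(5) describes on a constructed DATA stream carrying an <LF>.<LF> smuggling attempt, and then shows why a stray CR or LF inside a stored message line matters once the message leaves for a remote server that is still lenient. The stream, the stored lines and the "lenient remote" are constructed for the demonstration; envelope validation and everything else a real smtpd(8) does are ignored.

```python
"""Added example (not Postfix code): a model of the End-of-DATA handling that
smtpd_forbid_bare_newline (inbound) and cleanup_replace_stray_cr_lf (outbound)
control. The stream and stored lines below are constructed for the demo."""

CRLF, LF = b"\r\n", b"\n"

# Constructed DATA stream: a legitimate message whose body ends with a bare
# "\n.\n" (LF-dot-LF) instead of CRLF.CRLF, followed by a forged envelope that
# a lenient server would execute as fresh SMTP commands.
SMUGGLING_STREAM = (
    b"From: alice@example.org\r\nTo: bob@example.net\r\n\r\nhello\r\n"
    b"\n.\n"                                  # non-standard end-of-data
    b"MAIL FROM:<ceo@example.net>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"
    b"Subject: smuggled\r\n\r\nwire money\r\n.\r\n"
)

# Constructed message as a queue file holds it (lines without terminators); the
# last line hides a bare "\n.\n" plus a forged envelope.
STORED_LINES = [
    b"From: alice@example.org", b"To: bob@example.net", b"",
    b"hello\n.\nMAIL FROM:<ceo@example.net>\r\nRCPT TO:<bob@example.net>\r\n"
    b"DATA\r\nSubject: smuggled\r\n\r\nwire money",
]


def split_lines(stream):
    """(line, terminator) pairs; terminator is CRLF, bare LF, or b"" for a tail."""
    lines, start = [], 0
    for i, byte in enumerate(stream):
        if byte == 0x0A:
            if i > start and stream[i - 1] == 0x0D:
                lines.append((stream[start:i - 1], CRLF))
            else:
                lines.append((stream[start:i], LF))
            start = i + 1
    if start < len(stream):
        lines.append((stream[start:], b""))
    return lines


def receive_data(stream, mode):
    """Model server reading one DATA phase under smtpd_forbid_bare_newline = mode
    ("no", "normalize", "reject"). Returns (status, body_lines, rest), where rest
    is what the server would go on to parse as its next SMTP commands."""
    assert mode in ("no", "normalize", "reject")
    body, consumed, prev_term = [], 0, CRLF   # the DATA command ended in CRLF
    for line, term in split_lines(stream):
        if term == b"":
            break                             # wait for more input
        consumed += len(line) + len(term)
        bare = term == LF
        if bare and mode == "reject":
            return "rejected", [], b""        # any bare newline is fatal
        if line == b".":
            standard = not bare and prev_term == CRLF      # true CRLF.CRLF
            if standard or mode == "no":
                # "no" (vulnerable): <LF>.<LF> also ends DATA; what follows becomes commands
                return "accepted", body, stream[consumed:]
            # "normalize": a "." line not framed by CRLF is plain content
        body.append(line[1:] if line.startswith(b".") else line)
        prev_term = term
    return "incomplete", body, b""


def simulate_session(stream, mode):
    """Run the model server over the whole stream: a "DATA\\r\\n" in what is
    left after an end-of-data means a second message was smuggled through."""
    messages = []
    while True:
        status, body, rest = receive_data(stream, mode)
        if status != "accepted":
            return status, messages
        messages.append(body)
        marker = rest.find(b"DATA" + CRLF)
        if marker < 0:
            return "accepted", messages
        stream = rest[marker + 6:]


def prepare_outbound(lines, replace_stray_cr_lf):
    """Model of cleanup(8) feeding stored lines to the SMTP client. With
    cleanup_replace_stray_cr_lf, a CR or LF inside a line becomes a space."""
    wire = b""
    for line in lines:
        if replace_stray_cr_lf:
            line = line.replace(b"\r", b" ").replace(b"\n", b" ")
        if line.startswith(b"."):
            line = b"." + line                # dot-stuffing, RFC 5321 4.5.2
        wire += line + CRLF
    return wire + b"." + CRLF


if __name__ == "__main__":
    for mode in ("no", "normalize", "reject"):
        status, msgs = simulate_session(SMUGGLING_STREAM, mode)
        print(f"inbound  forbid_bare_newline={mode:<9} -> {status}, {len(msgs)} message(s)")
    for flag in (False, True):
        _, msgs = simulate_session(prepare_outbound(STORED_LINES, flag), "no")
        print(f"outbound replace_stray_cr_lf={str(flag):<5} -> lenient remote takes {len(msgs)} message(s)")
```

Under "no" the model accepts two messages, the second with the forged MAIL FROM; under "normalize" the whole thing is one message whose body merely contains the text "MAIL FROM:<ceo@example.net>"; under "reject" the first bare newline ends the transaction. On the outbound side, the same lenient remote takes two messages from the stored lines unless the stray CR/LF are replaced, which is the point of cleanup_replace_stray_cr_lf defaulting to yes.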
219 lines
7.3 KiB
Diff
Index: conf/main.cf
===================================================================
--- conf/main.cf.orig
+++ conf/main.cf
@@ -285,7 +285,7 @@ unknown_local_recipient_reject_code = 55
#
#mynetworks = 168.100.3.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
-#mynetworks = hash:/etc/postfix/network_table
+#mynetworks = lmdb:/etc/postfix/network_table

# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_relay_restrictions and
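Review bot: the hash: to lmdb: switch in `+#mynetworks = lmdb:/etc/postfix/network_table` (repeated in every map example below) is not explained anywhere in the file: a reader who uncomments it needs an lmdb-enabled Postfix (`postconf -m` must list `lmdb`) and must build the table with `postmap lmdb:/etc/postfix/network_table`, otherwise Postfix refuses the map type at startup. A one-line comment next to the example would avoid that surprise, all the more because the block appended at the end of this file activates `relay_domains = $mydestination, lmdb:/etc/postfix/relay` for real.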
@@ -352,7 +352,7 @@ unknown_local_recipient_reject_code = 55
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
-#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#
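Review bot: `+#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients` stays commented out while the block appended at the end of this file activates `relay_domains = $mydestination, lmdb:/etc/postfix/relay`. With relay domains defined and no relay_recipient_maps, Postfix accepts mail for every address in those domains and only learns at delivery time that the recipient does not exist, which makes the host a backscatter source. Either enable the map together with relay_domains, or state in the comment that the two are meant to be switched on as a pair.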
@@ -407,8 +407,8 @@ unknown_local_recipient_reject_code = 55
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
-#alias_maps = hash:/etc/aliases
-#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = lmdb:/etc/aliases
+#alias_maps = lmdb:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases

# The alias_database parameter specifies the alias database(s) that
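Review bot: these `alias_maps` examples (`+#alias_maps = lmdb:/etc/aliases`) are contradicted further down in the same file, where the appended block sets `alias_maps =` to an empty value; for a parameter defined twice in main.cf the last definition wins and postconf warns about overriding the earlier entry, so uncommenting any of these lines has no effect. Either drop the empty assignment from the appended block or put the pointer to /etc/sysconfig/postfix and config.postfix right here, where a reader looks first.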
@@ -418,8 +418,8 @@ unknown_local_recipient_reject_code = 55
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
-#alias_database = hash:/etc/aliases
-#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+#alias_database = lmdb:/etc/aliases
+#alias_database = lmdb:/etc/aliases, lmdb:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#
@@ -576,6 +576,7 @@ unknown_local_recipient_reject_code = 55
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+smtpd_banner = $myhostname ESMTP

# PARALLEL DELIVERY TO THE SAME DESTINATION
#
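Review bot: `+smtpd_banner = $myhostname ESMTP` is the only line in this hunk that is active rather than an example, and nothing says so or why (dropping `$mail_name ($mail_version)` keeps the software name and version out of the greeting). The banner now rests entirely on `myhostname`, which the appended block sets to an empty value; whoever fills it in (config.postfix or the admin) must use the FQDN, since RFC 5321 section 4.2 defines the 220 greeting as starting with the server's domain name and some receivers check for it. A short comment above the line would make both points.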
@@ -682,4 +683,165 @@ sample_directory =
# readme_directory: The location of the Postfix README files.
#
readme_directory =
+
+############################################################
+#
+# before changing values manually consider editing
+# /etc/sysconfig/postfix
+# and run
+# config.postfix
+#
+# if you miss a feature of config.postfix then just send a
+# mail to chris@computersalat.de
+# patches for new feature(s) are also welcome :)
+#
+############################################################
+
+biff = no
+content_filter =
+delay_warning_time = 0h
+smtp_dns_support_level = enabled
+disable_mime_output_conversion = no
+disable_vrfy_command = yes
+inet_interfaces = all
inet_protocols = ipv4
+masquerade_classes = envelope_sender, header_sender, header_recipient
+masquerade_domains =
+masquerade_exceptions =
+mydestination = $myhostname, localhost.$mydomain, localhost
+myhostname =
+mynetworks_style = subnet
+relayhost =
+
+alias_maps =
+canonical_maps =
+relocated_maps =
+sender_canonical_maps =
+transport_maps =
+mail_spool_directory = /var/mail
+message_strip_characters =
+defer_transports =
+mailbox_command =
+mailbox_transport =
+mailbox_size_limit = 0
+message_size_limit = 0
+strict_8bitmime = no
+strict_rfc821_envelopes = no
+smtpd_delay_reject = yes
+smtpd_helo_required = no
+
+smtpd_client_restrictions =
+
+smtpd_helo_restrictions =
+
+smtpd_sender_restrictions =
+
+smtpd_recipient_restrictions =
+
+
+######################################################################
+# SMTP Smuggling (CVE-2023-51764)
+# no: allows SMTP smuggling
+# yes / normalize :
+# but allow local clients with non-standard SMTP implementations
+# such as netcat, fax machines, or load balancer health checks.
+# reject:
+# rejects a command or message that contains a bare newline
+######################################################################
+smtpd_forbid_bare_newline = normalize
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+#smtpd_forbid_bare_newline_reject_code = 521
+
+############################################################
+# SASL stuff
+############################################################
+smtp_sasl_auth_enable = no
+smtp_sasl_security_options =
+smtp_sasl_password_maps =
+smtpd_sasl_auth_enable = no
+# cyrus : smtpd_sasl_type = cyrus
+# smtpd_sasl_path = smtpd
+# dovecot : smtpd_sasl_type = dovecot
+# smtpd_sasl_path = private/auth
+smtpd_sasl_type = cyrus
+smtpd_sasl_path = smtpd
+############################################################
+# TLS stuff
+############################################################
+#tls_append_default_CA = no
+relay_clientcerts =
+#tls_random_source = dev:/dev/urandom
+
+smtp_use_tls = no
+#smtp_tls_loglevel = 0
+smtp_enforce_tls = no
+smtp_tls_security_level =
+smtp_tls_CAfile =
+smtp_tls_CApath =
+smtp_tls_cert_file =
+smtp_tls_key_file =
+#smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy
+#smtp_tls_session_cache_timeout = 3600s
+smtp_tls_session_cache_database =
+
+smtpd_use_tls = no
+#smtpd_tls_loglevel = 0
+smtpd_enforce_tls = no
+smtpd_tls_security_level =
+smtpd_tls_CAfile =
+smtpd_tls_CApath =
+smtpd_tls_cert_file =
+smtpd_tls_key_file =
+smtpd_tls_ask_ccert = no
+smtpd_tls_exclude_ciphers = RC4
+smtpd_tls_received_header = no
+############################################################
+# OpenDKIM
+############################################################
+#smtpd_milters = unix:/run/opendkim/opendkim.sock
+#non_smtpd_milters = $smtpd_milters
+#milter_default_action = accept
+#milter_protocol = 2
+############################################################
+# Start MySQL from postfixwiki.org
+############################################################
+relay_domains = $mydestination, lmdb:/etc/postfix/relay
+#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
+#virtual_alias_domains =
+#virtual_alias_maps = lmdb:/etc/postfix/virtual
+#virtual_uid_maps = static:303
+#virtual_gid_maps = static:303
+#virtual_minimum_uid = 303
+#virtual_mailbox_base = /srv/maildirs
+#virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
+#virtual_mailbox_limit = 0
+#virtual_mailbox_limit_inbox = no
+#virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
+## For dovecot LMTP replace 'virtual' with 'lmtp:unix:private/dovecot-lmtp'
+#virtual_transport = virtual
+## Additional for quota support
+#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
+#virtual_mailbox_limit_override = yes
+### Needs Maildir++ compatible IMAP servers, like Courier-IMAP
+#virtual_maildir_filter = yes
+#virtual_maildir_filter_maps = lmdb:/etc/postfix/vfilter
+#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
+#virtual_maildir_limit_message_maps = lmdb:/etc/postfix/vmsg
+#virtual_overquota_bounce = yes
+#virtual_trash_count = yes
+#virtual_trash_name = ".Trash"
+############################################################
+# End MySQL from postfixwiki.org
+############################################################
+# Rewrite reject codes
+############################################################
+#unknown_address_reject_code = 550
+#unknown_client_reject_code = 550
+#unknown_hostname_reject_code = 550
+#unverified_recipient_reject_code = 550
+#unverified_sender_reject_code = 550
+#soft_bounce = yes
+############################################################
+#debug_peer_list = example.com
+#debug_peer_level = 3
+
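Review bot: `+smtpd_forbid_bare_newline_exclusions = $mynetworks` together with `+mynetworks_style = subnet` and `+inet_interfaces = all` exempts every host on every subnet this machine is attached to from the smuggling defence that `+smtpd_forbid_bare_newline = normalize` switches on; on a server in a shared or hosting network that is precisely the population not to trust. Prefer an empty exclusion list and add only the specific legacy clients (the fax machine or health-check address the comment mentions) when they actually turn up. Smaller points in the same block: the comment above it lost its main clause (`+# yes / normalize :` is followed directly by `+# but allow local clients ...`), so state what normalize does (require CRLF.CRLF as end-of-data and treat a bare LF as CRLF) before the exception; `+#smtpd_forbid_bare_newline_reject_code = 521` suggests a code that tells clients this host accepts no mail at all (RFC 7504), whereas Postfix's default 550 is the right reply for one rejected command or message; `+smtp_sasl_security_options =` (empty) drops the default noplaintext/noanonymous protection on the client side, so the moment someone sets `smtp_sasl_auth_enable = yes` without TLS the relayhost password goes out in the clear; and `+#milter_protocol = 2` is a leftover from Postfix 2.5, the current default being 6.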