From 0cee5a426805797e87d133ad2e2a523dbb9ecddc Mon Sep 17 00:00:00 2001 From: Steven Thomas Smith Date: Sat, 2 Nov 2019 20:50:34 -0400 Subject: [PATCH] mail-server: Portfile and launch daemon improvements and bugfixes * Ensure that launch daemons run at load (necessary) * Apply review comments from PR https://github.com/macports/macports-ports/pull/4978 --- mail/dovecot2/Portfile | 4 +- mail/mail-server/Portfile | 105 ++++++++++++------ .../prefix/etc/dovecot/conf.d/10-auth.conf | 2 +- .../prefix/etc/dovecot/conf.d/10-mail.conf | 6 +- .../prefix/etc/dovecot/conf.d/10-master.conf | 14 +-- .../prefix/etc/dovecot/conf.d/10-ssl.conf | 4 +- .../etc/dovecot/conf.d/15-mailboxes.conf | 2 +- .../etc/dovecot/conf.d/auth-od.conf.ext | 6 +- .../files/prefix/etc/postfix/main.cf | 88 +++++++-------- .../prefix/etc/postfix/smtp.keytab.README.sh | 2 +- 10 files changed, 135 insertions(+), 98 deletions(-) diff --git a/mail/dovecot2/Portfile b/mail/dovecot2/Portfile index ca47fc9a75cd3..5a36d112b69a8 100644 --- a/mail/dovecot2/Portfile +++ b/mail/dovecot2/Portfile @@ -150,10 +150,10 @@ variant apns \ plugin. APNS use requires these steps: 1. Acquire APNS Mail certificates from a (virtual) macOS\ - High Sierra 10.13 and Server.app version 5.7. Export\ + High Sierra 10.13 and Server.app version 5.6. Export\ the certificates from the Keychain into the file\ com.apple.servermgrd.apns.mail.p12 . *Note*: APNS Mail\ - certificate creation is deprecated on Server.app version 5.8+. + certificate creation is deprecated on Server.app version 5.7+. 2. Convert the APNS Mail certificates to PEM files: diff --git a/mail/mail-server/Portfile b/mail/mail-server/Portfile index 83122a9bc9a56..a3719ff12ee09 100644 --- a/mail/mail-server/Portfile +++ b/mail/mail-server/Portfile @@ -5,7 +5,7 @@ PortGroup active_variants 1.1 name mail-server version 1.0 -revision 2 +revision 3 categories mail net platforms darwin supported_archs noarch 
@@ -15,11 +15,11 @@ distfiles description Mail server configuration long_description ${description} \ - Mail server working configuration that provides a basic, working, \ - easily modifiable mail server. The configuration is built using \ - postfix for the MTA, dovecot for the MDA, solr for fast search, \ - rspamd for a milter, and clamav for email virus scans. The \ - configuration includes a surrogate TLS certificate, DKIM, and \ + Mail server working configuration that provides a basic, working,\ + easily modifiable mail server. The configuration is built using\ + postfix for the MTA, dovecot for the MDA, solr for fast search,\ + rspamd for a milter, and clamav for email virus scans. The\ + configuration includes a surrogate TLS certificate, DKIM, and\ Apple Push Notification Service (APNS) capability for iOS devices. homepage https://www.postfix.org/ @@ -47,9 +47,19 @@ depends_lib-append port:apache-solr8 \ depends_run-append port:clamav-server -variant initialize \ - description {Initialize all configuration files. Existing - configurations files are not overwritten by default.} {} +variant initialize_always \ + description {Always initialize all configuration files. Intended\ + for development and troubleshooting only. Working deployments\ + must disable this variant to prevent configuration files\ + being overwritten at the next upgrade. Existing configuration\ + files are not overwritten by default.} { + ui_warn \ + " +\tAll configuration files will be initialized because +\tthe variant +initialize_always is set. Please disable +\tthis variant for working deployments. +" +} use_configure no @@ -64,7 +74,7 @@ pre-build { if { [catch {set result [registry_active postfix]}] || [lindex [lindex ${result} 0] 3] \ - != "+[join ${postfix_required_variants} +]" } { + ne "+[join ${postfix_required_variants} +]" } { append required_variants_message "\ Postfix not installed with required variants. Please install: 
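Review bot: The rewritten `ne "+[join ${postfix_required_variants} +]"` comparison still requires the installed postfix variant string to match one fixed ordering exactly, so an install with the same required variants in another order, or with one extra variant, is reported as missing them; the dovecot2 check in the next hunk has the same shape. The Portfile already loads `PortGroup active_variants 1.1`, whose `require_active_variants postfix ${postfix_required_variants}` performs an order-insensitive check with the standard error text, so the hand-rolled `registry_active` parsing and message assembly could likely be replaced by it. The enclosing `pre-build` block starts and ends outside the hunk.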
@@ -75,7 +85,7 @@ Postfix not installed with required variants. Please install: } if { [catch {set result [registry_active dovecot2]}] || [lindex [lindex ${result} 0] 3] \ - != "+[join ${dovecot2_required_variants} +]" } { + ne "+[join ${dovecot2_required_variants} +]" } { append required_variants_message "\ Dovecot not installed with required variants. Please install: @@ -84,7 +94,7 @@ Dovecot not installed with required variants. Please install: " set required_variants_flag false } - if {${required_variants_flag} != true} { + if {${required_variants_flag} ne true} { ui_error ${required_variants_message} # one of these will exit with error if the ports are not installed at all registry_active postfix @@ -298,7 +308,7 @@ destroot { xinstall -m 0644 \ ${filespath}/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf \ ${destroot}${tls_ca_dir}/intermediate - if { [variant_isset "initialize"] + if { [variant_isset "initialize_always"] && [file exists ${tls_ca_dir}] } { delete ${tls_ca_dir}.previous @@ -328,7 +338,7 @@ post-activate { # use network settings for installed example configuration set fullhost [exec /bin/hostname -f] set host [lindex [split ${fullhost} .] 0] - set domaintld [join [lrange [split ${fullhost} .] end-1 end] .] + set domaintld [join [lrange [split ${fullhost} .] 1 end] .] set domain [lindex [split ${domaintld} .] 0] set tld [lindex [split ${domaintld} .] end] set HOST [string toupper ${host}] @@ -349,7 +359,7 @@ post-activate { " proc install_initial_configuration {f_or_d} { - if { [variant_isset "initialize"] + if { [variant_isset "initialize_always"] && [file exists ${f_or_d}] } { delete ${f_or_d}.previous @@ -357,7 +367,7 @@ post-activate { ${f_or_d} \ ${f_or_d}.previous } - if { [variant_isset "initialize"] + if { [variant_isset "initialize_always"] || ![file exists ${f_or_d}] } { if { [file isfile ${f_or_d}.macports] } { 
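Review bot: `${required_variants_flag} ne true` is a string comparison, so it only behaves while the flag is initialised with the literal `true`; the `!=` it replaces treated `1` and `true` as equal booleans, and after this hunk a `1` or `yes` initialisation becomes a spurious failure. `if {!${required_variants_flag}}` accepts any Tcl boolean and reads as intended. The flag's initialisation and the enclosing `pre-build` block are outside the hunk.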
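Review bot: The new `domaintld` keeps every label after the first, so for a hostname with four or more labels such as `mail.sub.example.com` (constructed example) `domain` becomes `sub` while `tld` stays `com`, and `@domain@.@tld@` — which main.cf substitutes into `mydomain` — becomes `sub.com`, silently dropping the middle label; a bare two-label hostname collapses `domaintld` to its last label. If multi-label domains are the goal, derive `domain` from everything but the last label, `set domain [join [lrange [split ${domaintld} .] 0 end-1] .]`, and check that every `@domain@` substitution and the `${tld}.${domain}.mail` paths tolerate a dotted value; otherwise the previous `end-1 end` was the safer choice. The enclosing `post-activate` block starts and ends outside the hunk.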
@@ -400,7 +410,7 @@ post-activate { xinstall -m 0777 -g mail -d /private/var/mail/${tld}.${domain}.mail/attachments/ # solr configuration - if { [variant_isset "initialize"] } { + if { [variant_isset "initialize_always"] } { system "sudo -u solr -g solr sh </dev/null || true solr8 start -p 8983 2>/dev/null || true @@ -738,18 +748,18 @@ in ${prefix}/etc/dovecot/sieve*/*.sieve are compiled with sievec. } # PAM authentication - if ![file exists /etc/pam.d/smtp] { + if { ![file exists /etc/pam.d/smtp] } { xinstall -m 0644 ${prefix}/etc/postfix/etc/pam.d/smtp /etc/pam.d/ } - if ![file exists /etc/pam.d/imap] { + if { ![file exists /etc/pam.d/imap] } { xinstall -m 0644 ${prefix}/etc/dovecot/etc/pam.d/imap /etc/pam.d/ } # TLS PFS - if ![file exists ${prefix}/var/lib/postfix/dh2048.pem] { + if { ![file exists ${prefix}/var/lib/postfix/dh2048.pem] } { system -W ${prefix}/var/lib/postfix "sudo -u _postfix openssl dhparam -out dh2048.pem 2048" } - if ![file exists ${prefix}/etc/dovecot/dh2048.pem] { + if { ![file exists ${prefix}/etc/dovecot/dh2048.pem] } { # create a shorter, faster DH parameter file for the default installation system -W ${prefix}/etc/dovecot "openssl dhparam -out dh2048.pem 2048" } 
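Review bot: `xinstall -m 0777 -g mail -d /private/var/mail/${tld}.${domain}.mail/attachments/` creates the attachment store world-writable and without the sticky bit, so any local account can read, replace or remove other users' attachment data. The directory already gets group `mail`, and the 10-master.conf hunk in this patch shows `group = mail` on `service auth-worker`, so `-m 0770` (or `-m 2770` so new files inherit the group) is probably sufficient — confirm the uid/gid of the dovecot processes that actually write there before tightening. This is a context line, but it sits in the block the hunk rewrites; the enclosing `post-activate` block starts and ends outside the hunk.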
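Review bot: The comment `# create a shorter, faster DH parameter file for the default installation` no longer matches the command under it, which generates 2048-bit parameters exactly like the postfix step a few lines above, so a reader will assume a smaller group is in use. Suggest `# generate dovecot's own 2048-bit DH parameters (same size as postfix's)`. It is also worth a comment that the postfix file is generated as `_postfix` via sudo while dovecot's is generated as the activating user, so the two files end up with different owners — presumably intended because dovecot's master process reads `ssl_dh`, but not obvious. The enclosing `post-activate` block starts and ends outside the hunk.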
@@ -793,18 +803,35 @@ startupitem.restart "port reload apache-solr8 \tport load dovecot2 \tport reload rspamd" -notes "A mail server is a complex, interdependent set of tools that must +proc plutil_startup {plcmds label} { + global prefix startupitem.location + foreach cmd ${plcmds} { + system -W ${prefix}/etc/${startupitem.location}/${label} \ + "/usr/bin/plutil ${cmd} ${label}.plist" + } +} + +post-activate { + # modify the launch daemons + plutil_startup [list \ + "-remove KeepAlive" \ + "-insert RunAtLoad -bool YES" \ + ] \ + org.macports.${startupitem.name} +} + +notes "A mail server is a complex, interdependent set of tools that must\ all be configured correctly to provide secure, reliable email. -Users must reconfigure this installation for their own system, network, -and security model specifics by editing all necessary files and checking +Users must reconfigure this installation for their own system, network,\ +and security model specifics by editing all necessary files and checking\ file permissions. A subset of these settings are visible in the files: port contents mail-server port file mail-server -Full deployment also requires a working DNS configuration on both the LAN -and the internet, including SPF and DKIM records, trusted TLS certificates, +Full deployment also requires a working DNS configuration on both the LAN\ +and the internet, including SPF and DKIM records, trusted TLS certificates,\ port forwarding, possibly a mail replay, and more. Postfix and dovecot must be installed with these variants: @@ -841,7 +868,7 @@ These are the locations and network settings for the default configuration: Spam/Ham training (default behavior): Move/Copy email to the folders Spam_train or Notspam_train. -The configuration also includes a surrogate TLS certificate and DKIM settings +The configuration also includes a surrogate TLS certificate and DKIM settings\ that must be changed before deployment. TLS: 
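Review bot: `plutil -remove KeepAlive` exits non-zero when the key is absent and `-insert RunAtLoad` when it is already present, and `system` turns a non-zero exit into a Tcl error, so this new `post-activate` aborts activation whenever the generated plist does not look exactly as expected (a MacPorts base that emits a different plist, or the block running a second time). `"-replace RunAtLoad -bool YES"` adds or overwrites the key in either case, and the removal can be made tolerant with `catch {plutil_startup [list "-remove KeepAlive"] org.macports.${startupitem.name}}`. `plutil_startup` also deserves a header comment saying what it touches, e.g. `# edit the port's installed launchd plist under ${prefix}/etc/${startupitem.location} in place; each element of plcmds is one plutil option string`, since the file belongs to the port's registry entry.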
@@ -850,15 +877,15 @@ that must be changed before deployment. DKIM: ${prefix}/var/lib/rspamd/dkim -The ports dns-server and logrotate provide necessary DNS service on the LAN +The ports dns-server and logrotate provide necessary DNS service on the LAN\ and log rotation capabilities: sudo port install dns-server logrotate -This port assume indepedent installation and management of DNS and +This port assume indepedent installation and management of DNS and\ log rotation; mail-server includes example logrotate configuration files. -The port's launch daemon controls launching for each of the dependendent +The port's launch daemon controls launching for each of the dependendent\ services. These may be controlled independently, e.g. sudo port load clamav-server @@ -882,11 +909,21 @@ and if installed independently, * _The Book of Postfix_, by Patrick Koetter and Ralf Hildebrandt Known issues: - * The Postfix service does not reliably start after reboot, - presumably due to an issue with launchd. A workaround + * The Postfix service does not reliably start after reboot,\ + presumably due to an issue with launchd. A workaround\ after rebooting is to issue the commands: - sudo port unload postfix ; sleep 5 ; sudo port load postfix -" + sudo port unload postfix ; sleep 5 ; sudo port load postfix" + +if { [variant_isset "initialize_always"] } { + if {[exists notes]} { + # leave a blank line after the existing notes + notes-append "" + } + notes-append \ + "The variant +initialize_always is set, which initializes\ + all configuration files. Please disable this variant for\ + working deployments." +} livecheck.type none diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf index 72cedf28d75ac..65ce66c2e6e8e 100644 --- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf +++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf 
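Review bot: The `[exists notes]` guard inside the `initialize_always` block is always true here because `notes` is assigned unconditionally a few lines above, so the conditional and its comment can go and `notes-append ""` can be unconditional (or the warning can be folded into the notes string itself). The retained "Known issues" paragraph still says the Postfix service does not reliably start after reboot; if the RunAtLoad change in this commit is meant to address that, the paragraph should say so or be dropped, and otherwise a sentence confirming the workaround still applies would help. The enclosing `notes` assignment starts outside the hunk.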
@@ -114,7 +114,7 @@ auth_gssapi_hostname = "$ALL" # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey # gss-spnego # NOTE: See also disable_plaintext_auth setting. -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # auth_mechanisms = cram-md5 plain login apop digest-md5 gssapi # plain username/password auth - OK since everything is over TLS auth_mechanisms = plain gssapi diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf index 2185affb6088e..f17457cb9d26f 100644 --- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf +++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf @@ -49,7 +49,7 @@ # default home directory location for all users mail_home = /private/var/mail/@tld@.@domain@.mail -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: #mail_location = # Note: This key is managed by Server Admin. See above before making changes # mail_location = maildir:/Library/Server/Mail/Data/mail/%u @@ -111,7 +111,7 @@ inbox = yes #subscriptions = yes } -# macOS v.5.7 configuration: +# macOS v.5.6 configuration: # # shared namespace configuration # namespace acl-mailboxes { # type = shared @@ -272,7 +272,7 @@ auth_socket_path = @PREFIX@/var/run/dovecot/auth-userdb # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. # (APPLE) added fts_sk -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # mail_plugins = quota zlib acl fts fts_sk mail_plugins = quota zlib acl diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf index e1b8f75a497e1..cc71c67e6060d 100644 --- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf +++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf 
@@ -58,7 +58,7 @@ service imap-login { } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # service pop3-login { # inet_listener pop3 { # port = 110 @@ -100,7 +100,7 @@ service imap { # Results in imap userdb Fatal setuid errors # See: https://dovecot.org/pipermail/dovecot/2019-May/116014.html -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # service pop3 { # # Max. number of POP3 processes (connections) # process_limit = 200 @@ -111,7 +111,7 @@ service imap { # expose an auth socket for postfix to authenticate users service auth { - # macOS Server v.5.7 configuration: + # macOS Server v.5.6 configuration: # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and @@ -159,7 +159,7 @@ service auth-worker { group = mail } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # service auth-worker { # # Auth worker process is run as root by default, so that it can access # # /etc/shadow. If this isn't necessary, the user should be changed to @@ -167,7 +167,7 @@ service auth-worker { # #user = root # } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # service dict { # # If dict proxy is used, mail processes should have access to its socket. # # For example: mode=0660, group=vmail and global mail_access_groups=vmail @@ -178,14 +178,14 @@ service auth-worker { # } # } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: service dns_client { unix_listener dns-client { mode = 0600 } } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # # for stats plugin, if enabled # service stats { # fifo_listener stats-mail { 
diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf index 12c46b423e869..10922700b524e 100644 --- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf +++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf @@ -89,11 +89,11 @@ ssl_ca = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cha ssl_dh = <@PREFIX@/etc/dovecot/dh2048.pem # SSL protocols to use -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # ssl_protocols = !SSLv2 !SSLv3 # SSL ciphers to use -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA # SSL crypto device to use, for valid values run "openssl engine" diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf index 243158ee01435..1d21d14014164 100644 --- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf +++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf 
@@ -49,7 +49,7 @@ namespace inbox { auto = subscribe special_use = \Sent } - # macOS Server v.5.7 configuration; used by iOS: + # macOS Server v.5.6 configuration; used by iOS: mailbox "Sent Messages" { special_use = \Sent } diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext index 9887c0f00e24c..bcd4a0db78079 100644 --- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext +++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext @@ -183,7 +183,7 @@ userdb passwd { ## driver = passwd ## } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # passdb { # # OD cache refresh intervals. The positive cache TTL applies to # # enabled accounts. The negative cache TTL applies to disabled @@ -193,7 +193,7 @@ userdb passwd { # # driver = od # } -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # userdb { # # OD cache refresh intervals. The positive cache TTL applies to # # enabled accounts. The negative cache TTL applies to disabled @@ -205,7 +205,7 @@ userdb passwd { # # additional args: pos_cache_ttl=3600 neg_cache_ttl=60 # # luser_relay= enforce_quotas=no # # use_getpwnam_ext=yes blocking=no -# # macOS Server v.5.7 configuration +# # macOS Server v.5.6 configuration # # driver = od # driver = ldap # args = partition=@PREFIX@/etc/dovecot/partition_map.conf global_quota=8192 enforce_quotas=yes diff --git a/mail/mail-server/files/prefix/etc/postfix/main.cf b/mail/mail-server/files/prefix/etc/postfix/main.cf index ef31d8808a199..adf252fe11dcf 100644 --- a/mail/mail-server/files/prefix/etc/postfix/main.cf +++ b/mail/mail-server/files/prefix/etc/postfix/main.cf 
@@ -675,7 +675,7 @@ sample_directory = @PREFIX@/share/postfix/sample # readme_directory = @PREFIX@/share/postfix/readme # inet_protocols = ipv4 -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: inet_protocols = all meta_directory = @PREFIX@/etc/postfix shlib_directory = @PREFIX@/libexec/postfix @@ -686,7 +686,7 @@ shlib_directory = @PREFIX@/libexec/postfix ############################ # macOS Open Source Server # ############################ -# Based on /Library/Server_v57/Mail/Config/postfix/main.cf, +# Based on /Library/Server_v56/Mail/Config/postfix/main.cf, # https://www.c0ffee.net/blog/mail-server-guide/ ## Create these directories, files @@ -694,7 +694,7 @@ shlib_directory = @PREFIX@/libexec/postfix # sudo chmod go-rwx @PREFIX@/var/log/mail ## Create @PREFIX@/etc/postfix/sasl/passwd, passwd.db with secure permissions -# sudo rsync -a /Library/Server_v57/Mail/Config/postfix/sasl @PREFIX@/etc/postfix +# sudo rsync -a /Library/Server_v56/Mail/Config/postfix/sasl @PREFIX@/etc/postfix # sudo newaliases # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048 @@ -736,9 +736,9 @@ shlib_directory = @PREFIX@/libexec/postfix # sudo postmap @PREFIX@/etc/postfix/sasl/passwd ## NOTE: Do *not* copy over HUGE Berkeley .db files from High Sierra APNS file systems; -## this APNS/Berkeley DB bug was fixed in Mojave, which doesn't run Server.app v.5.7. +## this APNS/Berkeley DB bug was fixed in Mojave, which doesn't run Server.app v.5.6. ## Rather, -# sudo find /Library/Server_v57/Mail/Config -type f -name '*.db' -exec sudo du -sm {} ';' | sort -rn +# sudo find /Library/Server_v56/Mail/Config -type f -name '*.db' -exec sudo du -sm {} ';' | sort -rn ## to find affected files, then use postmap to recreate them on the new server. ## The only way to fix these on an old server is to create the .db files on ## an attached HDFS drive, then create symbolic links on the High Sierra APNS drive. 
@@ -765,18 +765,18 @@ maillog_file_compressor = bzip2 maillog_file_prefixes = @PREFIX@/var/log/mail # maillog_file_rotate_suffix = -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: smtp_tls_loglevel = 1 # use 0 for Postfix >= 2.9, and 1 for earlier versions -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_loglevel = 0 -# macOS Server v.5.7 configuration settings that do not appear elsewhere +# macOS Server v.5.6 configuration settings that do not appear elsewhere # Commented-out settings are often specific to macOS Server.app's postfix build # dovecot -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # dovecot_destination_recipient_limit = 1 # Alias maps, database if mailman is used 
@@ -801,20 +801,20 @@ tls_random_source = dev:/dev/urandom
 # larger than this number of bytes. 0, the default, means no limit.
 # mime_max_body_size = 0
 #======================================================================
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # mydomain_fallback = localhost
 mynetworks = 127.0.0.0/8, [::1]/128
 inet_interfaces = all
-# macOS Server v.5.7 configuration; site-specific, pre-defined
+# macOS Server v.5.6 configuration; site-specific, pre-defined
 # config_directory = /Library/Server/Mail/Config/postfix
 # smtpd_require_virtual_map = yes
 # virtual_alias_domains = $virtual_alias_maps, hash:@PREFIX@/etc/postfix/virtual_domains
 # virtual_alias_maps = $virtual_maps, hash:@PREFIX@/etc/postfix/virtual_users
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # enable_server_options = yes
 # smtpd_pw_server_security_options = cram-md5,digest-md5,gssapi,login,plain
 # content_filter = smtp-amavis:[127.0.0.1]:10024
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # smtpd_use_pw_server = yes
 header_checks = pcre:@PREFIX@/etc/postfix/custom_header_checks
 recipient_canonical_maps = hash:@PREFIX@/etc/postfix/system_user_maps
@@ -843,24 +843,24 @@ mydomain = @domain@.@tld@ # virtual domains, which are configured below. Make sure to specify the FQDN # of your sever, as well as localhost. # Note: NEVER specify any virtual domains here!!! Those come later. -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain # Domain appended to mail sent locally from this machine - such as mail sent # via the `sendmail` command. -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) myorigin = $mydomain # prevent spammers from searching for valid users -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) disable_vrfy_command = yes # require properly formatted email addresses - prevents a lot of spam -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) strict_rfc821_envelopes = yes # don't give any helpful info when a mailbox doesn't exist -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) show_user_unknown_table_name = no # limit maximum e-mail size to 25MB. mailbox size must be at least as big as 
@@ -871,13 +871,13 @@ message_size_limit = 25165824 mailbox_size_limit = 0 # require addresses of the form "user@domain.tld" -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) allow_percent_hack = no swap_bangpath = no # allow plus-aliasing: "user+tag@domain.tld" delivers to "user" mailbox # Handle both Postfix and qmail extensions (Postfix 2.11 and later). -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) # `recipient_delimiter = +` used by CalendarServer # Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …` @@ -913,7 +913,7 @@ smtp_dns_support_level = dnssec # Implement DNSSEC if named is ever put outside the firewall, and DNSSEC infrastructure uses ED25519 # smtp_tls_security_level = may -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 @@ -924,7 +924,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2 # SMTP Relay and SASL Authentication Configuration -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # `relayhost` is the host:port of the SMTP relay e.g. smtp.comcast.net:587 relayhost = [@RELAYHOST@]:submission # `smtp_sasl_password_maps` has SMTP server authentication credentials of the form: 
@@ -980,11 +980,11 @@ smtp_tls_CApath = @PREFIX@/etc/postfix/etc/certificates # IP address used by postfix to send outgoing mail. You only need this if # your machine has multiple IP addresses - set it to your MX address to # satisfy your SPF record. -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) # smtp_bind_address = my IP == `host $mydomain` # smtp_bind_address6 = my IPv6 == `host -6 $mydomain` -# macOS Server v.5.7 configuration that doesn't appear elewhere +# macOS Server v.5.6 configuration that doesn't appear elewhere # smtpd (postfix server) configuration @@ -993,10 +993,10 @@ smtp_tls_CApath = @PREFIX@/etc/postfix/etc/certificates # https://serverfault.com/questions/693179/postfix-mandatory-smtp-smtpd-vs-not-mandatory-difference-and-configuration # allow other mail servers to connect using TLS, but don't require it -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_security_level = may -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: smtpd_enforce_tls = no smtpd_use_tls = yes 
@@ -1014,20 +1014,20 @@ smtpd_use_tls = yes # therefore, do *not* set smtpd_tls_mandatory_protocols or smtpd_tls_protocols to be too restrictive smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2, !SSLv3 -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_mandatory_ciphers = high -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: smtpd_tls_ciphers = medium # man 5 postconf /tls_high_cipherlist: "You are strongly encouraged to not change this setting." # tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # smtpd_tls_protocols = !SSLv2, !SSLv3 # smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 # List of ciphers or cipher types to exclude from the SMTP server cipher # list at all TLS security levels. -# # macOS Server v.5.7 configuration: +# # macOS Server v.5.6 configuration: # smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT, LOW, MD5, SEED, IDEA, RC2 
@@ -1042,12 +1042,12 @@ smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT, LOW, MD5, SE # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh512.pem 512 # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 1024 # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048 -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_dh1024_param_file=${data_directory}/dh2048.pem smtpd_tls_eecdh_grade = ultra # cache incoming and outgoing TLS sessions -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) # man 5 postconf : "for Postfix >= 2.11 this parameter should generally be left empty" # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache # smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache @@ -1060,7 +1060,7 @@ import_environment="KRB5_KTNAME=@PREFIX@/etc/postfix/smtp.keytab" # Kerberos REALM smtpd_sasl_local_domain = @HOST@.@DOMAIN@.@TLD@ # Dovecot SASL -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot 
@@ -1069,19 +1069,19 @@ smtpd_sasl_type = dovecot ## smtpd_sasl_type = cyrus # only allow authentication over TLS -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_auth_only = yes # don't allow plaintext auth methods on unencrypted connections -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # smtpd_sasl_security_options = noanonymous # smtpd_sasl_security_options = noanonymous, noplaintext # but plaintext auth is fine when using TLS -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_sasl_tls_security_options = noanonymous # add a message header when email was recieved over TLS -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_received_header = yes # require that connecting mail servers identify themselves - this greatly @@ -1095,7 +1095,7 @@ smtpd_helo_required = yes # entry and present a valid, FQDN HELO hostname. In addition, they can only # send mail to valid mailboxes on the server, and the sender's domain must # actually exist. -# macOS Server v.5.7 configuration: +# macOS Server v.5.6 configuration: # smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, zen.spamhaus.org, permit # The settings `reject_unknown_reverse_client_hostname, reject_unauth_pipelining` here cause "451 4.3.5 Server configuration error" 
@@ -1105,7 +1105,7 @@ smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
 # here. This will reject all incoming connections without a reverse DNS
 # entry that resolves back to the client's IP address. This is a very
 # restrictive check and may reject legitimate mail.
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
 smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
 # you might want to consider:
@@ -1113,15 +1113,15 @@ smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_n # here. This will reject all incoming mail without a HELO hostname that # properly resolves in DNS. This is a somewhat restrictive check and may # reject legitimate mail -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf); but commented out +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf); but commented out # #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!! reject_unauth_destination # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!! -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf); but commented out +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf); but commented out # # Added by Server.app>Mail>Filtering Settings... > Enable greylist filtering # # smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy permit # # SMTP Recipient and Relay Restrictions 
@@ -1134,7 +1134,7 @@ smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, # if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see # dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_unauth_pipelining # Check: @@ -1160,7 +1160,7 @@ smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_m # Virtual users. Uncomment these after LDAP authentication set up # deliver mail for virtual users to Dovecot's LMTP socket -# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) virtual_transport = lmtp:unix:private/dovecot-lmtp # LDAP query to find which domains we accept mail for diff --git a/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh b/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh index 4c7e17e267c58..dfdf3e42d821b 100644 --- a/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh +++ b/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh @@ -144,7 +144,7 @@ sudo killall saslauthd ## ## smtpd_sasl_type = cyrus ## ## # only allow authentication over TLS -## # (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf) +## # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) ## # smtpd_tls_auth_only = yes ## smtpd_tls_auth_only = no ## smtpd_recipient_restrictions = permit_mynetworks,