On Fri, Nov 12, 2021 at 03:47:22PM -0600, Tyler Montney <montneyty...@gmail.com> wrote:
> "You seem to be explicitly setting many parameters to their defaults." > > I removed a bunch, but might have missed some. That "command_directory" > parameter I definitely didn't set. I think that's a result of building from > source. If you want to remove parameters that have been explicitly set to their default, you can identify them with this bash/zsh command: LANG=C comm -12 <(postconf -n) <(postconf -d) > "You have the address mappings happening before, which means that the > filter doesn't have access to the original addresses." > > I was unaware entirely. I'm thinking I probably want the original addresses? Probably. But it depends on what you want to see in error messages coming from the milters. Do you want to see the original addresses or the maped addresses? I delay address mapping until after the milters, but it might not matter. > "I don't know what the milter on port 11332 is doing" > > Believe that's rspamd. I don't know much about rspamd but I've heard that it handles DKIM/DMARC/ARC checking, so maybe you don't need OpenDKIM and OpenDMARC as well. Although you might need OpenDKIM you sign your outgoing mail. I don't know if rspamd does that as well. > "But I expect that you understand this much better than I do" > > I've gotten into "from scratch" mail hosting a couple months back. I've > done all I can to learn before > asking questions. I want to know the reason why I put each line of config. > > "Removing $myhostname from mydestination looks unusual to me. I assume > there's a good reason" > > That was early on in my research. Believe it had something to do with > Postfix saying my LDAP > user didn't exist. Removing it allowed delivery. That sounds like a good reason. :-) > "This can lead to your mail server transmitting email unencrypted" > > In my effort to be a little less flexible (to get more encryption), it > seems I'll do the opposite. I'll change that. Speaking of which... > > smtp_tls_mandatory_protocols > smtp_tls_protocol > > What is the difference between these two? I've read the docs but it didn't > help. Viktor has answered this. > "then you could make Postfix DANE-aware and avoid falling prey to > man-in-the-middle attack" > > Going to have to brush up on this. I have my AD PDC running DNS. Does it > have to be localhost or can it be LAN? If your LAN DNS resolver is DNSSEC-validating and you really trust that your LAN won't become compromised (probably a dangerous assumption), then it would probably be OK. It would be enough to prevent the large scale DNS hijacking that happens with public DNS resolvers like 8.8.8.8. So, as always, it depends on what threats you want to protect against. But I'd still recommend localhost unless there's a strong reason not to. > "You might want to add "silent-discard" to the above to suppress warnings > in your log files about it." > > Good call, I was noticing that a bit. I'm sure when it goes into production > that error would've annoyed me. > > "I assume port 10023 is running Postgrey." > > Correct. > > "smtpd_sasl_auth_enable shouldn't be in main.cf." > > Ah, because that would set the default across everything and we prefer it > on 587. That's right. > "That limits authentication attempts (successful or not" > > Do you have a specific recommendation on anvil or just pointing out what > that parameter does? If you set a limit, it should be higher than the maximum number of emails that could legitimately be sent in a minute (by default) from any single IP address (assuming that each mail is submitted with a new connection and authentication attempt). So, if every IP address represents a single person, it might be low (e.g., 10?) but if any IP represents multiple people, it would need to be higher. I don't know what typical values are for this. I set it to 10 but it's only for family use and each user is coming from different IP addresses. 10 is a ridiculously low value, and I don't recommend it. A more sensible way to think about it is how many authentication attempts are you willing to allow per minute (by default) if they were malicious. Perhaps 100? 250? 500? But it's probably best not to set a limit at all unless you have a problem that needs to be solved. Most of the credential stuffing attempts that I see are on dovecot's imap port anyway, not postfix's submission port. > "you eliminate the chance of a race condition when Postfix reads the new > key and chain" > > Race condition on renewal? If this happened, what would the effects look > like? An untrusted certificate until I reload? I'm not sure. The private key and the first certificate in the chain wouldn't agree with each other. I'm guessing that it would result in a TLS handshake failure, and mail being received/sent unencrypted for a while. But it would probably only be briefly until postfix next reads the files again. A postfix restart wouldn't be needed, because the processes involved don't run indefinitely. But a restart would fix the problem sooner if it were noticed. > "if you set up a renewal hook that executes a script like this" > > Thanks, saves me some work. > > "It's best not to disable_dns_lookups. The Amavis guide says to do it" > > It's tough to find much of anything on Amavis. Nowhere near as documented > as Postfix and Dovecot. Is it still a good one to go with? I think so. I use it. > "Yep." > > Does this mean "ditto" or "OK don't change"? It means "OK don't change" (and I didn't want to delete it). > "you might also want to add SPF checking" > > I did have 'postfix-policyd-spf-perl' but noticed OpenDMARC offers SPF. I > have it set > to always check even if the headers are provided. Or am I misunderstanding? I think that having postfix-policyd-spf-perl means that SPF checks are performed for domains that have an SPF record but that do not have a DMARC record. I think that OpenDMARC probably only does its own SPF checking for its own purposes when there is a DMARC record to trigger the check. I could be wrong. Perhaps OpenDMARC can perform SPF checking in the absence of a DMARC record. I haven't looked into that. But also, I've been told that rspamd does all of this checking as well, so maybe it would be doubling up. You should check exactly what rspamd provides. > Thanks for taking the time to review this. I feel confident now in putting > it online (after I make a few of your adjustments). I hope I've helped. :-) cheers, raf
