Tweak some restrictions and support DANE

2025-01-27 13:11:18 +00:00 · 2025-01-27 13:11:18 +00:00 · 461cd221b7
commit 461cd221b7
parent 2065576a0a
2 changed files with 18 additions and 8 deletions
--- a/config/postfix/APKBUILD
+++ b/config/postfix/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgrel=0
+pkgrel=3
 depends="postfix-pgsql redxen-secret-letsencrypt-chain redxen-secret-letsencrypt-private"

 _rx_postfix_pgsql_source="
@ -41,7 +41,7 @@ package() {

 sha512sums="
 1cb4072b03f3e9d79b15a082ccad99fc005129b56fc42c467713520f89feef298082637fbfaa01a04c2a1b6e69a254d9018adccaf9d98a4532f067214a4035f4  master.cf
-2db1a8123dd05326b8fa36e32fee1db974a811565df621002e48a1bc9a08e2995cf126933345d38c9f158c7855f8e82a2b09b9e1992046ab7c7bc7de0d077f6b  main.cf
+d962d8989397b8615142c878908f9b5cbdb8c56308cef8c05a91f4ab674a3697fb62342f00c4c025041cfd223efd2a6f5dc15487268f3374e27b28651cbe544c  main.cf
 e2e2073b064a921a9eeed028e17617bcd2d1235517d908b4daadef45eb4cbb8686023c532d7938a779021cdd9548afe97f59d4c3232e7e01dca229e37e8c63ff  secret
 51595b478be5cb66c9cb92963ba82f3851a5e912a1c427330ebd1a5abedd3e763467448e83f5c58f08dc51e70d420d0db6026eccc9955e3bb58f52f3773a4c85  pgsql-aliases.cf
 df25ccb7d6d27fba0cf4c75b440b81fc80e006583ff56f7a78fb8ddc361a4e63a0d80e92ccaf34d72e59a7b3babf8ca893c7b055ae0f9d75c04fc9b40dd00608  pgsql-users.cf
--- a/config/postfix/main.cf
+++ b/config/postfix/main.cf
@ -35,7 +35,7 @@ smtpd_delay_reject = yes

 # SMTP behaviour
 smtp_tls_CApath = /etc/ssl/certs
-smtp_tls_security_level = may
+smtp_tls_security_level = dane
 smtp_tls_note_starttls_offer = yes

 smtpd_use_tls = yes
@ -44,20 +44,30 @@ smtpd_tls_key_file = /etc/redxen/letsencrypt/private.key
 smtpd_tls_security_level = may
 smtpd_tls_protocols = !SSLv2, !SSLv3

+smtp_dns_support_level = dnssec
+smtp_host_lookup = dns
+smtp_tls_loglevel = 1
+
+# Wait up to 30 seconds before delivering a reply regarding address verification
+# This helps with DANE verification
+address_verify_poll_count = ${stress?1}${stress:6}
+address_verify_poll_delay = 5s
+
 # Restrictions
+smtpd_helo_restrictions      = reject_invalid_helo_hostname
 smtpd_sender_restrictions    = reject_known_sender_login_mismatch,
                               permit_sasl_authenticated,
-                               check_sender_access inline:{{$myorigin=553 not logged in}},
+                               reject_unknown_sender_domain,
                               reject_invalid_helo_hostname,
-                               reject_unknown_sender_domain
+                               reject_non_fqdn_sender
 smtpd_relay_restrictions     = permit_sasl_authenticated,
                               reject_unauth_destination
-smtpd_recipient_restrictions = permit_sasl_authenticated,
+smtpd_recipient_restrictions = reject_unauth_pipelining,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
-                               reject_unverified_recipient
+                               reject_unverified_recipient,
+                               permit_sasl_authenticated
 smtpd_data_restrictions      = reject_unauth_pipelining
-smtpd_helo_restrictions      = reject_invalid_helo_hostname

 # Dovecot auth
 smtpd_sasl_auth_enable = yes