From 2ae981eeb853a1381ef1b4605e63103f1309857d Mon Sep 17 00:00:00 2001
From: Mario Alegre <mario@git.alemor.org>
Date: Wed, 25 Nov 2020 15:38:01 -0500
Subject: [PATCH] changes to mail server

---
 .../assets/dovecot/conf.d/10-mail.conf        |  2 +-
 .../assets/dovecot/conf.d/30-stats.conf       | 13 +++++
 src/mailsrv/assets/postfix/main.cf            | 54 +++++++++++--------
 src/mailsrv/assets/postfix/master.cf          |  5 --
 4 files changed, 45 insertions(+), 29 deletions(-)
 create mode 100644 src/mailsrv/assets/dovecot/conf.d/30-stats.conf

diff --git a/src/mailsrv/assets/dovecot/conf.d/10-mail.conf b/src/mailsrv/assets/dovecot/conf.d/10-mail.conf
index 4df36e8..6b69e02 100644
--- a/src/mailsrv/assets/dovecot/conf.d/10-mail.conf
+++ b/src/mailsrv/assets/dovecot/conf.d/10-mail.conf
@@ -111,7 +111,7 @@ namespace inbox {
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
-mail_privileged_group = mail
+#mail_privileged_group = mail
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be
diff --git a/src/mailsrv/assets/dovecot/conf.d/30-stats.conf b/src/mailsrv/assets/dovecot/conf.d/30-stats.conf
new file mode 100644
index 0000000..dc45c4f
--- /dev/null
+++ b/src/mailsrv/assets/dovecot/conf.d/30-stats.conf
@@ -0,0 +1,13 @@
+service stats {
+    unix_listener stats-reader {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+
+    unix_listener stats-writer {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
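Review bot: The new 30-stats.conf carries no comment saying why the stats-reader and stats-writer sockets are re-declared as vmail-owned with mode 0660, so a reader cannot tell which process was unable to reach the stats service or whether this is meant to override a definition in an earlier conf.d file. Presumably the mail processes run as vmail and needed access to these sockets; if so, a one-line header such as `# Let Dovecot mail processes running as vmail connect to the stats service` at the top of the file would record that. Mode 0660 keeps the sockets limited to the vmail user and group, which is the narrower of the reasonable choices; any other account that runs `doveadm stats` against these listeners would need to be in that group.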
diff --git a/src/mailsrv/assets/postfix/main.cf b/src/mailsrv/assets/postfix/main.cf
index f3b3e43..e9c4f82 100644
--- a/src/mailsrv/assets/postfix/main.cf
+++ b/src/mailsrv/assets/postfix/main.cf
@@ -1,28 +1,20 @@
-### General ###
-# network segments to consider internal
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+### Network ###
 # interfaces & protocols to listen on
 inet_interfaces = all
 inet_protocols = all
-# what backend to use to deliver local & virtual mail
-local_transport = dovecot
-# hosts to relay for
-relayhost =
-# whether to send "new mail" notifications to users
-# on by default, but we turn off because we're not using system users
-biff = no
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
-
-### Domains ###
 # primary name of server
 myhostname = mail.alemor.org
 myorigin = $mydomain
+# what host to use as a relay
+relayhost =
+# hosts to forward mail to
+relay_domains =
+# only forward mail from local host
+mynetworks_style = host
 # domains to consider primary (local) endpoints
 mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
 # domains to consider secondary (virtual) endpoints
-virtual_alias_domains = epic.alemor.org, home.alemor.org, alegre.alemor.org, daniel.alemor.org, fernando.alemor.org, juana.alemor.org, mario.alemor.org, moreno.alemor.org
+virtual_alias_domains = epic.alemor.org, home.alemor.org, alegre.alemor.org, daniel.alemor.org, fernando.alemor.org, juana.alemor.org, mario.alemor.org, moreno.alemor.org, mar.alemor.org
 
 ### Users ###
 # get list of valid users from here instead of /etc/passwd
@@ -33,22 +25,30 @@ virtual_alias_maps = hash:/etc/postfix/aliases
 # the email is sent to ${user} if that address is not already explicitly defined.
 recipient_delimiter = -
 
-### TLS ###
+### Delivery ###
+# what backend to use to deliver local & virtual mail
+local_transport = dovecot
+# set recipient limit to 1 so X-Original-To header addition will work
+dovecot_destination_recipient_limit = 1
+
+### SMTP ###
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 # whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
-smtpd_tls_security_level=may
+smtpd_tls_security_level=encrypt
 # where to find certs
 smtpd_tls_cert_file=/vol/ssl/fullchain.pem
 smtpd_tls_key_file=/vol/ssl/privkey.pem
-
-### Anti-spam ###
-#smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
+# domain to consider local
+smtpd_sasl_local_domain = $myhostname
+# security settings
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, permit_sasl_authenticated, reject
 #smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
-
-### SASL ###
+smtpd_sasl_security_options = noanonymous
+# what to use for sasl
 smtpd_sasl_type = dovecot
 # Can be an absolute path, or relative to $queue_directory
 # Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
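Review bot: The settings added to main.cf in this hunk (`smtpd_tls_security_level=encrypt`, `smtpd_client_restrictions = permit_sasl_authenticated, reject`, and a `smtpd_recipient_restrictions` that ends in `permit_sasl_authenticated, reject`) now apply to every smtpd instance, including the port-25 `smtp` service, because the master.cf hunk below removes the per-service `-o` overrides that previously scoped them to `submission`. An external MTA delivering to a domain in mydestination or virtual_alias_domains never authenticates, so it is turned away by smtpd_client_restrictions before any recipient check runs, and the recipient policy would reject it anyway since `reject_unauth_destination` only declines to reject local destinations rather than permitting them; requiring STARTTLS on a public MX is also contrary to RFC 3207, which says a publicly referenced SMTP server must not require STARTTLS to deliver mail locally. Keep mandatory TLS and the authenticated-only client/recipient restrictions as `-o` overrides on the `submission` service in master.cf, and leave main.cf at `smtpd_tls_security_level=may` with a recipient policy that ends in `permit` after `reject_unauth_destination` so inbound mail for the hosted domains still arrives. `smtpd_sasl_local_domain = $myhostname` and `smtpd_sasl_security_options = noanonymous` are harmless as global settings and can stay in main.cf.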
@@ -57,3 +57,11 @@ smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
 # With Postfix version before 2.10, use smtpd_recipient_restrictions
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+
+### Misc ###
+# whether to send "new mail" notifications to users
+# on by default, but we turn off because we're not using system users
+biff = no
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
diff --git a/src/mailsrv/assets/postfix/master.cf b/src/mailsrv/assets/postfix/master.cf
index 80cc80d..b8927f7 100644
--- a/src/mailsrv/assets/postfix/master.cf
+++ b/src/mailsrv/assets/postfix/master.cf
@@ -11,11 +11,6 @@
 # ==========================================================================
 smtp      inet  n       -       y       -       -       smtpd
 submission inet n       -       y       -       -       smtpd
-  -o smtpd_sasl_local_domain=$myhostname
-  -o smtpd_tls_security_level=encrypt
-  -o smtpd_sasl_security_options=noanonymous
-  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 
 # Local services
 # ==========================================================================