Removing a manual SRS (postsrsd) installation  [SOLVED]

Post by ShortSnow »

Hello,

A while back I installed SRS on my Debian 11 server following this guide:

viewtopic.php?p=31630#p31630

Now I would like to switch to KeyHelp's SRS in preparation for the upgrade to Debian 12.

Is it enough to remove these 4 lines beforehand:

Code:

sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient
and

Code:

systemctl disable postsrsd
or do all the files have to be removed as well? As far as I can see, KeyHelp's SRS uses, instead of

Code:

sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender

Code:

default_transport = smtp:127.0.0.1:10027
For that, master.cf would still have to be adjusted...

Or am I overthinking this, and is it enough to simply activate it and touch up main.cf if necessary? My postsrsd version is also somewhat older by now...

Thanks

Regards, Arne

Server Debian 11 (24.2 (Build 3326)
Re: Removing a manual SRS (postsrsd) installation  [SOLVED]

Post by Alexander »

Hello Arne,

if I give you the original main.cf and master.cf of a pristine Debian 11 for KeyHelp 24.2 here, is that enough for you as a comparison? You can run them through a diff and see where you may need to make adjustments.
Once you have adjusted the files on the server, it is best to click "Save" again under "Configuration -> Email server" and "Configuration -> TLS version & ciphers", so that the settings you made there are written to the files accordingly.


main.cf

Code:

myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# Turning off the backwards-compatibility safety net
# http://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 2

# Appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# Max mail size in byte
message_size_limit = 36700160

# TLS parameters
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

smtpd_tls_cert_file = /etc/ssl/keyhelp/mail.pem
smtpd_tls_key_file = /etc/ssl/keyhelp/mail.pem
smtpd_tls_CAfile = /etc/ssl/keyhelp/mail-ca.crt
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 

smtp_tls_security_level = may
smtpd_tls_security_level = may

# TLS cypher for PFS
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

# medium for now, otherwise breakes with older SMTP
smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium

smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

smtpd_tls_exclude_ciphers = RC4, 3DES, aNULL
smtp_tls_exclude_ciphers = RC4, 3DES, aNULL
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no

# Dovecot Settings for deliver, SASL Auth and virtual transport
# uncomment those line to use Dovecot
mailbox_command = /usr/lib/dovecot/deliver

#dovecot_destination_recipient_limit = 1
#transport_maps = hash:/etc/postfix/transport
mailbox_transport = dovecot

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

myhostname = mein-toller-keyhelp-server-de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
#virtual_transport = dovecot

# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# Spam filter
content_filter = amavis:127.0.0.1:10024

# Concerning the peer
smtpd_soft_error_limit = 5
smtpd_error_sleep_time = 10s

smtpd_helo_required = yes

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_destination

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    # check_helo_access regexp:/etc/postfix/helo_access,
    reject_invalid_hostname,
    reject_non_fqdn_hostname

# Concerning the envelope
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_client,
    reject_non_fqdn_hostname

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    check_policy_service unix:private/policy

smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 50

# Header checks
header_checks = regexp:/etc/postfix/header_checks

# Mail filters (OpenDKIM)
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:12345
non_smtpd_milters = inet:127.0.0.1:12345

# SNI support
tls_server_sni_maps = hash:/etc/postfix/postfix-sni.conf

# Fix SMTP smuggling (until postfix 3.9, fixed because Debian 11 is running >= 3.5.23)
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks

# Senders rewriting scheme (SRS)
default_transport = smtp:127.0.0.1:10027
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient,header_recipient

master.cf

Code:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)   (never) (100)
# ==========================================================================
smtp       inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
smtps      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
submission inet n      -       -       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# Dovecot LDA
dovecot   unix  -   n   n   -   -   pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

# Python SPF Policy
policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf

# Amavisd spam and virus filter
amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_address_mappings,no_milters

# Senders rewriting scheme (SRS)
cleanup-srs unix n       -       -       -       0       cleanup
    -o sender_canonical_maps=mysql:/etc/postfix/mysql-virtual-srs-local-domains.cf,tcp:127.0.0.1:10001
    -o sender_canonical_classes=envelope_sender
127.0.0.1:10027 inet n   -       -       -       -       smtpd
    -o cleanup_service_name=cleanup-srs
    -o smtpd_tls_security_level=none
    -o content_filter=smtp:
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

Best regards
Alexander Mahr

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
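
The comparison suggested in the post above, as an added example that is not part of the original posts or of KeyHelp: a line-based diff also reports reordered lines and re-wrapped values, so this compares two main.cf files parameter by parameter. The function names parse_main_cf and diff_main_cf are hypothetical and LOCAL is constructed sample data built from the four lines in the question; REFERENCE is an excerpt of the main.cf posted above.

```python
# Excerpt of the reference main.cf posted above.
REFERENCE = """\
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_destination
# Senders rewriting scheme (SRS)
default_transport = smtp:127.0.0.1:10027
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient,header_recipient
"""

# Constructed sample: a server that still carries the manual postsrsd lines.
LOCAL = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_multi_recipient_bounce, reject_unauth_destination
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient
"""


def parse_main_cf(text):
    """Return {parameter: value} following the postconf(5) file syntax."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if line[0].isspace() and name:    # leading whitespace continues a value
            params[name] += " " + line.strip()
        elif not line[0].isspace():
            key, sep, value = line.partition("=")
            name = key.strip() if sep else None
            if name:
                params[name] = value.strip()  # a later definition overrides
    return {k: " ".join(v.split()) for k, v in params.items()}


def diff_main_cf(reference, local):
    """Compare by parameter, ignoring order, comments and line wrapping."""
    ref, loc = parse_main_cf(reference), parse_main_cf(local)
    return {
        "only_local": sorted(loc.keys() - ref.keys()),
        "only_reference": sorted(ref.keys() - loc.keys()),
        "changed": {k: (ref[k], loc[k])
                    for k in sorted(ref.keys() & loc.keys()) if ref[k] != loc[k]},
    }
```

On a live server, postconf -n prints only the parameters that main.cf sets explicitly, which gives the same parameter-level view of the local file.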
Re: Removing a manual SRS (postsrsd) installation

Post by ShortSnow »

Hello Alexander,

thanks. It worked. I had not made any changes to main.cf so far. I took my lines out of main.cf and just ticked the SRS checkbox. I also compared the postsrsd version, but it is the same one I had already installed myself.

All adjustments were carried out perfectly by KeyHelp when SRS was activated, and it was not bothered by the fact that postsrsd was already active.

And praise for your SRS implementation as well: finally, rewriting only happens on forwarding. A weakness that SRS has had from the start. Really, superbly implemented. :D

Regards, Arne