* Thu Apr 25 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme

- add listening daemon on submission port 587 [SME: 6510]
- move qpsmtpd daemons to full systemd supervision [SME: 12615]
- separate configuration for the 3 qpsmtpd daemons [SME: 12451]
  increase default TLS version on u/sqpsmtpd as auth is required
- increase Softlimit  to 150M [SME: 12638]
- remove old qmail templates [SME: 9492]
  template for /var/qmail/control/{badrcptto,badmailfrom,rcpthosts}
  also import template for config/badmailfrom from smeserver-wbl
TODO organize peers content for u and s qpsmtpd
TODO check if more config modules needs per service config
2024-04-25 17:24:35 -04:00
parent 2f7fb945df
commit 5b40bfd4f1
114 changed files with 589 additions and 431 deletions


@@ -0,0 +1,10 @@
#qpsmtpd
:programname, startswith, "qpsmtpd" /var/log/qpsmtpd/qpsmtpd.log
& stop
:programname, startswith, "sqpsmtpd" /var/log/sqpsmtpd/sqpsmtpd.log
& stop
:programname, startswith, "uqpsmtpd" /var/log/uqpsmtpd/uqpsmtpd.log
& stop
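Review bot: The header comment `#qpsmtpd` does not say what these rules guarantee, and the reader has to work it out: each `& stop` discards the message after the file write, so the three daemons never reach whatever rules follow (presumably the default catch-all log — confirm against the rest of the rsyslog config), and because `programname` is matched with `startswith` on `qpsmtpd`, `sqpsmtpd` and `uqpsmtpd`, none of the three prefixes shadows another, so rule order does not matter. A one-line comment would save that check, e.g. `# one log per daemon; "& stop" keeps them out of the catch-all rules that follow`. The program names these rules rely on come from the units' SyslogIdentifier, which is not in this hunk.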


@@ -0,0 +1,14 @@
[Service]
LimitDATA={$qpsmtpd{Softlimit} || "150000000"}
LimitSTACK={$qpsmtpd{Softlimit} || "150000000"}
LimitMEMLOCK={$qpsmtpd{Softlimit} || "150000000"}
Environment=
Environment={
$OUT = "QPSMTPD_CONFIG=/var/service/qpsmtpd/config";
$OUT .= " PORT=". ($qpsmtpd{TCPPort} || "25");
$OUT .= " INSTANCES=" . ($qpsmtpd{Instances} || "40");
$OUT .= " INSTANCES_PER_IP=" . ($qpsmtpd{InstancesPerIP} || "5");
$OUT .= " PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin";
$OUT .= " TCPLOCALHOST=$SystemName.$DomainName";
}
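Review bot: The empty `Environment=` that precedes the `Environment={` block is the systemd idiom for clearing any Environment list inherited from the base unit, but nothing says so, and a reader may take it for a leftover; a comment such as `# empty assignment resets Environment= inherited from the unit before ours is set` would help here and in the sqpsmtpd and uqpsmtpd drop-ins below. Separately, the three `Limit*` lines replace the old `SOFTLIMIT=` environment of the run script this commit deletes; if that script used daemontools `softlimit -m`, which also caps the address space, there is no `LimitAS=` equivalent here — confirm that omission is intended rather than an oversight.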


@@ -0,0 +1,14 @@
[Service]
LimitDATA={$sqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "150000000"}
LimitSTACK={$sqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "150000000"}
LimitMEMLOCK={$sqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "150000000"}
Environment=
Environment={
$OUT = "QPSMTPD_CONFIG=/var/service/sqpsmtpd/config";
$OUT .= " PORT=". ($sqpsmtpd{TCPPort} || "465");
$OUT .= " INSTANCES=" . ($sqpsmtpd{Instances} || $qpsmtpd{Instances} || "40");
$OUT .= " INSTANCES_PER_IP=" . ($sqpsmtpd{InstancesPerIP} || $qpsmtpd{InstancesPerIP} ||"5");
$OUT .= " PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin";
$OUT .= " TCPLOCALHOST=$SystemName.$DomainName";
}
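Review bot: The fallback on the `INSTANCES=` line is `"40"`, whereas the sqpsmtpd config fragment this commit deletes (`return "INSTANCES=" . ($sqpsmtpd{Instances} || $qpsmtpd{Instances} || "10")`) defaulted to 10; the changelog records the Softlimit increase but not this change, so on a system without an explicit Instances prop the TLS listener now admits four times as many concurrent children. If that is intended it belongs in the changelog, otherwise keep `|| "10"` here. The uqpsmtpd drop-in below also uses 40, but that service is new and had no prior default.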


@@ -0,0 +1,14 @@
[Service]
LimitDATA={$uqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "150000000"}
LimitSTACK={$uqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "150000000"}
LimitMEMLOCK={$uqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "150000000"}
Environment=
Environment={
$OUT = "QPSMTPD_CONFIG=/var/service/uqpsmtpd/config";
$OUT .= " PORT=". ($uqpsmtpd{TCPPort} || "587");
$OUT .= " INSTANCES=" . ($uqpsmtpd{Instances} || $qpsmtpd{Instances} || "40");
$OUT .= " INSTANCES_PER_IP=" . ($uqpsmtpd{InstancesPerIP} || $qpsmtpd{InstancesPerIP} ||"5");
$OUT .= " PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin";
$OUT .= " TCPLOCALHOST=$SystemName.$DomainName";
}


@@ -1,9 +0,0 @@
{
require esmith::AccountsDB;
require esmith::DomainsDB;
%Accounts = esmith::AccountsDB->as_hash;
%Domains = esmith::DomainsDB->as_hash;
"";
}


@@ -1,16 +0,0 @@
{
foreach my $account ( keys %Accounts )
{
next unless ( exists $Accounts{$account}{Visible}
and $Accounts{$account}{Visible} eq "internal" );
$OUT .= "$account\n";
$OUT .= "$account\@$DomainName\n";
foreach my $domain ( keys %Domains )
{
next unless $Domains{$domain}{type} eq "domain";
$OUT .= "$account\@$domain\n";
}
}
}


@@ -1,14 +0,0 @@
{
use esmith::DomainsDB;
my $ddb = esmith::DomainsDB->open_ro or die "Couldn't open DomainsDB\n";
my @rcpt_hosts = ( "$SystemName.$DomainName" );
foreach my $domain ( $ddb->get_all_by_prop( type => "domain" ) )
{
push @rcpt_hosts, $domain->key;
}
$OUT = join "\n", @rcpt_hosts;
}


@@ -1,5 +0,0 @@
{
return "" unless (defined $ExternalIP);
return "[$ExternalIP]";
}


@@ -1,6 +1,6 @@
{
$OUT .= '';
foreach my $alias ( $a->users, $a->groups, $a->pseudonyms ){
foreach my $alias ( $a->users, $a->groups, $a->pseudonyms, $a->get_all_by_prop(type =>"system") ){
next unless ( $alias->prop('Visible') || '') =~ m/^(internal|none)$/i;
$OUT .= $alias->key . "\n" and next if $alias->key =~ m/@/;
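Review bot: The system-type accounts added to the `foreach` list are still subject to the `next unless (...prop('Visible') || '') =~ m/^(internal|none)$/i` filter on the following line, and a record with no `Visible` prop yields `''`, which does not match, so only system accounts explicitly marked internal or none are emitted. If the intent is to list every system account, the filter needs an exception for `type => "system"` records; if the current behaviour is intended, a comment saying so would stop the next reader from assuming otherwise, e.g. `# system accounts are listed only when Visible is internal/none, like any other alias`. The enclosing block starts before and continues after this hunk.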


@@ -5,4 +5,5 @@ $OUT .= ':!SSLv3' unless ($qpsmtpd{SSLv3} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1' unless ($qpsmtpd{TLSv1} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1.1' unless ($qpsmtpd{TLSv1.1} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1.2' unless ($qpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1.3' unless ($qpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
}
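Review bot: `$qpsmtpd{TLSv1.1}`, `$qpsmtpd{TLSv1.2}` and `$qpsmtpd{TLSv1.3}` do not look up the keys they appear to: Perl only auto-quotes a subscript that is a bare identifier, and `TLSv1.1` is parsed as `TLSv1 . 1`, which is the string `TLSv11` without strict subs (and a compile error with them, which would stop the template expanding at all). Either way a `TLSv1.1`, `TLSv1.2` or `TLSv1.3` prop set on the qpsmtpd record can never turn that version off, so the `'enabled'`/`'disabled'` fallbacks always win; quote the keys, e.g. `$OUT .= ':!TLSv1.1' unless ($qpsmtpd{'TLSv1.1'} || 'enabled') eq 'enabled';` and likewise for 1.2 and 1.3. The same pattern is in the new sqpsmtpd and uqpsmtpd TLS-version templates further down this page.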


@@ -0,0 +1,2 @@
# The next line should be set to 0 if you want to offer AUTH without TLS
1


@@ -0,0 +1,5 @@
{
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
return $sqpsmtpd{tlsCipher} || $uqpsmtpd{tlsCipher} ||$modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
}
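Review bot: The fallback chain on the `return` line consults `$uqpsmtpd{tlsCipher}` for the sqpsmtpd service, while the uqpsmtpd template further down falls back only to `$modSSL{CipherSuite}`; the asymmetry means a tlsCipher set on uqpsmtpd silently changes the port-465 listener as well, which is unlikely to be what an operator tuning the submission service expects. The other per-service templates in this commit fall back to the shared `qpsmtpd` record (`$sqpsmtpd{Instances} || $qpsmtpd{Instances}`), so `return $sqpsmtpd{tlsCipher} || $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || '...';` would be the consistent shape — provided a tlsCipher key is used on the qpsmtpd record, which I cannot confirm from this page. Whichever chain is kept, the comment should state which record wins and why.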


@@ -0,0 +1,9 @@
{
$OUT .= 'SSLv23';
$OUT .= ':!SSLv2' unless ($sqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
$OUT .= ':!SSLv3' unless ($sqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1' unless ($sqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1.1' unless ($sqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1.2' unless ($sqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1.3' unless ($sqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
}


@@ -1,4 +0,0 @@
# This templated file is sourced by the sqpsmtpd run
# file. Shell variables can be set here for use by the run
# script, or environment variables can be exported for use
# by sqpsmtpd.


@@ -1,3 +0,0 @@
{
return "INSTANCES=" . ($sqpsmtpd{Instances} || $qpsmtpd{Instances} || "10");
}


@@ -1,4 +0,0 @@
{
return "INSTANCES_PER_IP=" .
($sqpsmtpd{InstancesPerIP} || $qpsmtpd{InstancesPerIP} || "5");
}


@@ -1 +0,0 @@
export PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin


@@ -1,3 +0,0 @@
{
return "export PORT=" . (${sqpsmtpd}{TCPPort} || "465");
}


@@ -1,3 +0,0 @@
{
return "SOFTLIMIT=" . ($sqpsmtpd{Softlimit} || $qpsmtpd{Softlimit} || "50000000");
}


@@ -1,3 +0,0 @@
{
return "export TCPLOCALHOST=$SystemName.$DomainName";
}


@@ -0,0 +1,2 @@
# The next line should be set to 0 if you want to offer AUTH without TLS
1


@@ -0,0 +1,5 @@
{
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
return $uqpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
}


@@ -0,0 +1,9 @@
{
$OUT .= 'SSLv23';
$OUT .= ':!SSLv2' unless ($uqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
$OUT .= ':!SSLv3' unless ($uqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1' unless ($uqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1.1' unless ($uqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1.2' unless ($uqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1.3' unless ($uqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
}