Task #2256: Set up a smarthost to relay service and automatic system emails
Status: closed
% Done: 0
Description
All our boxes need to be able to send out email (such as system mails to hostmaster@tdf). Currently each smtp(8) client establishes TCP/25 connections directly to the remote MTAs. That doesn't scale well, because for each new host we need to take the public part of the generated DKIM key and add a TXT record to the zone. Moreover amavis and clamav are rather greedy in terms of resources, and having an instance of both on each of our hosts seems unnecessary.
This issue is about deploying a smarthost (possibly more than one) to relay outgoing email from all our boxes, except:
- documentfoundation.org (TDF's mail server, private mailing lists)
- vm192.documentfoundation.org (redmine instance)
- vm194.documentfoundation.org (public mailing lists)
- intranet.documentfoundation.org
- monitoring.documentfoundation.org
Other boxes would use said smarthost as a relayhost, and delegate DKIM signing & virus detection to it. To secure links to the smarthost, each smtp(8) would use a client certificate and public keys should be pinned on both ends, as per the following snippets:
vmXYZ.tdf:/etc/postfix/main.cf

    smtp_tls_security_level = may
    smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtp_tls_policy_maps = hash:$config_directory/tls_policy
    smtp_tls_fingerprint_digest = sha256

vmXYZ.tdf:/etc/postfix/tls_policy (the table referenced by smtp_tls_policy_maps above)

    [smarthost.tdf]:25 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 match=$$SHA-256 digest of the smtpd(8)'s SPKI$$

smarthost.tdf:/etc/postfix/main.cf

    relay_clientcerts = hash:$config_directory/relay_clientcerts
    smtpd_client_restrictions = permit_mynetworks, permit_tls_clientcerts
    smtpd_relay_restrictions = …, permit_tls_clientcerts, …
    smtpd_recipient_restrictions = …, permit_tls_clientcerts, …
    smtpd_tls_ask_ccert = yes

smarthost.tdf:/etc/postfix/relay_clientcerts

    $$SHA-256 digest of the smtp(8)'s SPKI$$ vmXYZ.tdf
    $$SHA-256 digest of the smtp(8)'s SPKI$$ vmUVW.tdf
    …
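Both tables above need the SHA-256 digest of a SubjectPublicKeyInfo in the colon-separated hex form Postfix fingerprint matches use. The script below is an added example, not tooling from this ticket or from TDF; it assumes openssl(1) is available, builds throw-away self-signed key/certificate pairs for the hypothetical hosts vmxyz.tdf and smarthost.tdf, and prints the corresponding tls_policy and relay_clientcerts entries. Pinning the public key rather than the certificate means a pin survives certificate re-issuance as long as the key is kept.

```shell
#!/bin/sh
# Added example (not the ticket's own tooling): derive the SHA-256 digest of a
# certificate's SubjectPublicKeyInfo (SPKI) in the colon-separated hex form that
# Postfix "fingerprint" matches use, then emit the tls_policy and relay_clientcerts
# entries built from it. Requires openssl(1).
set -eu

# spki_sha256 CERT.pem -> "AB:CD:...:EF" (32 octets)
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -c \
      | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# tls_policy_line SMARTHOST CERT.pem -> entry for the client's /etc/postfix/tls_policy;
# CERT.pem is the certificate the smarthost's smtpd(8) presents.
tls_policy_line() {
    printf '[%s]:25 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 match=%s\n' \
        "$1" "$(spki_sha256 "$2")"
}

# relay_clientcerts_line CERT.pem CLIENT_FQDN -> entry for the smarthost's
# /etc/postfix/relay_clientcerts; CERT.pem is the client's smtp(8) certificate.
relay_clientcerts_line() {
    printf '%s %s\n' "$(spki_sha256 "$1")" "$2"
}

# mk_selfsigned CN KEY.pem CERT.pem: throw-away self-signed pair for the demo below
mk_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 1 \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Demo: hypothetical hosts vmxyz.tdf (client) and smarthost.tdf; no real TDF key material.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    mk_selfsigned smarthost.tdf "$d/sh.key" "$d/sh.pem"
    mk_selfsigned vmxyz.tdf "$d/vm.key" "$d/vm.pem"
    echo "# vmxyz.tdf:/etc/postfix/tls_policy"
    tls_policy_line smarthost.tdf "$d/sh.pem"
    echo "# smarthost.tdf:/etc/postfix/relay_clientcerts"
    relay_clientcerts_line "$d/vm.pem" vmxyz.tdf
fi
```

Run with `sh script.sh demo`; after editing the real tables, remember that hash: maps need a postmap(1) run before Postfix sees the new entries.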
The SPF policy for vmXYZ.tdf would be
vmXYZ IN TXT "v=spf1 a:smarthost.tdf ?all"
(we could even pre-fill the zone like we do for A records)
The smarthost would also act as an MX for nullmailer clients (either with a DISCARD rule for all valid senders, or by aliasing them to hostmaster). This is because some MTAs call back to verify that the envelope sender address exists. However, machines that need to be able to receive email would keep an INADDR_ANY-listening smtpd, and use themselves as MX.