[crux-commits] ports/contrib (refs/remotes/origin/3.6): postfix-lmdb: new port (secure mailer)

crux at crux.nu crux at crux.nu
Sat Apr 10 19:05:53 UTC 2021


commit e9b6964e9fb191c48cf6b3716fa11eabdb020b53
Author: Steffen Nurpmeso <steffen at sdaoden.eu>
Date:   Thu Feb 11 00:43:00 2021 +0100

    postfix-lmdb: new port (secure mailer)

diff --git a/postfix-lmdb/.footprint b/postfix-lmdb/.footprint
new file mode 100644
index 000000000..cf5cb7755
--- /dev/null
+++ b/postfix-lmdb/.footprint
@@ -0,0 +1,180 @@
+drwxr-xr-x	root/root	etc/
+drwxr-xr-x	root/root	etc/postfix-lmdb/
+-rw-r--r--	root/root	etc/postfix-lmdb/CRUX-README.txt
+-rw-r--r--	root/root	etc/postfix-lmdb/LICENSE
+-rw-r--r--	root/root	etc/postfix-lmdb/TLS_LICENSE
+-rw-r--r--	root/root	etc/postfix-lmdb/access
+-rw-r--r--	root/root	etc/postfix-lmdb/aliases
+-rw-r--r--	root/root	etc/postfix-lmdb/bounce.cf.default
+-rw-r--r--	root/root	etc/postfix-lmdb/canonical
+-rw-r--r--	root/root	etc/postfix-lmdb/generic
+-rw-r--r--	root/root	etc/postfix-lmdb/header_checks
+-rw-r--r--	root/root	etc/postfix-lmdb/main.cf
+-rw-r--r--	root/root	etc/postfix-lmdb/main.cf.default
+-rw-r--r--	root/root	etc/postfix-lmdb/main.cf.proto
+-rw-r--r--	root/root	etc/postfix-lmdb/makedefs.out
+-rw-r--r--	root/root	etc/postfix-lmdb/master.cf
+-rw-r--r--	root/root	etc/postfix-lmdb/master.cf.proto
+-rw-r--r--	root/root	etc/postfix-lmdb/postfix-files
+drwxr-xr-x	root/root	etc/postfix-lmdb/postfix-files.d/
+-rw-r--r--	root/root	etc/postfix-lmdb/relay_clientcerts
+-rw-r--r--	root/root	etc/postfix-lmdb/relocated
+-rw-r--r--	root/root	etc/postfix-lmdb/sender_restrict
+-rw-r--r--	root/root	etc/postfix-lmdb/transport
+-rw-r--r--	root/root	etc/postfix-lmdb/virtual
+drwxr-xr-x	root/root	etc/rc.d/
+-rwxr-xr-x	root/root	etc/rc.d/postfix-lmdb
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/bin/
+lrwxrwxrwx	root/root	usr/bin/mailq -> ../../usr/sbin/sendmail
+lrwxrwxrwx	root/root	usr/bin/newaliases -> ../../usr/sbin/sendmail
+drwxr-xr-x	root/root	usr/lib/
+drwxr-xr-x	root/root	usr/lib/postfix-lmdb/
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/anvil
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/bounce
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/cleanup
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/discard
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/dnsblog
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/error
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/flush
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/libpostfix-dns.so
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/libpostfix-global.so
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/libpostfix-master.so
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/libpostfix-tls.so
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/libpostfix-util.so
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/lmtp
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/local
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/master
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/nqmgr
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/oqmgr
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/pickup
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/pipe
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/post-install
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/postfix-script
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/postfix-tls-script
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/postfix-wrapper
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/postlogd
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/postmulti-script
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/postscreen
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/proxymap
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/qmgr
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/qmqpd
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/scache
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/showq
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/smtp
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/smtpd
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/spawn
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/tlsmgr
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/tlsproxy
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/trivial-rewrite
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/verify
+-rwxr-xr-x	root/root	usr/lib/postfix-lmdb/virtual
+drwxr-xr-x	root/root	usr/sbin/
+-rwxr-xr-x	root/root	usr/sbin/postalias
+-rwxr-xr-x	root/root	usr/sbin/postcat
+-rwxr-xr-x	root/root	usr/sbin/postconf
+-rwxr-xr-x	root/root	usr/sbin/postdrop
+-rwxr-xr-x	root/root	usr/sbin/postfix
+-rwxr-xr-x	root/root	usr/sbin/postkick
+-rwxr-xr-x	root/root	usr/sbin/postlock
+-rwxr-xr-x	root/root	usr/sbin/postlog
+-rwxr-xr-x	root/root	usr/sbin/postmap
+-rwxr-xr-x	root/root	usr/sbin/postmulti
+-rwxr-xr-x	root/root	usr/sbin/postqueue
+-rwxr-xr-x	root/root	usr/sbin/postsuper
+-rwxr-xr-x	root/root	usr/sbin/sendmail
+drwxr-xr-x	root/root	usr/share/
+drwxr-xr-x	root/root	usr/share/man/
+drwxr-xr-x	root/root	usr/share/man/man1/
+-rw-r--r--	root/root	usr/share/man/man1/mailq.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/newaliases.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postalias.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postcat.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postconf.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postdrop.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postfix-tls.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postfix.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postkick.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postlock.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postlog.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postmap.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postmulti.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postqueue.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/postsuper.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/sendmail.1.gz
+drwxr-xr-x	root/root	usr/share/man/man5/
+-rw-r--r--	root/root	usr/share/man/man5/access.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/aliases.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/body_checks.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/bounce.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/canonical.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/cidr_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/generic.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/header_checks.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/ldap_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/lmdb_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/master.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/memcache_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/mysql_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/nisplus_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/pcre_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/pgsql_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/postconf.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/postfix-wrapper.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/regexp_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/relocated.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/socketmap_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/sqlite_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/tcp_table.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/transport.5.gz
+-rw-r--r--	root/root	usr/share/man/man5/virtual.5.gz
+drwxr-xr-x	root/root	usr/share/man/man8/
+-rw-r--r--	root/root	usr/share/man/man8/anvil.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/bounce.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/cleanup.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/defer.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/discard.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/dnsblog.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/error.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/flush.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/lmtp.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/local.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/master.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/oqmgr.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/pickup.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/pipe.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/postlogd.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/postscreen.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/proxymap.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/qmgr.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/qmqpd.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/scache.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/showq.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/smtp.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/smtpd.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/spawn.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/tlsmgr.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/tlsproxy.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/trace.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/trivial-rewrite.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/verify.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/virtual.8.gz
+drwxr-xr-x	root/root	var/
+drwxr-xr-x	root/root	var/lib/
+drwx------	root/root	var/lib/postfix-lmdb/
+drwxr-xr-x	root/root	var/spool/
+drwxr-xr-x	root/root	var/spool/postfix-lmdb/
+drwx------	root/root	var/spool/postfix-lmdb/active/
+drwx------	root/root	var/spool/postfix-lmdb/bounce/
+drwx------	root/root	var/spool/postfix-lmdb/corrupt/
+drwx------	root/root	var/spool/postfix-lmdb/defer/
+drwx------	root/root	var/spool/postfix-lmdb/deferred/
+drwx------	root/root	var/spool/postfix-lmdb/flush/
+drwx------	root/root	var/spool/postfix-lmdb/hold/
+drwx------	root/root	var/spool/postfix-lmdb/incoming/
+drwx-wx---	root/root	var/spool/postfix-lmdb/maildrop/
+drwxr-xr-x	root/root	var/spool/postfix-lmdb/pid/
+drwx------	root/root	var/spool/postfix-lmdb/private/
+drwx--x---	root/root	var/spool/postfix-lmdb/public/
+drwx------	root/root	var/spool/postfix-lmdb/saved/
+drwx------	root/root	var/spool/postfix-lmdb/trace/
diff --git a/postfix-lmdb/.md5sum b/postfix-lmdb/.md5sum
new file mode 100644
index 000000000..27ced0acf
--- /dev/null
+++ b/postfix-lmdb/.md5sum
@@ -0,0 +1,11 @@
+24bfa6cc02af20ff1306dbdc9e9ccd72  README
+991eec1333efecf3e5c5785a35f63f93  aliases
+356deb2ed0a246dc67417d501384b29d  lmdb-default.patch
+6b5b42413a938f5e1c036a29919fc6ba  main-addon.cf
+349f82d9bce5df2e820edde59f0df385  master.patch
+3a0783dfe97cd85620ec63dc3155c138  post-install
+a4d1b2df03a500cf8f9759d5fca1c1f6  postfix-3.5.9.tar.gz
+3c58426d21611dd4eb1f93e924b349a1  postfix-install.patch
+74ca32d588624b357889e6d783c3aa11  postfix.rc
+9e5990ceca5cd7969fe1297e02fd966d  relay_clientcerts
+e701ec7f1075d63c1b0cf930cce8ff9e  sender_restrict
diff --git a/postfix-lmdb/Pkgfile b/postfix-lmdb/Pkgfile
new file mode 100644
index 000000000..d34df6eb1
--- /dev/null
+++ b/postfix-lmdb/Pkgfile
@@ -0,0 +1,97 @@
+# Description: Secure and fast drop-in replacement for Sendmail (MTA)
+# URL:         https://www.postfix.org/
+# Maintainer:  Steffen Nurpmeso, steffen at sdaoden dot eu
+# Depends on:  libpcre lmdb   openssl
+
+rname=postfix
+name=postfix-lmdb
+version=3.5.9
+release=1
+source=(
+   https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz
+   lmdb-default.patch postfix-install.patch post-install
+   ${rname}.rc
+   aliases README relay_clientcerts sender_restrict
+   main-addon.cf master.patch
+)
+
+isinst() { pkginfo -i | grep -qE "^${1}[[:space:]]"; }
+
+build() {
+   cd ${rname}-${version}
+
+   patch -p1 < "${SRC}"/lmdb-default.patch
+   patch -p1 < "${SRC}"/postfix-install.patch
+
+   cca='-DNO_DB -DNO_EAI -DNO_NIS -DNO_NISPLUS '
+   cca=${cca}' -DHAS_LMDB -DDEF_DB_TYPE=\"lmdb\" -DHAS_PCRE -DUSE_TLS'
+   aux=
+
+   if isinst dovecot; then # TODO UNTESTED!
+      cca=${cca}' -DUSE_SASL_AUTH -DDEF_SASL_SERVER=dovecot'
+   fi
+
+   if isinst cyrus-sasl; then # TODO UNTESTED!
+      cca=${cca}' -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl'
+      aux=${aux}' -lsasl2'
+   fi
+
+   make tidy
+   make pie=yes shared=yes \
+      DEBUG= \
+      CCARGS="${cca}" \
+      OPT="${CFLAGS}" \
+      AUXLIBS_LMDB=-llmdb \
+      AUXLIBS_PCRE=-lpcre \
+      AUXLIBS="-lssl -lcrypto" \
+      ${aux} \
+         install_root="${PKG}" \
+         command_directory=/usr/sbin \
+         config_directory=/etc/${name} \
+         daemon_directory=/usr/lib/${name} \
+         data_directory=/var/lib/${name} \
+         html_directory=no \
+         mail_spool_directory=/var/spool/mail \
+         manpage_directory=/usr/share/man \
+         meta_directory=/etc/${name} \
+         queue_directory=/var/spool/${name} \
+         readme_directory=no \
+         shlib_directory=/usr/lib/${name} \
+      makefiles
+
+   make OPT="$CFLAGS"
+
+   make \
+         install_root="${PKG}" \
+         command_directory=/usr/sbin \
+         config_directory=/etc/${name} \
+         daemon_directory=/usr/lib/${name} \
+         data_directory=/var/lib/${name} \
+         html_directory=no \
+         mail_spool_directory=/var/spool/mail \
+         manpage_directory=/usr/share/man \
+         meta_directory=/etc/${name} \
+         queue_directory=/var/spool/${name} \
+         readme_directory=no \
+         shlib_directory=/usr/lib/${name} \
+   non-interactive-package
+
+   install -D -m 0755 "${SRC}"/${rname}.rc "${PKG}"/etc/rc.d/${name}
+   install -m 0644 "${SRC}"/aliases "${PKG}"/etc/${name}/aliases
+   install -m 0644 "${SRC}"/README "${PKG}"/etc/${name}/CRUX-README.txt
+   install -m 0644 "${SRC}"/relay_clientcerts \
+      "${PKG}"/etc/${name}/relay_clientcerts
+   install -m 0644 "${SRC}"/sender_restrict \
+      "${PKG}"/etc/${name}/sender_restrict
+   sed -E -i'' \
+         -e 's/^(setgid_group.+)$/#\1/' \
+         -e 's/^(inet_protocols.+)$/#\1/' \
+      "${PKG}"/etc/${name}/main.cf
+   cat "${SRC}"/main-addon.cf >> "${PKG}"/etc/${name}/main.cf
+   (
+      cd "${PKG}"/etc/${name}
+      patch -p0 < "${SRC}"/master.patch
+   )
+}
+
+# s-sh-mode
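Review bot: The SASL support decided at `if isinst dovecot` and `if isinst cyrus-sasl` depends on what happens to be installed on the build host, so two builds of the same Pkgfile yield different binaries, while neither package is named in the `# Depends on:` header, so the port tooling cannot know about the relationship. Both branches are marked `# TODO UNTESTED!`, yet the shipped main.cf (`smtpd_sasl_type = dovecot`) assumes the dovecot branch was compiled in; I would make the SASL backend an explicit choice, or at least list dovecot and cyrus-sasl in the header line contrib uses for optional dependencies and mention the untested status in the README. Minor: the first step should be `cd "${rname}-${version}"`, and the `${aux}` word on the `make ... makefiles` line relies on word-splitting to pass `-lsasl2`, which deserves a one-word comment so nobody "fixes" it by quoting.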
diff --git a/postfix-lmdb/README b/postfix-lmdb/README
new file mode 100644
index 000000000..5557cb244
--- /dev/null
+++ b/postfix-lmdb/README
@@ -0,0 +1,104 @@
+
+The CRUX postfix package
+========================
+
+* Abstract
+* TLS
+* SmartHost
+* Relay
+* DNS black lists
+
+Abstract
+--------
+
+- Fully configured for "sailing in the wind".
+- Only listens to SMTP by default, but.
+- A few knobs can be turned here and there for more, see below.
+
+Remember to run "postmap FILE" after you have updated table files,
+and "newaliases" or "postalias FILE" after changing alias files.
+
+TLS
+---
+
+tlsproxy(8) for connection tracking is running by default.
+To be identifieable generate a private key with certificate, either via
+
+  openssl genpkey -algorithm ed25519 -out prv.pem
+  #openssl pkey -in prv.pem -pubout -out pub.pem
+  openssl req -x509 -key prv.pem -out crt.pem
+
+or
+
+  openssl req -x509 -nodes -newkey ed25519 -keyout prv.pem -out crt.pem
+
+Also create DH parameters
+
+  openssl dhparam -out dh2048.pem 2048
+
+Move all these to a save place.  Do
+
+  cat prv.pem crt.pem > /etc/postfix-lmdb/key_and_cert.pem
+  cp dh2048.pem /etc/postfix-lmdb/dh2048.pem
+
+Make them root:root and 0600.
+Edit main.cf: uncomment all lines marked #TLS.
+Edit master.cf and ditto.
+Run "/etc/rc.d/postfix-lmdb reload" (or restart).
+
+SmartHost
+---------
+
+For laptops or hosts without their own hostname using a smart host which
+does the real delivery is usually the thing.
+Edit main.cf and uncomment and edit lines marked #SMART.
+Run "/etc/rc.d/postfix-lmdb reload" (or restart).
+
+Authentication to the smart host is not covered by the default
+configuration, with TLS as above however it may be possible to go
+via client certificates shall the relayhost allow this, see below.
+I.e., just reuse key_and_cert.pem "also" for this.
+
+Note it seems wise to go the $smtp_tls_fingerprint_cert_match approach to
+verify $relayhost, because the $smtp_tls_CAfile way requires a full chain, to
+the best of my knowledge.
+
+You need to have cyrus-sasl installed otherwise (usually), and also
+dovecot that drive the SASL authentication.  The default configuration
+contains the necessary entries, you should only need to adjust and
+uncomment it.  Just search #SMART.
+
+Relay
+-----
+
+The default configuration only allows mails that address $mydestination
+aka the local host, or shall be relayed to $mynetworks (set to the
+IPv4 private address range).
+
+Not covering SASL authentification of clients, the default configuration
+ships support for client certificate fingerprint matching, in order to
+allow clients which authenticate themselves to relay mail to anywhere.
+Edit main.cf and uncomment and edit lines marked #RELAY.
+Run "/etc/rc.d/postfix-lmdb reload" (or restart).
+
+Put the fingerprints in /etc/postfix-lmdb/relay_clientcerts as shown.
+Calculate them via
+
+  openssl x509 -noout -sha256 -fingerprint < CERT.pem
+or
+  openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
+
+It seems to support public-key-only fingerprinting also.
+
+You need to have cyrus-sasl installed otherwise (usually), and also
+dovecot that drive the SASL authentication.  The default configuration
+contains the necessary entries, you should only need to adjust and
+uncomment it.  See above for SmartHost.
+
+DNS black lists
+---------------
+
+Edit main.cf and uncomment and edit lines marked #DNSBL.
+Run "/etc/rc.d/postfix-lmdb reload" (or restart).
+
+# s-ts-mode
diff --git a/postfix-lmdb/aliases b/postfix-lmdb/aliases
new file mode 100644
index 000000000..9828d6977
--- /dev/null
+++ b/postfix-lmdb/aliases
@@ -0,0 +1,96 @@
+#
+# Sample aliases file. Install in the location as specified by the
+# output from the command "postconf alias_maps". Typical path names
+# are /etc/aliases or /etc/mail/aliases.
+#
+#	>>>>>>>>>>      The program "newaliases" must be run after
+#	>> NOTE >>      this file is updated for any changes to
+#	>>>>>>>>>>      show through to Postfix.
+#
+
+# Person who should get root's mail. Don't receive mail as root!
+#root:		you
+
+# Basic system aliases -- these MUST be present
+MAILER-DAEMON:	postmaster
+postmaster:	root
+
+# General redirections for pseudo accounts
+bin:		root
+daemon:		root
+named:		root
+nobody:		root
+uucp:		root
+www:		root
+ftp-bugs:	root
+postfix:	root
+
+# Put your local aliases here.
+
+# Well-known aliases
+manager:	root
+dumper:		root
+operator:	root
+abuse:		postmaster
+
+# trap decode to catch security attacks
+decode:		root
+
+# ALIASES(5)                                                          ALIASES(5)
+#        o      An alias definition has the form
+# 
+#                    name: value1, value2, ...
+# 
+#        o      Empty lines and whitespace-only lines are  ignored,
+#               as  are  lines whose first non-whitespace character
+#               is a `#'.
+# 
+#        o      A logical line starts with non-whitespace  text.  A
+#               line  that starts with whitespace continues a logi-
+#               cal line.
+# 
+#        The name is a local address (no domain part).  Use  double
+#        quotes  when the name contains any special characters such
+#        as whitespace, `#', `:', or `@'. The  name  is  folded  to
+#        lowercase, in order to make database lookups case insensi-
+#        tive.
+#        The value contains one or more of the following:
+# 
+#        address
+#               Mail is forwarded to address, which  is  compatible
+#               with the RFC 822 standard.
+# 
+#        /file/name
+#               Mail  is  appended  to /file/name. See local(8) for
+#               details of delivery to file.  Delivery is not  lim-
+#               ited  to regular files.  For example, to dispose of
+#               unwanted mail, deflect it to /dev/null.
+# 
+#        |command
+#               Mail is piped into command. Commands  that  contain
+#               special  characters,  such as whitespace, should be
+#               enclosed between double quotes.  See  local(8)  for
+#               details of delivery to command.
+# 
+#               When the command fails, a limited amount of command
+#               output is mailed back  to  the  sender.   The  file
+#               /usr/include/sysexits.h  defines  the expected exit
+#               status codes. For example, use "|exit 67" to  simu-
+#               late  a  "user  unknown"  error,  and  "|exit 0" to
+#               implement an expensive black hole.
+# 
+#        :include:/file/name
+#               Mail is sent to  the  destinations  listed  in  the
+#               named file.  Lines in :include: files have the same
+#               syntax as the right-hand side of alias entries.
+# 
+#               A  destination  can  be  any  destination  that  is
+#               described in this manual page. However, delivery to
+#               "|command" and /file/name is disallowed by default.
+#               To  enable,  edit  the  allow_mail_to_commands  and
+#               allow_mail_to_files configuration parameters.
+# SEE ALSO
+#        local(8), local delivery agent
+#        newaliases(1), create/update alias database
+#        postalias(1), create/update alias database
+#        postconf(5), configuration parameters
diff --git a/postfix-lmdb/lmdb-default.patch b/postfix-lmdb/lmdb-default.patch
new file mode 100644
index 000000000..949b2a840
--- /dev/null
+++ b/postfix-lmdb/lmdb-default.patch
@@ -0,0 +1,27 @@
+Upstream: Not applicable
+Reason: Make LMDB the default configuration
+
+Author: Duncan Bellamy <dunk at denkimushi.com>
+
+diff --git a/src/global/mail_params.h b/src/global/mail_params.h
+index a6119f1..9639c60 100644
+--- a/src/global/mail_params.h
++++ b/src/global/mail_params.h
+@@ -2826,7 +2826,7 @@ extern int var_vrfy_pend_limit;
+ extern char *var_verify_service;
+ 
+ #define VAR_VERIFY_MAP			"address_verify_map"
+-#define DEF_VERIFY_MAP			"btree:$data_directory/verify_cache"
++#define DEF_VERIFY_MAP			"lmdb:$data_directory/verify_cache"
+ extern char *var_verify_map;
+ 
+ #define VAR_VERIFY_POS_EXP		"address_verify_positive_expire_time"
+@@ -3594,7 +3594,7 @@ extern char *var_multi_cntrl_cmds;
+   * postscreen(8)
+   */
+ #define VAR_PSC_CACHE_MAP	"postscreen_cache_map"
+-#define DEF_PSC_CACHE_MAP	"btree:$data_directory/postscreen_cache"
++#define DEF_PSC_CACHE_MAP "lmdb:$data_directory/postscreen_cache"
+ extern char *var_psc_cache_map;
+ 
+ #define VAR_SMTPD_SERVICE	"smtpd_service_name"
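Review bot: The second hunk, `#define DEF_PSC_CACHE_MAP "lmdb:$data_directory/postscreen_cache"`, drops the tab that aligns the value with the `VAR_PSC_CACHE_MAP` line above it, while the first hunk keeps upstream's tabs; keeping the tab makes the diff against upstream whitespace-clean. It would also help to state in the `Reason:` header that the Pkgfile's `-DDEF_DB_TYPE=\"lmdb\"` only changes the default database type, which is why the literal `btree:` prefixes in these two parameter defaults have to be patched separately.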
diff --git a/postfix-lmdb/main-addon.cf b/postfix-lmdb/main-addon.cf
new file mode 100644
index 000000000..92565861b
--- /dev/null
+++ b/postfix-lmdb/main-addon.cf
@@ -0,0 +1,224 @@
+
+### CRUX-ADDON
+
+default_privs = _postfix_xlocal
+setgid_group = _postfix_queue
+mail_spool_directory = /var/spool/mail
+alias_database = lmdb:/etc/postfix-lmdb/aliases
+alias_maps = $alias_database
+# all # or ipv4, ipv6 or ipv4 or ipv6
+inet_protocols = all
+
+#myhostname = arch-2020 # default: gethostname
+#mydomain = localdomain # default: $myhostname less one component
+#myorigin = $mydomain
+# , lists.$myhostname
+mydestination = $myhostname, localhost.$mydomain, localhost
+mynetworks_style = host
+# One class A, 16 class B, 256 class C networks; loopback
+# Dunno how to specify IPv6 link-local and site-local
+mynetworks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16  127.0.0.0/8
+#inet_interfaces = localhost
+#inet_interfaces = $myhostname, localhost
+inet_interfaces = all
+#debug_peer_list = 10.0.0.1
+
+smtputf8_enable = no
+disable_vrfy_command = yes
+default_verp_delimiters = -=
+verp_delimiter_filter = -=
+recipient_delimiter = +
+# Only localhost for mailing-lists etc.; maybe $mynetworks?
+smtpd_authorized_verp_clients = 127.0.0.1
+
+default_process_limit = 8
+anvil_rate_time_unit = 60s
+anvil_status_update_time = 3600s
+#n_flow_delay = 1s
+body_checks_size_limit = 102400
+bounce_size_limit = 50000
+#header_size_limit = 102400
+mailbox_size_limit = 100000000
+message_size_limit = 442000
+
+# Calculate:
+# openssl x509 -noout -sha256 -fingerprint < CERT.pem
+# OR
+# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
+# Put the hash only in relay_clientcerts, right hand value is not inspected:
+#   FINGERPRINT-HERE  whatever value
+# Search #RELAY for this, uncomment
+#RELAY relay_clientcerts = lmdb:/etc/postfix-lmdb/relay_clientcerts
+# relay_domains <-> reject_unauth_destination,permit_auth_destination
+ # eg lmdb:/etc/postfix-lmdb/transport
+transport_maps =
+relay_domains = $mynetworks,$transport_maps
+
+# Clients which are allowed to invoke commands
+smtpd_client_restrictions =
+#  permit_tls_clientcerts,
+#  permit_sasl_authenticated,
+   permit_mynetworks,
+   # in case you want reject DNS blacklists rather than greylist them
+   # with gross, exchange sleep (maybe) and uncomment the lines below
+   sleep 1,
+    #reject_rbl_client cbl.abuseat.org,
+    #reject_rbl_client sbl.spamhaus.org,
+#DNSBL   reject_rbl_client zen.spamhaus.org,
+#DNSBL   reject_rbl_client dnsbl.sorbs.net,
+    #reject_rbl_client bl.spamcop.net,
+    #reject_rbl_client list.dsbl.org,
+   reject_unauth_pipelining,
+   #reject
+   permit
+
+smtpd_data_restrictions =
+   reject_unauth_pipelining,
+   permit
+
+smtpd_helo_restrictions =
+#RELAY   permit_tls_clientcerts,
+#  permit_sasl_authenticated,
+   permit_mynetworks,
+   reject_invalid_helo_hostname,
+   reject_non_fqdn_helo_hostname,
+   reject_unknown_helo_hostname
+
+# RCPT TO checks, spam blocking policy
+# Match fast for $mynetworks and authenticated clients.
+smtpd_recipient_restrictions =
+#RELAY   permit_tls_clientcerts,
+#  permit_sasl_authenticated,
+   permit_mynetworks,
+   reject_unknown_sender_domain,
+   reject_unknown_reverse_client_hostname,
+   reject_unknown_recipient_domain,
+   reject_unauth_destination,
+   # better not reject_unverified_sender,
+   #check_policy_service inet:127.0.0.1:5525,
+   permit
+
+# RCPT TO checks, relay policy
+# Local clients and authenticated clients may specify any destination domain
+smtpd_relay_restrictions =
+#RELAY   permit_tls_clientcerts,
+#  permit_sasl_authenticated,
+   permit_mynetworks,
+   reject_non_fqdn_sender,
+   reject_non_fqdn_recipient,
+   #permit_auth_destination,
+   #reject
+   reject_unauth_destination,
+   permit
+
+# MAIL FROM Checks
+smtpd_sender_restrictions =
+#RELAY   permit_tls_clientcerts,
+#  permit_sasl_authenticated,
+   permit_mynetworks,
+    # Eg: qq.com reject
+   lmdb:/etc/postfix-lmdb/sender_restrict,
+   reject_unknown_sender_domain,
+   permit
+
+# i would turn that on..
+#smtpd_delay_reject = no
+smtpd_helo_required = yes
+smtpd_hard_error_limit = 1
+smtpd_soft_error_limit = 1
+smtpd_per_record_deadline = yes
+smtpd_timeout = 15s
+smtpd_starttls_timeout = 15s
+smtpd_junk_command_limit = 5
+smtpd_log_access_permit_actions = 1
+smtpd_client_connection_rate_limit = 20
+smtpd_client_connection_count_limit = 2
+
+# TLS see CRUX-README.txt for this
+tls_append_default_CA = no
+# That one is for client certificates!
+#smtpd_tls_CAfile = /etc/dovecot/cert.pem
+#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
+#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
+#TLS smtpd_tls_security_level = may
+#TLS comment out next; see master.cf, too!
+smtpd_tls_security_level = none
+#RELAY smtpd_tls_ask_ccert = yes
+smtpd_tls_ask_ccert = no
+smtpd_tls_auth_only = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_fingerprint_digest = sha256
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_mandatory_exclude_ciphers =
+   aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
+   EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
+smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
+smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
+smtpd_tls_connection_reuse = yes
+
+#TLS smtp_tls_security_level = $smtpd_tls_security_level
+#TLS comment out next
+smtp_tls_security_level = may
+#smtp_tls_wrappermode = yes
+smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
+smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
+smtp_tls_protocols = $smtpd_tls_protocols
+smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
+smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
+smtp_tls_ciphers = $smtpd_tls_ciphers
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+smtp_tls_connection_reuse = $smtpd_tls_connection_reuse
+smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
+smtp_tls_session_cache_timeout = 3600s
+
+#smtpd_sasl_auth_enable = yes
+smtpd_sasl_auth_enable = no
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+
+#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
+#smtp_sasl_type = $smtpd_sasl_type
+#smtp_sasl_path = $smtpd_sasl_path
+#smtp_sasl_mechanism_filter = !external
+#smtp_sasl_security_options = $smtpd_sasl_security_options
+#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
+#smtp_sasl_mechanism_filter = plain, login
+
+# For laptops etc, rely on smarthost to do real delivery.
+#   One or more destinations in the form of a domain name, hostname,
+#   hostname:port, [hostname]:port, [hostaddress]  or [hostaddress]:port,
+#   separated by comma or whitespace.  The form [hostname] turns off MX lookups
+#SMART relayhost = [HOST]:submissions
+#SMART smtp_tls_wrappermode = yes
+#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
+#SMART smtp_tls_security_level = verify
+# This requires a full chain, otherwise look around verify_depth
+#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
+#SMART therefore OR (better, maybe)
+#SMART smtp_tls_security_level = fingerprint
+#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
+# The following is not tested, really, and may not work with default config
+#SMART disable_dns_lookups = yes
+#SMART Authentication like that not tried, this from postfix SASL_README:
+#smtp_sasl_auth_enable = yes
+#smtp_sasl_tls_security_options = noanonymous
+#smtp_sasl_password_maps = lmdb:/etc/postfix-lmdb/sasl_passwd
+# /etc/postfix-lmdb/sasl_passwd:
+#   # destination        credentials
+#   #user1 at example.com   username1:password1
+#   #user2 at example.net   username2:password2
+#   [mail.isp.example]   username:password
+#   # Alternative form:
+#   # [mail.isp.example]:submission username:password
+#SMART Even sender-specific, uncomment the user1 user2 entries above then
+# sender_dependent_relayhost_maps = lmdb:/etc/postfix/sender_relay
+# /etc/postfix/sender_relay:
+#   # Per-sender provider; see also /etc/postfix/sasl_passwd.
+#   user1 at example.com  [mail.example.com]:submission
+#   user2 at example.net  [mail.example.net]
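Review bot: `EDH-RSA-DES-CDB3-SHA` in the `smtpd_tls_mandatory_exclude_ciphers` list is a typo (CDB3 for CBC3), so that exclude entry never matches anything; the line should read `EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, 3DES`, where OpenSSL's `3DES` alias covers every triple-DES suite rather than only the names ending in CBC3-SHA. `mynetworks_style = host` is dead configuration because an explicit `mynetworks` takes precedence, and that list lacks `[::1]/128` although `inet_protocols = all`, so IPv6-loopback submissions never hit `permit_mynetworks`; `mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16` closes that gap, and trusting all of RFC 1918 to relay while `inet_interfaces = all` deserves a comment. `smtpd_log_access_permit_actions = 1` looks wrong as well: the parameter takes permit action names (`static:all` to log all of them), so `1` presumably logs nothing. `relay_domains = $mynetworks,$transport_maps` mixes IP ranges into a domain list; I would expect `relay_domains = $transport_maps` was intended.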
diff --git a/postfix-lmdb/master.patch b/postfix-lmdb/master.patch
new file mode 100644
index 000000000..a2d6b32f5
--- /dev/null
+++ b/postfix-lmdb/master.patch
@@ -0,0 +1,16 @@
+--- master.cf	2021-02-10 01:28:29.091526626 +0100
++++ master.cf.new	2021-02-10 01:30:19.998198603 +0100
+@@ -10,6 +10,13 @@
+ #               (yes)   (yes)   (no)    (never) (100)
+ # ==========================================================================
+ smtp      inet  n       -       n       -       -       smtpd
++#TLS   -o smtpd_tls_security_level=none
++#TLS   -o smtpd_sasl_auth_enable=no
++#TLS submission inet n       -       n       -       -       smtpd
++#TLS  -o smtpd_tls_security_level=encrypt
++#TLS submissions     inet  n       -       n       -       -       smtpd
++#TLS  -o smtpd_tls_wrappermode=yes
++tlsproxy  unix  -       -       n       -       0       tlsproxy
+ #smtp      inet  n       -       n       -       1       postscreen
+ #smtpd     pass  -       -       n       -       -       smtpd
+ #dnsblog   unix  -       -       n       -       0       dnsblog
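Review bot: The `#TLS   -o smtpd_tls_security_level=none` override under the `smtp inet` entry, once uncommented as the README instructs for every #TLS line, turns opportunistic STARTTLS off on port 25 at the same moment main.cf is switched to `may`, so inbound MX traffic stays cleartext even after the operator has installed a certificate. I would drop that line so the main.cf level applies, or make it `#TLS   -o smtpd_tls_security_level=may`, keeping `-o smtpd_sasl_auth_enable=no` on port 25 as it is; if disabling TLS on 25 is intentional, a comment should say why. The `submission` entry gets `encrypt` but no `-o smtpd_sasl_auth_enable=yes`, so with the shipped `smtpd_sasl_auth_enable = no` it accepts no authenticated submission until main.cf is edited too; a comment naming the main.cf knob that pairs with it would help.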
diff --git a/postfix-lmdb/post-install b/postfix-lmdb/post-install
new file mode 100644
index 000000000..fa2e5bce7
--- /dev/null
+++ b/postfix-lmdb/post-install
@@ -0,0 +1,55 @@
+#!/bin/sh -
+
+name=postfix-lmdb
+
+# owner
+usr=postfix
+usrgrp=${usr}
+# group for mail submission and queue
+queuegrp=_postfix_queue
+# Default rights used by the local delivery agent for delivery
+# to external file, used in absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+defusr=_postfix_xlocal
+defgrp=${defusr}
+
+getent group mail >/dev/null || groupadd -r mail
+
+getent group ${usrgrp} >/dev/null || groupadd -r ${usrgrp}
+getent passwd ${usr} >/dev/null 2>&1 || {
+	useradd -r -g ${usrgrp} -d /var/spool/${usr} -s /bin/false ${usr}
+	passwd -l ${usr}
+} 
+
+getent group ${queuegrp} >/dev/null || groupadd -r ${queuegrp}
+
+getent group ${defgrp} >/dev/null || groupadd -r ${defgrp}
+getent passwd ${defusr} >/dev/null 2>&1 || {
+	useradd -r -g ${defgrp} -d /var/spool/mail -s /sbin/nologin ${defusr}
+	passwd -l ${defusr}
+}
+
+p_i() {
+	/usr/lib/${name}/post-install \
+			install_root= \
+			command_directory=/usr/sbin \
+			config_directory=/etc/${name} \
+			daemon_directory=/usr/lib/${name} \
+			data_directory=/var/lib/${name} \
+			html_directory=no \
+			mail_spool_directory=/var/spool/mail \
+			manpage_directory=/usr/share/man \
+			meta_directory=/etc/${name} \
+			queue_directory=/var/spool/${name} \
+			readme_directory=no \
+			shlib_directory=/usr/lib/${name} \
+		"${@}"
+}
+
+p_i create-missing
+p_i upgrade-permissions
+
+/usr/sbin/postalias /etc/${name}/aliases
+
+/usr/sbin/postmap lmdb:/etc/${name}/sender_restrict
+/usr/sbin/postmap lmdb:/etc/${name}/relay_clientcerts
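Review bot: The `useradd` for the Postfix owner sets `-d /var/spool/${usr}`, i.e. /var/spool/postfix, while every directory this script and the Pkgfile hand to post-install is /var/spool/${name}, so the account's home points at a directory that is never created; `-d /var/spool/${name}` looks like what was meant. The two accounts also get different shells (`/bin/false` vs `/sbin/nologin`); picking one keeps the result consistent. Nothing stops on error: without `set -e`, a failed `useradd` or `groupadd` still lets `p_i create-missing` and `p_i upgrade-permissions` run, and `postalias`/`postmap` run even when those failed, so `set -e` after the shebang (or `|| exit 1` on the account-creation steps) is worth adding.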
diff --git a/postfix-lmdb/postfix-install.patch b/postfix-lmdb/postfix-install.patch
new file mode 100644
index 000000000..90d878c48
--- /dev/null
+++ b/postfix-lmdb/postfix-install.patch
@@ -0,0 +1,11 @@
+--- a/postfix-install
++++ b/postfix-install
+@@ -832,7 +832,7 @@
+ # the wrong place when Postfix is being upgraded.
+ 
+ case "$mail_version" in
+-"") mail_version="`bin/postconf -dhx mail_version`" || exit 1
++"") mail_version="`bin/postconf -c $CONFIG_DIRECTORY -dhx mail_version`" || exit 1
+ esac
+ 
+ # Undo MAIL_VERSION expansion at the end of a parameter value. If
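Review bot: `$CONFIG_DIRECTORY` is inserted unquoted inside the backticks, so if that variable is empty where postfix-install runs, `-c` swallows `-dhx` as its argument and the `mail_version` lookup fails confusingly; `bin/postconf -c "$CONFIG_DIRECTORY" -dhx mail_version` at least turns that into an explicit bad-path error. Whether postfix-install guarantees CONFIG_DIRECTORY is set at this point is not visible in the hunk and is worth confirming against the surrounding script. A `Reason:` header like the one in lmdb-default.patch would also document why the override is needed (presumably so the build-time config_directory, not the compiled-in default, is consulted).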
diff --git a/postfix-lmdb/postfix.rc b/postfix-lmdb/postfix.rc
new file mode 100755
index 000000000..887d12403
--- /dev/null
+++ b/postfix-lmdb/postfix.rc
@@ -0,0 +1,38 @@
+#!/bin/sh
+#@ /etc/rc.d/postfix: start/stop postfix daemon
+
+PROG=/usr/sbin/postfix
+OPTS=
+
+case "${1}" in
+check)
+   exec ${PROG} ${OPTS} check
+   ;;
+start)
+   exec ${PROG} ${OPTS} start
+   ;;
+stop)
+   exec ${PROG} ${OPTS} stop
+   ;;
+restart)
+   "${0}" stop
+   exec "${0}" start
+   ;;
+reload)
+   exec ${PROG} ${OPTS} reload
+   ;;
+abort)
+   exec ${PROG} ${OPTS} abort
+   ;;
+flush)
+   exec ${PROG} ${OPTS} flush
+   ;;
+status)
+   exec ${PROG} ${OPTS} status
+   ;;
+*)
+   echo "usage: ${0} check|start|stop|restart|reload|abort|flush|status"
+   ;;
+esac
+
+# s-sh-mode
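Review bot: The `*)` arm prints the usage line to stdout with `echo` and then falls off the end of the `case` with exit status 0, so a mistyped action is reported as success to whatever invoked the script; it should be `echo "usage: ${0} check|start|stop|restart|reload|abort|flush|status" >&2` followed by `exit 1`. The `restart` arm runs `"${0}" stop` and immediately `exec "${0}" start`; I cannot tell from here whether `postfix stop` waits for master to exit before returning, and if it does not, a restart can race the old master — a comment, or a wait on `status`, would settle it.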
diff --git a/postfix-lmdb/relay_clientcerts b/postfix-lmdb/relay_clientcerts
new file mode 100644
index 000000000..1d3fbb31c
--- /dev/null
+++ b/postfix-lmdb/relay_clientcerts
@@ -0,0 +1 @@
+# FINGERPRINT any value
diff --git a/postfix-lmdb/sender_restrict b/postfix-lmdb/sender_restrict
new file mode 100644
index 000000000..13969bf13
--- /dev/null
+++ b/postfix-lmdb/sender_restrict
@@ -0,0 +1,3 @@
+# See access(5) for format
+
+qq.com reject
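Review bot: Shipping `qq.com reject` as a live default means every fresh install of the port rejects mail from an entire provider's sender domain (and, with Postfix's default `parent_domain_matches_subdomains`, its subdomains as well — confirm) without the operator having chosen that. Since this file is a sample, I would ship the rule commented out, `#qq.com reject`, with a line explaining why it is suggested, and keep the `access(5)` pointer.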

