SMTP and DNS edits

src/acknowledgements.tex

@@ -13,6 +13,7 @@ \section*{Acknowledgements}
 Grigg, Ian  \\
 Horenbeck, Maarten \\
 Huebl, Axel \\
+Koetter, Patrick Ben \\
 Kovacic, Daniel \\
 Lenzhofer, Stefan \\
 Lorünser, Thomas \\
@@ -28,6 +29,7 @@ \section*{Acknowledgements}
 Roeckx, Kurt \\
 Rublik, Martin \\
 Seidl, Eva (PDF layout) \\
+Strotmann, Carsten \\
 Wagner, Sebastian («sebix») \\
 Zangerl, Alexander \\
 }\end{multicols}

src/common/names.tex

@@ -22,6 +22,8 @@
 \newacronym{EDH}{edh}{Ephemeral Diffie-Hellman}
 \newacronym{EECDH}{eecdh\alsoidx{Diffie--Hellman}\alsoidx{elliptic curve}}{%
   elliptic curve ephemeral Diffie--Hellman}
+\newacronym{MSA}{msa}{%
+  A message submission host from which messages sent by MUAs originates and will be transported towards its final destination}
 \newacronym{PFS}{pfs}{%
   perfect forward secrecy}
 \newacronym{RSA}{rsa}{Rivest Shamir Adleman}

src/configuration/DNS/resolv.conf/resolv.conf

@@ -0,0 +1,6 @@
+search example.com
+# Local resolver
+nameserver 127.0.1.1
+# Trustworthy fallbacks
+nameserver 192.0.2.1
+nameserver 203.0.113.254

src/configuration/MailServers/Postfix/main.cf

@@ -17,25 +17,55 @@ append_dot_mydomain = no
 
 readme_directory = no
 
-readme_directory = no
+## General TLS options
+tls_ssl_options = NO_COMPRESSION
 
-# TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-# use 0 for Postfix >= 2.9, and 1 for earlier versions
+## Server-side TLS
+# Server certificate
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+# Server key
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+# TLS Logging
+# Use 0 for Postfix >= 2.9, and 1 for earlier versions
 smtpd_tls_loglevel = 0
-# enable opportunistic TLS support in the SMTP server and client
+# Enable opportunistic TLS support in the SMTP server
 smtpd_tls_security_level = may
+# Optional: If you have SMTP AUTH enabled, offer it after STARTTLS only
+# in order to protect SASL's unencrypted PLAIN and LOGIN mechanisms
+smtpd_tls_auth_only = yes
+
+## Submission server TLS
+# Disable unwanted protocols
+mua_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Demand high ciphers
+mua_tls_mandatory_ciphers=high
+# Limit the cipher list
+mua_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+# TODO
+mua_tls_eecdh_grade=ultra
+
+## Client-side TLS
+# Enable opportunistic TLS support in the SMTP client
 smtp_tls_security_level = may
+# Client certificate
+smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+# Client key
+smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+# Log when remote server offers STARTTLS (useful to identify partners for
+# policies)
+smtp_tls_note_starttls_offer = yes
+# TODO
 smtp_tls_loglevel = 1
-# if you have authentication enabled, only offer it after STARTTLS
-smtpd_tls_auth_only = yes
-tls_ssl_options = NO_COMPRESSION
 
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
-smtpd_tls_eecdh_grade=ultra
+
+## Client-side DANE TLS
+# Enable opportunistic and identified TLS support in the SMTP client
+smtp_tls_security_level = dane
+# Require DNSSEC DNS lookups
+smtp_dns_support_level = dnssec
+
+
+
 
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

src/configuration/MailServers/Postfix/master.cf

@@ -10,8 +10,12 @@
 # ==========================================================================
 smtp      inet  n       -       -       -       -       smtpd
 submission inet n       -       -       -       -       smtpd
-  -o smtpd_tls_security_level=encrypt
-  -o tls_preempt_cipherlist=yes
+    -o smtpd_tls_security_level=encrypt
+    -o tls_preempt_cipherlist=yes
+    -o smtpd_tls_mandatory_protocols=$mua_tls_mandatory_protocols
+    -o smtpd_tls_mandatory_ciphers=$mua_tls_mandatory_ciphers
+    -o tls_high_cipher_list=$mua_high_cipherlist
+    -o smtpd_tls_eecdh_grade=$mua_tls_eecdh_grade
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
@@ -37,7 +41,7 @@ proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       -       -       -       smtp
 # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 relay     unix  -       -       -       -       -       smtp
-	-o smtp_fallback_relay=
+    -o smtp_fallback_relay=
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       -       -       -       showq
 error     unix  -       -       -       -       -       error
@@ -102,7 +106,7 @@ ifmail    unix  -       n       n       -       -       pipe
   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
 bsmtp     unix  -       n       n       -       -       pipe
   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
-scalemail-backend unix	-	n	n	-	2	pipe
+scalemail-backend unix  -   n   n   -   2   pipe
   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
 mailman   unix  -       n       n       -       -       pipe
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

src/practical_settings.tex

@@ -1,3 +1,6 @@
+\section{DNS}
+\label{sec:dns}
+\input{practical_settings/dns}
 \section{Webservers}
 \label{sec:webservers}
 \input{practical_settings/webserver}