[SOLVED] Proxmox mail delivery with a dynamic IP / test mail?

Discussion in 'Proxmox VE (Deutsch)' started by r4dh4l, Jun 5, 2018.

  1. r4dh4l

    r4dh4l New Member
    Proxmox VE Subscriber

    Joined:
    Feb 5, 2018
    Messages:
    20
    Likes Received:
    1
    Hello,

    my home server has been running wonderfully with Proxmox for a few months now. However, I wonder why I have never received any system notification by mail (that is what the address entered during installation is for, isn't it?). That may simply be because there is nothing to report, but I don't want to rely on that, so:

    1. As far as I understand, mail delivery is handled by Postfix. I suspect that a Postfix server with an IP from a dynamic IP address range has problems sending mail to regular mail providers. If so: is it possible without major problems to reconfigure Postfix accordingly, e.g. as a satellite system, or to replace it with Nullmailer, in order to send the system mails via a private mail account?

    2. Is there a setting somewhere to have Proxmox send a mail on a particular day whose only purpose is to confirm that mail delivery works (to guard against a "suspicious silence")?

    Thanks in advance!

    Edit: As the domain I entered a DynDNS name in Proxmox (i.e. "MeineAdresse.ddns.net" in "/etc/hosts" and "/etc/postfix/main.cf"), which I also use to reach services on the VMs from outside.
     
  2. fireon

    fireon Well-Known Member
    Proxmox VE Subscriber

    Joined:
    Oct 25, 2010
    Messages:
    2,566
    Likes Received:
    137
  3. r4dh4l

    Thanks for the reply. Google is out of the question for me (if I had no problem with Google, I wouldn't put myself through the stress of running my own server and would simply throw everything down their throat - nothing is more convenient than the Google universe).

    On to the problem:

    Before I knew Nullmailer I had set up Postfix as a satellite system, and that worked so far, it was just more effort to set up. Isn't it possible to reconfigure Postfix into a satellite system so that, like Nullmailer, it sends system mails via an existing mailbox? (I have Nullmailer running on a VM and it sends e.g. Logwatch mails flawlessly.)

    Edit: I just noticed that the Gmail approach in https://forum.proxmox.com/threads/how-to-use-google-apps-smtp-to-email-warnings.38236/#post-188938 boils down to a relay... I'll test that first and report back, thanks!
     
    #3 r4dh4l, Jun 6, 2018
    Last edited: Jun 6, 2018
    fireon likes this.
  4. r4dh4l

    I have now "fought my way through" far enough that I was able to eliminate most of the error messages when sending a Postfix test mail to a Posteo address. However, I am stuck on the following error in /var/log/mail.log:

    Code:
    warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
    I use Posteo as relayhost, since that is also where I have the account to which I later want Logwatch & co. to be sent. My current /etc/postfix/main.cf:

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    myhostname=MeinHostname.MeineSubdomain.ddns.net
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = $myhostname, localhost.$mydomain, localhost
    mydomain = posteo.de
    #relayhost =
    # sets Posteo as relay, has to be STARTTLS via 587
    relayhost = [posteo.de]:587
    mynetworks = 127.0.0.0/8
    inet_interfaces = loopback-only
    recipient_delimiter = +
    # use tls
    smtp_use_tls=yes
    # use sasl when authenticating to foreign SMTP servers
    smtp_sasl_auth_enable = yes
    # path to password map file
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    # list of CAs to trust when verifying server certificate
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    # additional settings mandatory for Posteo
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    smtp_sasl_security_options = noanonymous
    smtp_tls_security_level = encrypt
    smtp_tls_wrappermode = yes
    
    I suspect it comes down to my still having to tell Postfix not to use certain SSL connection variants - does anyone have an idea how to do that?
     
    #4 r4dh4l, Jun 8, 2018
    Last edited: Jun 9, 2018
  5. r4dh4l

    In the meantime I have switched the sending of my system mails to a Riseup account (I did not want to use my main mail account at Posteo for this). For that reason I did not look into the Posteo config any further, but I can at least present a working solution in which Postfix, configured as a "satellite system", sends all Proxmox system messages to a Riseup account:

    /etc/postfix/main.cf:
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # after changing sth. in this file don't forget to execute:
    # systemctl restart postfix.service && systemctl status postfix.service
    
    # --- postfix general configuration START ---
    # postfix settings in alphabetical order, comments in general taken from:
    # http://www.postfix.org/BASIC_CONFIGURATION_README.html
    # http://www.postfix.org/postconf.5.html
    
    # alias_database (default: see "postconf -d" output)
    # The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".
    alias_database = hash:/etc/aliases
    
    # alias_maps (default: see "postconf -d" output)
    # The alias databases that are used for local(8) delivery.
    alias_maps = hash:/etc/aliases
    
    # append_dot_mydomain (default: Postfix ≥ 3.0: no, Postfix < 3.0: yes)
    # With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.
    # Proxmox hint: appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # biff (default: yes)
    # Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".
    biff = no
    
    # delay_warning_time (default: 0h)
    # The time after which the sender receives a copy of the message headers of mail that is still queued. The confirm_delay_cleared parameter controls sender notification when the delay clears up.
    delay_warning_time = 4h
    
    # inet_interfaces (default: all)
    # The network interface addresses that this mail system receives mail on. Specify "all" to receive mail on all network interfaces (default), and "loopback-only" to receive mail on loopback network interfaces only (Postfix version 2.2 and later). The parameter also controls delivery of mail to user@[ip.address].
    inet_interfaces = loopback-only
    
    # inet_protocols (default: all)
    # The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" or "ipv6", separated by whitespace or commas. The form "all" is equivalent to "ipv4, ipv6" or "ipv4", depending on whether the operating system implements IPv6.
    inet_protocols = all
    
    # mailbox_size_limit (default: 51200000)
    # The maximal size of any local(8) individual mailbox or maildir file, or zero (no limit). In fact, this limits the size of any file that is written to upon local delivery, including files written by external commands that are executed by the local(8) delivery agent.
    # for no limit:
    mailbox_size_limit = 0
    # for 20 MB:
    #message_size_limit = 20971520
    # for 100 MB:
    #message_size_limit = 104857600
    
    # mydestination (default: $myhostname, localhost.$mydomain, localhost)
    # The list of domains that are delivered via the $local_transport mail delivery transport. By default this is the Postfix local(8) delivery agent which looks up all recipients in /etc/passwd and /etc/aliases. The SMTP server validates recipient addresses with $local_recipient_maps and rejects non-existent recipients. See also the local domain class in the ADDRESS_CLASS_README file.
    #mydestination = $myhostname, localhost.$mydomain, localhost
    mydestination = hostname.your.ddns.net, $myhostname, localhost.your.ddns.net, localhost
    
    # mydomain (default: see "postconf -d" output)
    # The internet domain name of this mail system. The default is to use $myhostname minus the first component, or "localdomain" (Postfix 2.3 and later). $mydomain is used as a default value for many other configuration parameters.
    # Example: mydomain = domain.tld
    mydomain = your.ddns.net
    
    # myhostname (default: see "postconf -d" output)
    # The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result from gethostname() and append ".$mydomain". $myhostname is used as a default value for many other configuration parameters.
    # Example: myhostname = host.example.com
    myhostname = hostname.your.ddns.net
    
    # mynetworks (default: see "postconf -d" output)
    # The list of "trusted" remote SMTP clients that have more privileges than "strangers".
    #mynetworks = 127.0.0.0/8
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    
    # myorigin (default: $myhostname)
    # The myorigin parameter specifies the domain that appears in mail that is posted on this machine.
    # The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default, $myhostname, is adequate for small sites. If you run a domain with multiple machines, you should (1) change this to $mydomain and (2) set up a domain-wide alias database that aliases each user to user@that.users.mailhost.
    # Example: myorigin = $mydomain
    myorigin = /etc/mailname
    
    # relayhost (default: empty)
    # The next-hop destination(s) for non-local mail; overrides non-local domains in recipient addresses.
    #relayhost =
    relayhost = [mail.riseup.net]:587
    
    # recipient_delimiter (default: empty)
    # The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the system-wide recipient address extension delimiter (Postfix 2.10 and earlier).
    # Examples:
    # Handle Postfix-style extensions:
    # recipient_delimiter = +
    recipient_delimiter = +
    
    # sender_canonical_classes (default: envelope_sender, header_sender)
    # What addresses are subject to sender_canonical_maps address mapping. By default, sender_canonical_maps address mapping is applied to envelope sender addresses, and to header sender addresses.
    sender_canonical_classes = envelope_sender
    
    # sender_canonical_maps (default: empty)
    # Optional address mapping lookup tables for envelope and header sender addresses. The table format and lookups are documented in canonical(5).
    # Example: you want to rewrite the SENDER address "user@ugly.domain" to "user@pretty.domain", while still being able to send mail to the RECIPIENT address "user@ugly.domain".
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    
    # smtp_header_checks (default: empty)
    # Restricted header_checks(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions that change the delivery time or destination are not available.
    # Personal note: ensures that "MAIL FROM" is not empty
    smtp_header_checks = regexp:/etc/postfix/header_check
    
    # smtp_use_tls (default: no)
    # Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if it is not configured. With Postfix < 2.3, if the TLS handshake fails, and no other server is available, delivery is deferred and mail stays in the queue. If this is a concern for you, use the smtp_tls_per_site feature instead.
    # Proxmox hint: use tls
    smtp_use_tls = yes
    
    # ---- Simple Authentication and Security Layer settings START ----
    
    # smtp_sasl_auth_enable (default: no)
    # Enable SASL authentication in the Postfix SMTP client. By default, the Postfix SMTP client uses no authentication.
    smtp_sasl_auth_enable = yes
    
    # smtp_sasl_password_maps (default: empty)
    # Optional Postfix SMTP client lookup tables with one username:password entry per sender, remote hostname or next-hop domain. Per-sender lookup is done only when sender-dependent authentication is enabled. If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.
    # Proxmox hint: use sasl when authenticating to foreign SMTP servers
    smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
    
    # smtp_sasl_security_options (default: noplaintext, noanonymous)
    # Postfix SMTP client SASL security options; as of Postfix 2.3 the list of available features depends on the SASL client implementation that is selected with smtp_sasl_type.
    smtp_sasl_security_options = noanonymous
    
    # TODO smtp_sasl_type
    
    # ---- Simple Authentication and Security Layer settings END ----
    
    # smtpd_banner (default: $myhostname ESMTP $mail_name)
    # The text that follows the 220 status code in the SMTP greeting banner. Some people like to see the mail version advertised. By default, Postfix shows no version.
    # You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    
    # smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)
    # Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions.
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    
    # --- postfix general configuration END ---
    
    # --- TLS configuration START ---
    # - x509 certificates and Co.
    
    # smtp_tls_CAfile (default: empty)
    # A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates.
    # Proxmox hint: list of CAs to trust when verifying server certificate
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    
    # smtp_tls_ciphers (default: medium)
    # The minimum TLS cipher grade that the Postfix SMTP client will use with opportunistic TLS encryption. Cipher types listed in smtp_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade. The default value is "medium" for Postfix releases after the middle of 2015, "export" for older releases.
    smtp_tls_ciphers = high
    
    # smtp_tls_exclude_ciphers (default: empty)
    # List of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at all TLS security levels. This is not an OpenSSL cipherlist, it is a simple list separated by whitespace and/or commas. The elements are a single cipher, or one or more "+" separated cipher properties, in which case only ciphers matching all the properties are excluded.
    smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
    
    # smtp_tls_loglevel (default: 0)
    # Enable additional Postfix SMTP client logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level.
    # 0 Disable logging of TLS activity:
    smtp_tls_loglevel = 0
    # 1 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. With Postfix 2.8 and earlier, log the summary message and unconditionally log trust-chain verification errors:
    #smtp_tls_loglevel = 1
    # 2 Also log levels during TLS negotiation:
    #smtp_tls_loglevel = 2
    # 3 Also log hexadecimal and ASCII dump of TLS negotiation process:
    #smtp_tls_loglevel = 3
    # 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS:
    #smtp_tls_loglevel = 4
    
    # smtp_tls_mandatory_ciphers (default: medium)
    # The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. The default value "medium" is suitable for most destinations with which you may want to enforce TLS, and is beyond the reach of today's cryptanalytic methods. See smtp_tls_policy_maps for information on how to configure ciphers on a per-destination basis.
    smtp_tls_mandatory_ciphers = high
    
    # smtp_tls_mandatory_exclude_ciphers (default: empty)
    # Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at mandatory TLS security levels. This list works in addition to the exclusions listed with smtp_tls_exclude_ciphers (see there for syntax details).
    smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
    
    # smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
    # List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons.
    smtp_tls_mandatory_protocols = TLSv1.2,!TLSv1.1,!SSLv2,!SSLv3
    
    # smtp_tls_protocols (default: !SSLv2, !SSLv3)
    # List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption.
    smtp_tls_protocols = TLSv1.2,!TLSv1.1,!SSLv2,!SSLv3
    
    # smtp_tls_security_level (default: empty)
    # The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
    smtp_tls_security_level = encrypt
    
    # smtp_tls_session_cache_database (default: empty)
    # Name of the file containing the optional Postfix SMTP client TLS session cache.
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # smtpd_tls_cert_file (default: empty)
    # File with the Postfix SMTP server RSA certificate in PEM format. This file may also contain the Postfix SMTP server private RSA key.
    smtpd_tls_cert_file = /etc/letsencrypt/live/your.ddns.net/fullchain.pem
    
    # smtpd_tls_ciphers (default: medium)
    # The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade.
    smtpd_tls_ciphers = high
    
    # smtpd_tls_dh1024_param_file (default: empty)
    # File with DH parameters that the Postfix SMTP server should use with non-export EDH ciphers.
    # openssl dhparam -out /etc/postfix/dh4096.param 4096
    smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.param
    
    # smtpd_tls_eecdh_grade (default: see "postconf -d" output)
    # The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange.  The available choices are:
    # none - Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the default in Postfix versions 2.6 and 2.7:
    #smtpd_tls_eecdh_grade = none
    # strong - Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational efficiency. This is the default in Postfix version 2.8 and later:
    smtpd_tls_eecdh_grade = strong
    # ultra - Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high as 128 bit strength ECC. Barring significant progress in attacks on elliptic curve crypto-systems, the "strong" curve is sufficient for most users:
    #smtpd_tls_eecdh_grade = ultra
    # auto - Use the most preferred curve that is supported by both the client and the server. This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This is the default setting under the above conditions:
    #smtpd_tls_eecdh_grade = auto
    
    # smtpd_tls_exclude_ciphers (default: empty)
    # List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers can create interoperability problems. DO NOT exclude ciphers unless it is essential to do so.
    smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
    
    # smtpd_tls_key_file (default: $smtpd_tls_cert_file)
    # File with the Postfix SMTP server RSA private key in PEM format. This file may be combined with the Postfix SMTP server RSA certificate file specified with $smtpd_tls_cert_file.
    smtpd_tls_key_file = /etc/letsencrypt/live/your.ddns.net/privkey.pem
    
    # smtpd_tls_loglevel (default: 0)
    # Enable additional Postfix SMTP server logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level.
    # 0 Disable logging of TLS activity:
    smtpd_tls_loglevel = 0
    # 1 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate verification is not required. With Postfix 2.8 and earlier, log the summary message, peer certificate summary information and unconditionally log trust-chain verification errors:
    #smtpd_tls_loglevel = 1
    # 2 Also log levels during TLS negotiation:
    #smtpd_tls_loglevel = 2
    # 3 Also log hexadecimal and ASCII dump of TLS negotiation process:
    #smtpd_tls_loglevel = 3
    # 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS:
    #smtpd_tls_loglevel = 4
    
    # smtpd_tls_mandatory_ciphers (default: medium)
    # The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. The default grade ("medium") is sufficiently strong that any benefit from globally restricting TLS sessions to a more stringent grade is likely negligible, especially given the fact that many implementations still do not offer any stronger ("high" grade) ciphers, while those that do, will always use "high" grade ciphers. So insisting on "high" grade ciphers is generally counter-productive. Allowing "export" or "low" ciphers is typically not a good idea, as systems limited to just these are limited to obsolete browsers. No known SMTP clients fail to support at least one "medium" or "high" grade cipher.
    smtpd_tls_mandatory_ciphers = high
    
    # smtpd_tls_mandatory_exclude_ciphers (default: empty)
    # Additional list of ciphers or cipher types to exclude from the Postfix SMTP server cipher list at mandatory TLS security levels. This list works in addition to the exclusions listed with smtpd_tls_exclude_ciphers (see there for syntax details).
    smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
    
    # smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
    # The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions.
    smtpd_tls_mandatory_protocols = TLSv1.2,TLSv1.1,!SSLv2,!SSLv3,!TLSv1
    
    # smtpd_tls_protocols (default: !SSLv2, !SSLv3)
    # List of TLS protocols that the Postfix SMTP server will exclude or include with opportunistic TLS encryption.
    smtpd_tls_protocols = TLSv1.2,TLSv1.1,!SSLv2,!SSLv3,!TLSv1
    
    # smtpd_tls_security_level (default: empty)
    # The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with "smtpd_tls_wrappermode = yes". Specify one of the following security levels:
    # none - TLS will not be used.
    #smtpd_tls_security_level = none
    # may - Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.
    #smtpd_tls_security_level = may
    # encrypt - Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.
    smtpd_tls_security_level = encrypt
    
    # smtpd_tls_session_cache_database (default: empty)
    # Name of the file containing the optional Postfix SMTP server TLS session cache.
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    
    # tls_preempt_cipherlist (default: no)
    # With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead of the remote client's cipher preference order.
    tls_preempt_cipherlist = yes
    
    # tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)
    # The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions.
    tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
    
    # --- TLS configuration END ---
    /etc/postfix/smtp_auth:
    Code:
    # changes via:
    # 1. touch /etc/postfix/smtp_auth && echo "mail.riseup.net RiseupLoginName@riseup.net:RiseupLoginPassword" > /etc/postfix/smtp_auth
    # 2. postmap /etc/postfix/smtp_auth && rm /etc/postfix/smtp_auth && cat /etc/postfix/smtp_auth
    
    /etc/postfix/sender_canonical:
    Code:
    
    # after changing sth. in this file don't forget to execute:
    # postmap /etc/postfix/sender_canonical
    StandardSystemUser AddressOrAddressAlias@riseup.net
    root AddressOrAddressAlias@riseup.net
    www-data AddressOrAddressAlias@riseup.net
    
    /etc/postfix/header_check:
    Code:
    /From:.*/ REPLACE From: "hostname.your.ddns.net" <AddressOrAddressAlias@riseup.net>
    
    The values for "RiseupLoginName@riseup.net", "RiseupLoginPassword", "hostname", "hostname.your.ddns.net", "AddressOrAddressAlias@riseup.net" etc. must of course be personalised accordingly, and the dh4096.param must also be generated.

    Thanks in advance for any suggestions for improvement.
     
    #5 r4dh4l, Aug 18, 2018 at 12:52
    Last edited: Aug 18, 2018 at 12:58
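
Added example, not part of any post in this thread: the main.cf in post #4 combines `smtp_tls_wrappermode = yes` with a relayhost on port 587, where the server sends a plaintext SMTP banner and waits for STARTTLS, which is what OpenSSL reports as "wrong version number"; the working config in post #5 leaves wrappermode unset. The Python sketch below lints these client-side relay settings. The two excerpts are constructed from the posts, and the function names and finding codes are assumptions of this example.

```python
import re

# Constructed excerpts: relay/TLS lines of post #4 (fails) and post #5 (works).
POST4_CF = """\
relayhost = [posteo.de]:587
smtp_use_tls=yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
"""
POST5_CF = """\
#relayhost =
relayhost = [mail.riseup.net]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
"""

# Security levels at which the Postfix SMTP client refuses to send without TLS.
ENFORCED = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
SERVICES = {"smtp": 25, "smtps": 465, "submissions": 465, "submission": 587}


def parse_main_cf(text):
    """main.cf syntax: '#' comment lines, 'name = value', lines starting with
    whitespace continue the previous parameter, the last assignment wins."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def relay_port(relayhost):
    """Port of '[host]:587', 'host:587' or '[2001:db8::1]:465'; 25 if none given."""
    tail = relayhost.rsplit("]", 1)[-1]  # ignore colons inside a bracketed host
    match = re.search(r":(\w+)$", tail)
    if not match:
        return 25
    port = match.group(1)
    return int(port) if port.isdigit() else SERVICES.get(port, 0)


def lint_relay_tls(text):
    """Return (code, message) findings for the SMTP client side of a main.cf."""
    p = parse_main_cf(text)
    relay = p.get("relayhost", "")
    if not relay:
        return [("no-relayhost", "mail is sent directly, not via a provider")]
    port = relay_port(relay)
    wrapper = p.get("smtp_tls_wrappermode", "no") == "yes"
    # smtp_tls_security_level, when set, overrides the obsolete smtp_use_tls.
    level = p.get("smtp_tls_security_level") or (
        "may" if p.get("smtp_use_tls", "no") == "yes" else "none")
    sasl_opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    findings = []
    if wrapper and port != 465:
        findings.append(("wrappermode-port",
            f"TLS handshake is sent at once, but port {port} expects plaintext "
            "SMTP followed by STARTTLS; remove smtp_tls_wrappermode"))
    if not wrapper and port == 465:
        findings.append(("smtps-without-wrappermode",
            "port 465 expects TLS from the first byte; set smtp_tls_wrappermode = yes"))
    if wrapper and level not in ENFORCED:
        findings.append(("wrappermode-level",
            "smtp_tls_wrappermode requires smtp_tls_security_level = encrypt or stronger"))
    if (p.get("smtp_sasl_auth_enable", "no") == "yes" and level not in ENFORCED
            and "noplaintext" not in sasl_opts):
        findings.append(("sasl-cleartext",
            f"level '{level}' allows fallback to no TLS, so plaintext SASL "
            "credentials can cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for name, cf in (("post #4", POST4_CF), ("post #5", POST5_CF)):
        print(name, lint_relay_tls(cf) or "no findings")
```

On a live system the same text can be obtained from `postconf -n`, which prints only the parameters that main.cf actually sets.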
  6. hackmann

    hackmann Member
    Proxmox VE Subscriber

    Joined:
    Jan 6, 2013
    Messages:
    47
    Likes Received:
    3
    Hello,

    I have a mailbox with a provider and install all of my servers according to this principle.

    "This works under Ubuntu from 14 LTS to 18 LTS" and also Debian.

    I test all settings over weeks. My instructions for the Proxmox installation BY NOW comprise
    DIN A4 pages.

    A lot of it you have to piece together yourself.

    #-------------------------------------------------------------------------------------------.

    Step 1

    dpkg-reconfigure postfix

    #-----------------------------------------------------------------------------------------

    vi /etc/postfix/main.cf

    relayhost = smtp.strato.de:587

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous


    vi /etc/postfix/sasl_passwd
    smtp.strato.de mailadresse:passwort

    chmod 400 /etc/postfix/sasl_passwd && postmap /etc/postfix/sasl_passwd
    /etc/init.d/postfix reload && echo "test" | mail -s "meinserver" mailadresse
    vi /etc/default/saslauthd
    #START=no

    START=yes
    /etc/init.d/saslauthd restart
    #-----------------------------------------------------------------------------------------

    Adjust the SMTP server.

    As for the mail address during the Proxmox installation: I have entered a fake address there before, and that worked too!

    #-------------------------------------------------------------------------------------------

    Then adjust /etc/aliases.

    If you have set up a Bacula server or a Seafile server under Proxmox, further settings are needed.

    Kind regards
     