May 1, 2025 update

2025-05-01 21:19:17 -07:00
parent a2cdf26594
commit b33d54d723
261 changed files with 2451 additions and 12859 deletions
--- a/jails/config/mail/pkg-list-details-old.txt
+++ b/jails/config/mail/pkg-list-details-old.txt
@ -1,14 +1,15 @@
-pkgp123____dcc-dccd-2.3.168
-pkgp123____dovecot-2.3.19.1_1
-pkgp123____dovecot-pigeonhole-0.5.19
-pkgp123____icu-72.1,1
-pkgp123____libunwind-20211201_1
+pkgp123____dcc-dccd-2.3.169
+pkgp123____dovecot-2.3.21.1_3
+pkgp123____dovecot-pigeonhole-0.5.21.1_1
+pkgp123____icu-76.1,1
+pkgp123____libunwind-20240221_2
 pkgp123____libyaml-0.2.5
-pkgp123____pkg-1.18.4
-pkgp123____postfix-3.7.3_1,1
-pkgp123____rspamd-3.4_1
-pkgp-freebsd-pkg____apache-solr-8.11.2,1
-pkgp-freebsd-pkg____bash-5.2.2_1
-pkgp-freebsd-pkg____bash-completion-2.11_1,2
-pkgp-freebsd-pkg____nano-6.4
-pkgp-freebsd-pkg____redis-7.0.5
+pkgp123____pkg-2.1.2
+pkgp123____postfix-3.10.1,1
+pkgp123____rspamd-3.11.1
+pkgp-freebsd-pkg____apache-solr9-9.2.0
+pkgp-freebsd-pkg____bash-5.2.37
+pkgp-freebsd-pkg____bash-completion-2.14.0,2
+pkgp-freebsd-pkg____lsof-4.99.4_2,8
+pkgp-freebsd-pkg____nano-8.4
+pkgp-freebsd-pkg____redis-7.4.2
--- a/jails/config/mail/pkg-list-details.txt
+++ b/jails/config/mail/pkg-list-details.txt
@ -1,14 +1,15 @@
-pkgp123____dcc-dccd-2.3.168
-pkgp123____dovecot-2.3.19.1_1
-pkgp123____dovecot-pigeonhole-0.5.19
-pkgp123____icu-72.1,1
-pkgp123____libunwind-20211201_1
+pkgp123____dcc-dccd-2.3.169
+pkgp123____dovecot-2.3.21.1_3
+pkgp123____dovecot-pigeonhole-0.5.21.1_1
+pkgp123____icu-76.1,1
+pkgp123____libunwind-20240221_2
 pkgp123____libyaml-0.2.5
-pkgp123____pkg-1.18.4
-pkgp123____postfix-3.7.3_1,1
-pkgp123____rspamd-3.4_1
-pkgp-freebsd-pkg____apache-solr-8.11.2,1
-pkgp-freebsd-pkg____bash-5.2.12
-pkgp-freebsd-pkg____bash-completion-2.11_2,2
-pkgp-freebsd-pkg____nano-7.0
-pkgp-freebsd-pkg____redis-7.0.5
+pkgp123____pkg-2.1.2
+pkgp123____postfix-3.10.1,1
+pkgp123____rspamd-3.11.1
+pkgp-freebsd-pkg____apache-solr9-9.2.0
+pkgp-freebsd-pkg____bash-5.2.37
+pkgp-freebsd-pkg____bash-completion-2.14.0,2
+pkgp-freebsd-pkg____lsof-4.99.4_2,8
+pkgp-freebsd-pkg____nano-8.4
+pkgp-freebsd-pkg____redis-7.4.2
--- a/jails/config/mail/pkg-list-old.txt
+++ b/jails/config/mail/pkg-list-old.txt
@ -1 +1 @@
-apache-solr bash bash-completion dcc-dccd dovecot dovecot-pigeonhole icu libunwind libyaml nano pkg postfix redis rspamd
+apache-solr9 bash bash-completion dcc-dccd dovecot dovecot-pigeonhole icu libunwind libyaml lsof nano pkg postfix redis rspamd
--- a/jails/config/mail/pkg-list.txt
+++ b/jails/config/mail/pkg-list.txt
@ -1 +1 @@
-apache-solr bash bash-completion dcc-dccd dovecot dovecot-pigeonhole icu libunwind libyaml nano pkg postfix redis rspamd
+apache-solr9 bash bash-completion dcc-dccd dovecot dovecot-pigeonhole icu libunwind libyaml lsof nano pkg postfix redis rspamd
--- a/jails/config/mail/pkgp.conf
+++ b/jails/config/mail/pkgp.conf
@ -5,14 +5,12 @@ FreeBSD: {

 pkgp-freebsd-pkg: {
    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
-    mirror_type: "http",
    enabled: yes,
    priority: 10
 }

 pkgp123: {
    url: "http://pkgp.ahlawat.com/packages/pj123-default",
-    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
    enabled: yes,
--- a/jails/config/mail/postfix/main.cf
+++ b/jails/config/mail/postfix/main.cf
@ -27,7 +27,7 @@
 #
 # The level below is what should be used with new (not upgrade) installs.
 #
-compatibility_level = 2
+compatibility_level = 3.9.0

 # SOFT BOUNCE
 #
@ -282,7 +282,8 @@ unknown_local_recipient_reject_code = 550
 #mynetworks = $config_directory/mynetworks
 #mynetworks = hash:$config_directory/network_table

-mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [fd01::]/64
+# the 13.56.245.15 is sms.rockwoodestates.org - mail-relay.ahlawat.com
+mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [fd01::]/64 13.56.245.15
 smtp_bind_address = 192.168.0.100
 smtp_bind_address6 = fd01::100

@ -713,10 +714,6 @@ mailbox_size_limit = 51200000
 allow_percent_hack = no
 swap_bangpath = no

-# path to the SSL certificate for the mail server
-smtpd_tls_cert_file = /mnt/certs/fullchain.pem
-smtpd_tls_key_file = /mnt/certs/privkeyr.pem
-
 smtpd_tls_loglevel = 2

 # These two lines define how postfix will connect to other mail servers.
@ -732,7 +729,7 @@ smtp_dns_support_level = dnssec
 # "mandatory" for authenticating users. I got these settings from Mozilla's
 # SSL reccomentations page.

-# https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=1.1.1k&guideline=5.6
+# https://ssl-config.mozilla.org/#server=postfix&version=3.9.0&config=intermediate&openssl=3.1&guideline=5.6

 #
 # NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
@ -740,16 +737,26 @@ smtp_dns_support_level = dnssec
 # mandatory connections either. There are still a lot of mail servers out
 # there that do not use TLS, and many that do only support old ciphers.
 # Forcing TLS for everyone *will* cause you to lose mail.
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

-smtpd_tls_mandatory_ciphers = medium
-tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+smtpd_tls_auth_only = yes
+smtpd_tls_chain_files =
+  /mnt/certs/privkeyr.pem,
+  /mnt/certs/fullchain.pem
+
+smtpd_tls_security_level = may
+smtpd_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_protocols           = >=TLSv1.2
+
+#smtp_tls_security_level = may
+smtp_tls_mandatory_protocols  = >=TLSv1.2
+smtp_tls_protocols            = >=TLSv1.2

 tls_preempt_cipherlist = no
-
-# allow other mail servers to connect using TLS, but don't require it
-smtpd_tls_security_level = may
+tls_eecdh_auto_curves = X25519 prime256v1 secp384r1
+tls_ffdhe_auto_groups =
+smtp_tls_mandatory_ciphers = medium
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

 # tickets and compression have known vulnerabilities
 tls_ssl_options = no_ticket, no_compression, NO_RENEGOTIATION
@ -757,8 +764,7 @@ tls_ssl_options = no_ticket, no_compression, NO_RENEGOTIATION
 # it's more secure to generate your own DH params but using mozilla's
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
 # not actually 1024 bits, this applies to all DHE >= 1024 bits
-#smtpd_tls_dh512_param_file  = /mnt/certs/dhparam512.pem
-smtpd_tls_dh1024_param_file = /mnt/certs/dhparam4096.pem
+# NOW deprecated - smtpd_tls_dh1024_param_file = /mnt/certs/dhparam4096.pem

 # cache incoming and outgoing TLS sessions
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
@ -770,9 +776,6 @@ smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot

-# only allow authentication over TLS
-smtpd_tls_auth_only = yes
-
 # don't allow plaintext auth methods on unencrypted connections
 smtpd_sasl_security_options = noanonymous, noplaintext
 # but plaintext auth is fine when using TLS
--- a/jails/config/mail/postfix/protected_destinations
+++ b/jails/config/mail/postfix/protected_destinations
@ -1,4 +1,9 @@
 # not everyone can send to these destinations
 # we restrict some of them

-ahlawat.com     good_senders_only
+ahlawat.com good_senders_only,reject
+beyondbell.com good_senders_only,reject
+diyit.org good_senders_only,reject
+datavpc.com good_senders_only,reject
+rockwoodstates.org good_senders_only,reject
+scvcc-rental.com good_senders_only,reject