<pre style='margin:0'>
Frank Schima (mf2k) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/0cee5a426805797e87d133ad2e2a523dbb9ecddc">https://github.com/macports/macports-ports/commit/0cee5a426805797e87d133ad2e2a523dbb9ecddc</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 0cee5a4 mail-server: Portfile and launch daemon improvements and bugfixes
</span>0cee5a4 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 0cee5a426805797e87d133ad2e2a523dbb9ecddc
</span>Author: Steven Thomas Smith <s.t.smith@ieee.org>
AuthorDate: Sat Nov 2 20:50:34 2019 -0400
<span style='display:block; white-space:pre;color:#404040;'> mail-server: Portfile and launch daemon improvements and bugfixes
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> * Ensure that launch daemons run at load (necessary)
</span><span style='display:block; white-space:pre;color:#404040;'> * Apply review comments from PR https://github.com/macports/macports-ports/pull/4978
</span>---
mail/dovecot2/Portfile | 4 +-
mail/mail-server/Portfile | 105 ++++++++++++++-------
.../files/prefix/etc/dovecot/conf.d/10-auth.conf | 2 +-
.../files/prefix/etc/dovecot/conf.d/10-mail.conf | 6 +-
.../files/prefix/etc/dovecot/conf.d/10-master.conf | 14 +--
.../files/prefix/etc/dovecot/conf.d/10-ssl.conf | 4 +-
.../prefix/etc/dovecot/conf.d/15-mailboxes.conf | 2 +-
.../prefix/etc/dovecot/conf.d/auth-od.conf.ext | 6 +-
mail/mail-server/files/prefix/etc/postfix/main.cf | 88 ++++++++---------
.../files/prefix/etc/postfix/smtp.keytab.README.sh | 2 +-
10 files changed, 135 insertions(+), 98 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/dovecot2/Portfile b/mail/dovecot2/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index ca47fc9..5a36d11 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/dovecot2/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/dovecot2/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -150,10 +150,10 @@ variant apns \
</span> plugin. APNS use requires these steps:
1. Acquire APNS Mail certificates from a (virtual) macOS\
<span style='display:block; white-space:pre;background:#ffe0e0;'>- High Sierra 10.13 and Server.app version 5.7. Export\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ High Sierra 10.13 and Server.app version 5.6. Export\
</span> the certificates from the Keychain into the file\
com.apple.servermgrd.apns.mail.p12 . *Note*: APNS Mail\
<span style='display:block; white-space:pre;background:#ffe0e0;'>- certificate creation is deprecated on Server.app version 5.8+.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ certificate creation is deprecated on Server.app version 5.7+.
</span>
2. Convert the APNS Mail certificates to PEM files:
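Review bot: the Server.app version numbers in this dovecot2 variant description move (5.7 to 5.6, and 5.8+ to 5.7+) but the commit title names only mail-server; mention the dovecot2 Portfile in the commit message, and since the same "5.7" to "5.6" relabelling is repeated across the dovecot conf.d files further down, state in the message which Server.app release the shipped configuration was actually taken from so the two do not drift apart again.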
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/Portfile b/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 83122a9..a3719ff 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -5,7 +5,7 @@ PortGroup active_variants 1.1
</span>
name mail-server
version 1.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 3
</span> categories mail net
platforms darwin
supported_archs noarch
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -15,11 +15,11 @@ distfiles
</span>
description Mail server configuration
long_description ${description} \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- Mail server working configuration that provides a basic, working, \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- easily modifiable mail server. The configuration is built using \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- postfix for the MTA, dovecot for the MDA, solr for fast search, \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rspamd for a milter, and clamav for email virus scans. The \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configuration includes a surrogate TLS certificate, DKIM, and \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Mail server working configuration that provides a basic, working,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ easily modifiable mail server. The configuration is built using\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postfix for the MTA, dovecot for the MDA, solr for fast search,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rspamd for a milter, and clamav for email virus scans. The\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configuration includes a surrogate TLS certificate, DKIM, and\
</span> Apple Push Notification Service (APNS) capability for iOS devices.
homepage https://www.postfix.org/
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -47,9 +47,19 @@ depends_lib-append port:apache-solr8 \
</span>
depends_run-append port:clamav-server
<span style='display:block; white-space:pre;background:#ffe0e0;'>-variant initialize \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- description {Initialize all configuration files. Existing
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configurations files are not overwritten by default.} {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+variant initialize_always \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ description {Always initialize all configuration files. Intended\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for development and troubleshooting only. Working deployments\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ must disable this variant to prevent configuration files\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ being overwritten at the next upgrade. Existing configuration\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ files are not overwritten by default.} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ui_warn \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tAll configuration files will be initialized because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tthe variant +initialize_always is set. Please disable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tthis variant for working deployments.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span>
use_configure no
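Review bot: renaming the variant means an existing install selected with +initialize no longer matches any variant on upgrade, so the port is upgraded without it; that is the safer outcome for deployments, but the rename and its effect on existing installs belong in the commit message. Also, the ui_warn sits in the variant body, which MacPorts evaluates at Portfile parse time whenever the variant is selected, so the warning prints on every port command (port info, port installed, ...) rather than only when files are about to be overwritten; if that is the intent, move it into the post-activate branch that does the overwriting. Finally, the last sentence of the description ("Existing configuration files are not overwritten by default.") describes the port without the variant and reads confusingly inside the variant's own description; consider moving it to the notes.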
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -64,7 +74,7 @@ pre-build {
</span>
if { [catch {set result [registry_active postfix]}]
|| [lindex [lindex ${result} 0] 3] \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- != "+[join ${postfix_required_variants} +]" } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ne "+[join ${postfix_required_variants} +]" } {
</span> append required_variants_message "\
Postfix not installed with required variants. Please install:
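Review bot: `ne` is the right operator here (expr's != tries a numeric comparison first), but the check compares the recorded variant string for exact equality with the "+"-joined required list, so a postfix installed with the required variants plus any extra one, or with the same variants recorded in a different order, fails the check and the user is told the required variants are missing. Compare per variant instead: split the recorded string on "+" and verify each required variant is contained in it. The dovecot2 check in the next hunk has the same issue.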
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -75,7 +85,7 @@ Postfix not installed with required variants. Please install:
</span> }
if { [catch {set result [registry_active dovecot2]}]
|| [lindex [lindex ${result} 0] 3] \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- != "+[join ${dovecot2_required_variants} +]" } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ne "+[join ${dovecot2_required_variants} +]" } {
</span> append required_variants_message "\
Dovecot not installed with required variants. Please install:
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -84,7 +94,7 @@ Dovecot not installed with required variants. Please install:
</span> "
set required_variants_flag false
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if {${required_variants_flag} != true} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${required_variants_flag} ne true} {
</span> ui_error ${required_variants_message}
# one of these will exit with error if the ports are not installed at all
registry_active postfix
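Review bot: `ne true` turns this into a string comparison against the literal "true", so the error branch also fires for any other spelling of a true value (1, yes, on). Since the flag is a boolean (it is set to false a few lines above), write `if {!${required_variants_flag}}`, which accepts every Tcl boolean spelling and raises an error if the variable was never set instead of silently treating it as true.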
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -298,7 +308,7 @@ destroot {
</span> xinstall -m 0644 \
${filespath}/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf \
${destroot}${tls_ca_dir}/intermediate
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if { [variant_isset "initialize"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize_always"]
</span> && [file exists ${tls_ca_dir}]
} {
delete ${tls_ca_dir}.previous
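Review bot: this branch runs inside destroot yet tests and deletes paths in the live ${prefix} (${tls_ca_dir}.previous), which destroot must not touch: the destroot phase should write only under ${destroot}, otherwise merely building the port (for example to produce an archive without activating it) mutates the installed system. Move the backup rotation to post-activate next to install_initial_configuration. Independently, keeping a single .previous generation means two activations with +initialize_always set discard the original CA directory, private keys included; use a timestamped backup name or refuse to rotate when a .previous already exists.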
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -328,7 +338,7 @@ post-activate {
</span> # use network settings for installed example configuration
set fullhost [exec /bin/hostname -f]
set host [lindex [split ${fullhost} .] 0]
<span style='display:block; white-space:pre;background:#ffe0e0;'>- set domaintld [join [lrange [split ${fullhost} .] end-1 end] .]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set domaintld [join [lrange [split ${fullhost} .] 1 end] .]
</span> set domain [lindex [split ${domaintld} .] 0]
set tld [lindex [split ${domaintld} .] end]
set HOST [string toupper ${host}]
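Review bot: taking everything after the first label fixes the two-label assumption (mail.example.co.uk now yields example.co.uk rather than co.uk), but the derived values are still lossy: domain keeps only the first label of domaintld and tld only the last, so for mail.corp.example.com the ${tld}.${domain}.mail path built further down becomes com.corp.mail and "example" is dropped. The new form also regresses when /bin/hostname -f returns a bare name without dots: `lrange ... 1 end` is then empty, so domaintld, domain and tld are all empty strings and the configuration is written with "..mail" style names, whereas `end-1 end` still returned the bare name. Add a guard that fails with ui_error when domaintld is empty, and consider using the full domaintld in generated paths instead of the first/last label pair.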
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -349,7 +359,7 @@ post-activate {
</span> "
proc install_initial_configuration {f_or_d} {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if { [variant_isset "initialize"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize_always"]
</span> && [file exists ${f_or_d}]
} {
delete ${f_or_d}.previous
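Review bot: install_initial_configuration keeps one .previous copy, so with +initialize_always set a second activation deletes the user's original configuration before anything else runs; rotate to a timestamped name or skip the delete when a .previous already exists. Because these copies include postfix main.cf and the dovecot conf.d files, which may carry credentials, make sure the rotated copies keep the original file's mode rather than a default one.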
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -357,7 +367,7 @@ post-activate {
</span> ${f_or_d} \
${f_or_d}.previous
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if { [variant_isset "initialize"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize_always"]
</span> || ![file exists ${f_or_d}]
} {
if { [file isfile ${f_or_d}.macports] } {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -400,7 +410,7 @@ post-activate {
</span> xinstall -m 0777 -g mail -d /private/var/mail/${tld}.${domain}.mail/attachments/
# solr configuration
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if { [variant_isset "initialize"] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize_always"] } {
</span> system "sudo -u solr -g solr sh <<SOLR_DELETE_DOVECOT
solr8 stop -p 8983 2>/dev/null || true
solr8 start -p 8983 2>/dev/null || true
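Review bot: the attachments directory on the context line above is created with mode 0777 (world-writable, no sticky bit), so any local user or compromised service can drop or replace files in the mail attachment store; with -g mail already set, 0770 (or 1770 if several accounts must write there) is sufficient. In the +initialize_always branch, the solr stop/start via `sudo -u solr -g solr sh` discards stderr and forces success with `|| true`, so a failed stop or start (port in use, wrong user) is invisible and whatever the SOLR_DELETE_DOVECOT heredoc does next runs against an unknown solr state; let those failures surface, at least with a ui_warn.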
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -738,18 +748,18 @@ in ${prefix}/etc/dovecot/sieve*/*.sieve are compiled with sievec.
</span> }
# PAM authentication
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if ![file exists /etc/pam.d/smtp] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists /etc/pam.d/smtp] } {
</span> xinstall -m 0644 ${prefix}/etc/postfix/etc/pam.d/smtp /etc/pam.d/
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if ![file exists /etc/pam.d/imap] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists /etc/pam.d/imap] } {
</span> xinstall -m 0644 ${prefix}/etc/dovecot/etc/pam.d/imap /etc/pam.d/
}
# TLS PFS
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if ![file exists ${prefix}/var/lib/postfix/dh2048.pem] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists ${prefix}/var/lib/postfix/dh2048.pem] } {
</span> system -W ${prefix}/var/lib/postfix "sudo -u _postfix openssl dhparam -out dh2048.pem 2048"
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if ![file exists ${prefix}/etc/dovecot/dh2048.pem] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists ${prefix}/etc/dovecot/dh2048.pem] } {
</span> # create a shorter, faster DH parameter file for the default installation
system -W ${prefix}/etc/dovecot "openssl dhparam -out dh2048.pem 2048"
}
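Review bot: the brace fix is correct (`if ![file exists ...]` substituted the command before if saw it; the braced form is the idiom), but the comment on the dovecot DH block ("create a shorter, faster DH parameter file") no longer matches the command, which generates the same 2048-bit parameters as the postfix one; fix the comment or generate a single file and point both services at it. Note also that the PAM policies under /etc/pam.d are only installed when absent, so later fixes to the shipped smtp and imap PAM files never reach existing installs; say so in the notes. Finally, `openssl dhparam ... 2048` can take several minutes with no output, so a ui_msg before each invocation would save users from assuming activation has hung.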
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -793,18 +803,35 @@ startupitem.restart "port reload apache-solr8
</span> \tport load dovecot2
\tport reload rspamd"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-notes "A mail server is a complex, interdependent set of tools that must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proc plutil_startup {plcmds label} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ global prefix startupitem.location
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach cmd ${plcmds} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/etc/${startupitem.location}/${label} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "/usr/bin/plutil ${cmd} ${label}.plist"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+post-activate {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # modify the launch daemons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ plutil_startup [list \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-remove KeepAlive" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-insert RunAtLoad -bool YES" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ] \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ org.macports.${startupitem.name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+notes "A mail server is a complex, interdependent set of tools that must\
</span> all be configured correctly to provide secure, reliable email.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Users must reconfigure this installation for their own system, network,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-and security model specifics by editing all necessary files and checking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Users must reconfigure this installation for their own system, network,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and security model specifics by editing all necessary files and checking\
</span> file permissions. A subset of these settings are visible in the files:
port contents mail-server
port file mail-server
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Full deployment also requires a working DNS configuration on both the LAN
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-and the internet, including SPF and DKIM records, trusted TLS certificates,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Full deployment also requires a working DNS configuration on both the LAN\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and the internet, including SPF and DKIM records, trusted TLS certificates,\
</span> port forwarding, possibly a mail replay, and more.
Postfix and dovecot must be installed with these variants:
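Review bot: plutil -insert refuses to overwrite a key that already exists and -remove errors on a missing one, and `system` raises on a non-zero exit, so this post-activate block only succeeds when the plist has exactly the expected shape (KeepAlive present, RunAtLoad absent); if the generated startupitem plist ever changes, or the proc runs against an already patched plist, activation aborts. Use `-replace RunAtLoad -bool YES`, which is idempotent, and test for KeepAlive before removing it. Dropping KeepAlive is consistent with a wrapper daemon that only issues `port load` for the dependent services and exits (launchd would otherwise respawn it in a loop), but that rationale deserves a comment next to the call. Separately, the notes context line above reads "possibly a mail replay", which presumably means "mail relay".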
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -841,7 +868,7 @@ These are the locations and network settings for the default configuration:
</span> Spam/Ham training (default behavior):
Move/Copy email to the folders Spam_train or Notspam_train.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-The configuration also includes a surrogate TLS certificate and DKIM settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The configuration also includes a surrogate TLS certificate and DKIM settings\
</span> that must be changed before deployment.
TLS:
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -850,15 +877,15 @@ that must be changed before deployment.
</span> DKIM:
${prefix}/var/lib/rspamd/dkim
<span style='display:block; white-space:pre;background:#ffe0e0;'>-The ports dns-server and logrotate provide necessary DNS service on the LAN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The ports dns-server and logrotate provide necessary DNS service on the LAN\
</span> and log rotation capabilities:
sudo port install dns-server logrotate
<span style='display:block; white-space:pre;background:#ffe0e0;'>-This port assume indepedent installation and management of DNS and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+This port assume indepedent installation and management of DNS and\
</span> log rotation; mail-server includes example logrotate configuration files.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-The port's launch daemon controls launching for each of the dependendent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The port's launch daemon controls launching for each of the dependendent\
</span> services. These may be controlled independently, e.g.
sudo port load clamav-server
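Review bot: spelling in the notes text: "This port assume indepedent" should read "This port assumes independent", and "dependendent services" should read "dependent services"; since these lines are being touched anyway for the line-continuation change, fix the wording in the same commit.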
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -882,11 +909,21 @@ and if installed independently,
</span> * _The Book of Postfix_, by Patrick Koetter and Ralf Hildebrandt
Known issues:
<span style='display:block; white-space:pre;background:#ffe0e0;'>- * The Postfix service does not reliably start after reboot,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- presumably due to an issue with launchd. A workaround
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * The Postfix service does not reliably start after reboot,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ presumably due to an issue with launchd. A workaround\
</span> after rebooting is to issue the commands:
<span style='display:block; white-space:pre;background:#ffe0e0;'>- sudo port unload postfix ; sleep 5 ; sudo port load postfix
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port unload postfix ; sleep 5 ; sudo port load postfix"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if { [variant_isset "initialize_always"] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {[exists notes]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # leave a blank line after the existing notes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notes-append ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notes-append \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "The variant +initialize_always is set, which initializes\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ all configuration files. Please disable this variant for\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ working deployments."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span>
livecheck.type none
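Review bot: the `[exists notes]` guard is dead code: notes is assigned unconditionally a few lines above, so the branch always runs and the blank line is always appended; drop the guard and append the separator directly. The Known issues entry still documents Postfix not starting reliably after reboot with a manual unload/load workaround, while the commit message says the change ensures launch daemons run at load; if RunAtLoad fixes it, update or remove the known issue in the same commit, and if it does not, say which daemon the RunAtLoad change targets (only the port's own org.macports wrapper plist is patched, not the postfix one).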
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf
</span><span style='display:block; white-space:pre;color:#808080;'>index 72cedf2..65ce66c 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -114,7 +114,7 @@ auth_gssapi_hostname = "$ALL"
</span> # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # auth_mechanisms = cram-md5 plain login apop digest-md5 gssapi
# plain username/password auth - OK since everything is over TLS
auth_mechanisms = plain gssapi
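Review bot: the "OK since everything is over TLS" justification for `auth_mechanisms = plain gssapi` depends on disable_plaintext_auth (referenced in the NOTE above it) staying at its default of yes, so that PLAIN is only offered after STARTTLS or on the TLS port; set `disable_plaintext_auth = yes` explicitly in this file so the assumption the comment relies on is enforced rather than inherited.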
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf
</span><span style='display:block; white-space:pre;color:#808080;'>index 2185aff..f17457c 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -49,7 +49,7 @@
</span> # default home directory location for all users
mail_home = /private/var/mail/@tld@.@domain@.mail
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> #mail_location =
# Note: This key is managed by Server Admin. See above before making changes
# mail_location = maildir:/Library/Server/Mail/Data/mail/%u
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -111,7 +111,7 @@ inbox = yes
</span> #subscriptions = yes
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS v.5.6 configuration:
</span> # # shared namespace configuration
# namespace acl-mailboxes {
# type = shared
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -272,7 +272,7 @@ auth_socket_path = @PREFIX@/var/run/dovecot/auth-userdb
</span> # Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
# (APPLE) added fts_sk
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # mail_plugins = quota zlib acl fts fts_sk
mail_plugins = quota zlib acl
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf
</span><span style='display:block; white-space:pre;color:#808080;'>index e1b8f75..cc71c67 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -58,7 +58,7 @@ service imap-login {
</span>
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # service pop3-login {
# inet_listener pop3 {
# port = 110
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -100,7 +100,7 @@ service imap {
</span> # Results in imap userdb Fatal setuid errors
# See: https://dovecot.org/pipermail/dovecot/2019-May/116014.html
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # service pop3 {
# # Max. number of POP3 processes (connections)
# process_limit = 200
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -111,7 +111,7 @@ service imap {
</span>
# expose an auth socket for postfix to authenticate users
service auth {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # macOS Server v.5.6 configuration:
</span> # auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -159,7 +159,7 @@ service auth-worker {
</span> group = mail
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # service auth-worker {
# # Auth worker process is run as root by default, so that it can access
# # /etc/shadow. If this isn't necessary, the user should be changed to
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -167,7 +167,7 @@ service auth-worker {
</span> # #user = root
# }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # service dict {
# # If dict proxy is used, mail processes should have access to its socket.
# # For example: mode=0660, group=vmail and global mail_access_groups=vmail
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -178,14 +178,14 @@ service auth-worker {
</span> # }
# }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> service dns_client {
unix_listener dns-client {
mode = 0600
}
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # # for stats plugin, if enabled
# service stats {
# fifo_listener stats-mail {
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;color:#808080;'>index 12c46b4..1092270 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -89,11 +89,11 @@ ssl_ca = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cha
</span> ssl_dh = <@PREFIX@/etc/dovecot/dh2048.pem
# SSL protocols to use
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DH [...]
# SSL crypto device to use, for valid values run "openssl engine"
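Review bot: both settings in this hunk are commented out, so the relabelling is harmless, but the preserved cipher list should not be restored as-is: it contains DSS and SHA-1 CBC suites (DHE-DSS-AES128-SHA256, ECDHE-RSA-AES128-SHA, DHE-DSS-AES256-SHA) that should be pruned if the list is ever re-enabled, and `ssl_protocols` was replaced by ssl_min_protocol in Dovecot 2.3, so the commented line is no longer a valid setting there. Either delete the block or replace it with an explicit `ssl_min_protocol = TLSv1.2` line so the security-relevant setting is visible in the file rather than inherited from the defaults.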
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf
</span><span style='display:block; white-space:pre;color:#808080;'>index 243158e..1d21d14 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -49,7 +49,7 @@ namespace inbox {
</span> auto = subscribe
special_use = \Sent
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # macOS Server v.5.7 configuration; used by iOS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # macOS Server v.5.6 configuration; used by iOS:
</span> mailbox "Sent Messages" {
special_use = \Sent
}
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext
</span><span style='display:block; white-space:pre;color:#808080;'>index 9887c0f..bcd4a0d 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -183,7 +183,7 @@ userdb passwd {
</span> ## driver = passwd
## }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # passdb {
# # OD cache refresh intervals. The positive cache TTL applies to
# # enabled accounts. The negative cache TTL applies to disabled
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -193,7 +193,7 @@ userdb passwd {
</span> # # driver = od
# }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # userdb {
# # OD cache refresh intervals. The positive cache TTL applies to
# # enabled accounts. The negative cache TTL applies to disabled
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -205,7 +205,7 @@ userdb passwd {
</span> # # additional args: pos_cache_ttl=3600 neg_cache_ttl=60
# # luser_relay=<userid> enforce_quotas=no
# # use_getpwnam_ext=yes blocking=no
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# # macOS Server v.5.7 configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # macOS Server v.5.6 configuration
</span> # # driver = od
# driver = ldap
# args = partition=@PREFIX@/etc/dovecot/partition_map.conf global_quota=8192 enforce_quotas=yes
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/main.cf b/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;color:#808080;'>index ef31d88..adf252f 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -675,7 +675,7 @@ sample_directory = @PREFIX@/share/postfix/sample
</span> #
readme_directory = @PREFIX@/share/postfix/readme
# inet_protocols = ipv4
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> inet_protocols = all
meta_directory = @PREFIX@/etc/postfix
shlib_directory = @PREFIX@/libexec/postfix
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -686,7 +686,7 @@ shlib_directory = @PREFIX@/libexec/postfix
</span> ############################
# macOS Open Source Server #
############################
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Based on /Library/Server_v57/Mail/Config/postfix/main.cf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Based on /Library/Server_v56/Mail/Config/postfix/main.cf,
</span> # https://www.c0ffee.net/blog/mail-server-guide/
## Create these directories, files
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -694,7 +694,7 @@ shlib_directory = @PREFIX@/libexec/postfix
</span> # sudo chmod go-rwx @PREFIX@/var/log/mail
## Create @PREFIX@/etc/postfix/sasl/passwd, passwd.db with secure permissions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo rsync -a /Library/Server_v57/Mail/Config/postfix/sasl @PREFIX@/etc/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo rsync -a /Library/Server_v56/Mail/Config/postfix/sasl @PREFIX@/etc/postfix
</span> # sudo newaliases
# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048
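Review bot: `sudo rsync -a /Library/Server_v56/Mail/Config/postfix/sasl @PREFIX@/etc/postfix` preserves whatever mode and owner the source files had, so the "secure permissions" promised in the comment above are not guaranteed by the commands shown. Add an explicit `chmod 600` on `@PREFIX@/etc/postfix/sasl/passwd*` (and a matching chown to the account postfix runs as) after the copy and again after the `postmap` step further down, since `passwd` holds the relay credentials in clear text. The `openssl dhparam ... 2048` line is fine but is repeated in the DH section later in the file; one copy is enough.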
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -736,9 +736,9 @@ shlib_directory = @PREFIX@/libexec/postfix
</span> # sudo postmap @PREFIX@/etc/postfix/sasl/passwd
## NOTE: Do *not* copy over HUGE Berkeley .db files from High Sierra APNS file systems;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-## this APNS/Berkeley DB bug was fixed in Mojave, which doesn't run Server.app v.5.7.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## this APNS/Berkeley DB bug was fixed in Mojave, which doesn't run Server.app v.5.6.
</span> ## Rather,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo find /Library/Server_v57/Mail/Config -type f -name '*.db' -exec sudo du -sm {} ';' | sort -rn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo find /Library/Server_v56/Mail/Config -type f -name '*.db' -exec sudo du -sm {} ';' | sort -rn
</span> ## to find affected files, then use postmap to recreate them on the new server.
## The only way to fix these on an old server is to create the .db files on
## an attached HDFS drive, then create symbolic links on the High Sierra APNS drive.
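Review bot: while these lines are being edited, correct the file-system names in them: "High Sierra APNS file systems" and "this APNS/Berkeley DB bug" should read APFS (Apple File System; APNS is the push-notification service), and "an attached HDFS drive" should read HFS+. As written, the workaround is hard to follow for anyone who has not already hit the bug.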
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -765,18 +765,18 @@ maillog_file_compressor = bzip2
</span> maillog_file_prefixes = @PREFIX@/var/log/mail
# maillog_file_rotate_suffix =
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> smtp_tls_loglevel = 1
# use 0 for Postfix >= 2.9, and 1 for earlier versions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_tls_loglevel = 0
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration settings that do not appear elsewhere
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration settings that do not appear elsewhere
</span> # Commented-out settings are often specific to macOS Server.app's postfix build
# dovecot
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # dovecot_destination_recipient_limit = 1
# Alias maps, database if mailman is used
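Review bot: the comment `# use 0 for Postfix >= 2.9, and 1 for earlier versions` gives no reason for silencing the server side with `smtpd_tls_loglevel = 0` while the client side keeps `smtp_tls_loglevel = 1`. Level 1 logs one summary line per completed TLS handshake (protocol, cipher, peer-certificate status) and is not verbose; it is exactly what you want in the mail log when investigating an incident on inbound connections. Consider 1 for both directions, or state why the server side is quieter.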
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -801,20 +801,20 @@ tls_random_source = dev:/dev/urandom
</span> # larger than this number of bytes. 0, the default, means no limit.
# mime_max_body_size = 0
#======================================================================
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # mydomain_fallback = localhost
mynetworks = 127.0.0.0/8, [::1]/128
inet_interfaces = all
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration; site-specific, pre-defined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration; site-specific, pre-defined
</span> # config_directory = /Library/Server/Mail/Config/postfix
# smtpd_require_virtual_map = yes
# virtual_alias_domains = $virtual_alias_maps, hash:@PREFIX@/etc/postfix/virtual_domains
# virtual_alias_maps = $virtual_maps, hash:@PREFIX@/etc/postfix/virtual_users
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # enable_server_options = yes
# smtpd_pw_server_security_options = cram-md5,digest-md5,gssapi,login,plain
# content_filter = smtp-amavis:[127.0.0.1]:10024
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # smtpd_use_pw_server = yes
header_checks = pcre:@PREFIX@/etc/postfix/custom_header_checks
recipient_canonical_maps = hash:@PREFIX@/etc/postfix/system_user_maps
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -843,24 +843,24 @@ mydomain = @domain@.@tld@
</span> # virtual domains, which are configured below. Make sure to specify the FQDN
# of your sever, as well as localhost.
# Note: NEVER specify any virtual domains here!!! Those come later.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Domain appended to mail sent locally from this machine - such as mail sent
# via the `sendmail` command.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> myorigin = $mydomain
# prevent spammers from searching for valid users
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> disable_vrfy_command = yes
# require properly formatted email addresses - prevents a lot of spam
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> strict_rfc821_envelopes = yes
# don't give any helpful info when a mailbox doesn't exist
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> show_user_unknown_table_name = no
# limit maximum e-mail size to 25MB. mailbox size must be at least as big as
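Review bot: `mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain` lists `$mydomain`, while the comment three lines above says never to put virtual domains here and the virtual section at the end of the file delivers virtual users over LMTP from an LDAP domain list. If `$mydomain` also comes back from that LDAP query, Postfix logs "do not list domain ... in BOTH mydestination and virtual_mailbox_domains" and local delivery wins. Decide whether `$mydomain` is a local or a virtual domain and keep it in exactly one of the two lists.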
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -871,13 +871,13 @@ message_size_limit = 25165824
</span> mailbox_size_limit = 0
# require addresses of the form "user@domain.tld"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> allow_percent_hack = no
swap_bangpath = no
# allow plus-aliasing: "user+tag@domain.tld" delivers to "user" mailbox
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span>
# `recipient_delimiter = +` used by CalendarServer
# Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …`
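Review bot: the plus-aliasing comment block (`# allow plus-aliasing: ...`, `# Handle both Postfix and qmail extensions ...`, `# (Not set in ...)`) is followed by an empty line, so the `recipient_delimiter` it describes is never set and Postfix's default (empty, no address-extension handling) applies. Either add `recipient_delimiter = +` (the CalendarServer note right below assumes it) or remove the dangling comment so the file does not promise a behaviour it does not configure.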
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -913,7 +913,7 @@ smtp_dns_support_level = dnssec
</span> # Implement DNSSEC if named is ever put outside the firewall, and DNSSEC infrastructure uses ED25519
# smtp_tls_security_level = may
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
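Review bot: `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` still admits TLS 1.0 and 1.1 for the one case where TLS is required, and `smtp_tls_security_level` is left commented out here while the hunk header shows `smtp_dns_support_level = dnssec`. DNSSEC-validated lookups only change the SMTP client's security posture at the `dane` level; at any other level they add nothing, and the default security level is empty (no TLS at all) unless it is set elsewhere in the file. Set the level explicitly, and tighten the mandatory list to `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` (or `>=TLSv1.2` on Postfix 3.6 and later).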
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -924,7 +924,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3
</span> smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
# SMTP Relay and SASL Authentication Configuration
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # `relayhost` is the host:port of the SMTP relay e.g. smtp.comcast.net:587
relayhost = [@RELAYHOST@]:submission
# `smtp_sasl_password_maps` has SMTP server authentication credentials of the form:
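Review bot: `relayhost = [@RELAYHOST@]:submission` together with `smtp_sasl_password_maps` means this host authenticates to the relay; with `smtp_tls_security_level` commented out in the previous hunk, those credentials go out in clear text unless the level is set somewhere else. For a fixed relay the floor should be `smtp_tls_security_level = encrypt` (or `secure`, since `smtp_tls_CApath` is already configured), paired with `smtp_sasl_security_options = noanonymous, noplaintext` so PLAIN/LOGIN are only ever offered once TLS is up (`smtp_sasl_tls_security_options = noanonymous` covers the TLS case). The `smtp_tls_exclude_ciphers` list above (no aDSS, no static kDH/kECDH, no SEED/IDEA/RC2) is sound.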
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -980,11 +980,11 @@ smtp_tls_CApath = @PREFIX@/etc/postfix/etc/certificates
</span> # IP address used by postfix to send outgoing mail. You only need this if
# your machine has multiple IP addresses - set it to your MX address to
# satisfy your SPF record.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> # smtp_bind_address = my IP == `host $mydomain`
# smtp_bind_address6 = my IPv6 == `host -6 $mydomain`
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration that doesn't appear elewhere
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration that doesn't appear elewhere
</span>
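Review bot: typo in the changed line, `elewhere` should be `elsewhere`. The heading-style comment `# macOS Server v.5.6 configuration that doesn't appear elewhere` is also followed by a blank line and then the unrelated `# smtpd (postfix server) configuration` section, so it labels nothing; drop it or move the settings it was meant to introduce beneath it.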
# smtpd (postfix server) configuration
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -993,10 +993,10 @@ smtp_tls_CApath = @PREFIX@/etc/postfix/etc/certificates
</span> # https://serverfault.com/questions/693179/postfix-mandatory-smtp-smtpd-vs-not-mandatory-difference-and-configuration
# allow other mail servers to connect using TLS, but don't require it
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_tls_security_level = may
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> smtpd_enforce_tls = no
smtpd_use_tls = yes
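Review bot: `smtpd_enforce_tls = no` and `smtpd_use_tls = yes` are the pre-2.3 knobs; once `smtpd_tls_security_level = may` is set two lines above, Postfix ignores both of them. Keep only the security level, otherwise a later reader may flip `smtpd_enforce_tls` and wonder why nothing changes.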
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1014,20 +1014,20 @@ smtpd_use_tls = yes
</span> # therefore, do *not* set smtpd_tls_mandatory_protocols or smtpd_tls_protocols to be too restrictive
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_tls_mandatory_ciphers = high
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> smtpd_tls_ciphers = medium
# man 5 postconf /tls_high_cipherlist: "You are strongly encouraged to not change this setting."
# tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # smtpd_tls_protocols = !SSLv2, !SSLv3
# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# List of ciphers or cipher types to exclude from the SMTP server cipher
# list at all TLS security levels.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# # macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # macOS Server v.5.6 configuration:
</span> # smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT
smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT, LOW, MD5, SEED, IDEA, RC2
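Review bot: with `smtpd_tls_security_level = may`, `smtpd_tls_mandatory_ciphers = high` never applies (the mandatory settings are consulted only at `encrypt`, `verify` or `secure`), so the effective inbound cipher grade is `smtpd_tls_ciphers = medium` minus `smtpd_tls_exclude_ciphers`, which matches the intent of the comment about not being too restrictive for opportunistic TLS. A one-line comment saying so would help, and the commented duplicates `# smtpd_tls_protocols = !SSLv2, !SSLv3` / `# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` simply repeat the active lines above and can go. Keeping TLS 1.0/1.1 acceptable for opportunistic inbound TLS is the right trade-off (a refused handshake just invites a clear-text retry from the peer), but if a submission service in master.cf overrides the level to `encrypt`, set a stricter `smtpd_tls_mandatory_protocols` there.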
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1042,12 +1042,12 @@ smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT, LOW, MD5, SE
</span> # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh512.pem 512
# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 1024
# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_tls_dh1024_param_file=${data_directory}/dh2048.pem
smtpd_tls_eecdh_grade = ultra
# cache incoming and outgoing TLS sessions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> # man 5 postconf : "for Postfix >= 2.11 this parameter should generally be left empty"
# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
# smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
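Review bot: two of the three `openssl dhparam` lines retained in this comment are hazardous: `-out dh512.pem 512` generates export-grade parameters, and `-out dh2048.pem 1024` writes 1024-bit parameters into a file named as if it were 2048-bit, which `smtpd_tls_dh1024_param_file=${data_directory}/dh2048.pem` would then load without complaint. Keep only the 2048-bit line (the `dh1024` in the parameter name is historical; it is the non-export group). `smtpd_tls_eecdh_grade = ultra` pins the server to the P-521 curve, so clients that lack it lose ECDHE entirely; Postfix documents `auto` as the recommended value.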
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1060,7 +1060,7 @@ import_environment="KRB5_KTNAME=@PREFIX@/etc/postfix/smtp.keytab"
</span> # Kerberos REALM
smtpd_sasl_local_domain = @HOST@.@DOMAIN@.@TLD@
# Dovecot SASL
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1069,19 +1069,19 @@ smtpd_sasl_type = dovecot
</span> ## smtpd_sasl_type = cyrus
# only allow authentication over TLS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_tls_auth_only = yes
# don't allow plaintext auth methods on unencrypted connections
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # smtpd_sasl_security_options = noanonymous
# smtpd_sasl_security_options = noanonymous, noplaintext
# but plaintext auth is fine when using TLS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_sasl_tls_security_options = noanonymous
# add a message header when email was recieved over TLS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_tls_received_header = yes
# require that connecting mail servers identify themselves - this greatly
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1095,7 +1095,7 @@ smtpd_helo_required = yes
</span> # entry and present a valid, FQDN HELO hostname. In addition, they can only
# send mail to valid mailboxes on the server, and the sender's domain must
# actually exist.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, zen.spamhaus.org, permit
# The settings `reject_unknown_reverse_client_hostname, reject_unauth_pipelining` here cause "451 4.3.5 Server configuration error"
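Review bot: the active `smtpd_client_restrictions` line writes the DNSBL zone as its own comma-separated item (`reject_rbl_client, zen.spamhaus.org`). Postfix accepts this because commas and whitespace are interchangeable separators and `reject_rbl_client` consumes the following token, but it reads as if `zen.spamhaus.org` were a restriction; use the form the commented 5.6 line already has (`reject_rbl_client zen.spamhaus.org`) and drop the trailing `permit`, which is the implicit default. The next comment blames a "451 4.3.5 Server configuration error" on `reject_unknown_reverse_client_hostname, reject_unauth_pipelining`; both are valid restriction names, so it is worth recording which one actually produced the error and what the log warning said.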
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1105,7 +1105,7 @@ smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
</span> # here. This will reject all incoming connections without a reverse DNS
# entry that resolves back to the client's IP address. This is a very
# restrictive check and may reject legitimate mail.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.6 configuration:
</span> # smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
# you might want to consider:
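Review bot: `smtpd_helo_restrictions` lists `reject_invalid_helo_hostname` and `reject_non_fqdn_helo_hostname` twice each; the second pair is dead, since the first matching restriction wins. Trim to `permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname`.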
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1113,15 +1113,15 @@ smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_n
</span> # here. This will reject all incoming mail without a HELO hostname that
# properly resolves in DNS. This is a somewhat restrictive check and may
# reject legitimate mail
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf); but commented out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf); but commented out
</span> # #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
reject_unauth_destination
# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf); but commented out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf); but commented out
</span> # # Added by Server.app>Mail>Filtering Settings... > Enable greylist filtering
# # smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy permit
# # SMTP Recipient and Relay Restrictions
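Review bot: `smtpd_relay_restrictions` is split across lines with the two `# !!! ...` comments interleaved. Postfix ignores lines whose first non-blank character is `#` and treats a line that starts with whitespace as a continuation, so this only works if `reject_unauth_destination` is indented; the rendered diff shows no indentation, and if that token sits at column 0 it stops being part of the value and the relay policy degrades to `permit_mynetworks, permit_sasl_authenticated`. Verify with `postconf -n smtpd_relay_restrictions` that the printed value contains `reject_unauth_destination`, and consider moving the two warning comments above the setting, where they cannot break it.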
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1134,7 +1134,7 @@ smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
</span> # if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see
# dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_unauth_pipelining
# Check:
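Review bot: the comment `if \`recipient_delimiter = yes\`` is wrong: `recipient_delimiter` takes a delimiter character such as `+`, not a boolean, and earlier in this file the setting is described but never actually set. Note also that `smtpd_recipient_restrictions` here carries no `reject_unauth_destination`; that is acceptable only because `smtpd_relay_restrictions` above does, so the two lists must be maintained together.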
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1160,7 +1160,7 @@ smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_m
</span> # Virtual users. Uncomment these after LDAP authentication set up
# deliver mail for virtual users to Dovecot's LMTP socket
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> virtual_transport = lmtp:unix:private/dovecot-lmtp
# LDAP query to find which domains we accept mail for
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh b/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh
</span><span style='display:block; white-space:pre;color:#808080;'>index 4c7e17e..dfdf3e4 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -144,7 +144,7 @@ sudo killall saslauthd
</span> ## ## smtpd_sasl_type = cyrus
##
## # only allow authentication over TLS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-## # (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf)
</span> ## # smtpd_tls_auth_only = yes
## smtpd_tls_auth_only = no
## smtpd_recipient_restrictions = permit_mynetworks,
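Review bot: the README example keeps `smtpd_tls_auth_only = no` (with the `yes` variant commented out), which contradicts main.cf in the same commit. With GSSAPI as the only mechanism, AUTH before STARTTLS does not expose a reusable password, but main.cf's 5.6 `smtpd_pw_server_security_options` also lists `login` and `plain`; if those are enabled under saslauthd, credentials go out in the clear. Either keep `yes` here too, or say in the README that the relaxation is for GSSAPI-only debugging and must be reverted.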
</pre><pre style='margin:0'>
</pre>