From bde7745d2fc44dbbc290344c0beada0a2372148e Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Fri, 9 Oct 2020 15:49:38 +0200 Subject: handle submission separate from amavis or dkimproxy --- postfix/postfix.sh | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to 'postfix/postfix.sh') diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 1b280a3..22ee0ce 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -64,6 +64,8 @@ if [ -f /etc/ssl/certs/postfix.pem ] && [ -f /etc/ssl/private/postfix.pem ]; the else warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem and private key at /etc/ssl/private/postfix.pem." fi +# TODO: enable only on systems with user accounts +submission=1 sasl= if [ -n "$tls_cert" ] && [ -n "$dovecot" ]; then sasl=1 @@ -313,6 +315,19 @@ _postconf -X smtp_tls_session_cache_database _postconf -X tls_random_exchange_name _postconf -X tls_random_source +# submission +# +if [ -n "$submission" ]; then + _postconf -Me submission/inet=' +submission inet n - n - - smtpd + -o syslog_name=postfix/$service_name + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes +' +else + _postconf -MX submission/inet +fi + if [ -n "$amavis" ]; then _postconf -e 'max_use = 10' # Avoid too much reuse amavis_maxproc=$(getperlvarfromfile max_servers "$default_amavis_maxproc" amavisd.conf.addon amavis) 
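Review bot: `submission=1` is set unconditionally, ahead of the `sasl` check that follows it, so the submission service is enabled even on hosts where that check leaves `sasl` empty (no TLS certificate or no dovecot). Such a host would presumably listen on the submission port with `smtpd_tls_security_level=encrypt` and `smtpd_sasl_auth_enable=yes` but have no certificate or SASL backend behind them. Until the TODO is resolved, consider deriving the flag after the `sasl` block, for example `submission=${sasl:+1}`, so the listener exists only where authenticated submission can work. The `if` that sets `sasl` continues outside the hunk.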
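Review bot: The new `submission/inet` entry enables SASL but does not limit the service to authenticated clients, so it inherits whatever smtpd restrictions main.cf applies to port 25 (these are not visible in this hunk). If those allow unauthenticated delivery to local recipients, the submission port accepts the same. Adding `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` to the entry would make the port authenticated-only. A short comment that `$service_name` is deliberately kept in single quotes so that Postfix, not the shell, expands it would also help the next reader.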
@@ -348,14 +363,10 @@ amavisfeed unix - - n - $amavis_maxproc lmtp _postconf -e receive_override_options=no_address_mappings if [ -n "$dkimproxy" ]; then _postconf -e 'content_filter = amavisfeed:[127.0.0.1]:10028' - _postconf -Me submission/inet=' -submission inet n - n - - smtpd - -o syslog_name=postfix/submission - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o content_filter=dkimsign:[127.0.0.1]:10028 -' _postconf -Pe pickup/fifo/content_filter=dkimsign:127.0.0.1:10028 + if [ -n "$submission" ]; then + _postconf -Pe submission/inet/content_filter='dkimsign:[127.0.0.1]:10028' + fi _postconf -Me dkimsign/unix=" dkimsign unix - - n - $dkimproxy_maxproc_out smtp -o smtp_send_xforward_command=yes @@ -374,14 +385,10 @@ dkimsign unix - - n - $dkimproxy_maxproc_out smtp ' else _postconf -e 'content_filter = amavisfeed:[127.0.0.1]:10024' - _postconf -Me submission/inet=' -submission inet n - n - - smtpd - -o syslog_name=postfix/submission - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes -' _postconf -PX pickup/fifo/content_filter -' + if [ -n "$submission" ]; then + _postconf -PX submission/inet/content_filter + fi fi else _postconf -X content_filter @@ -439,7 +446,6 @@ fi # RBLs replaced with those recommended by http://www.antispews.org/ # spam filter based on these: http://www.postfix.org/FILTER_README.html # https://www.ijs.si/software/amavisd/amavisd-new-docs.html -# AUTH-SMTP based on this: http://www.postfix.org/SASL_README.html # TLS based on this: http://www.postfix.org/TLS_README.html # Here's a convenient overview of different blackholes: -- cgit v1.2.3
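Review bot: The `_postconf -Pe submission/inet/content_filter=...` edit here, and the matching `_postconf -PX submission/inet/content_filter` in the non-dkimproxy branch of the next hunk, depend on the `submission/inet` entry having already been written by the block added earlier in the script, and nothing at either call site records that ordering. A comment such as `# submission/inet itself is (re)created in the submission section above` would stop someone from moving either block. Separately, the context line just above uses `dkimsign:127.0.0.1:10028` for pickup while the new line uses the bracketed `dkimsign:[127.0.0.1]:10028`; using one form for both would make the filter routing easier to audit. Both enclosing `if` blocks start outside their hunks.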