From 18bba9b58e17896a128d92e50c3228b95dbb7386 Mon Sep 17 00:00:00 2001
From: Jeff Moe
Date: Wed, 4 Jul 2018 13:21:08 -0600
Subject: [PATCH] Tweaklets needed for mail server
---
 source/resources/apps/email-ansible/TODO | 28 ++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/source/resources/apps/email-ansible/TODO b/source/resources/apps/email-ansible/TODO
index b805555..b175d4d 100644
--- a/source/resources/apps/email-ansible/TODO
+++ b/source/resources/apps/email-ansible/TODO
@@ -8,6 +8,9 @@ chown -R mailarchive:mailarchive /home/mailarchive/Maildir
 # DMARC
 Instead of "p=reject", set to "p=none" until confirmed working.
+Need to restart opendmarc after install, or it doesn't listen:
+netstat -pant | grep opendmarc | grep LISTEN
+
 # DKIM
 Jul 4 12:38:50 mx1 opendkim[23469]: can't load key from /etc/opendkim/forksand.com.dkim.private: Permission denied
@@ -16,6 +19,9 @@ XXX
 chown opendkim /etc/opendkim/forksand.com.dkim.private
 service opendkim restart
+XXX
+Install haveged for entropy/random number generation, or process can hang.
+
 # Set up DNS records:
 TXT @ "v=spf1 include:_spf.protonmail.ch mx ip4:174.128.244.233 ip4:174.128.244.234 -all"
@@ -32,3 +38,25 @@ MX @ 900 10 mx1.forksand.com.
 MX @ 900 50 mail.protonmail.ch.
+
+# Firewall
+
+XXX
+iptables:
+The main 25, 587, 993, etc ports were all locked out...
+
+# Postfix
+main.cf changes:
+smtpd_helo_restrictions = permit_mynetworks
+smtpd_helo_required = no
+
+
+Remove:
+smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
+virtual_alias_domains =
+virtual_alias_maps = hash:/etc/postfix/virtual
+
+Add:
+local_recipient_maps =
+luser_relay = jebba
+