Add pdns resolver, changed some other files

data/conf/nginx/site.conf

@@ -3,6 +3,11 @@ server {
 		ssl on;
 		ssl_certificate /etc/ssl/mail/mail.crt;
 		ssl_certificate_key /etc/ssl/mail/mail.key;
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+		ssl_prefer_server_ciphers on;
+		ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+		ssl_ecdh_curve secp384r1;
+		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 	    index index.php index.html;
 	    server_name _;
 	    error_log  /var/log/nginx/error.log;

data/conf/pdns/pdns_custom.lua

@@ -0,0 +1 @@
+addNTA("mailcow-network", "nta for local")

data/conf/pdns/recursor.conf

@@ -0,0 +1,41 @@
+allow-from=127.0.0.0/8 172.18.0.0/16
+config-dir=/etc/powerdns
+daemon=no
+disable-syslog=yes
+dnssec=process
+dnssec-log-bogus=yes
+dont-query=10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
+export-etc-hosts=off
+# forward-zones=
+forward-zones-recurse=mailcow-network.=127.0.0.11
+local-address=0.0.0.0
+local-port=53
+loglevel=6
+# lowercase-outgoing=no
+lua-config-file=/etc/powerdns/pdns_custom.lua
+# max-cache-entries=1000000
+# max-cache-ttl=86400
+# max-mthreads=2048
+# max-negative-ttl=3600
+# max-packetcache-entries=500000
+# max-qperq=50
+# max-tcp-clients=128
+# max-tcp-per-client=0
+# max-total-msec=7000
+# minimum-ttl-override=0
+# network-timeout=1500
+# packetcache-servfail-ttl=60
+# packetcache-ttl=3600
+quiet=no
+# security-poll-suffix=secpoll.powerdns.com.
+# serve-rfc1918=yes
+# server-down-max-fails=64
+# server-down-throttle-time=60
+setgid=pdns
+setuid=pdns
+# spoof-nearmiss-max=20
+# stack-size=200000
+# threads=2
+# trace=off
+version-string=PowerDNS Recursor
+webserver=no

data/conf/postfix/main.cf

@@ -1,4 +1,4 @@
-myhostname=mail.mailcow.de
+myhostname=demo.example.org
 biff = no
 append_dot_mydomain = no
 smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
@@ -9,9 +9,9 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-myhostname=mail.mailcow.de
+myhostname=demo.example.org
 relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.55.0.0/16
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.55.0.0/16 172.18.0.0/16
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
@@ -50,7 +50,8 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtp_tls_cert_file = /etc/ssl/mail/mail.crt
 smtp_tls_key_file = /etc/ssl/mail/mail.key
 smtp_tls_loglevel = 1
-smtp_tls_security_level = may
+smtp_dns_support_level = dnssec
+smtp_tls_security_level = dane
 smtpd_data_restrictions = reject_unauth_pipelining, permit
 smtpd_delay_reject = yes
 smtpd_error_sleep_time = 10s