From e4299a8ca44debf95ff3197aafe0703565658523 Mon Sep 17 00:00:00 2001
From: Quentin Dufour <quentin@deuxfleurs.fr>
Date: Thu, 25 Jan 2024 09:06:36 +0100
Subject: [PATCH] Improve the SMTP doc

---
 content/documentation/cookbook/_index.md      |  4 ++
 content/documentation/cookbook/smtp-server.md | 61 ++++++++++++++++---
 2 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/content/documentation/cookbook/_index.md b/content/documentation/cookbook/_index.md
index 58deed2..f651a4a 100644
--- a/content/documentation/cookbook/_index.md
+++ b/content/documentation/cookbook/_index.md
@@ -23,6 +23,9 @@ work will be required.
  - [Integration with a service manager](@/documentation/cookbook/service-manager.md) (systemd or docker)
  - [SMTP server integration](@/documentation/cookbook/smtp-server.md) (MTA)
 
+*Multi-node deployments and lifecycle maintainance are not covered yet.*
+
+<!--
 ## Multi-nodes, standard deployment
 
 Aerogramme is intended for multi-nodes deployment. This guide
@@ -44,3 +47,4 @@ Hopefully you will love Aerogramme, and thus you will have to do some maintainan
 ## Hardened flavor
 
  - [Manual configuration](@/documentation/cookbook/manual-hardened.md)
+-->
diff --git a/content/documentation/cookbook/smtp-server.md b/content/documentation/cookbook/smtp-server.md
index 46ac4a8..c58b79f 100644
--- a/content/documentation/cookbook/smtp-server.md
+++ b/content/documentation/cookbook/smtp-server.md
@@ -3,19 +3,27 @@ title = "SMTP servers"
 weight = 50
 +++
 
-Many email Message Transfer Agent (MTA) supports LMTP delivery.
-Some of them are covered here.
+SMTP servers that are recommended for Aerogramme are the ones that support:
+ - TCP delivery over the LMTP protocol
+ - TCP authentication over the [Dovecot SASL Auth protocol](https://doc.dovecot.org/developer_manual/design/auth_protocol/)
+
+Postfix supports these 2 features and is the only recommended choice *for now*.
 
 ## Postfix
 
-Configuring Postfix requires to add these 2 lines to `main.cf`:
+Configuring [Postfix](https://www.postfix.org/) requires to add these 4 lines to `main.cf`:
 
 ```ini
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = inet:localhost:12345
 virtual_mailbox_domains = your-domain.tld
 virtual_transport = lmtp:[::1]:1025
 ```
 
-Make sure that `your-domain.org` is not already configured in the `mydomain` variable,
+Aerogramme implements Dovecot SASL protocol. By configuring Postfix
+with it, 
+
+Make sure that `your-domain.tld` is not already configured in the `mydomain` variable,
 or it might conflict with Postfix local delivery logic.
 
 *Indeed, Postfix internally has its default configuration for "local" mail delivery,
@@ -26,6 +34,14 @@ the "virtual" ones.*
 
 You can learn more about Postfix LMTP capabilities on this page: [lmtp(8)](https://www.postfix.org/lmtp.8.html).
 
+## Maddy
+
+[Maddy](https://maddy.email/) is a more recent email server written in Go.
+However it does not support LMTP delivery over TCP, only over UNIX socket: without a specific adapter, it's not yet compatible with Aerogramme.
+
+For LMTP delivery, read [SMTP & LMTP transparent forwarding](https://maddy.email/reference/targets/smtp/#smtp-lmtp-transparent-forwarding).
+For the Dovecot Auth Protocol, read [Dovecot SASL](https://maddy.email/reference/auth/dovecot_sasl/).
+
 ## OpenSMTPD
 
 Something like below might work (untested):
@@ -36,14 +52,19 @@ match from any for domain "your-domain.tld" action "remote_mail"
 ```
 
 The syntax is described in their manpage [smtpd.conf(5)](https://man.openbsd.org/smtpd.conf#lmtp).
+opensmtpd does not support Dovecot's SASL protocol, you can signal your interest [in their dedicated issue](https://github.com/OpenSMTPD/OpenSMTPD/issues/1085).
+
+## Chasquid
+
+[chasquid](https://blitiri.com.ar/p/chasquid/) supports [LMTP delivery](https://blitiri.com.ar/p/chasquid/howto/#configure-chasquid) 
+and the [Dovecot Auth Protocol](https://blitiri.com.ar/p/chasquid/docs/dovecot/) but only over UNIX sockets. Thus, it's not yet compatible with Aerogramme.
 
 ## Other servers
 
-[Maddy](https://maddy.email/) might be configured to deliver LMTP messages to Aerogramme through its [SMTP & LMTP transparent forwarding](https://maddy.email/reference/targets/smtp/#smtp-lmtp-transparent-forwarding) feature.
-
 [Exim](https://www.exim.org/) has some support [for LMTP](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_lmtp_transport.html) too.
 
-[sendmail](https://www.proofpoint.com/us/products/email-protection/open-source-email-solution) might deliver to LMTP through a dedicated binary named [smtpc](https://www.sympa.community/manual/customize/lmtp-delivery.html)
+[sendmail](https://www.proofpoint.com/us/products/email-protection/open-source-email-solution) might deliver to LMTP through a dedicated binary named [smtpc](https://www.sympa.community/manual/customize/lmtp-delivery.html).
+
 
 <!--
 Let start by creating a folder for Postfix, for example `/opt/aerogramme-postfix`:
@@ -64,14 +85,31 @@ sudo groupadd postdrop
 The considered `main.cf`:
 
 ```
-mynetworks=127.0.0.0/8
-compatibility_level=3.6
+# postfix files
 queue_directory=/tmp/postfix-test/queue
 data_directory=/tmp/postfix-test/data
 maillog_file=/dev/stdout
+
+# nuke postfix legacy as much as possible (an era of UNIX account and open relay on local networks...)
+mynetworks=127.0.0.0/8
+compatibility_level=3.6
 alias_database=
 alias_maps=
 
+# add support for authentication
+smtpd_sasl_auth_enable=yes
+smtpd_tls_auth_only = yes
+smtpd_relay_restrictions =
+  permit_sasl_authenticated
+  reject_unauth_destination
+
+# add support for TLS (RSA only for now)
+smtpd_tls_cert_file=/home/quentin/.lego/certificates/saint-ex.deuxfleurs.org.crt
+smtpd_tls_key_file=/home/quentin/.lego/certificates/saint-ex.deuxfleurs.org.key
+
+# aerogramme specific configuration
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = inet:localhost:12345
 virtual_mailbox_domains=saint-ex.deuxfleurs.org
 virtual_transport=lmtp:[::1]:1025
 ```
@@ -81,6 +119,11 @@ The considered `master.cf`:
 ```
 smtp inet n - n - - smtpd
 smtp unix - - n - - smtp
+smtps inet n - n - - smtpd
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o milter_macro_daemon_name=ORIGINATING
 lmtp unix - - n - - lmtp
 anvil unix - - n - 1 anvil
 rewrite unix - - n - - trivial-rewrite