fripost-ansible/roles/MX/files/etc, branch master Fripost ansible scripts OpenDMARC: Adjust configuration to bullseye. 2024-09-08T00:31:25+00:00 Guilhem Moulin guilhem@fripost.org 2024-09-08T00:31:13+00:00 7a36aa2b69d16b768c1e23829087d26a9e87423f 






MX: Port to Debian 10.
2020-05-16T21:53:10+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-16T21:45:55+00:00

d82e85eea2485925481bf12b052acede9d9ae0f8

For postfix, don't defer if "abused legit".  (I.e., DBL return code in
the 127.0.1.100+ range.)  This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.





For postfix, don't defer if "abused legit".  (I.e., DBL return code in
the 127.0.1.100+ range.)  This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.







MX: Install OpenDMARC to add Authentication-Results headers.
2020-05-16T16:26:55+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-16T16:26:53+00:00

2f9574850b356a746ee3ff9a8a311c450784b53c

On the infrastructure boundary.  We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>.  Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.





On the infrastructure boundary.  We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>.  Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.







MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.
2018-12-09T19:25:39+00:00

Guilhem Moulin
guilhem@fripost.org

2018-12-06T20:06:38+00:00

09cd9f998780fb7179b7fc23c593c305a12b050a

Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.





Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.







Harden anti spam on the MX:es.
2018-06-08T22:29:09+00:00

Guilhem Moulin
guilhem@fripost.org

2018-04-04T14:20:03+00:00

4a841439606768e8b8783f4a1bd32096a7bbcd9c












Use blackhole subdomain for sender addresses of verify probes.
2017-05-15T23:29:28+00:00

Guilhem Moulin
guilhem@fripost.org

2017-05-15T21:31:13+00:00

45743fcc30ad310da0ef306d6319face3604ac4d

These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.

Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.





These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.

Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.







Add a reserved domain 'discard.fripost.org' to discard messages.
2015-06-07T00:54:27+00:00

Guilhem Moulin
guilhem@fripost.org

2015-06-05T16:25:09+00:00

f12db60f358dbf5506e373477c04488a2c269332

‘noreply@’ aliases can be added by routing them to
‘@discard.fripost.org’.





‘noreply@’ aliases can be added by routing them to
‘@discard.fripost.org’.







Upgrade the MX configuration from Wheezy to Jessie.
2015-06-07T00:53:53+00:00

Guilhem Moulin
guilhem@fripost.org

2015-05-30T11:23:19+00:00

fa82a617a0c50b7478cd2b7189aa5f7d14449954

In particular, since Postfix is now able to perform LDAP lookups using
SASL, previous hacks with simble binds on cn=postfix,ou=services,… can
now be removed.





In particular, since Postfix is now able to perform LDAP lookups using
SASL, previous hacks with simble binds on cn=postfix,ou=services,… can
now be removed.







Split templates / files in lookup tables.
2015-06-07T00:53:07+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-13T21:24:05+00:00

9ac2057bb6f1465b8392f18552ac1df17f6d81d6












Fix catchall resolution.
2015-06-07T00:51:33+00:00

Guilhem Moulin
guilhem@fripost.org

2014-01-14T04:58:33+00:00

0853c2afdc2ddba11692ef17bb859104d47071e0

It has to be performed last, to give a chance to be accepted as a
regular mailbox.

We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls.





It has to be performed last, to give a chance to be accepted as a
regular mailbox.

We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls.