Replace Postgrey with postscreen.

See http://www.postfix.org/POSTSCREEN_README.html and
    http://rob0.nodns4.us/postscreen.html

It's infortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well.  Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting.  So these processes need to be
both chrooted, or both not.

12 files changed, 44 insertions, 35 deletions

diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,6 +1,3 @@
 ---
-- name: Restart Postgrey
-  service: name=postgrey state=restarted
-
 - name: Reload Postfix
   service: name=postfix state=reloaded
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index db4bb58..8cd5106 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,47 +1,31 @@
-- name: Install Postfix & Postgrey
+- name: Install Postfix
   apt: pkg={{ item }}
   with_items:
     - postfix
     - postfix-pcre
     - postfix-ldap
     - postfix-cdb
-    - postgrey
+    # The following is for reserved-alias.pl
     - libnet-ldap-perl
     - libauthen-sasl-perl
 
-- name: Configure Postgrey
-  lineinfile: dest=/etc/default/postgrey
-              regexp='^POSTGREY_OPTS='
-              line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"'
-              owner=root group=root
-              mode=0644
-  register: r
-  notify:
-    - Restart Postgrey
-
-- name: Start Postgrey
-  service: name=postgrey state=started
-  when: not r.changed
-
-- meta: flush_handlers
-
 - name: Configure Postfix
   template: src=etc/postfix/main.cf.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
             owner=root group=root
             mode=0644
   notify:
     - Reload Postfix
 
 - name: Create directory /etc/postfix-.../virtual
   file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Copy lookup tables
   template: src=etc/postfix/virtual/{{ item }}.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
             owner=root group=root
             mode=0644
   with_items:
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 476178a..181066a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -106,47 +106,61 @@ smtpd_tls_ask_ccert             = yes
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
 invalid_hostname_reject_code        = 554
 multi_recipient_bounce_reject_code  = 554
 non_fqdn_reject_code                = 554
 relay_domains_reject_code           = 554
 unknown_address_reject_code         = 554
 unknown_client_reject_code          = 554
 unknown_hostname_reject_code        = 554
 unknown_local_recipient_reject_code = 554
 unknown_relay_recipient_reject_code = 554
 unknown_virtual_alias_reject_code   = 554
 unknown_virtual_mailbox_reject_code = 554
 unverified_recipient_reject_code    = 554
 unverified_sender_reject_code       = 554
 
+postscreen_blacklist_action = drop
+postscreen_dnsbl_threshold  = 3
+postscreen_dnsbl_action     = enforce
+postscreen_dnsbl_sites      =
+    zen.spamhaus.org*3
+    swl.spamhaus.org*-4
+    b.barracudacentral.org*2
+    bl.spameatingmonkey.net*2
+    bl.spamcop.net
+    dnsbl.sorbs.net
+    list.dnswl.org=127.[0..255].[0..255].0*-2
+    list.dnswl.org=127.[0..255].[0..255].1*-3
+    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
+
+postscreen_greet_action          = enforce
+postscreen_whitelist_interfaces = !88.80.11.28 static:all
 
 smtpd_client_restrictions =
     permit_mynetworks
-    reject_rbl_client zen.spamhaus.org
-    reject_rbl_client bl.spamcop.net
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     permit_mynetworks
     reject_non_fqdn_helo_hostname
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 
 smtpd_recipient_restrictions =
     # RFC requirements
     reject_non_fqdn_recipient
     permit_mynetworks
     reject_unauth_destination
     reject_unlisted_recipient
-    check_policy_service unix:private/postgrey
+    permit_dnswl_client list.dnswl.org
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
 # vim: set filetype=pfmain :
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index c0ab405..1710376 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,10 +1,10 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
 query_filter     = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fripostMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index 7679a9c..119b8b2 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,12 +1,12 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
 # The domain has already been validated (it's active and not pending)
 query_filter     = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
 result_attribute = fripostMaildrop
 result_format    = %U@%s
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 818ad02..66053c8 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,11 +1,11 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
 # The domain has already been validated (it's active and not pending)
 query_filter     = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
 result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
index 1cb8add..4ec247d 100644
--- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
@@ -1,10 +1,12 @@
+# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
+# not (can't be) chrooted...
 server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
 query_filter     = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
 result_attribute = fvd
 result_format    = OK
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 80c7b7f..3b364c0 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,13 +1,13 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
 query_filter     = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fripostListManager
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
 result_format    = %D/%U@%s.fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 9b584c9..4654607 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,13 +1,13 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
 query_filter     = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
 result_format    = %D/%U@mda.fripost.org
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
index e51bf24..e6c9771 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
@@ -1,64 +1,74 @@
 # Ansible Managed
 # Do NOT edit this file directly!
 #
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: [[:xdigit:]]{10}: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(forwarded as [[:xdigit:]]{10}\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/master[[[:digit:]]+]: reload -- version [.[:digit:]]+, configuration /etc/postfix$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/[ls]mtp\[[[:digit:]]+\]: [[:xdigit:]]{10}: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(2[[:digit:]][[:digit:]] .+\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtps?|25|submission|587)?:([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp[sd]?|25|submission|587)?:([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: start interval \w{3} [ :[:digit:]]{11}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: (domain|address) lookup hits=[[:digit:]]+ miss=[[:digit:]]+ success=[[:digit:]]+%$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: max simultaneous domains=[[:digit:]]+ addresses=[[:digit:]]+ connection=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: skipped, still being delivered$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: lost connection after AUTH from [._[:alnum:]-]+\[[[:digit:].]{7,15}\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: lost connection after (CONNECT|STARTTLS) from [._[:alnum:]-]+\[([[:digit:].]{7,15}|unknown)\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/cleanup\[[[:digit:]]+\]: [[:xdigit:]]{10}: replace: header\s
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: [[:xdigit:]]{10}: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: improper command pipelining after EHLO from [._[:alnum:]-]+\[[[:digit:].]{7,15}\]:\s
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [[:xdigit:].:]{3,39}(: Name or service not known)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: timeout after [-[:upper:]]+( \([[:digit:]]+ bytes\))? from [^[:space:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-((msa|mx)/smtpd|out/smtp)\[[[:digit:]]+\]: warning: (tls_text_name: [-._[:alnum:]]+\[[.[:digit:]]+\]: )?peer certificate has no (subject CN|issuer Organization)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|webmail)/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 450( 4\.1\.2)? <[^>]*>: Recipient address rejected: Domain not found;( from=<[^>]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mda/lmtp\[[[:digit:]]+\]: [[:xdigit:]]{10}: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[._[:alnum:]-]+\[private/dovecot-lmtpd\],( conn_use=[[:digit:]]+,)? delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(2[[:digit:]][[:digit:]] .+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/(error|n?qmgr|smtp)\[[[:digit:]]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=(none|[^[:space:]]+\[[[:digit:].]{7,15}\]:(25|587)),( conn_use=[[:digit:]]+,)? delay=[[:digit:].]+,( delays=[[:digit:]./]+,)?( dsn=[45]\.[[:digit:]]\.[[:digit:]],)? status=(deferred|undeliverable) \((delivery temporarily suspended: )?((lost connection with [^[:space:]]+|conversation with [^[:space:]]+ timed out) while (sending [[:alnum:]]+( [[:alnum:]]+)?|performing the (HELO|EHLO) handshake|receiving the initial server greeting|sending [[:alnum:]]+( [/[:alnum:]]+)?|sending end of data -- message may be sent more than once)|connect to [^[:space:]]+: (Connection timed out|read timeout|Connection refused)|Host or domain name not found. Name service errorfor name=[^[:space:]]+ type=MX: Host not found, try again|User unknown in virtual alias table)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>(, orig_to=<[^[:space:]]+>)?, relay=[._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?,( conn_use=[[:digit:]]+,)? delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced|undeliverable|SOFTBOUNCE) \(host [._[:alnum:]-]+\[[[:digit:].]{7,15}\] said: [45][[:digit:]][[:digit:]][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|DATA|end of DATA) command\)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: connect to [^[:space:]]+: (read timeout|Connection (refused|timed out)|Network is unreachable|No route to host)( \(port [[:digit:]]+\))?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/[ls]mtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced|undeliverable) \(host [._[:alnum:]-]+\[[[:digit:].]{7,15}\] said: [45][[:digit:]][[:digit:]] .+ \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: host [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] said: [45][[:digit:]][[:digit:]][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|(end of )?DATA) command\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mda|out)/smtpd\[[[:digit:]]+\]: [[:xdigit:]]{10}: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\], orig_queue_id=[[:xdigit:]]{10}, orig_client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [A-Z[:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,) relay=[^[:space:]]+, delay=[[:digit:]]+, status=deferred \(host [^[:space:]]+ said: [45][[:digit:]]{2} <[^[:space:]]*>: Recipient address rejected: Greylisted for [[:digit:]]+ (seconds|minutes)(\(see http://isg.ee.ethz.ch/tools/postgrey/help/[.[:alnum:]-]+.html\))? \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|DATA|end of DATA) command\)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:alnum:]]+: to=<.*>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+\](:[[:digit:]]+)?,( conn_use=[[:digit:]]+,)? delay=[[:digit:].]+,( delays=[[:digit:]./]+,)?( dsn=4\.[[:digit:]]\.[[:digit:]],)? status=deferred \(host [^[:space:]]+\] said: .*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mda|out)/smtpd?\[[[:digit:]]+\]: warning: numeric domain name in resource data of MX record for [._[:alnum:]-]+: [[:xdigit:].:]{3,39}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: SSL_accept error from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: (lost connection|0)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: TLS library problem: 10681:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1258:SSL alert number 48:$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/bounce\[[[:digit:]]+\]: [[:xdigit:]]+: sender (delay|non-delivery|delivery status) notification: [[:xdigit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: enabling PIX <CRLF>\.<CRLF> workaround for [._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: enabling PIX workarounds:( (disable_esmtp|delay_dotcrlf))+ for [._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: RCPT from [^[:space:]]+: 4[[:digit:]][[:digit:]]( 4(\.[[:digit:]]){2}) <[^[:space:]]*>: Recipient address rejected: Greylisted( for [[:digit:]]+ (second|minute)s)?, see https?://[-_.:/[:alnum:]]+\.html?; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: lost connection after [[:upper:]]+( \([[:digit:]]+ bytes\))? from [._[:alnum:]-]+\[(unknown|[[:xdigit:].:]{3,39})\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: (CONNECT|RCPT) from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? Service unavailable; Client host \[([[:digit:].]{7,15}|[-._[:alnum:]]+)\] blocked using [._[:alnum:]-]+;( .+;)? (from=<[^[:space:]]*> to=<[^[:space:]]+> )?proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: RCPT from [^[:space:]]+: [[:digit:]]{3}( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Relay access denied; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postgrey\[[[:digit:]]+\]: whitelisted: [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A: Host not found, try again$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: TLS library problem: [[:digit:]]+:error:[[:xdigit:]]+:SSL routines:SSL3_READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: SSL_accept error from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: -?[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.1\.[01])? <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: RCPT from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address [[:xdigit:].:]{3,39}: No address associated with hostname$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: numeric hostname: [[:xdigit:].:]{3,39}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=([-_.[:alnum:]]+), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via \2 service\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: Illegal address syntax from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] in MAIL command: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: PASS (OLD|NEW) \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: CONNECT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ to \[[[:xdigit:].:]{3,39}\]:25$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: DISCONNECT \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: PREGREET [[:digit:]]+ after [.[:digit:]]+ from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+: (EHLO|HELO)\s
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: HANGUP after [.[:digit:]]+ from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ in tests (before|after) SMTP handshake$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: DNSBL rank [[:digit:]]+ for \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from (\[[[:xdigit:].:]{3,39}\]):[[:digit:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? Service unavailable; client \1 blocked using [._[:alnum:]-]+;( .+;)? (from=<[^[:space:]]*>, to=<[^[:space:]]+>, )?proto=E?SMTP(, helo=<[^[:space:]]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: COMMAND TIME LIMIT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: cache [a-z]+:\S+ full cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/dnsblog\[[[:digit:]]+\]: addr [[:xdigit:].:]{3,39} listed by domain [._[:alnum:]-]+ as [[:xdigit:].:]{3,39}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/dnsblog\[[[:digit:]]+\]: warning: dnsblog_query: lookup error for DNS query ([._[:alnum:]-]+): Host or domain name not found. Name service error for name=\1 type=A: Host not found, try again$
 #
 # Amavis
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|UNCHECKED) {RelayedOutbound}, OUTGOING LOCAL \[(IPv6:)?[[:xdigit:].:]{3,39}\]:[[:digit:]]+( \[[[:xdigit:].:]{3,39}\])? <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Queue-ID: [[:xdigit:]]+,)?( Message-ID: <[^>]+>,)? mail_id: [_-+[:alnum:]]+, Hits: -, size: [[:digit:]]+, queued_as: [[:xdigit:]]+, dkim_new=[-.:[:alnum:]]+, [[:digit:]]+ ms$
 # SMTP client connection caching was introduced in 2.6.0; the SMTP session is held for the next task, and is terminated by Postfix if the next mail comes soon enough
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtpd\[[[:digit:]]+\]: timeout after END-OF-MESSAGE from [._[:alnum:]-]+\[(127.0.0.1|::1)\]$
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 02e1658..b60be94 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -1,34 +1,39 @@
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master").
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
-smtp      inet  n       -       -       -       -       smtpd
+smtpd     pass  -       -       n       -       -       smtpd
+  -o cleanup_service_name=cleanup_nochroot
+smtp      inet  n       -       n       -       1       postscreen
+tlsproxy  unix  -       -       n       -       0       tlsproxy
+dnsblog   unix  -       -       n       -       0       dnsblog
 submission inet n       -       -       -       -       smtpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
+cleanup_nochroot unix n -       n       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 rewrite   unix  -       -       -       -       -       trivial-rewrite
 bounce    unix  -       -       -       -       0       bounce
 defer     unix  -       -       -       -       0       bounce
 trace     unix  -       -       -       -       0       bounce
 verify    unix  -       -       -       -       1       verify
 flush     unix  n       -       -       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       -       -       -       smtp
 smtpl     unix  -       -       -       -       -       smtp
   -o smtp_bind_address=127.0.0.1
 relay     unix  -       -       -       -       -       smtp
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       -       -       -       showq
 error     unix  -       -       -       -       -       error
 retry     unix  -       -       -       -       -       error
 discard   unix  -       -       -       -       -       discard
 local     unix  -       n       n       -       -       local
diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/out/handlers/main.yml
+++ b/roles/out/handlers/main.yml
@@ -1,6 +1,3 @@
 ---
-- name: Restart Postgrey
-  service: name=postgrey state=restarted
-
 - name: Reload Postfix
   service: name=postfix state=reloaded