diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-03 03:32:46 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-03 03:43:47 +0100 |
| commit | 5d9d8aec510d894f528b21013b6d099be961faf1 (patch) | |
| tree | 40cff28f2f2dc57521ec0cc77a1533c8ce2ea408 | |
| parent | 31ef7a78bc78a6ce2a24bcc6a4a11574bb2d5483 (diff) | |
Upgrade MX baseline to Debian Stretch.
| -rw-r--r-- | group_vars/all.yml | 4 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 16 |
2 files changed, 11 insertions, 9 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml index 0406a7e..7386dad 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,26 +1,24 @@ --- non_free_packages: - civett: - - firmware-linux-nonfree elefant: - - firmware-linux-nonfree + - firmware-bnx2 # Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted # in the absence of xfrm lookup (i.e., when there is no matching IPsec # Security Association) to avoid data leaks. ipsec_subnet: 172.16.0.0/24 ipsec: # Virtual (non-routable) addresses for IPsec. They all need to be # distinct and belong to the above subnet 'ipsec_subnet'. antilop: 172.16.0.1 benjamin: 172.16.0.2 civett: 172.16.0.3 elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6 postfix_instance: # The keys are the group names associated with a Postfix role, and the # values are the name and group (optional) of the instance dedicated # to that role. diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 8362d57..fe51826 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -1,30 +1,32 @@ ######################################################################## # Mail eXchange (MX) configuration # # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no -mail_owner = postfix +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +mail_owner = postfix +compatibility_level = 2 +smtputf8_enable = no delay_warning_time = 4h maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = mx{{ mxno | default('') }}.$mydomain mydomain = fripost.org append_dot_mydomain = no mynetworks_style = host queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable @@ -140,27 +142,29 @@ smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination reject_unlisted_recipient smtpd_recipient_restrictions = check_client_access cidr:$config_directory/access-list.cidr check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99] - defer_if_reject reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254] - defer_if_reject reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254] + # defer if "abused legit": DBL return code in the 127.0.1.100+ range + defer_if_reject + reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254] + reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254] smtpd_data_restrictions = reject_unauth_pipelining # vim: set filetype=pfmain : |