| author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 23:45:55 +0200 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 23:53:10 +0200 | 
| commit | d82e85eea2485925481bf12b052acede9d9ae0f8 (patch) | |
| tree | a4e2c95507ecff59788af95ddc97a01ffc7b0f12 | |
| parent | af8880f3a3281612340ec3d38e823684d9af5baa (diff) | |
MX: Port to Debian 10.
For postfix, don't defer if "abused legit".  (I.e., DBL return code in
the 127.0.1.100+ range.)  This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.
| -rw-r--r-- | roles/MX/files/etc/opendmarc.conf | 41 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 4 | 
2 files changed, 27 insertions, 18 deletions
diff --git a/roles/MX/files/etc/opendmarc.conf b/roles/MX/files/etc/opendmarc.conf
index 4a0b89c..575d02d 100644
--- a/roles/MX/files/etc/opendmarc.conf
+++ b/roles/MX/files/etc/opendmarc.conf
@@ -1,37 +1,63 @@
 # This is a basic configuration that can easily be adapted to suit a standard
-# installation. For more advanced options, see opendkim.conf(5) and/or
+# installation. For more advanced options, see openmarc.conf(5) and/or
 # /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
 ##  AuthservID (string)
 ##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.
 #
 # AuthservID name
 ##  FailureReports { true | false }
 ##  	default "false"
 ##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+#
 # FailureReports false
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+PublicSuffixList /usr/share/publicsuffix
+
 ##  RejectFailures { true | false }
 ##  	default "false"
 ##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
 RejectFailures false
 ##  Socket socketspec
 ##  	default (none)
 ##
 ##  Specifies the socket that should be established by the filter to receive
 ##  connections from sendmail(8) in order to provide service.  socketspec is
 ##  in one of two forms: local:path, which creates a UNIX domain socket at
 ##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
 ##  a TCP socket on the specified port for the appropriate protocol family.
 ##  If the host is not given as either a hostname or an IP address, the
 ##  socket will be listening on all interfaces.  This option is mandatory
 ##  either in the configuration file or on the command line.  If an IP
 ##  address is used, it must be enclosed in square brackets.
 #
 Socket local:/var/run/opendmarc/opendmarc.sock
 ##  Syslog { true | false }
 ##  	default "false"
 ##
@@ -71,33 +97,20 @@ SPFIgnoreResults true
 ##  	default "false"
 ##
 ##  Causes the filter to perform a fallback SPF check itself when it can
 ##  find no SPF results in the message header.  If SPFIgnoreResults is also
 ##  set, it never looks for SPF results in headers and always performs the
 ##  SPF check itself when this is set.
 #
 SPFSelfValidate true
 ##  UMask mask
 ##  	default (none)
 ##
 ##  Requests a specific permissions mask to be used for file creation.  This
 ##  only really applies to creation of the socket when Socket specifies a
 ##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
 ##  files are normally created by the mkstemp(3) function that enforces a
 ##  specific file mode on creation regardless of the process umask.  See
 ##  umask(2) for more information.
 #
 UMask 0007
-
-##  UserID user[:group]
-##  	default (none)
-##
-##  Attempts to become the specified userid before starting operations.
-##  The process will be assigned all of the groups and primary group ID of
-##  the named userid unless an alternate group is specified.
-#
-# UserID opendmarc
-
-## Path to system copy of PSL (needed to determine organizational domain)
-#
-PublicSuffixList /usr/share/publicsuffix/
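Review bot: The new `PublicSuffixList /usr/share/publicsuffix` value reads like a directory, while the comment added just above it says the option takes the path to a file of top-level domains; per that same comment, a path the filter cannot use means it falls back to evaluating only the presented domain, so Organizational Domain lookup (and with it DMARC alignment) would degrade silently rather than fail loudly. Worth confirming against the installed package whether opendmarc accepts that path as-is or expects a specific list file inside that directory, and checking the filter's log output once deployed. Separately, the added header line `+# installation. For more advanced options, see openmarc.conf(5) and/or` replaces one typo with another; it should read `see opendmarc.conf(5) and/or`.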
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 5c2f97b..36315d1 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -132,29 +132,25 @@ smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     permit_mynetworks
     reject_non_fqdn_helo_hostname
     reject_invalid_helo_hostname
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     permit_mynetworks
     reject_unauth_destination
     reject_unlisted_recipient
 smtpd_recipient_restrictions =
     check_client_access cidr:$config_directory/access-list.cidr
     check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf
     reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
     reject_rhsbl_sender         dbl.spamhaus.org=127.0.1.[2..99]
-    # defer if "abused legit": DBL return code in the 127.0.1.100+ range
-    defer_if_reject
-    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
-    reject_rhsbl_sender         dbl.spamhaus.org=127.0.1.[100..254]
 smtpd_data_restrictions =
     reject_unauth_pipelining
 # vim: set filetype=pfmain :
