summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:32:46 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:43:47 +0100
commit5d9d8aec510d894f528b21013b6d099be961faf1 (patch)
tree40cff28f2f2dc57521ec0cc77a1533c8ce2ea408
parent31ef7a78bc78a6ce2a24bcc6a4a11574bb2d5483 (diff)
Upgrade MX baseline to Debian Stretch.
-rw-r--r--group_vars/all.yml4
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j216
2 files changed, 11 insertions, 9 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 0406a7e..7386dad 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,9 +1,7 @@
---
non_free_packages:
- civett:
- - firmware-linux-nonfree
elefant:
- - firmware-linux-nonfree
+ - firmware-bnx2
# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
# in the absence of xfrm lookup (i.e., when there is no matching IPsec
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 8362d57..fe51826 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -4,10 +4,12 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-readme_directory = no
-mail_owner = postfix
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+compatibility_level = 2
+smtputf8_enable = no
delay_warning_time = 4h
maximal_queue_lifetime = 5d
@@ -157,8 +159,10 @@ smtpd_recipient_restrictions =
check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
- defer_if_reject reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
- defer_if_reject reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254]
+ # defer if "abused legit": DBL return code in the 127.0.1.100+ range
+ defer_if_reject
+ reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
+ reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254]
smtpd_data_restrictions =
reject_unauth_pipelining