postfix-sender-login: Better hardening.

Run as a dedicated user, not ‘postfix’.
author: Guilhem Moulin <guilhem@fripost.org> 2020-05-20 15:46:27 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2020-05-21 03:40:53 +0200
commit: 6d1daa0424c168eae4bfa9f6772add3f77ec506f (patch)
tree: a45e83f4fefa0a3976c534078d26d3ff003e9935 /roles/MSA/tasks
parent: 5118f8d3394579a245b355c863c69410fe92e26e (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index c78139a..2eee925 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -6,12 +6,28 @@
     - postfix-pcre
     - postfix-policyd-spf-python
 
+- name: Install Net::LDAP and Authen::SASL
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+    - libnet-ldap-perl
+    - libauthen-sasl-perl
+
 - name: Copy Postfix sender login socketmap
   copy: src=usr/local/bin/postfix-sender-login.pl
         dest=/usr/local/bin/postfix-sender-login.pl
         owner=root group=staff
         mode=0755
 
+- name: Create '_postfix-sender-login' user
+  user: name=_postfix-sender-login system=yes
+        group=nogroup
+        createhome=no
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        password=!
+        state=present
+
 - name: Copy Postfix sender login socketmap systemd unit files
   copy: src=etc/systemd/system/{{ item }}
         dest=/etc/systemd/system/{{ item }}
author	Guilhem Moulin <guilhem@fripost.org>	2020-05-20 15:46:27 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2020-05-21 03:40:53 +0200
commit	6d1daa0424c168eae4bfa9f6772add3f77ec506f (patch)
tree	a45e83f4fefa0a3976c534078d26d3ff003e9935 /roles/MSA/tasks
parent	5118f8d3394579a245b355c863c69410fe92e26e (diff)