author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-11 21:13:19 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-12 13:46:44 +0100 |
commit | a0d439f832721ab1b4bdcf9ab844ee20d4dc1682 (patch) | |
tree | 64b56a401e9a92622fb7bf734453882ca4f9d6a4 /roles/MSA/templates/etc | |
parent | 7beb915bb8dddac847ca3aca85c187e314a6c0fa (diff) |
submission: Prospective SPF checking.
Cf. http://www.openspf.org/Best_Practices/Outbound .
Diffstat (limited to 'roles/MSA/templates/etc')
-rw-r--r-- | roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 | 18 | ||||
-rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 2 |
2 files changed, 20 insertions, 0 deletions
diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
new file mode 100644
index 0000000..2cc1074
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+# We're just trying to keep our outgoing IPs clean of SPF violations,
+# not seeking 100% accurate reports. While it's possible that the
+# message is routed through a different IP (eg, IPv4 vs v6), giving a
+# potentially inaccurate prospective report, it's quite unlikely in
+# practice.
+Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }}
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index a48a327..65a0339 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -50,6 +50,7 @@ local_header_rewrite_clients =
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout = 1200s
+policyd-spf_time_limit = $ipc_timeout
 
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks = pcre:$config_directory/anonymize_sender.pcre
@@ -107,6 +108,7 @@ smtpd_sender_restrictions =
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 check_sender_access lmdb:$config_directory/check_sender_access
+ check_policy_service unix:private/policyd-spf
 reject_known_sender_login_mismatch
 
 smtpd_relay_restrictions = |
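Review bot: The `Prospective` value on the last line of the new file is resolved by `dig` on the Ansible controller at template time, and since the pipeline's exit status is `head`'s, a failed or empty DNS answer does not abort the play but renders as `Prospective =` with no address, so the prospective check would silently run against nothing. Pinning the relay's IPv4 address in inventory (e.g. `Prospective = {{ msa_outgoing_ipv4 }}`) or asserting the lookup result is non-empty in the role before templating would make that failure loud, and would also stop the rendered config from depending on whatever DNS the controller happened to see. Separately, as I read policyd-spf.conf(5), `TestOnly = 1` means the daemon only logs and never rejects, so the `HELO_reject`/`Mail_From_reject = Softfail` lines above it only shape what is logged; a comment such as `# TestOnly = 1: log the result, never reject; the *_reject thresholds below only affect what gets logged` would save the next reader a trip to the man page.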
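Review bot: `policyd-spf_time_limit = $ipc_timeout` carries no comment and sits among SMTP client timeouts, so a reader cannot tell why it is there or that its name is coupled to a master.cf service that is not part of this diff. A why-comment above it, e.g. `# Keep the policyd-spf daemon (master.cf: private/policyd-spf) alive between requests instead of restarting it per message`, would make the intent and the coupling explicit. Note that Postfix only honours this parameter if the master.cf entry is literally named `policyd-spf`; if that entry lives elsewhere in the role, a cross-reference here would help whoever renames one side without the other.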
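Review bot: The new `check_policy_service unix:private/policyd-spf` line runs before `reject_known_sender_login_mismatch`, so every submission whose MAIL FROM the authenticated user is not even entitled to use still costs a policy round-trip and SPF DNS lookups before the local check rejects it; moving the line after `reject_known_sender_login_mismatch` lets the cheap local check go first and keeps spoofed senders out of the policy daemon's log. The outcome for accepted messages is the same either way. The `smtpd_sender_restrictions` stanza starts above the hunk, so check that no earlier entry there returns OK/permit and short-circuits the new check. A one-line comment such as `# prospective SPF check of the envelope sender against our outgoing IP` would also help, since nothing in this file says what the policy service is for.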