authorGuilhem Moulin <guilhem@fripost.org>2013-12-02 23:39:26 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:10 +0200
commit1a50ad8f85ae7b42d7749b43d8f01adb663114ff (patch)
tree39ef587ae5efaafbe6895a6aee2602a6a81c6e0b /roles/MSA
parent9ff98e18e5dd6967bce1457cff1884ec632cf2b5 (diff)
Configure the Mail Submission Agent.
Diffstat (limited to 'roles/MSA')
-rw-r--r--roles/MSA/files/etc/postfix/anonymize_sender.pcre7
-rw-r--r--roles/MSA/handlers/main.yml6
-rw-r--r--roles/MSA/tasks/main.yml26
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j2118
4 files changed, 157 insertions, 0 deletions
diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
new file mode 100644
index 0000000..bd3d5f1
--- /dev/null
+++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
@@ -0,0 +1,7 @@
+/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[[[:xdigit:].:]{3,39}\]\))
+ (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).*
+ (\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\)
+ \s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2}
+
+/^X-Originating-IP:/ IGNORE
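Review bot: The rewrite rule on lines 25-29 only fires when the Received: header carries the TLS clause captured by group 1, `(\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+)`, and that group is mandatory, so the anonymization silently stops and the client address stays in the header if `smtpd_tls_received_header` is ever turned off or TLS made optional in main.cf. Nothing in the file states that coupling; add a header comment along the lines of `# Requires smtpd_tls_security_level=encrypt and smtpd_tls_received_header=yes: the TLS clause (group 1) is mandatory, otherwise the Received: line passes through unchanged.` Making group 1 optional with a trailing `?` would remove the dependency, but whether an unmatched `${1}` expands to the empty string should be confirmed against pcre_table(5) before relying on it.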
diff --git a/roles/MSA/handlers/main.yml b/roles/MSA/handlers/main.yml
new file mode 100644
index 0000000..c27834e
--- /dev/null
+++ b/roles/MSA/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Postfix
+ service: name=postfix state=restarted
+
+- name: Reload Postfix
+ service: name=postfix state=reloaded
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
new file mode 100644
index 0000000..a722311
--- /dev/null
+++ b/roles/MSA/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Install Postfix
+ apt: pkg={{ item }}
+ with_items:
+ - postfix
+ - postfix-pcre
+
+- name: Configure Postfix
+ template: src=etc/postfix/main.cf.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - Restart Postfix
+
+- name: Copy the Regex to anonymize senders
+ copy: src=etc/postfix/anonymize_sender.pcre
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre
+ owner=root group=root
+ mode=0644
+
+- name: Start Postfix
+ service: name=postfix state=started
+ when: not r.changed
+
+- meta: flush_handlers
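Review bot: The copy task on lines 65-69 installs anonymize_sender.pcre but notifies no handler, so an edited rule only becomes effective once the running cleanup(8) processes exit and fresh ones read the table; the otherwise unused `Reload Postfix` handler from handlers/main.yml is the natural fit, `notify:` / `- Reload Postfix`. The `Start Postfix` guard `when: not r.changed` on line 73 only looks at the template task, so a run where just the pcre file changes neither restarts nor reloads anything. Separately, `service: name=postfix` acts on the default unit while the configuration targets the `postfix-{{ postfix_instance[inst].name }}` instance; whether Debian's init script dispatches start/restart to all postmulti instances is worth confirming and recording in a comment above the Start task.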
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..7d27909
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,118 @@
+########################################################################
+# MSA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+
+delay_warning_time = 4h
+maximal_queue_lifetime = 5d
+
+myorigin = /etc/mailname
+myhostname = smtp{{ mdano | default('') }}.$mydomain
+mydomain = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the MSA.
+master_service_disable = !submission.inet inet
+
+queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# This server is a Mail Submission Agent
+mynetworks_style = host
+inet_interfaces = all
+inet_protocols = all
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+alias_database =
+local_recipient_maps =
+
+message_size_limit = 67108864
+recipient_delimiter = +
+
+# Forward everything to our internal mailhub
+{% if 'MTA-out' in group_names %}
+relayhost = [127.0.0.1]:{{ MTA_out.port }}
+{% else %}
+relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
+{% endif %}
+relay_domains =
+
+# Don't rewrite remote headers
+local_header_rewrite_clients =
+# Pass the client information along to the content filter
+smtp_send_xforward_command = yes
+# Avoid splitting the envelope and scanning messages multiple times
+smtp_destination_recipient_limit = 1000
+# Tolerate occasional high latency
+smtp_data_done_timeout = 1200s
+
+# Anonymize the (authenticated) sender; pass the mail to the antivirus
+header_checks = pcre:$config_directory/anonymize_sender.pcre
+#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
+
+# Tunnel everything through IPSec
+smtp_tls_security_level = none
+smtp_bind_address = 172.16.0.1
+
+# TLS
+smtpd_tls_security_level = encrypt
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_CApath = /etc/ssl/certs/
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_fingerprint_digest = sha1
+smtpd_tls_eecdh_grade = strong
+tls_random_source = dev:/dev/urandom
+
+# SASL
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_authenticated_header = no
+smtpd_sasl_local_domain =
+smtpd_sasl_exceptions_networks = $mynetworks
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+broken_sasl_auth_clients = no
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = unix:private/dovecot-auth
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+# UCE control
+unknown_client_reject_code = 554
+
+smtpd_client_restrictions =
+ permit_sasl_authenticated
+ reject
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_unauth_destination
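Review bot: `smtpd_tls_cert_file` and `smtpd_tls_key_file` on lines 152-153 point at the Debian snakeoil self-signed pair while `smtpd_tls_security_level = encrypt` (line 151) forces every submission client to negotiate TLS against it; clients cannot validate that certificate, so users either see a warning on every connection or learn to accept untrusted certificates, which undermines what the `noplaintext` SASL policy on line 167 is meant to protect. If this is a deliberate placeholder, say so above the two lines, e.g. `# Placeholder: replace with a certificate for $myhostname that clients can validate`; otherwise template the paths from a role variable. Related, `smtpd_tls_ask_ccert = yes` (line 157) has no visible consumer such as check_ccert_access in this file, and `smtpd_tls_fingerprint_digest = sha1` (line 158) would be a weak choice if client-certificate fingerprints are later used for access decisions, so a one-line comment stating the intent of both would help. `message_size_limit = 67108864` on line 122 would also read better with `# 64 MiB` above it.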