Configure the Mail Submission Agent.

4 files changed, 157 insertions, 0 deletions

diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
new file mode 100644
index 0000000..bd3d5f1
--- /dev/null
+++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
@@ -0,0 +1,7 @@
+/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[[[:xdigit:].:]{3,39}\]\))
+        (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).*
+        (\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\)
+        \s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x
+    REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2}
+
+/^X-Originating-IP:/    IGNORE
diff --git a/roles/MSA/handlers/main.yml b/roles/MSA/handlers/main.yml
new file mode 100644
index 0000000..c27834e
--- /dev/null
+++ b/roles/MSA/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Postfix
+  service: name=postfix state=restarted
+
+- name: Reload Postfix
+  service: name=postfix state=reloaded
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
new file mode 100644
index 0000000..a722311
--- /dev/null
+++ b/roles/MSA/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Install Postfix
+  apt: pkg={{ item }}
+  with_items:
+    - postfix
+    - postfix-pcre
+
+- name: Configure Postfix
+  template: src=etc/postfix/main.cf.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+            owner=root group=root
+            mode=0644
+  register: r
+  notify:
+    - Restart Postfix
+
+- name: Copy the Regex to anonymize senders
+  copy: src=etc/postfix/anonymize_sender.pcre
+        dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre
+        owner=root group=root
+        mode=0644
+
+- name: Start Postfix
+  service: name=postfix state=started
+  when: not r.changed
+
+- meta: flush_handlers
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..7d27909
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,118 @@
+########################################################################
+# MSA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
+biff             = no
+readme_directory = no
+mail_owner       = postfix
+
+delay_warning_time     = 4h
+maximal_queue_lifetime = 5d
+
+myorigin            = /etc/mailname
+myhostname          = smtp{{ mdano | default('') }}.$mydomain
+mydomain            = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the MSA.
+master_service_disable = !submission.inet inet
+
+queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# This server is a Mail Submission Agent
+mynetworks_style = host
+inet_interfaces  = all
+inet_protocols   = all
+
+# No local delivery
+mydestination        =
+local_transport      = error:5.1.1 Mailbox unavailable
+alias_maps           =
+alias_database       =
+local_recipient_maps =
+
+message_size_limit   = 67108864
+recipient_delimiter  = +
+
+# Forward everything to our internal mailhub
+{% if 'MTA-out' in group_names %}
+relayhost     = [127.0.0.1]:{{ MTA_out.port }}
+{% else %}
+relayhost     = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
+{% endif %}
+relay_domains =
+
+# Don't rewrite remote headers
+local_header_rewrite_clients     =
+# Pass the client information along to the content filter
+smtp_send_xforward_command       = yes
+# Avoid splitting the envelope and scanning messages multiple times
+smtp_destination_recipient_limit = 1000
+# Tolerate occasional high latency
+smtp_data_done_timeout           = 1200s
+
+# Anonymize the (authenticated) sender; pass the mail to the antivirus
+header_checks  = pcre:$config_directory/anonymize_sender.pcre
+#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
+
+# Tunnel everything through IPSec
+smtp_tls_security_level = none
+smtp_bind_address       = 172.16.0.1
+
+# TLS
+smtpd_tls_security_level        = encrypt
+smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_CApath                = /etc/ssl/certs/
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header       = yes
+smtpd_tls_ask_ccert             = yes
+smtpd_tls_fingerprint_digest    = sha1
+smtpd_tls_eecdh_grade           = strong
+tls_random_source               = dev:/dev/urandom
+
+# SASL
+smtpd_sasl_auth_enable          = yes
+smtpd_sasl_authenticated_header = no
+smtpd_sasl_local_domain         =
+smtpd_sasl_exceptions_networks  = $mynetworks
+smtpd_sasl_security_options     = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+broken_sasl_auth_clients        = no
+smtpd_sasl_type                 = dovecot
+smtpd_sasl_path                 = unix:private/dovecot-auth
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject      = yes
+disable_vrfy_command    = yes
+
+# UCE control
+unknown_client_reject_code = 554
+
+smtpd_client_restrictions =
+    permit_sasl_authenticated
+    reject
+
+smtpd_helo_required     = yes
+smtpd_helo_restrictions =
+    reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+    reject_non_fqdn_sender
+    reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+    # RFC requirements
+    reject_non_fqdn_recipient
+    reject_unknown_recipient_domain
+    permit_mynetworks
+    permit_sasl_authenticated
+    reject_unauth_destination