summaryrefslogtreecommitdiffstats
path: root/roles/MSA
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-11 21:13:19 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-12 13:46:44 +0100
commita0d439f832721ab1b4bdcf9ab844ee20d4dc1682 (patch)
tree64b56a401e9a92622fb7bf734453882ca4f9d6a4 /roles/MSA
parent7beb915bb8dddac847ca3aca85c187e314a6c0fa (diff)
submission: Prospective SPF checking.
Cf. http://www.openspf.org/Best_Practices/Outbound .
Diffstat (limited to 'roles/MSA')
-rw-r--r--roles/MSA/tasks/main.yml10
-rw-r--r--roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j218
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j22
3 files changed, 30 insertions, 0 deletions
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 65d1dae..c78139a 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -4,6 +4,7 @@
packages:
- postfix
- postfix-pcre
+ - postfix-policyd-spf-python
- name: Copy Postfix sender login socketmap
copy: src=usr/local/bin/postfix-sender-login.pl
@@ -59,6 +60,15 @@
notify:
- Reload Postfix
+- name: Configure policyd-spf
+ template: src=etc/postfix-policyd-spf-python/policyd-spf.conf.j2
+ dest=/etc/postfix-policyd-spf-python/policyd-spf.conf
+ owner=root group=root
+ mode=0644
+ # Reload Postifx to terminate spawn(8) daemon children
+ notify:
+ - Reload Postfix
+
- name: Create directory /etc/postfix/ssl
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
state=directory
diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
new file mode 100644
index 0000000..2cc1074
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+# We're just trying to keep our outgoing IPs clean of SPF violations,
+# not seeking 100% accurate reports. While it's possible that the
+# message is routed through a different IP (eg, IPv4 vs v6), giving a
+# potentially inaccurate prospective report, it's quite unlikely in
+# practice.
+Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }}
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index a48a327..65a0339 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -50,6 +50,7 @@ local_header_rewrite_clients =
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
+policyd-spf_time_limit = $ipc_timeout
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
@@ -107,6 +108,7 @@ smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
check_sender_access lmdb:$config_directory/check_sender_access
+ check_policy_service unix:private/policyd-spf
reject_known_sender_login_mismatch
smtpd_relay_restrictions =