MX: Install OpenDMARC to add Authentication-Results headers.

On the infrastructure boundary.  We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>.  Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.

1 files changed, 46 insertions, 0 deletions

diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 507a4f2..300dbfb 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -137,3 +137,49 @@
     - munin-node
   notify:
     - Restart munin-node
+
+# XXX we probaly want SPF verification for domains without DMARC
+# policies
+- name: Install OpenDMARC
+  apt: pkg=opendmarc
+
+- name: Copy OpenDMARC configuration
+  copy: src=etc/opendmarc.conf
+        dest=/etc/opendmarc.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - Stop OpenDMARC
+
+- name: Create directory /etc/systemd/system/opendmarc.service.d
+  file: path=/etc/systemd/system/opendmarc.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Harden OpenDMARC service unit
+  copy: src=etc/systemd/system/opendmarc.service.d/override.conf
+        dest=/etc/systemd/system/opendmarc.service.d/override.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Stop OpenDMARC
+
+- meta: flush_handlers
+
+- name: Copy OpenDMARC socket unit
+  copy: src=etc/systemd/system/opendmarc.socket
+        dest=/etc/systemd/system/opendmarc.socket
+        owner=root group=root
+        mode=0644
+  register: r
+  notify:
+    - systemctl daemon-reload
+    - Restart OpenDMARC
+
+- name: Disable OpenDMARC service
+  service: name=opendmarc.service enabled=false
+
+- name: Start OpenDMARC socket
+  service: name=opendmarc.socket state=started enabled=true