summaryrefslogtreecommitdiffstats
path: root/roles/MX/tasks
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 18:26:53 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 18:26:55 +0200
commit2f9574850b356a746ee3ff9a8a311c450784b53c (patch)
treeb4da3e9490c148c2ec1a67e7900bc6adaa27ffb9 /roles/MX/tasks
parent809a185dca11424cef6220b5314a8b7aed487164 (diff)
MX: Install OpenDMARC to add Authentication-Results headers.
On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to <user@example.com> to <user@fripost.org>. Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox.
Diffstat (limited to 'roles/MX/tasks')
-rw-r--r--roles/MX/tasks/main.yml46
1 files changed, 46 insertions, 0 deletions
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 507a4f2..300dbfb 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -137,3 +137,49 @@
- munin-node
notify:
- Restart munin-node
+
+# XXX we probaly want SPF verification for domains without DMARC
+# policies
+- name: Install OpenDMARC
+ apt: pkg=opendmarc
+
+- name: Copy OpenDMARC configuration
+ copy: src=etc/opendmarc.conf
+ dest=/etc/opendmarc.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Stop OpenDMARC
+
+- name: Create directory /etc/systemd/system/opendmarc.service.d
+ file: path=/etc/systemd/system/opendmarc.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Harden OpenDMARC service unit
+ copy: src=etc/systemd/system/opendmarc.service.d/override.conf
+ dest=/etc/systemd/system/opendmarc.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Stop OpenDMARC
+
+- meta: flush_handlers
+
+- name: Copy OpenDMARC socket unit
+ copy: src=etc/systemd/system/opendmarc.socket
+ dest=/etc/systemd/system/opendmarc.socket
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - systemctl daemon-reload
+ - Restart OpenDMARC
+
+- name: Disable OpenDMARC service
+ service: name=opendmarc.service enabled=false
+
+- name: Start OpenDMARC socket
+ service: name=opendmarc.socket state=started enabled=true