authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 18:26:53 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 18:26:55 +0200
commit2f9574850b356a746ee3ff9a8a311c450784b53c (patch)
treeb4da3e9490c148c2ec1a67e7900bc6adaa27ffb9 /roles/MX/templates/etc/postfix/main.cf.j2
parent809a185dca11424cef6220b5314a8b7aed487164 (diff)
MX: Install OpenDMARC to add Authentication-Results headers.
On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to <user@example.com> to <user@fripost.org>. Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox.
Diffstat (limited to 'roles/MX/templates/etc/postfix/main.cf.j2')
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j21
1 files changed, 1 insertions, 0 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index a2cc2a8..5c2f97b 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -106,40 +106,41 @@ postscreen_dnsbl_sites =
#swl.spamhaus.org*-4
b.barracudacentral.org=127.0.0.2*7
bl.mailspike.net=127.0.0.2*5
bl.mailspike.net=127.0.0.[10..12]*4
wl.mailspike.net=127.0.0.[18..20]*-2
bl.spameatingmonkey.net=127.0.0.2*4
bl.spamcop.net=127.0.0.2*2
dnsbl.sorbs.net=127.0.0.10*8
dnsbl.sorbs.net=127.0.0.5*6
dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = static:all
+smtpd_milters = { unix:public/opendmarc, protocol=6, default_action=accept }
smtpd_client_restrictions =
permit_mynetworks
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_relay_restrictions =
reject_non_fqdn_recipient
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
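Review bot: `default_action=accept` on the added `smtpd_milters` line makes the OpenDMARC check fail open. If the milter socket is unavailable or times out, mail is delivered without an Authentication-Results header from this host, so a member's Sieve rule that matches only on a failed result will not fire. If unlabelled delivery during a milter outage is intended, which would be consistent with the no-reject policy in the description, say so next to the setting, e.g. `# Fail open: if opendmarc is down, mail is accepted without Authentication-Results; Sieve rules must not read a missing header as a pass.`; otherwise `default_action=tempfail` defers mail until the milter is back. The OpenDMARC configuration is not part of this hunk, so it is worth confirming there that inbound Authentication-Results headers carrying this host's authserv-id are removed before the new one is added, since members' filters will trust that header.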