diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-13 01:39:45 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:53:05 +0200 |
commit | 4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch) | |
tree | 4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles/MX/templates/etc/postfix | |
parent | 40ecc9de640b40a0175238fcff9929adfe537493 (diff) |
Replace Postgrey with postscreen.
See http://www.postfix.org/POSTSCREEN_README.html and
http://rob0.nodns4.us/postscreen.html
It's infortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well. Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting. So these processes need to be
both chrooted, or both not.
Diffstat (limited to 'roles/MX/templates/etc/postfix')
7 files changed, 24 insertions, 8 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 476178a..181066a 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -123,11 +123,25 @@ unknown_virtual_mailbox_reject_code = 554 unverified_recipient_reject_code = 554 unverified_sender_reject_code = 554 +postscreen_blacklist_action = drop +postscreen_dnsbl_threshold = 3 +postscreen_dnsbl_action = enforce +postscreen_dnsbl_sites = + zen.spamhaus.org*3 + swl.spamhaus.org*-4 + b.barracudacentral.org*2 + bl.spameatingmonkey.net*2 + bl.spamcop.net + dnsbl.sorbs.net + list.dnswl.org=127.[0..255].[0..255].0*-2 + list.dnswl.org=127.[0..255].[0..255].1*-3 + list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 + +postscreen_greet_action = enforce +postscreen_whitelist_interfaces = !88.80.11.28 static:all smtpd_client_restrictions = permit_mynetworks - reject_rbl_client zen.spamhaus.org - reject_rbl_client bl.spamcop.net smtpd_helo_required = yes smtpd_helo_restrictions = @@ -144,7 +158,7 @@ smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unlisted_recipient - check_policy_service unix:private/postgrey + permit_dnswl_client list.dnswl.org smtpd_data_restrictions = reject_unauth_pipelining diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 index c0ab405..1710376 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 index 7679a9c..119b8b2 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 index 818ad02..66053c8 100644 --- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 index 1cb8add..4ec247d 100644 --- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 @@ -1,3 +1,5 @@ +# XXX: How come we use a socked relative to the chroot here? smtpd(8) is +# not (can't be) chrooted... server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 index 80c7b7f..3b364c0 100644 --- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 index 9b584c9..4654607 100644 --- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all |