diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-13 01:39:45 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:53:05 +0200 |
commit | 4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch) | |
tree | 4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles/MX | |
parent | 40ecc9de640b40a0175238fcff9929adfe537493 (diff) |
Replace Postgrey with postscreen.
See http://www.postfix.org/POSTSCREEN_README.html and
http://rob0.nodns4.us/postscreen.html
It's infortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well. Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting. So these processes need to be
both chrooted, or both not.
Diffstat (limited to 'roles/MX')
-rw-r--r-- | roles/MX/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/MX/tasks/main.yml | 20 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 20 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/alias.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/domains.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/list.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 | 2 |
9 files changed, 26 insertions, 29 deletions
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml index 0482a49..99a5db2 100644 --- a/roles/MX/handlers/main.yml +++ b/roles/MX/handlers/main.yml @@ -1,6 +1,3 @@ --- -- name: Restart Postgrey - service: name=postgrey state=restarted - - name: Reload Postfix service: name=postfix state=reloaded diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index db4bb58..8cd5106 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml @@ -1,30 +1,14 @@ -- name: Install Postfix & Postgrey +- name: Install Postfix apt: pkg={{ item }} with_items: - postfix - postfix-pcre - postfix-ldap - postfix-cdb - - postgrey + # The following is for reserved-alias.pl - libnet-ldap-perl - libauthen-sasl-perl -- name: Configure Postgrey - lineinfile: dest=/etc/default/postgrey - regexp='^POSTGREY_OPTS=' - line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"' - owner=root group=root - mode=0644 - register: r - notify: - - Restart Postgrey - -- name: Start Postgrey - service: name=postgrey state=started - when: not r.changed - -- meta: flush_handlers - - name: Configure Postfix template: src=etc/postfix/main.cf.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 476178a..181066a 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -123,11 +123,25 @@ unknown_virtual_mailbox_reject_code = 554 unverified_recipient_reject_code = 554 unverified_sender_reject_code = 554 +postscreen_blacklist_action = drop +postscreen_dnsbl_threshold = 3 +postscreen_dnsbl_action = enforce +postscreen_dnsbl_sites = + zen.spamhaus.org*3 + swl.spamhaus.org*-4 + b.barracudacentral.org*2 + bl.spameatingmonkey.net*2 + bl.spamcop.net + dnsbl.sorbs.net + list.dnswl.org=127.[0..255].[0..255].0*-2 + list.dnswl.org=127.[0..255].[0..255].1*-3 + list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 + +postscreen_greet_action = enforce +postscreen_whitelist_interfaces = !88.80.11.28 static:all smtpd_client_restrictions = permit_mynetworks - reject_rbl_client zen.spamhaus.org - reject_rbl_client bl.spamcop.net smtpd_helo_required = yes smtpd_helo_restrictions = @@ -144,7 +158,7 @@ smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unlisted_recipient - check_policy_service unix:private/postgrey + permit_dnswl_client list.dnswl.org smtpd_data_restrictions = reject_unauth_pipelining diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 index c0ab405..1710376 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 index 7679a9c..119b8b2 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 index 818ad02..66053c8 100644 --- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 index 1cb8add..4ec247d 100644 --- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 @@ -1,3 +1,5 @@ +# XXX: How come we use a socked relative to the chroot here? smtpd(8) is +# not (can't be) chrooted... server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = ou=virtual,dc=fripost,dc=org diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 index 80c7b7f..3b364c0 100644 --- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 index 9b584c9..4654607 100644 --- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 @@ -1,4 +1,4 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ +server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all |