authorGuilhem Moulin <guilhem@fripost.org>2014-07-13 01:39:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:05 +0200
commit4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch)
tree4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles/MX
parent40ecc9de640b40a0175238fcff9929adfe537493 (diff)
Replace Postgrey with postscreen.
See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's unfortunate that smtpd(8) can no longer be chrooted, which means that we have to un-chroot cleanup(8) as well. Indeed, smtpd(8) currently uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be either both chrooted, or both not.
Diffstat (limited to 'roles/MX')
-rw-r--r--roles/MX/handlers/main.yml3
-rw-r--r--roles/MX/tasks/main.yml20
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j220
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/catchall.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j22
9 files changed, 26 insertions, 29 deletions
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,6 +1,3 @@
---
-- name: Restart Postgrey
- service: name=postgrey state=restarted
-
- name: Reload Postfix
service: name=postfix state=reloaded
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index db4bb58..8cd5106 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,30 +1,14 @@
-- name: Install Postfix & Postgrey
+- name: Install Postfix
apt: pkg={{ item }}
with_items:
- postfix
- postfix-pcre
- postfix-ldap
- postfix-cdb
- - postgrey
+ # The following is for reserved-alias.pl
- libnet-ldap-perl
- libauthen-sasl-perl
-- name: Configure Postgrey
- lineinfile: dest=/etc/default/postgrey
- regexp='^POSTGREY_OPTS='
- line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"'
- owner=root group=root
- mode=0644
- register: r
- notify:
- - Restart Postgrey
-
-- name: Start Postgrey
- service: name=postgrey state=started
- when: not r.changed
-
-- meta: flush_handlers
-
- name: Configure Postfix
template: src=etc/postfix/main.cf.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 476178a..181066a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -123,11 +123,25 @@ unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
+postscreen_blacklist_action = drop
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites =
+ zen.spamhaus.org*3
+ swl.spamhaus.org*-4
+ b.barracudacentral.org*2
+ bl.spameatingmonkey.net*2
+ bl.spamcop.net
+ dnsbl.sorbs.net
+ list.dnswl.org=127.[0..255].[0..255].0*-2
+ list.dnswl.org=127.[0..255].[0..255].1*-3
+ list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
+
+postscreen_greet_action = enforce
+postscreen_whitelist_interfaces = !88.80.11.28 static:all
smtpd_client_restrictions =
permit_mynetworks
- reject_rbl_client zen.spamhaus.org
- reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
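Review bot: `postscreen_whitelist_interfaces = !88.80.11.28 static:all` hard-codes a public IP in an Ansible template, whereas the rest of this role derives per-instance values from variables (tasks/main.yml uses `postfix_instance[inst].name`); the address should come from a role variable, and the line deserves a comment because its effect is non-obvious, e.g. `# Clients that connect to this address never earn postscreen's temporary whitelist and are always subjected to the tests (secondary-MX trap).` Also note that these `postscreen_*` parameters are inert unless master.cf hands port 25 to postscreen(8) and moves smtpd(8) to the `pass` service; no master.cf change is in this diff (the diffstat is limited to roles/MX), so verify that it exists elsewhere before deploying, otherwise the removed `reject_rbl_client` checks are gone with nothing replacing them. The DNSBL weights are the POSTSCREEN_README example set; they are sensible, but the zone list should be revisited periodically since public zones change their listing policies.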
@@ -144,7 +158,7 @@ smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
- check_policy_service unix:private/postgrey
+ permit_dnswl_client list.dnswl.org
smtpd_data_restrictions =
reject_unauth_pipelining
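Review bot: `permit_dnswl_client list.dnswl.org` is the last entry of `smtpd_recipient_restrictions` (the list ends at the blank line before `smtpd_data_restrictions`), so it can only permit what the implicit end-of-list permit already allows; it therefore costs one DNS lookup per recipient without changing any decision, and postscreen already weights list.dnswl.org in `postscreen_dnsbl_sites`. Either drop the line or move it ahead of the reject it is meant to bypass, none of which is visible in this hunk. Whatever the placement, it must stay after `reject_unauth_destination`, as it does now; putting a permit before that check would let any DNSWL-listed host relay through this MX.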
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index c0ab405..1710376 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
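Review bot: The new `server_host` hard-codes the instance name `postfix-mx`, while tasks/main.yml derives the instance directory from `postfix_instance[inst].name`; use `ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[inst].name }}%2Fprivate%2Fldapi/` so the template cannot silently point at another instance's socket if the instance is ever renamed. A one-line comment such as `# Absolute path: this table is opened by smtpd(8)/cleanup(8), which no longer run chrooted (see commit).` would record why this file differs from domains.cf.j2. Since the socket sits under the spool's `private/` directory, the daemon opening it must run as the postfix user to reach it — presumably the case for both, but worth confirming.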
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index 7679a9c..119b8b2 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
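Review bot: Same remark as for alias.cf.j2: `postfix-mx` is hard-coded in the ldapi path although the role otherwise templates the instance name via `postfix_instance[inst].name`; substituting `postfix-{{ postfix_instance[inst].name }}` keeps the socket path and the spool directory created by tasks/main.yml in step. This file and domains.cf.j2 both serve domain-class lookups but now use different path conventions; a short comment stating which daemon opens each table would explain the asymmetry.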
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 818ad02..66053c8 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
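Review bot: The ldapi path hard-codes `postfix-mx` instead of `postfix-{{ postfix_instance[inst].name }}` as used in tasks/main.yml, so renaming the instance would leave this catch-all table pointing at a socket that no longer exists; catch-all lookups failing at that point would surface as temporary rejects rather than a configuration error, which is easy to miss. Parameterising the instance name makes the failure mode a template error at deploy time instead.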
diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
index 1cb8add..4ec247d 100644
--- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
@@ -1,3 +1,5 @@
+# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
+# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
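Review bot: The added XXX comment leaves an open question in a production template; the likely answer is that domain-class lookups such as this one are performed by a daemon that is still chrooted (trivial-rewrite(8)'s resolve service rather than smtpd(8) itself), which is why the chroot-relative path keeps working — verify against master.cf and then replace the comment with the finding, e.g. `# Chroot-relative path: this table is opened only by chrooted daemons (see master.cf).` Until that is confirmed, a lookup failure here would surface as a temporary error for every recipient in an unknown domain, so check the mail log for ldapi connection errors after deploying. Also, "socked" should read "socket".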
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 80c7b7f..3b364c0 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
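Review bot: As in the other virtual tables, the instance name `postfix-mx` is hard-coded in the ldapi path while tasks/main.yml templates it from `postfix_instance[inst].name`; use `postfix-{{ postfix_instance[inst].name }}` here too so list lookups cannot diverge from the instance actually being configured. A one-line comment noting that the path is absolute because the consuming daemons are no longer chrooted would save the next reader a trip to the commit log.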
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 9b584c9..4654607 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
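Review bot: The hard-coded `postfix-mx` in the ldapi path should be `postfix-{{ postfix_instance[inst].name }}`, consistent with tasks/main.yml; the mailbox table is what drives `reject_unlisted_recipient`, so an instance rename that breaks this socket path would turn every valid mailbox into a temporarily-rejected recipient. Given that impact, this template in particular is worth a deploy-time check that the socket exists at the rendered path.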