Replace Postgrey with postscreen.

See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's infortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not.
author: Guilhem Moulin <guilhem@fripost.org> 2014-07-13 01:39:45 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:53:05 +0200
commit: 4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch)
tree: 4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles/MX
parent: 40ecc9de640b40a0175238fcff9929adfe537493 (diff)
9 files changed, 26 insertions, 29 deletions
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,6 +1,3 @@
 ---
-- name: Restart Postgrey
-  service: name=postgrey state=restarted
-
 - name: Reload Postfix
   service: name=postfix state=reloaded
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index db4bb58..8cd5106 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,30 +1,14 @@
-- name: Install Postfix & Postgrey
+- name: Install Postfix
   apt: pkg={{ item }}
   with_items:
     - postfix
     - postfix-pcre
     - postfix-ldap
     - postfix-cdb
-    - postgrey
+    # The following is for reserved-alias.pl
     - libnet-ldap-perl
     - libauthen-sasl-perl
 
-- name: Configure Postgrey
-  lineinfile: dest=/etc/default/postgrey
-              regexp='^POSTGREY_OPTS='
-              line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"'
-              owner=root group=root
-              mode=0644
-  register: r
-  notify:
-    - Restart Postgrey
-
-- name: Start Postgrey
-  service: name=postgrey state=started
-  when: not r.changed
-
-- meta: flush_handlers
-
 - name: Configure Postfix
   template: src=etc/postfix/main.cf.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 476178a..181066a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -123,11 +123,25 @@ unknown_virtual_mailbox_reject_code = 554
 unverified_recipient_reject_code    = 554
 unverified_sender_reject_code       = 554
 
+postscreen_blacklist_action = drop
+postscreen_dnsbl_threshold  = 3
+postscreen_dnsbl_action     = enforce
+postscreen_dnsbl_sites      =
+    zen.spamhaus.org*3
+    swl.spamhaus.org*-4
+    b.barracudacentral.org*2
+    bl.spameatingmonkey.net*2
+    bl.spamcop.net
+    dnsbl.sorbs.net
+    list.dnswl.org=127.[0..255].[0..255].0*-2
+    list.dnswl.org=127.[0..255].[0..255].1*-3
+    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
+
+postscreen_greet_action          = enforce
+postscreen_whitelist_interfaces = !88.80.11.28 static:all
 
 smtpd_client_restrictions =
     permit_mynetworks
-    reject_rbl_client zen.spamhaus.org
-    reject_rbl_client bl.spamcop.net
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
@@ -144,7 +158,7 @@ smtpd_recipient_restrictions =
     permit_mynetworks
     reject_unauth_destination
     reject_unlisted_recipient
-    check_policy_service unix:private/postgrey
+    permit_dnswl_client list.dnswl.org
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index c0ab405..1710376 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,4 +1,4 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index 7679a9c..119b8b2 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,4 +1,4 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 domain           = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 818ad02..66053c8 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,4 +1,4 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 domain           = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
index 1cb8add..4ec247d 100644
--- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
@@ -1,3 +1,5 @@
+# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
+# not (can't be) chrooted...
 server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 80c7b7f..3b364c0 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,4 +1,4 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 9b584c9..4654607 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,4 +1,4 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
author	Guilhem Moulin <guilhem@fripost.org>	2014-07-13 01:39:45 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:53:05 +0200
commit	4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch)
tree	4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles/MX
parent	40ecc9de640b40a0175238fcff9929adfe537493 (diff)