author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 23:45:55 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 23:53:10 +0200 |
commit | d82e85eea2485925481bf12b052acede9d9ae0f8 (patch) | |
tree | a4e2c95507ecff59788af95ddc97a01ffc7b0f12 /roles/MX | |
parent | af8880f3a3281612340ec3d38e823684d9af5baa (diff) |
MX: Port to Debian 10.
For postfix, don't defer if "abused legit". (I.e., DBL return code in
the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.
Diffstat (limited to 'roles/MX')
-rw-r--r-- | roles/MX/files/etc/opendmarc.conf | 41 |
-rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 4 |
2 files changed, 27 insertions, 18 deletions
diff --git a/roles/MX/files/etc/opendmarc.conf b/roles/MX/files/etc/opendmarc.conf index 4a0b89c..575d02d 100644 --- a/roles/MX/files/etc/opendmarc.conf +++ b/roles/MX/files/etc/opendmarc.conf @@ -1,20 +1,46 @@ # This is a basic configuration that can easily be adapted to suit a standard -# installation. For more advanced options, see opendkim.conf(5) and/or +# installation. For more advanced options, see openmarc.conf(5) and/or # /usr/share/doc/opendmarc/examples/opendmarc.conf.sample. ## AuthservID (string) ## defaults to MTA name +## +## Sets the "authserv-id" to use when generating the Authentication-Results: +## header field after verifying a message. If the string "HOSTNAME" is +## provided, the name of the host running the filter (as returned by the +## gethostname(3) function) will be used. # # AuthservID name ## FailureReports { true | false } ## default "false" ## +## Enables generation of failure reports when the DMARC test fails and the +## purported sender of the message has requested such reports. Reports are +## formatted per RFC6591. +# # FailureReports false +## PublicSuffixList path +## default (none) +## +## Specifies the path to a file that contains top-level domains (TLDs) that +## will be used to compute the Organizational Domain for a given domain name, +## as described in the DMARC specification. If not provided, the filter will +## not be able to determine the Organizational Domain and only the presented +## domain will be evaluated. +# +PublicSuffixList /usr/share/publicsuffix + ## RejectFailures { true | false } ## default "false" ## +## If set, messages will be rejected if they fail the DMARC evaluation, or +## temp-failed if evaluation could not be completed. By default, no message +## will be rejected or temp-failed regardless of the outcome of the DMARC +## evaluation of the message. Instead, an Authentication-Results header +## field will be added. +# RejectFailures false ## Socket socketspec 
@@ -88,16 +114,3 @@ SPFSelfValidate true ## umask(2) for more information. # UMask 0007 - -## UserID user[:group] -## default (none) -## -## Attempts to become the specified userid before starting operations. -## The process will be assigned all of the groups and primary group ID of -## the named userid unless an alternate group is specified. -# -# UserID opendmarc - -## Path to system copy of PSL (needed to determine organizational domain) -# -PublicSuffixList /usr/share/publicsuffix/ diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 5c2f97b..36315d1 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -149,10 +149,6 @@ smtpd_recipient_restrictions = check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99] - # defer if "abused legit": DBL return code in the 127.0.1.100+ range - defer_if_reject - reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254] - reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254] smtpd_data_restrictions = reject_unauth_pipelining |
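Review bot: in the first hunk of roles/MX/files/etc/opendmarc.conf, the added `PublicSuffixList /usr/share/publicsuffix` points at what the removed line wrote as a directory (`/usr/share/publicsuffix/`), while the comment added directly above it says the option takes "the path to a file that contains top-level domains". Per that same comment, if the list is not available the filter evaluates only the presented domain, so Organizational Domain alignment would stop working without any visible failure. Point the option at the list file itself and confirm after deployment that the filter actually loaded it. Separately, the header comment now reads `openmarc.conf(5)`; it should be `opendmarc.conf(5)`.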
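Review bot: in the second opendmarc.conf hunk (`@@ -88,16 +114,3 @@`), the `UserID user[:group]` stanza is deleted and the commit message does not say why. The setting was already commented out (`# UserID opendmarc`), so behaviour does not change, but the file no longer documents which account the filter is expected to run as, and every other option in the first hunk gained documentation rather than losing it. Either keep the commented stanza or add a line to the commit message stating where the privilege drop is configured.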
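Review bot: in roles/MX/templates/etc/postfix/main.cf.j2 (`@@ -149,10 +149,6 @@`), the explanatory comment is removed together with `defer_if_reject` and the two `127.0.1.[100..254]` lookups, so the template no longer records that the "abused legit" DBL range is deliberately left unchecked. The remaining `reject_rhsbl_*` rules match only `127.0.1.[2..99]`, which means mail from domains in the 100+ range is now accepted with no deferral. Leave a short comment in place of the removed block noting that this is intentional and that `defer_if_reject` was dropped because on Postfix 3.4.8 it also applies to $smtpd_relay_restrictions, so a later edit does not reintroduce it.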