authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 23:45:55 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 23:53:10 +0200
commitd82e85eea2485925481bf12b052acede9d9ae0f8 (patch)
treea4e2c95507ecff59788af95ddc97a01ffc7b0f12 /roles/MX
parentaf8880f3a3281612340ec3d38e823684d9af5baa (diff)
MX: Port to Debian 10.
For postfix, don't defer if "abused legit". (I.e., DBL return code in the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch) but for 3.4.8 (Buster) the 'defer_if_reject' also applies to $smtpd_relay_restrictions, to reject_unauth_destination & reject_unlisted_recipient in particular.
Diffstat (limited to 'roles/MX')
-rw-r--r--roles/MX/files/etc/opendmarc.conf41
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j24
2 files changed, 27 insertions, 18 deletions
diff --git a/roles/MX/files/etc/opendmarc.conf b/roles/MX/files/etc/opendmarc.conf
index 4a0b89c..575d02d 100644
--- a/roles/MX/files/etc/opendmarc.conf
+++ b/roles/MX/files/etc/opendmarc.conf
@@ -1,20 +1,46 @@
# This is a basic configuration that can easily be adapted to suit a standard
-# installation. For more advanced options, see opendkim.conf(5) and/or
+# installation. For more advanced options, see openmarc.conf(5) and/or
# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
## AuthservID (string)
## defaults to MTA name
+##
+## Sets the "authserv-id" to use when generating the Authentication-Results:
+## header field after verifying a message. If the string "HOSTNAME" is
+## provided, the name of the host running the filter (as returned by the
+## gethostname(3) function) will be used.
#
# AuthservID name
## FailureReports { true | false }
## default "false"
##
+## Enables generation of failure reports when the DMARC test fails and the
+## purported sender of the message has requested such reports. Reports are
+## formatted per RFC6591.
+#
# FailureReports false
+## PublicSuffixList path
+## default (none)
+##
+## Specifies the path to a file that contains top-level domains (TLDs) that
+## will be used to compute the Organizational Domain for a given domain name,
+## as described in the DMARC specification. If not provided, the filter will
+## not be able to determine the Organizational Domain and only the presented
+## domain will be evaluated.
+#
+PublicSuffixList /usr/share/publicsuffix
+
## RejectFailures { true | false }
## default "false"
##
+## If set, messages will be rejected if they fail the DMARC evaluation, or
+## temp-failed if evaluation could not be completed. By default, no message
+## will be rejected or temp-failed regardless of the outcome of the DMARC
+## evaluation of the message. Instead, an Authentication-Results header
+## field will be added.
+#
RejectFailures false
## Socket socketspec
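Review bot: The manpage reference on the rewritten comment line reads `openmarc.conf(5)`, which is not the section the file is documenting; the line should be `# installation. For more advanced options, see opendmarc.conf(5) and/or`. The new `PublicSuffixList /usr/share/publicsuffix` line drops the trailing slash of the value removed in the second hunk, while the comment added just above it describes the option as the path to a file; if that path is a directory on Debian 10, it is worth confirming that OpenDMARC resolves the list inside it, because the same comment states that without a usable PSL the Organizational Domain cannot be determined and only the presented domain is evaluated. Blank context lines appear to have been stripped from this rendering, so the hunk's line count could not be checked against its header.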
@@ -88,16 +114,3 @@ SPFSelfValidate true
## umask(2) for more information.
#
UMask 0007
-
-## UserID user[:group]
-## default (none)
-##
-## Attempts to become the specified userid before starting operations.
-## The process will be assigned all of the groups and primary group ID of
-## the named userid unless an alternate group is specified.
-#
-# UserID opendmarc
-
-## Path to system copy of PSL (needed to determine organizational domain)
-#
-PublicSuffixList /usr/share/publicsuffix/
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 5c2f97b..36315d1 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -149,10 +149,6 @@ smtpd_recipient_restrictions =
check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
- # defer if "abused legit": DBL return code in the 127.0.1.100+ range
- defer_if_reject
- reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
- reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254]
smtpd_data_restrictions =
reject_unauth_pipelining