diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-02 23:39:26 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:10 +0200 |
commit | 1a50ad8f85ae7b42d7749b43d8f01adb663114ff (patch) | |
tree | 39ef587ae5efaafbe6895a6aee2602a6a81c6e0b /roles | |
parent | 9ff98e18e5dd6967bce1457cff1884ec632cf2b5 (diff) |
Configure the Mail Submission Agent.
Diffstat (limited to 'roles')
-rw-r--r-- | roles/MSA/files/etc/postfix/anonymize_sender.pcre | 7 | ||||
-rw-r--r-- | roles/MSA/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/MSA/tasks/main.yml | 26 | ||||
-rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 118 | ||||
-rw-r--r-- | roles/common/files/etc/postfix/master.cf | 1 | ||||
-rw-r--r-- | roles/common/templates/etc/fail2ban/jail.local.j2 | 10 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 3 | ||||
-rw-r--r-- | roles/mx/templates/etc/postfix/main.cf.j2 | 1 |
8 files changed, 171 insertions, 1 deletions
diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre new file mode 100644 index 0000000..bd3d5f1 --- /dev/null +++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre @@ -0,0 +1,7 @@ +/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[[[:xdigit:].:]{3,39}\]\)) + (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).* + (\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\) + \s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2} + +/^X-Originating-IP:/ IGNORE diff --git a/roles/MSA/handlers/main.yml b/roles/MSA/handlers/main.yml new file mode 100644 index 0000000..c27834e --- /dev/null +++ b/roles/MSA/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart Postfix + service: name=postfix state=restarted + +- name: Reload Postfix + service: name=postfix state=reloaded diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml new file mode 100644 index 0000000..a722311 --- /dev/null +++ b/roles/MSA/tasks/main.yml @@ -0,0 +1,26 @@ +- name: Install Postfix + apt: pkg={{ item }} + with_items: + - postfix + - postfix-pcre + +- name: Configure Postfix + template: src=etc/postfix/main.cf.j2 + dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf + owner=root group=root + mode=0644 + register: r + notify: + - Restart Postfix + +- name: Copy the Regex to anonymize senders + copy: src=etc/postfix/anonymize_sender.pcre + dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre + owner=root group=root + mode=0644 + +- name: Start Postfix + service: name=postfix state=started + when: not r.changed + +- meta: flush_handlers diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 new file mode 100644 index 0000000..7d27909 --- /dev/null +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -0,0 +1,118 @@ +######################################################################## +# MSA configuration +# +# {{ ansible_managed }} +# Do NOT edit this file directly! + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +mail_owner = postfix + +delay_warning_time = 4h +maximal_queue_lifetime = 5d + +myorigin = /etc/mailname +myhostname = smtp{{ mdano | default('') }}.$mydomain +mydomain = {{ ansible_domain }} +append_dot_mydomain = no + +# Turn off all TCP/IP listener ports except that necessary for the MSA. +master_service_disable = !submission.inet inet + +queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} +data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} +multi_instance_group = {{ postfix_instance[inst].group | default('') }} +multi_instance_name = postfix-{{ postfix_instance[inst].name }} +multi_instance_enable = yes + +# This server is a Mail Submission Agent +mynetworks_style = host +inet_interfaces = all +inet_protocols = all + +# No local delivery +mydestination = +local_transport = error:5.1.1 Mailbox unavailable +alias_maps = +alias_database = +local_recipient_maps = + +message_size_limit = 67108864 +recipient_delimiter = + + +# Forward everything to our internal mailhub +{% if 'MTA-out' in group_names %} +relayhost = [127.0.0.1]:{{ MTA_out.port }} +{% else %} +relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }} +{% endif %} +relay_domains = + +# Don't rewrite remote headers +local_header_rewrite_clients = +# Pass the client information along to the content filter +smtp_send_xforward_command = yes +# Avoid splitting the envelope and scanning messages multiple times +smtp_destination_recipient_limit = 1000 +# Tolerate occasional high latency +smtp_data_done_timeout = 1200s + +# Anonymize the (authenticated) sender; pass the mail to the antivirus +header_checks = pcre:$config_directory/anonymize_sender.pcre +#content_filter = amavisfeed:unix:public/amavisfeed-antivirus + +# Tunnel everything through IPSec +smtp_tls_security_level = none +smtp_bind_address = 172.16.0.1 + +# TLS +smtpd_tls_security_level = encrypt +smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_CApath = /etc/ssl/certs/ +smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_received_header = yes +smtpd_tls_ask_ccert = yes +smtpd_tls_fingerprint_digest = sha1 +smtpd_tls_eecdh_grade = strong +tls_random_source = dev:/dev/urandom + +# SASL +smtpd_sasl_auth_enable = yes +smtpd_sasl_authenticated_header = no +smtpd_sasl_local_domain = +smtpd_sasl_exceptions_networks = $mynetworks +smtpd_sasl_security_options = noanonymous, noplaintext +smtpd_sasl_tls_security_options = noanonymous +broken_sasl_auth_clients = no +smtpd_sasl_type = dovecot +smtpd_sasl_path = unix:private/dovecot-auth + + +strict_rfc821_envelopes = yes +smtpd_delay_reject = yes +disable_vrfy_command = yes + +# UCE control +unknown_client_reject_code = 554 + +smtpd_client_restrictions = + permit_sasl_authenticated + reject + +smtpd_helo_required = yes +smtpd_helo_restrictions = + reject_invalid_helo_hostname + +smtpd_sender_restrictions = + reject_non_fqdn_sender + reject_unknown_sender_domain + +smtpd_recipient_restrictions = + # RFC requirements + reject_non_fqdn_recipient + reject_unknown_recipient_domain + permit_mynetworks + permit_sasl_authenticated + reject_unauth_destination diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf index fa8fed9..3540e32 100644 --- a/roles/common/files/etc/postfix/master.cf +++ b/roles/common/files/etc/postfix/master.cf @@ -11,6 +11,7 @@ smtp inet n - - - - smtpd 16132 inet n - - - - smtpd 2526 inet n - - - - smtpd +submission inet n - - - - smtpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 96f2d6b..661c862 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -71,3 +71,13 @@ port = imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log {% endif %} + + +{% if 'MSA' in group_names %} +[sasl] + +enabled = true +port = submission +filter = sasl +logpath = /var/log/mail.warn +{% endif %} diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index cd7a8bd..5243ae1 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -18,3 +18,6 @@ in tcp 25 # SMTP {% if 'IMAP' in group_names %} in tcp 993 # IMAPS {% endif %} +{% if 'MSA' in group_names %} +in tcp 587 # SMTP-AUTH +{% endif %} diff --git a/roles/mx/templates/etc/postfix/main.cf.j2 b/roles/mx/templates/etc/postfix/main.cf.j2 index a9ce8c4..0aa91b3 100644 --- a/roles/mx/templates/etc/postfix/main.cf.j2 +++ b/roles/mx/templates/etc/postfix/main.cf.j2 @@ -89,7 +89,6 @@ smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_fingerprint_digest = sha1 smtpd_tls_eecdh_grade = strong - tls_random_source = dev:/dev/urandom |