authorGuilhem Moulin <guilhem@fripost.org>2013-12-02 23:39:26 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:10 +0200
commit1a50ad8f85ae7b42d7749b43d8f01adb663114ff (patch)
tree39ef587ae5efaafbe6895a6aee2602a6a81c6e0b /roles
parent9ff98e18e5dd6967bce1457cff1884ec632cf2b5 (diff)
Configure the Mail Submission Agent.
Diffstat (limited to 'roles')
-rw-r--r--roles/MSA/files/etc/postfix/anonymize_sender.pcre7
-rw-r--r--roles/MSA/handlers/main.yml6
-rw-r--r--roles/MSA/tasks/main.yml26
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j2118
-rw-r--r--roles/common/files/etc/postfix/master.cf1
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j210
-rw-r--r--roles/common/templates/etc/iptables/services.j23
-rw-r--r--roles/mx/templates/etc/postfix/main.cf.j21
8 files changed, 171 insertions, 1 deletions
diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
new file mode 100644
index 0000000..bd3d5f1
--- /dev/null
+++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
@@ -0,0 +1,7 @@
+/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[[[:xdigit:].:]{3,39}\]\))
+ (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).*
+ (\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\)
+ \s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2}
+
+/^X-Originating-IP:/ IGNORE
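Review bot: The address class `[[:xdigit:].:]{3,39}` on the first line of the Received pattern does not admit the `IPv6:` prefix Postfix puts in front of IPv6 literals in Received headers, so with the MSA's `inet_protocols = all` a client that submits over IPv6 keeps its real address in the header (only the X-Originating-IP rule still applies). Widening the literal to `\[(?:IPv6:)?[[:xdigit:].:]{3,39}\]` would cover both address families. The TLS clause captured in `${1}` is mandatory rather than optional, so the rule silently stops matching if `smtpd_tls_received_header` is ever turned off or a plaintext session gets through; a one-line comment above the pattern stating that dependency would help the next editor. The file is copied verbatim rather than templated, so `fripost\.org` is fixed here even though the MSA template derives `mydomain` from `ansible_domain`.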
diff --git a/roles/MSA/handlers/main.yml b/roles/MSA/handlers/main.yml
new file mode 100644
index 0000000..c27834e
--- /dev/null
+++ b/roles/MSA/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Postfix
+ service: name=postfix state=restarted
+
+- name: Reload Postfix
+ service: name=postfix state=reloaded
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
new file mode 100644
index 0000000..a722311
--- /dev/null
+++ b/roles/MSA/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Install Postfix
+ apt: pkg={{ item }}
+ with_items:
+ - postfix
+ - postfix-pcre
+
+- name: Configure Postfix
+ template: src=etc/postfix/main.cf.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - Restart Postfix
+
+- name: Copy the Regex to anonymize senders
+ copy: src=etc/postfix/anonymize_sender.pcre
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre
+ owner=root group=root
+ mode=0644
+
+- name: Start Postfix
+ service: name=postfix state=started
+ when: not r.changed
+
+- meta: flush_handlers
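Review bot: The "Copy the Regex to anonymize senders" task has no `notify`, so an updated anonymize_sender.pcre is written to disk but the running cleanup(8) daemons keep the header_checks table they loaded at start; the new rule only takes effect once those processes are recycled. Adding `notify:` / `- Reload Postfix` to that task (the handler already exists in this commit) makes the change take effect on the same run. Note also that `r` only records the main.cf template task, so the "Start Postfix" guard ignores whether the pcre file changed, which is fine as long as the copy task notifies a reload.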
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..7d27909
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,118 @@
+########################################################################
+# MSA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+
+delay_warning_time = 4h
+maximal_queue_lifetime = 5d
+
+myorigin = /etc/mailname
+myhostname = smtp{{ mdano | default('') }}.$mydomain
+mydomain = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the MSA.
+master_service_disable = !submission.inet inet
+
+queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# This server is a Mail Submission Agent
+mynetworks_style = host
+inet_interfaces = all
+inet_protocols = all
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+alias_database =
+local_recipient_maps =
+
+message_size_limit = 67108864
+recipient_delimiter = +
+
+# Forward everything to our internal mailhub
+{% if 'MTA-out' in group_names %}
+relayhost = [127.0.0.1]:{{ MTA_out.port }}
+{% else %}
+relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
+{% endif %}
+relay_domains =
+
+# Don't rewrite remote headers
+local_header_rewrite_clients =
+# Pass the client information along to the content filter
+smtp_send_xforward_command = yes
+# Avoid splitting the envelope and scanning messages multiple times
+smtp_destination_recipient_limit = 1000
+# Tolerate occasional high latency
+smtp_data_done_timeout = 1200s
+
+# Anonymize the (authenticated) sender; pass the mail to the antivirus
+header_checks = pcre:$config_directory/anonymize_sender.pcre
+#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
+
+# Tunnel everything through IPSec
+smtp_tls_security_level = none
+smtp_bind_address = 172.16.0.1
+
+# TLS
+smtpd_tls_security_level = encrypt
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_CApath = /etc/ssl/certs/
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_fingerprint_digest = sha1
+smtpd_tls_eecdh_grade = strong
+tls_random_source = dev:/dev/urandom
+
+# SASL
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_authenticated_header = no
+smtpd_sasl_local_domain =
+smtpd_sasl_exceptions_networks = $mynetworks
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+broken_sasl_auth_clients = no
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = unix:private/dovecot-auth
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+# UCE control
+unknown_client_reject_code = 554
+
+smtpd_client_restrictions =
+ permit_sasl_authenticated
+ reject
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_unauth_destination
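Review bot: `smtpd_sender_restrictions` near the end of the hunk never ties the envelope sender to the SASL login, so any authenticated account can submit mail with any sender address; an MSA normally adds `reject_authenticated_sender_login_mismatch` backed by a `smtpd_sender_login_maps` table so that one compromised mailbox cannot impersonate the others. `smtpd_tls_cert_file` and `smtpd_tls_key_file` point at Debian's self-signed snakeoil pair, so clients cannot verify the server they hand their credentials to on the `encrypt`-only listener; if that is a placeholder until a real certificate is deployed, say so in the comment above the TLS block. `smtpd_tls_session_cache_database= btree:` is missing the space before `=` that every other line in the file uses.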
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index fa8fed9..3540e32 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -11,6 +11,7 @@
smtp inet n - - - - smtpd
16132 inet n - - - - smtpd
2526 inet n - - - - smtpd
+submission inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
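Review bot: The new `submission` listener is added to the shared roles/common master.cf, so every Postfix instance built from it starts a port 587 smtpd governed by its own main.cf, not just the MSA instance; in this commit only the MSA template restricts the listeners via `master_service_disable = !submission.inet inet`. Whether the mx instance's main.cf disables `submission.inet` is not visible here, so a comment on this line such as `# submission: enabled per instance through master_service_disable in main.cf` and a matching setting in the other instance templates would make the intended exposure explicit. The host firewall only opens 587 on MSA hosts, which limits the impact but does not document it.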
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 96f2d6b..661c862 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -71,3 +71,13 @@ port = imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
{% endif %}
+
+
+{% if 'MSA' in group_names %}
+[sasl]
+
+enabled = true
+port = submission
+filter = sasl
+logpath = /var/log/mail.warn
+{% endif %}
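Review bot: The `[sasl]` jail relies on the filter fail2ban ships under the name `sasl`; later fail2ban releases renamed that filter `postfix-sasl`, so the jail will fail to start after an upgrade unless the `filter` line is adjusted or a local filter file is provided. A comment above the jail stating which filter version the `filter = sasl` line targets would make that dependency visible. `logpath = /var/log/mail.warn` presumably matches the Debian rsyslog default for warning-level mail messages, which is where Postfix logs SASL failures; worth confirming on hosts with a different syslog layout.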
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index cd7a8bd..5243ae1 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -18,3 +18,6 @@ in tcp 25 # SMTP
{% if 'IMAP' in group_names %}
in tcp 993 # IMAPS
{% endif %}
+{% if 'MSA' in group_names %}
+in tcp 587 # SMTP-AUTH
+{% endif %}
diff --git a/roles/mx/templates/etc/postfix/main.cf.j2 b/roles/mx/templates/etc/postfix/main.cf.j2
index a9ce8c4..0aa91b3 100644
--- a/roles/mx/templates/etc/postfix/main.cf.j2
+++ b/roles/mx/templates/etc/postfix/main.cf.j2
@@ -89,7 +89,6 @@ smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_eecdh_grade = strong
-
tls_random_source = dev:/dev/urandom