summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-13 01:39:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:05 +0200
commit4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch)
tree4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles
parent40ecc9de640b40a0175238fcff9929adfe537493 (diff)
Replace Postgrey with postscreen.
See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's infortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not.
Diffstat (limited to 'roles')
-rw-r--r--roles/MX/handlers/main.yml3
-rw-r--r--roles/MX/tasks/main.yml20
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j220
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/catchall.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j22
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/postfix-local14
-rw-r--r--roles/common/files/etc/postfix/master.cf7
-rw-r--r--roles/out/handlers/main.yml3
12 files changed, 44 insertions, 35 deletions
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,6 +1,3 @@
---
-- name: Restart Postgrey
- service: name=postgrey state=restarted
-
- name: Reload Postfix
service: name=postfix state=reloaded
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index db4bb58..8cd5106 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,30 +1,14 @@
-- name: Install Postfix & Postgrey
+- name: Install Postfix
apt: pkg={{ item }}
with_items:
- postfix
- postfix-pcre
- postfix-ldap
- postfix-cdb
- - postgrey
+ # The following is for reserved-alias.pl
- libnet-ldap-perl
- libauthen-sasl-perl
-- name: Configure Postgrey
- lineinfile: dest=/etc/default/postgrey
- regexp='^POSTGREY_OPTS='
- line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"'
- owner=root group=root
- mode=0644
- register: r
- notify:
- - Restart Postgrey
-
-- name: Start Postgrey
- service: name=postgrey state=started
- when: not r.changed
-
-- meta: flush_handlers
-
- name: Configure Postfix
template: src=etc/postfix/main.cf.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 476178a..181066a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -123,11 +123,25 @@ unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
+postscreen_blacklist_action = drop
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites =
+ zen.spamhaus.org*3
+ swl.spamhaus.org*-4
+ b.barracudacentral.org*2
+ bl.spameatingmonkey.net*2
+ bl.spamcop.net
+ dnsbl.sorbs.net
+ list.dnswl.org=127.[0..255].[0..255].0*-2
+ list.dnswl.org=127.[0..255].[0..255].1*-3
+ list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
+
+postscreen_greet_action = enforce
+postscreen_whitelist_interfaces = !88.80.11.28 static:all
smtpd_client_restrictions =
permit_mynetworks
- reject_rbl_client zen.spamhaus.org
- reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
@@ -144,7 +158,7 @@ smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
- check_policy_service unix:private/postgrey
+ permit_dnswl_client list.dnswl.org
smtpd_data_restrictions =
reject_unauth_pipelining
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index c0ab405..1710376 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index 7679a9c..119b8b2 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 818ad02..66053c8 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
index 1cb8add..4ec247d 100644
--- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
@@ -1,3 +1,5 @@
+# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
+# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 80c7b7f..3b364c0 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 9b584c9..4654607 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
index e51bf24..e6c9771 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
@@ -6,7 +6,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/master[[[:digit:]]+]: reload -- version [.[:digit:]]+, configuration /etc/postfix$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/[ls]mtp\[[[:digit:]]+\]: [[:xdigit:]]{10}: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(2[[:digit:]][[:digit:]] .+\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtps?|25|submission|587)?:([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp[sd]?|25|submission|587)?:([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: start interval \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/scache\[[[:digit:]]+\]: statistics: (domain|address) lookup hits=[[:digit:]]+ miss=[[:digit:]]+ success=[[:digit:]]+%$
@@ -46,7 +46,6 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: lost connection after [[:upper:]]+( \([[:digit:]]+ bytes\))? from [._[:alnum:]-]+\[(unknown|[[:xdigit:].:]{3,39})\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: (CONNECT|RCPT) from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? Service unavailable; Client host \[([[:digit:].]{7,15}|[-._[:alnum:]]+)\] blocked using [._[:alnum:]-]+;( .+;)? (from=<[^[:space:]]*> to=<[^[:space:]]+> )?proto=E?SMTP( helo=<[^[:space:]]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: RCPT from [^[:space:]]+: [[:digit:]]{3}( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Relay access denied; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postgrey\[[[:digit:]]+\]: whitelisted: [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A: Host not found, try again$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: TLS library problem: [[:digit:]]+:error:[[:xdigit:]]+:SSL routines:SSL3_READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: SSL_accept error from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: -?[[:digit:]]+$
@@ -57,6 +56,17 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: numeric hostname: [[:xdigit:].:]{3,39}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=([-_.[:alnum:]]+), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via \2 service\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: Illegal address syntax from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] in MAIL command: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: PASS (OLD|NEW) \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: CONNECT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ to \[[[:xdigit:].:]{3,39}\]:25$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: DISCONNECT \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: PREGREET [[:digit:]]+ after [.[:digit:]]+ from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+: (EHLO|HELO)\s
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: HANGUP after [.[:digit:]]+ from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ in tests (before|after) SMTP handshake$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: DNSBL rank [[:digit:]]+ for \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from (\[[[:xdigit:].:]{3,39}\]):[[:digit:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? Service unavailable; client \1 blocked using [._[:alnum:]-]+;( .+;)? (from=<[^[:space:]]*>, to=<[^[:space:]]+>, )?proto=E?SMTP(, helo=<[^[:space:]]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: COMMAND TIME LIMIT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: cache [a-z]+:\S+ full cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/dnsblog\[[[:digit:]]+\]: addr [[:xdigit:].:]{3,39} listed by domain [._[:alnum:]-]+ as [[:xdigit:].:]{3,39}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/dnsblog\[[[:digit:]]+\]: warning: dnsblog_query: lookup error for DNS query ([._[:alnum:]-]+): Host or domain name not found. Name service error for name=\1 type=A: Host not found, try again$
#
# Amavis
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|UNCHECKED) {RelayedOutbound}, OUTGOING LOCAL \[(IPv6:)?[[:xdigit:].:]{3,39}\]:[[:digit:]]+( \[[[:xdigit:].:]{3,39}\])? <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Queue-ID: [[:xdigit:]]+,)?( Message-ID: <[^>]+>,)? mail_id: [_-+[:alnum:]]+, Hits: -, size: [[:digit:]]+, queued_as: [[:xdigit:]]+, dkim_new=[-.:[:alnum:]]+, [[:digit:]]+ ms$
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 02e1658..b60be94 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -8,10 +8,15 @@
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
-smtp inet n - - - - smtpd
+smtpd pass - - n - - smtpd
+ -o cleanup_service_name=cleanup_nochroot
+smtp inet n - n - 1 postscreen
+tlsproxy unix - - n - 0 tlsproxy
+dnsblog unix - - n - 0 dnsblog
submission inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
+cleanup_nochroot unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/out/handlers/main.yml
+++ b/roles/out/handlers/main.yml
@@ -1,6 +1,3 @@
---
-- name: Restart Postgrey
- service: name=postgrey state=restarted
-
- name: Reload Postfix
service: name=postfix state=reloaded