-rw-r--r--roles/MSA/tasks/main.yml10
-rw-r--r--roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j218
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j24
5 files changed, 35 insertions, 1 deletions
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 65d1dae..c78139a 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -1,26 +1,27 @@
- name: Install Postfix
apt: pkg={{ packages }}
vars:
packages:
- postfix
- postfix-pcre
+ - postfix-policyd-spf-python
- name: Copy Postfix sender login socketmap
copy: src=usr/local/bin/postfix-sender-login.pl
dest=/usr/local/bin/postfix-sender-login.pl
owner=root group=staff
mode=0755
- name: Copy Postfix sender login socketmap systemd unit files
copy: src=etc/systemd/system/{{ item }}
dest=/etc/systemd/system/{{ item }}
owner=root group=root
mode=0644
with_items:
- postfix-sender-login.service
- postfix-sender-login.socket
notify:
- systemctl daemon-reload
- meta: flush_handlers
@@ -42,40 +43,49 @@
# no need to reload upon change, as cleanup(8) is short-running
copy: src=etc/postfix/anonymize_sender.pcre
dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre
owner=root group=root
mode=0644
- name: Copy the check_sender_access map
copy: src=etc/postfix/check_sender_access
dest=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access
owner=root group=root
mode=0644
- name: Compile the check_sender_access map
# no need to reload upon change, as cleanup(8) is short-running
postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access db=lmdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
+- name: Configure policyd-spf
+ template: src=etc/postfix-policyd-spf-python/policyd-spf.conf.j2
+ dest=/etc/postfix-policyd-spf-python/policyd-spf.conf
+ owner=root group=root
+ mode=0644
+ # Reload Postifx to terminate spawn(8) daemon children
+ notify:
+ - Reload Postfix
+
- name: Create directory /etc/postfix/ssl
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
state=directory
owner=root group=root
mode=0755
tags:
- genkey
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Fetch Postfix's X.509 certificate
# Ensure we don't fetch private data
become: False
# `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
fetch_cmd: cmd="openssl x509 -noout -pubkey"
stdin=/etc/postfix-{{ postfix_instance[inst].name }}/ssl/smtp.fripost.org.pem
dest=certs/public/smtp.fripost.org.pub
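Review bot: The comment on the new `Configure policyd-spf` task misspells the daemon name (`Postifx`) and does not say why a reload is needed, given that Postfix itself never reads this file; I would write `# Reload Postfix so spawn(8) respawns policyd-spf with the new configuration` in its place. The task writes one system-wide file, whereas the surrounding tasks are keyed on postfix_instance[inst]; if the MSA instance is the only consumer that is fine, but a one-line comment saying so would prevent a later reader from looking for a per-instance copy. The `Reload Postfix` handler is defined outside this hunk, so I cannot confirm from here that it reloads the MSA instance.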
diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
new file mode 100644
index 0000000..2cc1074
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+# We're just trying to keep our outgoing IPs clean of SPF violations,
+# not seeking 100% accurate reports. While it's possible that the
+# message is routed through a different IP (eg, IPv4 vs v6), giving a
+# potentially inaccurate prospective report, it's quite unlikely in
+# practice.
+Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }}
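Review bot: The `Prospective` line takes the exit status of `head`, not `dig`, so if dig is missing or the controller's resolver fails the pipe lookup still succeeds with empty output and the file is rendered with `Prospective =` unset rather than failing the play (to my knowledge the pipe lookup only errors on a non-zero exit). Validate the value before it is written, e.g. with an `assert` task that the looked-up string is an IPv4 address (the `ipaddr` filter is already used in this commit), or at least document that an empty value silently disables the prospective check; note also that `sort | head -n1` picks the lexically smallest A record, which is deterministic but arbitrary if the name has several. `TestOnly = 1` disables rejections per the policyd-spf.conf documentation, so the `HELO_reject`/`Mail_From_reject` settings below it are currently inert; a comment such as `# TestOnly: log the verdict only, never reject` next to it would make that intent explicit.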
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index a48a327..65a0339 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -33,40 +33,41 @@ multi_instance_enable = yes
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal outgoing proxy
relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
relay_domains =
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
+policyd-spf_time_limit = $ipc_timeout
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# TLS
smtp_tls_security_level = none
smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = $config_directory/ssl/smtp.fripost.org.pem
smtpd_tls_key_file = $config_directory/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
# SASL
smtpd_sasl_auth_enable = yes
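Review bot: The new `policyd-spf_time_limit = $ipc_timeout` line is undocumented and sits directly under the `# Tolerate occasional high latency` comment, so a reader will attribute it to the smtp timeout above it; give it its own comment, e.g. `# spawn(8) command time limit for the policyd-spf service (overrides command_time_limit)`. The parameter name is derived from the policyd-spf service defined in master.cf, which is not in this hunk, so the two names must stay in sync.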
@@ -90,33 +91,34 @@ address_verify_relayhost =
address_verify_sender_ttl = 8069m
address_verify_negative_refresh_time = 5m
unverified_recipient_defer_code = 250
unverified_recipient_reject_code = 550
address_verify_map = lmdb:$data_directory/verify_cache
address_verify_default_transport = smtp_verify
smtpd_client_restrictions =
permit_sasl_authenticated
reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
reject_invalid_helo_hostname
smtpd_sender_login_maps = socketmap:unix:private/sender-login:sender_login
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
check_sender_access lmdb:$config_directory/check_sender_access
+ check_policy_service unix:private/policyd-spf
reject_known_sender_login_mismatch
smtpd_relay_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_unverified_recipient
permit_sasl_authenticated
reject
smtpd_data_restrictions =
reject_unauth_pipelining
# vim: set filetype=pfmain :
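Review bot: `check_policy_service unix:private/policyd-spf` is placed before `reject_known_sender_login_mismatch`, so the external policy daemon (a DNS round-trip per query) is consulted for submissions the cheaper local check would reject anyway, and, as far as I know, if the daemon's socket is unavailable Postfix answers those with a temporary failure instead of the definitive reject. Putting the policy lookup last in `smtpd_sender_restrictions` keeps the local checks authoritative: `check_sender_access lmdb:$config_directory/check_sender_access`, `reject_known_sender_login_mismatch`, `check_policy_service unix:private/policyd-spf`. Since `smtpd_client_restrictions` permits only SASL-authenticated clients, only authenticated submissions reach this check, which matches the outgoing-IP-hygiene purpose stated in the new policyd-spf.conf.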
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 279611b..b369d43 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -22,27 +22,27 @@ inet_interfaces = loopback-only
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
local_recipient_maps =
# All aliases are virtual
default_database_type = lmdb
virtual_alias_maps = lmdb:/etc/aliases
alias_database = $virtual_alias_maps
# Forward everything to our internal outgoing proxy
relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
relay_domains =
smtp_tls_security_level = none
smtpd_tls_security_level = none
{% set instances = postfix_instance.keys() | intersect(group_names) | list %}
{%- if instances | length > 0 -%}
-## Other postfix instances
+# Other postfix instances
multi_instance_wrapper = $command_directory/postmulti -p --
multi_instance_enable = yes
multi_instance_directories ={% for i in instances | sort %} /etc/postfix-{{ postfix_instance[i].name }}{% endfor %}
{% endif %}
# vim: set filetype=pfmain :
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 905c82e..d9cb5d3 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -48,40 +48,44 @@ smtp unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
{% if inst is defined and inst == 'MSA' %}
smtp_verify unix - - y - - smtp
-o smtp_helo_name=noreply.$mydomain
-o smtp_tls_security_level=may
-o smtp_tls_ciphers=medium
-o smtp_tls_protocols=!SSLv2,!SSLv3
-o smtp_tls_note_starttls_offer=yes
-o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache
{% endif %}
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
+{% if inst is defined and inst == 'MSA' %}
+policyd-spf unix - n n - 0 spawn
+ user=policyd-spf argv=/usr/bin/policyd-spf
+{% endif %}
{% if inst is defined and inst == 'MX' %}
reserved-alias unix - n n - - pipe
flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
{% endif %}
{% if inst is defined and inst == 'lists' %}
sympa unix - n n - - pipe
flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
{% endif %}
{% if inst is defined and inst == 'out' %}
# Client part (lmtp) - amavis
amavisfeed unix - - n - 5 lmtp
-o lmtp_destination_recipient_limit=1000
-o lmtp_send_xforward_command=yes
-o lmtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
# Server part (smtpd) - amavis
[127.0.0.1]:10025 inet n - y - - smtpd
-o content_filter=