Diffstat (limited to 'roles/MSA/files/etc')
-rw-r--r--roles/MSA/files/etc/postfix/anonymize_sender.pcre5
-rw-r--r--roles/MSA/files/etc/postfix/check_sender_access1
-rw-r--r--roles/MSA/files/etc/systemd/system/postfix-sender-login.service25
-rw-r--r--roles/MSA/files/etc/systemd/system/postfix-sender-login.socket8
4 files changed, 37 insertions, 2 deletions
diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
index bd3d5f1..b91b981 100644
--- a/roles/MSA/files/etc/postfix/anonymize_sender.pcre
+++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
@@ -1,7 +1,8 @@
-/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[[[:xdigit:].:]{3,39}\]\))
- (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).*
+/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[(?:IPv6:)?[[:xdigit:].:]{3,39}\]\))
+ (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)
+ (?:\s+key-exchange\s+\S+\s+(?:\([^)]+\)\s+)?server-signature\s+\S+\s+\(\d+\s+bits\)(?:\s+server-[[:alnum:]]+\s+\S+)*)?\)\s+).*
(\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\)
\s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2}
/^X-Originating-IP:/ IGNORE
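Review bot: The rewritten Received: pattern still treats the `(using TLS|SSL ... )` parenthetical as mandatory — only the new key-exchange/server-signature tail inside it is optional — so a submission whose Received: line carries no TLS clause is not rewritten at all and the client's address and hostname stay in the outgoing header. If cleartext submission is impossible on this MSA that is acceptable, but the assumption is worth recording at the top of the file, e.g. `# Assumes every submission is over TLS: the '(using TLS ...)' group below is mandatory, an unmatched line keeps the client IP.` (pcre_table(5) allows `#` comment lines). The added `(?:IPv6:)?` and the server-signature clause presumably track the Received: format of a newer Postfix release; naming that release in the same comment would tell the next maintainer when the pattern needs revisiting again.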
diff --git a/roles/MSA/files/etc/postfix/check_sender_access b/roles/MSA/files/etc/postfix/check_sender_access
new file mode 100644
index 0000000..07d2874
--- /dev/null
+++ b/roles/MSA/files/etc/postfix/check_sender_access
@@ -0,0 +1 @@
+<> REJECT Null sender not allowed
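Review bot: The map has no comment explaining why the null sender is rejected on a submission service, and the `<>` key only works because it matches Postfix's `smtpd_null_access_lookup_key` default; both facts are worth a line above the entry so the policy is not "fixed" later. Suggested: `# Submission clients do not originate bounces; '<>' is smtpd_null_access_lookup_key (access(5)).` If this table is declared as a hash/lmdb type in main.cf rather than a plain text map, the role also needs to run postmap on it, which this commit does not show.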
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
new file mode 100644
index 0000000..d652f75
--- /dev/null
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Postfix sender login socketmap
+After=mail-transport-agent.target
+Requires=postfix-sender-login.socket
+
+[Service]
+User=_postfix-sender-login
+StandardInput=null
+SyslogFacility=mail
+ExecStart=/usr/local/bin/postfix-sender-login.pl
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
+Also=postfix-sender-login.socket
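Review bot: The hardening block is a good start but leaves out the directives that matter most for a Perl helper that only needs a Unix socket: nothing restricts capabilities, system calls, namespaces or setuid binaries, so a compromise of the script still gets the full syscall surface of user `_postfix-sender-login`. Since `PrivateNetwork=yes` and `RestrictAddressFamilies=AF_UNIX` already commit the unit to socket-activation over AF_UNIX, the additions below cost nothing functionally; `ProtectClock`, `ProtectHostname` and `ProtectKernelLogs` need a fairly recent systemd, so run `systemd-analyze verify` on the target and drop any the release rejects. `MemoryDenyWriteExecute=yes` is usually fine for a plain Perl process but should be tested before being added.
```ini
[Service]
# … unchanged: User, StandardInput, SyslogFacility, ExecStart …

# Hardening
# … unchanged: NoNewPrivileges … RestrictAddressFamilies=AF_UNIX …
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
```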
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.socket b/roles/MSA/files/etc/systemd/system/postfix-sender-login.socket
new file mode 100644
index 0000000..e8d99b5
--- /dev/null
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.socket
@@ -0,0 +1,8 @@
+[Socket]
+SocketUser=postfix
+SocketGroup=postfix
+SocketMode=0600
+ListenStream=/var/spool/postfix-msa/private/sender-login
+
+[Install]
+WantedBy=sockets.target