4 files changed, 55 insertions, 36 deletions
diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
new file mode 100644
index 0000000..2cc1074
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+# We're just trying to keep our outgoing IPs clean of SPF violations,
+# not seeking 100% accurate reports.  While it's possible that the
+# message is routed through a different IP (eg, IPv4 vs v6), giving a
+# potentially inaccurate prospective report, it's quite unlikely in
+# practice.
+Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }}
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index efcebef..6a544ac 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -1,128 +1,127 @@
 ########################################################################
-# MSA configuration
+# Mail Submission Agent (MSA) configuration
 #
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 
-smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
-biff             = no
-readme_directory = no
-mail_owner       = postfix
+smtpd_banner        = $myhostname ESMTP $mail_name (Debian/GNU)
+biff                = no
+readme_directory    = no
+compatibility_level = 2
+smtputf8_enable     = no
 
 delay_warning_time     = 4h
 maximal_queue_lifetime = 5d
 
 myorigin            = /etc/mailname
 myhostname          = smtp{{ msano | default('') }}.$mydomain
 mydomain            = fripost.org
 append_dot_mydomain = no
 
-# Turn off all TCP/IP listener ports except that necessary for the MSA.
-master_service_disable = !submission.inet inet
+mynetworks = 127.0.0.0/8, [::1]/128
+{%- for h in groups.webmail | difference([inventory_hostname]) | sort -%}
+           , {{ ipsec[ hostvars[h].inventory_hostname_short ] | ansible.utils.ipaddr }}
+{% endfor %}
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
 multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
-# This server is a Mail Submission Agent
-mynetworks_style = host
-inet_interfaces  = all
-
 # No local delivery
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
 message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal outgoing proxy
-{% if 'out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
+relayhost     = [{{ postfix_instance.out.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.out.port }}
 relay_domains =
 
 
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
+policyd-spf_time_limit           = $ipc_timeout
 
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks  = pcre:$config_directory/anonymize_sender.pcre
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 
 
 # TLS
-{% if 'out' in group_names %}
 smtp_tls_security_level         = none
-smtp_bind_address               = 127.0.0.1
-{% else %}
-smtp_tls_security_level         = encrypt
-smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
-smtp_tls_fingerprint_digest     = sha256
-{% endif %}
-
 smtpd_tls_security_level        = encrypt
-smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
-smtpd_tls_key_file              = /etc/postfix/ssl/private/smtp.fripost.org.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
-smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_mandatory_ciphers     = high
+smtpd_tls_mandatory_protocols   = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_cert_file             = $config_directory/ssl/smtp.fripost.org.pem
+smtpd_tls_key_file              = $config_directory/ssl/smtp.fripost.org.key
+smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
+smtpd_tls_session_cache_database=
 smtpd_tls_received_header       = yes
-smtpd_tls_ask_ccert             = yes
+tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
-address_verify_sender            = $double_bounce_sender@$mydomain
-unverified_recipient_defer_code  = 250
-unverified_recipient_reject_code = 550
+address_verify_sender                = $double_bounce_sender@noreply.$mydomain
+address_verify_poll_count            = 3
+address_verify_relayhost             =
+address_verify_sender_ttl            = 8069m
+address_verify_negative_refresh_time = 5m
+unverified_recipient_defer_code      = 250
+unverified_recipient_reject_code     = 550
+address_verify_map                   = lmdb:$data_directory/verify_cache
+address_verify_default_transport     = smtp_verify
 
 smtpd_client_restrictions =
     permit_sasl_authenticated
     reject
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
+smtpd_sender_login_maps   = socketmap:unix:private/sender-login:sender_login
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
+    check_sender_access lmdb:$config_directory/check_sender_access
+    check_policy_service unix:private/policyd-spf
+    reject_known_sender_login_mismatch
 
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
     reject_unverified_recipient
-    permit_mynetworks
     permit_sasl_authenticated
     reject
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
+smtpd_forbid_bare_newline = normalize
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 # vim: set filetype=pfmain :
diff --git a/roles/MSA/templates/etc/postfix/master.cf.j2 b/roles/MSA/templates/etc/postfix/master.cf.j2
new file mode 120000
index 0000000..011f8e0
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/master.cf.j2
@@ -0,0 +1 @@
+../../../../common/templates/etc/postfix/master.cf.j2
+\ No newline at end of file
diff --git a/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2 b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
new file mode 120000
index 0000000..b40876f
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/smtp_tls_policy.j2
+\ No newline at end of file