diff options
Diffstat (limited to 'roles/MSA')
| -rw-r--r-- | roles/MSA/files/etc/postfix/check_sender_access | 1 | ||||
| -rw-r--r-- | roles/MSA/tasks/main.yml | 14 | ||||
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 1 |
3 files changed, 16 insertions, 0 deletions
diff --git a/roles/MSA/files/etc/postfix/check_sender_access b/roles/MSA/files/etc/postfix/check_sender_access new file mode 100644 index 0000000..07d2874 --- /dev/null +++ b/roles/MSA/files/etc/postfix/check_sender_access @@ -0,0 +1 @@ +<> REJECT Null sender not allowed diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml index 3068e1b..6eff2cf 100644 --- a/roles/MSA/tasks/main.yml +++ b/roles/MSA/tasks/main.yml @@ -5,40 +5,54 @@ - postfix-pcre - name: Configure Postfix template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix - name: Copy the Regex to anonymize senders # no need to reload upon change, as cleanup(8) is short-running copy: src=etc/postfix/anonymize_sender.pcre dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre owner=root group=root mode=0644 +- name: Copy the check_sender_access map + copy: src=etc/postfix/check_sender_access + dest=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access + owner=root group=root + mode=0644 + +- name: Compile the check_sender_access map + # no need to reload upon change, as cleanup(8) is short-running + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access db=cdb + owner=root group=root + mode=0644 + notify: + - Reload Postfix + - name: Create directory /etc/postfix/ssl file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl state=directory owner=root group=root mode=0755 tags: - genkey - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data become: False # `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/postfix-{{ postfix_instance[inst].name }}/ssl/smtp.fripost.org.pem dest=certs/public/smtp.fripost.org.pub diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 3c040b0..cbd5264 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -79,32 +79,33 @@ smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes address_verify_sender = $double_bounce_sender@$mydomain address_verify_sender_ttl = 24h unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_sasl_authenticated reject smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain + check_sender_access cdb:$config_directory/check_sender_access smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unverified_recipient permit_sasl_authenticated reject smtpd_data_restrictions = reject_unauth_pipelining # vim: set filetype=pfmain : |