6 files changed, 47 insertions, 16 deletions

diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
index 7c11f4e..b91b981 100644
--- a/roles/MSA/files/etc/postfix/anonymize_sender.pcre
+++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
@@ -1,5 +1,6 @@
 /^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[(?:IPv6:)?[[:xdigit:].:]{3,39}\]\))
-        (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).*
+        (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)
+            (?:\s+key-exchange\s+\S+\s+(?:\([^)]+\)\s+)?server-signature\s+\S+\s+\(\d+\s+bits\)(?:\s+server-[[:alnum:]]+\s+\S+)*)?\)\s+).*
         (\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\)
         \s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x
     REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2}
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index f5e6d89..d652f75 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -4,8 +4,7 @@ After=mail-transport-agent.target
 Requires=postfix-sender-login.socket
 
 [Service]
-User=postfix
-Group=postfix
+User=_postfix-sender-login
 StandardInput=null
 SyslogFacility=mail
 ExecStart=/usr/local/bin/postfix-sender-login.pl
@@ -13,10 +12,9 @@ ExecStart=/usr/local/bin/postfix-sender-login.pl
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
+PrivateNetwork=yes
 ProtectHome=yes
 ProtectSystem=strict
-PrivateDevices=yes
-PrivateNetwork=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
diff --git a/roles/MSA/files/usr/local/bin/postfix-sender-login.pl b/roles/MSA/files/usr/local/bin/postfix-sender-login.pl
index 374cc70..a37f872 100755
--- a/roles/MSA/files/usr/local/bin/postfix-sender-login.pl
+++ b/roles/MSA/files/usr/local/bin/postfix-sender-login.pl
@@ -3,7 +3,7 @@
 #----------------------------------------------------------------------
 # socketmap lookup table returning the SASL login name(s) owning a given
 # sender address
-# Copyright © 2017 Guilhem Moulin <guilhem@fripost.org>
+# Copyright © 2017,2020 Guilhem Moulin <guilhem@fripost.org>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -33,12 +33,13 @@ use Authen::SASL ();
 $ENV{PATH} = join ':', qw{/usr/bin /bin};
 delete @ENV{qw/IFS CDPATH ENV BASH_ENV/};
 
-my $nProc      = 2;                        # number of pre-forked servers
-my $POSTMASTER = 'postmaster@fripost.org'; # returned for forbidden envelope sender addresses
+my $nProc       = 2;                        # number of pre-forked servers
+my $maxRequests = 32;                       # maximum number of requests per worker
+my $POSTMASTER  = 'postmaster@fripost.org'; # returned for forbidden envelope sender addresses
 
-my $BASEDN  = 'ou=virtual,dc=fripost,dc=org';
+my $BASEDN  = "ou=virtual,dc=fripost,dc=org";
 my $BUFSIZE = 65536; # try to read that many bytes at the time
-my $LDAPI   = 'ldapi://%2Fvar%2Fspool%2Fpostfix-msa%2Fprivate%2Fldapi/';
+my $LDAPI   = "ldapi://";
 sub server();
 
 
@@ -66,7 +67,7 @@ exit $?;
 #############################################################################
 
 sub server() {
-    for (my $n = 0; $n < 32; $n++) {
+    for (my $n = 0; $n < $maxRequests; $n++) {
         accept(my $conn, $S) or do {
             next if $! == EINTR;
             die "accept: $!";
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index c78139a..bf17702 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -3,15 +3,32 @@
   vars:
     packages:
     - postfix
+    - postfix-lmdb
     - postfix-pcre
     - postfix-policyd-spf-python
 
+- name: Install Net::LDAP and Authen::SASL
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+    - libnet-ldap-perl
+    - libauthen-sasl-perl
+
 - name: Copy Postfix sender login socketmap
   copy: src=usr/local/bin/postfix-sender-login.pl
         dest=/usr/local/bin/postfix-sender-login.pl
         owner=root group=staff
         mode=0755
 
+- name: Create '_postfix-sender-login' user
+  user: name=_postfix-sender-login system=yes
+        group=nogroup
+        createhome=no
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        password=!
+        state=present
+
 - name: Copy Postfix sender login socketmap systemd unit files
   copy: src=etc/systemd/system/{{ item }}
         dest=/etc/systemd/system/{{ item }}
@@ -23,6 +40,19 @@
   notify:
     - systemctl daemon-reload
 
+- name: Copy the SMTP TLS policy maps
+  template: src=etc/postfix/smtp_tls_policy.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy
+            owner=root group=root
+            mode=0644
+
+- name: Compile the SMTP TLS policy maps
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy db=lmdb
+           owner=root group=root
+           mode=0644
+  notify:
+    - Reload Postfix
+
 - meta: flush_handlers
 
 - name: Enable Postfix sender login socketmap
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 65a0339..bc98d9e 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -20,7 +20,7 @@ append_dot_mydomain = no
 
 mynetworks = 127.0.0.0/8, [::1]/128
 {%- for h in groups.webmail | difference([inventory_hostname]) | sort -%}
-           , {{ ipsec[ hostvars[h].inventory_hostname_short ] | ipaddr }}
+           , {{ ipsec[ hostvars[h].inventory_hostname_short ] | ansible.utils.ipaddr }}
 {% endfor %}
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
@@ -40,7 +40,7 @@ message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal outgoing proxy
-relayhost     = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
+relayhost     = [{{ postfix_instance.out.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.out.port }}
 relay_domains =
 
 
@@ -60,14 +60,14 @@ header_checks  = pcre:$config_directory/anonymize_sender.pcre
 # TLS
 smtp_tls_security_level         = none
 smtpd_tls_security_level        = encrypt
-smtpd_tls_ciphers               = high
-smtpd_tls_protocols             = !SSLv2, !SSLv3
-smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtpd_tls_mandatory_ciphers     = high
+smtpd_tls_mandatory_protocols   = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_cert_file             = $config_directory/ssl/smtp.fripost.org.pem
 smtpd_tls_key_file              = $config_directory/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database=
 smtpd_tls_received_header       = yes
+tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 # SASL
 smtpd_sasl_auth_enable          = yes
diff --git a/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2 b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
new file mode 120000
index 0000000..b40876f
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/smtp_tls_policy.j2
\ No newline at end of file