Diffstat (limited to 'roles/MX/files')
-rw-r--r--roles/MX/files/etc/opendmarc.conf116
-rw-r--r--roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf10
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias_domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/catchall.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/list.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/mailbox.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/reserved_alias.pcre3
-rw-r--r--roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf17
-rw-r--r--roles/MX/files/etc/systemd/system/opendmarc.socket10
11 files changed, 159 insertions, 9 deletions
diff --git a/roles/MX/files/etc/opendmarc.conf b/roles/MX/files/etc/opendmarc.conf
new file mode 100644
index 0000000..ebbc850
--- /dev/null
+++ b/roles/MX/files/etc/opendmarc.conf
@@ -0,0 +1,116 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see openmarc.conf(5) and/or
+# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
+
+## AuthservID (string)
+## defaults to MTA name
+##
+## Sets the "authserv-id" to use when generating the Authentication-Results:
+## header field after verifying a message. If the string "HOSTNAME" is
+## provided, the name of the host running the filter (as returned by the
+## gethostname(3) function) will be used.
+#
+# AuthservID name
+
+## FailureReports { true | false }
+## default "false"
+##
+## Enables generation of failure reports when the DMARC test fails and the
+## purported sender of the message has requested such reports. Reports are
+## formatted per RFC6591.
+#
+# FailureReports false
+
+## PublicSuffixList path
+## default (none)
+##
+## Specifies the path to a file that contains top-level domains (TLDs) that
+## will be used to compute the Organizational Domain for a given domain name,
+## as described in the DMARC specification. If not provided, the filter will
+## not be able to determine the Organizational Domain and only the presented
+## domain will be evaluated.
+#
+PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
+
+## RejectFailures { true | false }
+## default "false"
+##
+## If set, messages will be rejected if they fail the DMARC evaluation, or
+## temp-failed if evaluation could not be completed. By default, no message
+## will be rejected or temp-failed regardless of the outcome of the DMARC
+## evaluation of the message. Instead, an Authentication-Results header
+## field will be added.
+#
+RejectFailures false
+
+## Socket socketspec
+## default (none)
+##
+## Specifies the socket that should be established by the filter to receive
+## connections from sendmail(8) in order to provide service. socketspec is
+## in one of two forms: local:path, which creates a UNIX domain socket at
+## the specified path, or inet:port[@host] or inet6:port[@host] which creates
+## a TCP socket on the specified port for the appropriate protocol family.
+## If the host is not given as either a hostname or an IP address, the
+## socket will be listening on all interfaces. This option is mandatory
+## either in the configuration file or on the command line. If an IP
+## address is used, it must be enclosed in square brackets.
+#
+Socket local:/run/opendmarc/opendmarc.sock
+
+## Syslog { true | false }
+## default "false"
+##
+## Log via calls to syslog(3) any interesting activity.
+#
+Syslog true
+
+## SyslogFacility facility-name
+## default "mail"
+##
+## Log via calls to syslog(3) using the named facility. The facility names
+## are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+## TrustedAuthservIDs string
+## default HOSTNAME
+##
+## Specifies one or more "authserv-id" values to trust as relaying true
+## upstream DKIM and SPF results. The default is to use the name of
+## the MTA processing the message. To specify a list, separate each entry
+## with a comma. The key word "HOSTNAME" will be replaced by the name of
+## the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+
+## SPFIgnoreResults { true | false }
+## default "false"
+##
+## Causes the filter to ignore any SPF results in the header of the message.
+## This is useful if you want the filter to perfrom SPF checks itself, or
+## because you don't trust the arriving header.
+#
+SPFIgnoreResults true
+
+## SPFSelfValidate { true | false }
+## default "false"
+##
+## Causes the filter to perform a fallback SPF check itself when it can
+## find no SPF results in the message header. If SPFIgnoreResults is also
+## set, it never looks for SPF results in headers and always performs the
+## SPF check itself when this is set.
+#
+SPFSelfValidate true
+
+## UMask mask
+## default (none)
+##
+## Requests a specific permissions mask to be used for file creation. This
+## only really applies to creation of the socket when Socket specifies a
+## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+## files are normally created by the mkstemp(3) function that enforces a
+## specific file mode on creation regardless of the process umask. See
+## umask(2) for more information.
+#
+UMask 0007
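Review bot: With `TrustedAuthservIDs` left at its default (HOSTNAME), the filter treats any Authentication-Results: header already present in the message whose authserv-id equals this host's name as genuine upstream DKIM results, so a remote sender who forges such a header can make OpenDMARC record a DMARC pass; nothing in this hunk shows the inbound MTA stripping those headers (a header_checks rule, or the equivalent option in whatever adds the DKIM results), and `SPFIgnoreResults true` only closes that hole for SPF, not DKIM — please confirm where that stripping happens, and that the DKIM verifier writes the same authserv-id, otherwise DKIM-aligned mail will be evaluated as if unsigned. Separately, `Socket local:/run/opendmarc/opendmarc.sock` is superseded by `-p fd:3` in the accompanying systemd override, so this line names a socket that is never created; I would replace it with `# Socket is inherited from systemd (opendmarc.socket, see -p fd:3 in the service override)` so nobody points Postfix at the dead path. A one-line comment above `RejectFailures false` stating that this is deliberately monitor-only (policy is annotated, never enforced) would also help, since an operator reading the long doc block may assume enforcement.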
diff --git a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
new file mode 100644
index 0000000..1f61f4b
--- /dev/null
+++ b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
@@ -0,0 +1,10 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
+domain = static:all
+scope = one
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
+result_attribute = fvl
+result_format = reject_unknown_client_hostname
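Review bot: The new map has no header comment, yet it only makes sense as the target of a check_recipient_access (or similar) restriction, and its `query_filter` is a copy of the one in virtual/list.cf with only `result_format` differing, so the two will silently diverge if one is edited. I would open the file with `# Access(5) map for smtpd_*_restrictions: active, non-pending mailing lists get forward-confirmed rDNS enforced on the client` and `# Keep the query_filter identical to virtual/list.cf`. Note that `reject_unknown_client_hostname` also fires on temporary DNS failures (with the code set by unknown_client_reject_code, which this hunk does not show), so legitimate senders behind broken reverse DNS are deferred or rejected for list addresses only; worth stating in the comment so the behaviour is not mistaken for a bug. The `ldapi://%2Fprivate%2Fldapi/` path is relative to the postfix-mx queue directory and therefore only resolves from a chrooted daemon, which I assume matches how the other virtual/*.cf maps are consumed.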
diff --git a/roles/MX/files/etc/postfix/virtual/alias.cf b/roles/MX/files/etc/postfix/virtual/alias.cf
index 1c104a9..2e846ca 100644
--- a/roles/MX/files/etc/postfix/virtual/alias.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias.cf
@@ -1,9 +1,9 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/alias_domains.cf b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
index 907166f..1108ea1 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
@@ -1,11 +1,11 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
result_attribute = fripostMaildrop
result_format = %U@%s
diff --git a/roles/MX/files/etc/postfix/virtual/catchall.cf b/roles/MX/files/etc/postfix/virtual/catchall.cf
index e0e6350..a67d39c 100644
--- a/roles/MX/files/etc/postfix/virtual/catchall.cf
+++ b/roles/MX/files/etc/postfix/virtual/catchall.cf
@@ -1,10 +1,10 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/domains.cf b/roles/MX/files/etc/postfix/virtual/domains.cf
index f5a7f25..88e17e2 100644
--- a/roles/MX/files/etc/postfix/virtual/domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/domains.cf
@@ -1,11 +1,9 @@
-# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
-# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
result_attribute = fvd
result_format = OK
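Review bot: The deleted XXX comment asked why a chroot-relative ldapi path works for a map smtpd(8) looks up, and the commit removes the question without recording the answer while switching every other virtual/*.cf map to the same relative path. If the answer is that all daemons using these maps (smtpd, trivial-rewrite, cleanup) run chrooted in the postfix-mx instance, say so here so the next reader does not reopen it: `# ldapi path is relative to queue_directory: every daemon that consults this map runs chrooted (see master.cf)`. Two practical consequences deserve a line as well: `postmap -q` from the host will fail with this path because it is not chrooted, and moving any lookup to proxymap(8) would require the absolute socket path again. If the daemons are in fact not all chrooted, the old path was the correct one and this hunk reintroduces the failure the comment warned about.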
diff --git a/roles/MX/files/etc/postfix/virtual/list.cf b/roles/MX/files/etc/postfix/virtual/list.cf
index 99e2147..e2df119 100644
--- a/roles/MX/files/etc/postfix/virtual/list.cf
+++ b/roles/MX/files/etc/postfix/virtual/list.cf
@@ -1,12 +1,12 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostListManager
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@%s.fripost.org
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox.cf b/roles/MX/files/etc/postfix/virtual/mailbox.cf
index 7289670..36862db 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox.cf
@@ -1,12 +1,12 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fvl
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@mda.fripost.org
diff --git a/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre b/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
index 9fe60c8..eb17d65 100644
--- a/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
+++ b/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
@@ -1,6 +1,5 @@
/^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/ admin@fripost.org
# For other domains, RFC 822 section 6.3 and RFC 2142 section 4
# mandatory aliases are forwarded to OUR admin team and to the domain
# owner or postmaster, if there are any.
-/^(postmaster|abuse)(?:\+.*)?@(.*)/ $2/$1@reserved.fripost.org
-/^(double-bounce)(?:\+.*)?@(.*)/ $2/$1@discard.fripost.org
+/^(postmaster|abuse)(?:\+.*)?@(.*)/ $2/$1@reserved.fripost.org
diff --git a/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf
new file mode 100644
index 0000000..1fb5567
--- /dev/null
+++ b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf
@@ -0,0 +1,17 @@
+[Service]
+Type=simple
+User=opendmarc
+ExecStart=
+ExecStart=/usr/sbin/opendmarc -f -p fd:3
+StandardOutput=journal
+SyslogFacility=mail
+RuntimeDirectory=opendmarc
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
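Review bot: The hardening block is a good start but leaves the service with its full capability set, all address families, writable+executable memory and an unrestricted syscall surface, which is more than a milter that only needs an AF_UNIX socket plus DNS (AF_INET/AF_INET6) for DMARC/SPF lookups requires; I would extend it as below. `MemoryDenyWriteExecute` and `SystemCallFilter=@system-service` should be tested against the installed libmilter/libspf build before merging, as should `-p fd:3`, which presumes an OpenDMARC version that accepts an inherited descriptor as socket spec. `ProtectSystem=strict` is fine today because the only writable path is the RuntimeDirectory, but if HistoryFile or a PidFile outside /run/opendmarc is ever enabled it will need a matching ReadWritePaths= or StateDirectory=.

```ini
# Hardening
NoNewPrivileges=yes
CapabilityBoundingSet=
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
# Milter socket is AF_UNIX; DMARC/SPF policy lookups need DNS over IPv4/IPv6
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
```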
diff --git a/roles/MX/files/etc/systemd/system/opendmarc.socket b/roles/MX/files/etc/systemd/system/opendmarc.socket
new file mode 100644
index 0000000..483ef60
--- /dev/null
+++ b/roles/MX/files/etc/systemd/system/opendmarc.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenDMARC Milter activation socket
+
+[Socket]
+ListenStream=/var/spool/postfix-mx/public/opendmarc
+SocketUser=postfix
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
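Review bot: `SocketMode=0666` lets any local user connect to the milter and feed it arbitrary messages, and it makes the `SocketUser=postfix` line irrelevant since ownership no longer gates access; the only client is the chrooted smtpd running as user postfix, so `SocketGroup=postfix` with `SocketMode=0660` is sufficient and is what the `UMask 0007` in opendmarc.conf was evidently aiming for. The parent `public/` directory's own permissions probably already keep other users out, but the unit should not depend on Postfix's directory layout for that. A `Description=` referencing the postfix-mx instance and a comment that the path must equal the instance's queue_directory plus the `unix:public/opendmarc` milter spec in main.cf would make the coupling explicit.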