summaryrefslogtreecommitdiffstats
path: root/roles/MX/templates/etc
diff options
context:
space:
mode:
Diffstat (limited to 'roles/MX/templates/etc')
-rw-r--r--roles/MX/templates/etc/postfix/access-list.cidr.j216
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j251
2 files changed, 48 insertions, 19 deletions
diff --git a/roles/MX/templates/etc/postfix/access-list.cidr.j2 b/roles/MX/templates/etc/postfix/access-list.cidr.j2
new file mode 100644
index 0000000..bd6e3d8
--- /dev/null
+++ b/roles/MX/templates/etc/postfix/access-list.cidr.j2
@@ -0,0 +1,16 @@
+########################################################################
+# Access list, see cidr_table(5)
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+{% if ipsec_subnet is defined %}
+{{ ipsec_subnet }} permit
+{% endif %}
+
+{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org A').splitlines() | sort -%}
+{{ ip }}/32 permit
+{% endfor %}
+{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org AAAA').splitlines() | sort -%}
+{{ ip }}/128 permit
+{% endfor %}
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 8e6040f..e5792c4 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -93,40 +93,44 @@ invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
-unknown_address_reject_code = 554
-unknown_client_reject_code = 554
-unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
+postscreen_access_list =
+ permit_mynetworks
+ cidr:$config_directory/access-list.cidr
postscreen_dnsbl_whitelist_threshold = -1
+
postscreen_blacklist_action = drop
-postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
- zen.spamhaus.org*2
+ zen.spamhaus.org=127.0.0.[10;11]*8
+ zen.spamhaus.org=127.0.0.[4..7]*6
+ zen.spamhaus.org=127.0.0.3*4
+ zen.spamhaus.org=127.0.0.2*3
#swl.spamhaus.org*-4
- b.barracudacentral.org*2
- bl.spameatingmonkey.net*2
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- bl.mailspike.net
+ b.barracudacentral.org=127.0.0.2*7
+ bl.mailspike.net=127.0.0.2*5
+ bl.mailspike.net=127.0.0.[10..12]*4
+ wl.mailspike.net=127.0.0.[18..20]*-2
+ bl.spameatingmonkey.net=127.0.0.2*4
+ bl.spamcop.net=127.0.0.2*2
+ dnsbl.sorbs.net=127.0.0.10*8
+ dnsbl.sorbs.net=127.0.0.5*6
+ dnsbl.sorbs.net=127.0.0.7*3
+ dnsbl.sorbs.net=127.0.0.8*2
+ dnsbl.sorbs.net=127.0.0.6*2
+ dnsbl.sorbs.net=127.0.0.9*2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_greet_action = enforce
-postscreen_whitelist_interfaces =
-{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %}
- !{{ ip }}
-{%- endfor %}
-{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %}
- ![{{ ip }}]
-{%- endfor %}
- static:all
+postscreen_whitelist_interfaces = static:all
+
smtpd_client_restrictions =
permit_mynetworks
@@ -139,6 +143,7 @@ smtpd_helo_restrictions =
smtpd_sender_restrictions =
reject_non_fqdn_sender
+ reject_unknown_sender_domain
smtpd_relay_restrictions =
reject_non_fqdn_recipient
@@ -146,6 +151,14 @@ smtpd_relay_restrictions =
reject_unauth_destination
reject_unlisted_recipient
+smtpd_recipient_restrictions =
+ check_client_access cidr:$config_directory/access-list.cidr
+ check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf
+ reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
+ reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
+ defer_if_reject reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
+ defer_if_reject reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254]
+
smtpd_data_restrictions =
reject_unauth_pipelining