Diffstat (limited to 'roles/MX/templates')
-rw-r--r-- | roles/MX/templates/etc/postfix/access-list.cidr.j2 | 16 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 115 | ||||
l--------- | roles/MX/templates/etc/postfix/master.cf.j2 | 1 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/virtual/transport.j2 | 13 |
4 files changed, 73 insertions, 72 deletions
diff --git a/roles/MX/templates/etc/postfix/access-list.cidr.j2 b/roles/MX/templates/etc/postfix/access-list.cidr.j2
new file mode 100644
index 0000000..bd6e3d8
--- /dev/null
+++ b/roles/MX/templates/etc/postfix/access-list.cidr.j2
@@ -0,0 +1,16 @@
+########################################################################
+# Access list, see cidr_table(5)
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+{% if ipsec_subnet is defined %}
+{{ ipsec_subnet }} permit
+{% endif %}
+
+{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org A').splitlines() | sort -%}
+{{ ip }}/32 permit
+{% endfor %}
+{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org AAAA').splitlines() | sort -%}
+{{ ip }}/128 permit
+{% endfor %}
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index b9f7c09..d10f901 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
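Review bot: The permit entries are whatever `dig +short` prints on the Ansible controller at render time, and nothing in the two `{% for %}` loops checks that those lines are addresses: a resolver failure leaves the list empty, while a CNAME or a `;; ...` diagnostic line is rendered as a malformed `.../32 permit` entry, and because this file is also consulted by `check_client_access` in main.cf.j2, a wrong DNS answer at render time ends up as a permit entry that skips the RHSBL checks. Filtering the output with the address filters of the `ansible.utils` collection the commit already uses drops non-address lines, e.g. `{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org A').splitlines() | ansible.utils.ipv4 | sort -%}` (and `ansible.utils.ipv6` for the AAAA loop), and the play should fail rather than render an empty list. The hostname is also hard-coded here whereas main.cf.j2 in this same commit now takes the relay from `postfix_instance.out.addr`; deriving the permit entries from that inventory variable would keep the two from diverging and remove the render-time DNS dependency altogether.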
@@ -1,163 +1,156 @@ ######################################################################## -# MX configuration +# Mail eXchange (MX) configuration # # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no -mail_owner = postfix +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +compatibility_level = 2 +smtputf8_enable = no delay_warning_time = 4h maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = mx{{ mxno | default('') }}.$mydomain mydomain = fripost.org append_dot_mydomain = no -# Turn off all TCP/IP listener ports except that necessary for the mail -# exchange. -master_service_disable = !smtp.inet inet +mynetworks_style = host queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes -# This server is a Mail eXchange -mynetworks_style = host -inet_interfaces = all - # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = # Virtual transport # We use a dedicated "virtual" domain to decongestion potential # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in # tranport_maps. 
virtual_transport = error:5.1.1 Virtual transport unavailable -virtual_alias_domains = !cdb:$config_directory/virtual/transport +virtual_alias_domains = !lmdb:$config_directory/virtual/transport ldap:$config_directory/virtual/domains.cf virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre # unless there is a matching user/alias/list... ldap:$config_directory/virtual/mailbox.cf ldap:$config_directory/virtual/alias.cf ldap:$config_directory/virtual/list.cf # ...we resolve alias domains and catch alls ldap:$config_directory/virtual/alias_domains.cf ldap:$config_directory/virtual/catchall.cf -transport_maps = cdb:$config_directory/virtual/transport +transport_maps = lmdb:$config_directory/virtual/transport # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter smtp_send_xforward_command = yes # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 reserved-alias_destination_recipient_limit = 1 # Tolerate occasional high latency smtp_data_done_timeout = 1200s -{% if 'out' in group_names %} smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} - smtpd_tls_security_level = may -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key -smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem +smtpd_tls_ciphers = medium +smtpd_tls_protocols = !SSLv2, !SSLv3 +smtpd_tls_cert_file = $config_directory/ssl/mx.fripost.org.pem +smtpd_tls_key_file = 
$config_directory/ssl/mx.fripost.org.key +smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs/ -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_session_cache_database= smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes -# UCE control -invalid_hostname_reject_code = 554 -multi_recipient_bounce_reject_code = 554 -non_fqdn_reject_code = 554 -relay_domains_reject_code = 554 -unknown_address_reject_code = 554 -unknown_client_reject_code = 554 -unknown_hostname_reject_code = 554 -unknown_local_recipient_reject_code = 554 -unknown_relay_recipient_reject_code = 554 -unknown_virtual_alias_reject_code = 554 -unknown_virtual_mailbox_reject_code = 554 +postscreen_access_list = + permit_mynetworks + cidr:$config_directory/access-list.cidr +postscreen_dnsbl_whitelist_threshold = -1 +postscreen_cache_map = lmdb:$data_directory/postscreen_cache postscreen_blacklist_action = drop -postscreen_dnsbl_threshold = 3 +postscreen_dnsbl_threshold = 8 postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = - zen.spamhaus.org*3 - swl.spamhaus.org*-4 - b.barracudacentral.org*2 - bl.spameatingmonkey.net*2 - bl.spamcop.net - dnsbl.sorbs.net - list.dnswl.org=127.[0..255].[0..255].0*-2 - list.dnswl.org=127.[0..255].[0..255].1*-3 - list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 - -postscreen_greet_action = enforce -postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all + zen.spamhaus.org=127.0.0.[10;11]*8 + zen.spamhaus.org=127.0.0.[4..7]*6 + zen.spamhaus.org=127.0.0.3*4 + zen.spamhaus.org=127.0.0.2*3 + #swl.spamhaus.org*-4 + b.barracudacentral.org=127.0.0.2*7 + bl.mailspike.net=127.0.0.2*5 + bl.mailspike.net=127.0.0.[10..12]*4 + wl.mailspike.net=127.0.0.[18..20]*-2 + 
bl.spameatingmonkey.net=127.0.0.2*4 + bl.spamcop.net=127.0.0.2*2 + dnsbl.sorbs.net=127.0.0.10*8 + dnsbl.sorbs.net=127.0.0.5*6 + dnsbl.sorbs.net=127.0.0.7*3 + dnsbl.sorbs.net=127.0.0.8*2 + dnsbl.sorbs.net=127.0.0.6*2 + dnsbl.sorbs.net=127.0.0.9*2 + list.dnswl.org=127.0.[0..255].0*-2 + list.dnswl.org=127.0.[0..255].1*-3 + list.dnswl.org=127.0.[0..255].[2..3]*-4 + +postscreen_greet_action = enforce +postscreen_whitelist_interfaces = static:all + +smtpd_milters = { unix:public/opendmarc, protocol=6, default_action=accept } smtpd_client_restrictions = permit_mynetworks smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender + reject_unknown_sender_domain smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination reject_unlisted_recipient +smtpd_recipient_restrictions = + check_client_access cidr:$config_directory/access-list.cidr + check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf + reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99] + reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99] + smtpd_data_restrictions = reject_unauth_pipelining # vim: set filetype=pfmain : diff --git a/roles/MX/templates/etc/postfix/master.cf.j2 b/roles/MX/templates/etc/postfix/master.cf.j2 new file mode 120000 index 0000000..011f8e0 --- /dev/null +++ b/roles/MX/templates/etc/postfix/master.cf.j2 @@ -0,0 +1 @@ +../../../../common/templates/etc/postfix/master.cf.j2
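Review bot: With the `{% if 'out' in group_names %}` wrapper removed, the context line `smtp_tls_security_level = none` now applies to every MX, so the hop to `relayhost` (and the next-hops in transport.j2 from this same commit, which previously ran under `encrypt` with a TLS policy map) is sent without TLS; the only hint that this is intended is the `ipsec_subnet` permit entry in the new access-list.cidr.j2, which suggests the relay address is presumably reached over an IPsec tunnel. A comment above that line would make the assumption explicit, e.g. `# Internal hops (relayhost, transport next-hops) go over the IPsec tunnel, hence no TLS on this leg`, and the template should keep `encrypt` for any host where that does not hold. Dropping `master_service_disable = !smtp.inet inet` also means every inet service in the now-shared master.cf.j2 is enabled unless that template restricts them itself, which this diff does not show. The `lmdb:` maps introduced for `virtual_alias_domains`, `transport_maps` and `postscreen_cache_map` need Postfix's LMDB map support installed; the task doing so is outside this diff.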
\ No newline at end of file diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2 index 49f3696..536748a 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport.j2 +++ b/roles/MX/templates/etc/postfix/virtual/transport.j2 @@ -1,30 +1,21 @@ # Each valid address user@example.org is aliased (on the MX) into some # example.org/user@xxx.fripost.org, and non-defaults next-hop:port are # chosen here in that table, depending on 'xxx'. The reason for such # indirection is that there is only one qmgr(8) daemon, which delegate # the routing strategy to the trivial-rewrite(8), which in turns queries # transport_maps. Hence high latency maps such as LDAP or SQL would # congestion the queue manager. On the other hand, virtual aliasing is # performed by cleanup(8), multiples instances of which can run in # parallel. See http://www.postfix.org/ADDRESS_REWRITING_README.html . # # /!\ WARNING: xxx.fripost.org should NOT be in the list of valid # domains ($virtual_alias_domains)! Otherwise at the next iteration of # the alias resolution loop the domain will be validated but not the # address, and the MTA will reply with "Recipient address rejected: User # unknown in virtual alias table". reserved.fripost.org reserved-alias: discard.fripost.org discard: -{% if 'LDA' in group_names %} -mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }} -{% else %} -mda.fripost.org smtp:[mda.fripost.org]:{{ postfix_instance.IMAP.port }} -{% endif %} - -{% if 'lists' in group_names %} -sympa.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }} -{% else %} -sympa.fripost.org smtp:[lists.fripost.org]:{{ postfix_instance.lists.port }} -{% endif %} +mda.fripost.org smtp:[{{ postfix_instance.IMAP.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.IMAP.port }} +sympa.fripost.org smtp:[{{ postfix_instance.lists.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.lists.port }} |
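Review bot: `postfix_instance.IMAP.addr | ansible.utils.ipaddr` (likewise the `lists` line and `relayhost` in main.cf.j2) evaluates to `False` when the variable is not a valid address, so an inventory typo presumably renders `smtp:[False]:port` and Postfix defers all mail for that domain instead of the play failing; an `ansible.builtin.assert` on those values before the template task, with `that: postfix_instance.IMAP.addr | ansible.utils.ipaddr`, would surface the error at deploy time. The co-located case that previously used the `smtpl` transport on 127.0.0.1 is gone, so an MX that also runs the IMAP or lists instance now routes to its own address through plain `smtp`; if `smtpl` carried different settings in master.cf that distinction is lost, though master.cf is not shown here and this may be intended.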