Diffstat (limited to 'roles/MX')
-rw-r--r--roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf10
-rw-r--r--roles/MX/tasks/main.yml9
-rw-r--r--roles/MX/templates/etc/postfix/access-list.cidr.j216
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j251
4 files changed, 67 insertions, 19 deletions
diff --git a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
new file mode 100644
index 0000000..6969f75
--- /dev/null
+++ b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
@@ -0,0 +1,10 @@
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+version = 3
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
+domain = static:all
+scope = one
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
+result_attribute = fvl
+result_format = reject_unknown_client_hostname
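Review bot: The ldapi socket path on the first line hardcodes the instance name (`postfix-mx`), while every other instance-specific path in this commit is derived from `postfix_instance[inst].name` (both hunks of roles/MX/tasks/main.yml, including the new "Copy recipient access(5) map" task); if the MX instance were ever named differently the table would bind to a nonexistent socket and, as far as I can tell, Postfix would defer every list-recipient lookup with a configuration error. Consider shipping this as `templates/etc/postfix/reject-unknown-client-hostname.cf.j2` with `server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[inst].name }}%2Fprivate%2Fldapi/` and switching that task from `copy` to `template`. The file also has no header, and a comment such as `# access(5) table for check_recipient_access: recipients that are active lists get reject_unknown_client_hostname. Binds with SASL EXTERNAL over ldapi, so no credentials are stored here (mode 0644 is fine).` would spare the next maintainer a trip through ldap_table(5).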
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index bd6f088..78362ca 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,39 +1,40 @@
- name: Install Postfix
apt: pkg={{ item }}
with_items:
- postfix
- postfix-pcre
- postfix-ldap
- postfix-cdb
# The following is for reserved-alias.pl
- libnet-ldap-perl
- libauthen-sasl-perl
- name: Configure Postfix
template: src=etc/postfix/{{ item }}.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
owner=root group=root
mode=0644
with_items:
- main.cf
- master.cf
+ - access-list.cidr
notify:
- Reload Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
state=directory
owner=root group=root
mode=0755
# trivial-rewrite(8) runs in a chroot. We create an empty
# /usr/lib/sasl2 to avoid "No such file or directory" warnings.
# Cf. also #738989.
- name: Create directory /usr/lib/sasl2
file: path=/var/spool/postfix-{{ postfix_instance[inst].name }}/{{ item }}
state=directory
owner=root group=root
mode=0755
with_items:
- /usr/lib/sasl2
- /usr/lib/{{ ansible_architecture }}-linux-gnu/sasl2
@@ -44,40 +45,48 @@
copy: src=etc/postfix/virtual/{{ item }}
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- domains.cf
# no need to reload upon change, as cleanup(8) is short-running
- reserved_alias.pcre
- alias.cf
- mailbox.cf
- list.cf
- alias_domains.cf
- catchall.cf
- name: Copy lookup tables (2)
template: src=etc/postfix/virtual/transport.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport
owner=root group=root
mode=0644
+- name: Copy recipient access(5) map
+ copy: src=etc/postfix/reject-unknown-client-hostname.cf
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/reject-unknown-client-hostname.cf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
+
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
postmap: instance={{ postfix_instance[inst].name }}
src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Copy reserved-alias.pl
copy: src=usr/local/bin/reserved-alias.pl
dest=/usr/local/bin/reserved-alias.pl
owner=root group=staff
mode=0755
- name: Create directory /etc/postfix/ssl
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
state=directory
owner=root group=root
mode=0755
diff --git a/roles/MX/templates/etc/postfix/access-list.cidr.j2 b/roles/MX/templates/etc/postfix/access-list.cidr.j2
new file mode 100644
index 0000000..bd6e3d8
--- /dev/null
+++ b/roles/MX/templates/etc/postfix/access-list.cidr.j2
@@ -0,0 +1,16 @@
+########################################################################
+# Access list, see cidr_table(5)
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+{% if ipsec_subnet is defined %}
+{{ ipsec_subnet }} permit
+{% endif %}
+
+{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org A').splitlines() | sort -%}
+{{ ip }}/32 permit
+{% endfor %}
+{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org AAAA').splitlines() | sort -%}
+{{ ip }}/128 permit
+{% endfor %}
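Review bot: Both `dig +short` lookups feed the controller's DNS answers straight into `permit` rules with no validation, so a resolver failure (dig prints `;; ...` diagnostics on stdout) or, if outgoing.fripost.org ever becomes a CNAME, the intermediate CNAME target that `+short` also prints would render lines like `mail.example.org./32 permit` that cidr_table(5) cannot parse; at best the entry is dropped with a warning, at worst a malformed access list is deployed on every run without anyone noticing. Keeping only lines that are addresses closes that, e.g. `{% for ip in lookup('pipe', 'dig +short outgoing.fripost.org A').splitlines() | sort if ip | ipaddr('ipv4') -%}` and `ipaddr('ipv6')` for the AAAA loop (ipaddr needs the netaddr library; a regex match test on the line works where it is unavailable). A short comment above the loops, `# Our outgoing relays, resolved on the controller at deploy time; permit here also exempts them from the RHSBL checks in main.cf's smtpd_recipient_restrictions`, would record why these hosts are permitted and where the list is consumed.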
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 8e6040f..e5792c4 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -76,77 +76,90 @@ smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = $config_directory/ssl/mx.fripost.org.pem
smtpd_tls_key_file = $config_directory/ssl/mx.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
# http://www.howtoforge.com/block_spam_at_mta_level_postfix
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# UCE control
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
-unknown_address_reject_code = 554
-unknown_client_reject_code = 554
-unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
+postscreen_access_list =
+ permit_mynetworks
+ cidr:$config_directory/access-list.cidr
postscreen_dnsbl_whitelist_threshold = -1
+
postscreen_blacklist_action = drop
-postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
- zen.spamhaus.org*2
+ zen.spamhaus.org=127.0.0.[10;11]*8
+ zen.spamhaus.org=127.0.0.[4..7]*6
+ zen.spamhaus.org=127.0.0.3*4
+ zen.spamhaus.org=127.0.0.2*3
#swl.spamhaus.org*-4
- b.barracudacentral.org*2
- bl.spameatingmonkey.net*2
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- bl.mailspike.net
+ b.barracudacentral.org=127.0.0.2*7
+ bl.mailspike.net=127.0.0.2*5
+ bl.mailspike.net=127.0.0.[10..12]*4
+ wl.mailspike.net=127.0.0.[18..20]*-2
+ bl.spameatingmonkey.net=127.0.0.2*4
+ bl.spamcop.net=127.0.0.2*2
+ dnsbl.sorbs.net=127.0.0.10*8
+ dnsbl.sorbs.net=127.0.0.5*6
+ dnsbl.sorbs.net=127.0.0.7*3
+ dnsbl.sorbs.net=127.0.0.8*2
+ dnsbl.sorbs.net=127.0.0.6*2
+ dnsbl.sorbs.net=127.0.0.9*2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_greet_action = enforce
-postscreen_whitelist_interfaces =
-{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %}
- !{{ ip }}
-{%- endfor %}
-{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %}
- ![{{ ip }}]
-{%- endfor %}
- static:all
+postscreen_whitelist_interfaces = static:all
+
smtpd_client_restrictions =
permit_mynetworks
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
smtpd_sender_restrictions =
reject_non_fqdn_sender
+ reject_unknown_sender_domain
smtpd_relay_restrictions =
reject_non_fqdn_recipient
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
+smtpd_recipient_restrictions =
+ check_client_access cidr:$config_directory/access-list.cidr
+ check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf
+ reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
+ reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
+ defer_if_reject reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
+ defer_if_reject reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254]
+
smtpd_data_restrictions =
reject_unauth_pipelining
# vim: set filetype=pfmain :
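Review bot: The new `check_client_access cidr:$config_directory/access-list.cidr` returns `permit`, which ends evaluation of smtpd_recipient_restrictions for the listed relays; this is only safe because relay control (`reject_unauth_destination`) stays in smtpd_relay_restrictions, which Postfix (2.10 and later) evaluates before smtpd_recipient_restrictions, so the permit cannot open relaying. That dependency is easy to break in a later edit, so a comment above the new block, `# NB: the permit from access-list.cidr only skips the checks below; relay policy stays in smtpd_relay_restrictions, never move check_client_access up there`, is worth adding. Separately, dropping `unknown_address_reject_code`, `unknown_client_reject_code` and `unknown_hostname_reject_code` reverts them to Postfix's default 450, so the new `reject_unknown_sender_domain` and the ldap-driven `reject_unknown_client_hostname` now defer rather than permanently reject; if that is the intent (transient DNS failures should not bounce list mail) it deserves a one-line comment next to the remaining 554 codes, and if not, those lines should come back.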