Diffstat (limited to 'roles/MX')
-rw-r--r--roles/MX/handlers/main.yml3
-rw-r--r--roles/MX/tasks/main.yml20
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j220
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/catchall.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j22
9 files changed, 26 insertions, 29 deletions
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 0482a49..99a5db2 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,6 +1,3 @@
---
-- name: Restart Postgrey
- service: name=postgrey state=restarted
-
- name: Reload Postfix
service: name=postfix state=reloaded
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index db4bb58..8cd5106 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,47 +1,31 @@
-- name: Install Postfix & Postgrey
+- name: Install Postfix
apt: pkg={{ item }}
with_items:
- postfix
- postfix-pcre
- postfix-ldap
- postfix-cdb
- - postgrey
+ # The following is for reserved-alias.pl
- libnet-ldap-perl
- libauthen-sasl-perl
-- name: Configure Postgrey
- lineinfile: dest=/etc/default/postgrey
- regexp='^POSTGREY_OPTS='
- line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"'
- owner=root group=root
- mode=0644
- register: r
- notify:
- - Restart Postgrey
-
-- name: Start Postgrey
- service: name=postgrey state=started
- when: not r.changed
-
-- meta: flush_handlers
-
- name: Configure Postfix
template: src=etc/postfix/main.cf.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
state=directory
owner=root group=root
mode=0755
- name: Copy lookup tables
template: src=etc/postfix/virtual/{{ item }}.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
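Review bot: Dropping the Postgrey tasks and handler leaves nothing that removes the package or stops its service, so hosts provisioned with the previous version of this role presumably keep postgrey running and listening on the old socket until someone cleans it up by hand. If that is not intended, a one-off task such as `- name: Remove Postgrey` / `apt: pkg=postgrey state=absent` (and a `service: name=postgrey state=stopped enabled=no` before it) would make the transition idempotent. The `# The following is for reserved-alias.pl` comment sits inside the `with_items` list, which is valid YAML but reads as if only `libnet-ldap-perl` were meant; placing it above the list or after the item as an inline comment would avoid the ambiguity. The task list continues past the end of this hunk.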
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 476178a..181066a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -106,47 +106,61 @@ smtpd_tls_ask_ccert = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# UCE control
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
+postscreen_blacklist_action = drop
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites =
+ zen.spamhaus.org*3
+ swl.spamhaus.org*-4
+ b.barracudacentral.org*2
+ bl.spameatingmonkey.net*2
+ bl.spamcop.net
+ dnsbl.sorbs.net
+ list.dnswl.org=127.[0..255].[0..255].0*-2
+ list.dnswl.org=127.[0..255].[0..255].1*-3
+ list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
+
+postscreen_greet_action = enforce
+postscreen_whitelist_interfaces = !88.80.11.28 static:all
smtpd_client_restrictions =
permit_mynetworks
- reject_rbl_client zen.spamhaus.org
- reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
smtpd_sender_restrictions =
reject_non_fqdn_sender
smtpd_recipient_restrictions =
# RFC requirements
reject_non_fqdn_recipient
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
- check_policy_service unix:private/postgrey
+ permit_dnswl_client list.dnswl.org
smtpd_data_restrictions =
reject_unauth_pipelining
# vim: set filetype=pfmain :
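Review bot: `permit_dnswl_client list.dnswl.org` is the last entry of `smtpd_recipient_restrictions`, after every `reject_*` check, so it can never change the outcome of the list (an unmatched list already ends in permit) and only adds a DNS lookup per recipient; if the intent is to exempt trusted senders from a specific check, it has to come after `reject_unauth_destination` but before that check, and if nothing follows it, it can simply be dropped. Unlike the `postscreen_dnsbl_sites` entries, which weight `list.dnswl.org` by the last octet of the reply, this entry accepts any listing, including the lowest trust level; if the same policy is wanted here, mirror the filter, e.g. `permit_dnswl_client list.dnswl.org=127.[0..255].[0..255].[1..255]`. The postscreen parameters only take effect once `master.cf` hands port 25 to postscreen, which this commit does not touch, so the RBL checks removed from `smtpd_client_restrictions` are presumably not enforced at all until that change lands. `postscreen_whitelist_interfaces = !88.80.11.28 static:all` hardcodes an address in a Jinja template; the role already parameterises the instance via `postfix_instance[inst]`, so the address belongs in a role variable with a comment stating why that interface is excluded.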
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index c0ab405..1710376 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,10 +1,10 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = yes
bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
bind_pw = FIXME
query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostMaildrop
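Review bot: The new `server_host` line hardcodes the instance directory as `postfix-mx`, while the tasks in this role build every other path from `{{ postfix_instance[inst].name }}`; rendering the same variable here, `server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[inst].name }}%2Fprivate%2Fldapi/`, keeps the socket path in step with the instance the tables are installed into. The same hardcoded path is introduced in alias_domains.cf.j2, catchall.cf.j2, list.cf.j2 and mailbox.cf.j2. These tables also carry `bind_pw` and are installed with `mode=0644` by the copy task; since the commit now makes them reach the LDAP server over a socket outside the chroot, it is worth confirming that the files themselves are not world-readable on the host (a `mode=0640` with the postfix group would be the usual setting).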
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index 7679a9c..119b8b2 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,12 +1,12 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = yes
bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
bind_pw = FIXME
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
result_attribute = fripostMaildrop
result_format = %U@%s
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 818ad02..66053c8 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,11 +1,11 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = yes
bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
bind_pw = FIXME
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
index 1cb8add..4ec247d 100644
--- a/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/domains.cf.j2
@@ -1,10 +1,12 @@
+# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
+# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
scope = one
bind = yes
bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
bind_pw = FIXME
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
result_attribute = fvd
result_format = OK
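Review bot: The added `# XXX` comment leaves the path question open while the five sibling tables in this commit switch to the absolute `/var/spool/postfix-mx/private/ldapi` socket; a reader cannot tell whether the chroot-relative `server_host` here is deliberate or simply not yet migrated. The comment's premise that smtpd(8) cannot be chrooted is also doubtful, since chroot is a per-service column in master.cf, so the question is really which daemon performs this lookup and under which root. Replacing the XXX with a one-line statement of that fact, or aligning the path with the other tables once it is known, would make the intent explicit.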
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 80c7b7f..3b364c0 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,13 +1,13 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = yes
bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
bind_pw = FIXME
query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostListManager
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@%s.fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 9b584c9..4654607 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,13 +1,13 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = yes
bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
bind_pw = FIXME
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fvl
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@mda.fripost.org