summaryrefslogtreecommitdiffstats
path: root/roles/MX
diff options
context:
space:
mode:
Diffstat (limited to 'roles/MX')
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias.cf5
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias_domains.cf5
-rw-r--r--roles/MX/files/etc/postfix/virtual/catchall.cf5
-rw-r--r--roles/MX/files/etc/postfix/virtual/domains.cf5
-rw-r--r--roles/MX/files/etc/postfix/virtual/list.cf5
-rw-r--r--roles/MX/files/etc/postfix/virtual/mailbox.cf5
-rwxr-xr-xroles/MX/files/usr/local/bin/reserved-alias.pl (renamed from roles/MX/files/usr/local/sbin/reserved-alias.pl)0
-rw-r--r--roles/MX/tasks/main.yml18
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j219
9 files changed, 37 insertions, 30 deletions
diff --git a/roles/MX/files/etc/postfix/virtual/alias.cf b/roles/MX/files/etc/postfix/virtual/alias.cf
index 1710376..1c104a9 100644
--- a/roles/MX/files/etc/postfix/virtual/alias.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias.cf
@@ -1,10 +1,9 @@
server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
-bind = yes
-bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
-bind_pw = FIXME
+bind = sasl
+sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/alias_domains.cf b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
index 119b8b2..907166f 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
@@ -1,12 +1,11 @@
server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
-bind = yes
-bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
-bind_pw = FIXME
+bind = sasl
+sasl_mechs = EXTERNAL
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
result_attribute = fripostMaildrop
result_format = %U@%s
diff --git a/roles/MX/files/etc/postfix/virtual/catchall.cf b/roles/MX/files/etc/postfix/virtual/catchall.cf
index 66053c8..e0e6350 100644
--- a/roles/MX/files/etc/postfix/virtual/catchall.cf
+++ b/roles/MX/files/etc/postfix/virtual/catchall.cf
@@ -1,11 +1,10 @@
server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
-bind = yes
-bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
-bind_pw = FIXME
+bind = sasl
+sasl_mechs = EXTERNAL
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/domains.cf b/roles/MX/files/etc/postfix/virtual/domains.cf
index 4ec247d..f5a7f25 100644
--- a/roles/MX/files/etc/postfix/virtual/domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/domains.cf
@@ -1,12 +1,11 @@
# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
scope = one
-bind = yes
-bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
-bind_pw = FIXME
+bind = sasl
+sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
result_attribute = fvd
result_format = OK
diff --git a/roles/MX/files/etc/postfix/virtual/list.cf b/roles/MX/files/etc/postfix/virtual/list.cf
index 3b364c0..99e2147 100644
--- a/roles/MX/files/etc/postfix/virtual/list.cf
+++ b/roles/MX/files/etc/postfix/virtual/list.cf
@@ -1,13 +1,12 @@
server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
-bind = yes
-bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
-bind_pw = FIXME
+bind = sasl
+sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostListManager
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@%s.fripost.org
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox.cf b/roles/MX/files/etc/postfix/virtual/mailbox.cf
index 4654607..7289670 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox.cf
@@ -1,13 +1,12 @@
server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
-bind = yes
-bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
-bind_pw = FIXME
+bind = sasl
+sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fvl
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@mda.fripost.org
diff --git a/roles/MX/files/usr/local/sbin/reserved-alias.pl b/roles/MX/files/usr/local/bin/reserved-alias.pl
index e19492e..e19492e 100755
--- a/roles/MX/files/usr/local/sbin/reserved-alias.pl
+++ b/roles/MX/files/usr/local/bin/reserved-alias.pl
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 361e379..3c96fad 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -6,60 +6,74 @@
- postfix-ldap
- postfix-cdb
# The following is for reserved-alias.pl
- libnet-ldap-perl
- libauthen-sasl-perl
- name: Configure Postfix
template: src=etc/postfix/main.cf.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
state=directory
owner=root group=root
mode=0755
+# trivial-rewrite(8) runs in a chroot. We create an empty
+# /usr/lib/sasl2 to avoid "No such file or directory" warnings.
+# Cf. also #738989.
+- name: Create directory /usr/lib/sasl2
+ file: path=/var/spool/postfix-{{ postfix_instance[inst].name }}/{{ item }}
+ state=directory
+ owner=root group=root
+ mode=0755
+ with_items:
+ - /usr/lib/sasl2
+ - /usr/lib/{{ ansible_architecture }}-linux-gnu/sasl2
+ notify:
+ - Reload Postfix
+
- name: Copy lookup tables (1)
copy: src=etc/postfix/virtual/{{ item }}
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- domains.cf
# no need to reload upon change, as cleanup(8) is short-running
- reserved_alias.pcre
- alias.cf
- mailbox.cf
- list.cf
- alias_domains.cf
- catchall.cf
- name: Copy lookup tables (2)
template: src=etc/postfix/virtual/transport.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport
owner=root group=root
mode=0644
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
postmap: instance={{ postfix_instance[inst].name }}
src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Copy reserved-alias.pl
- copy: src=usr/local/sbin/reserved-alias.pl
- dest=/usr/local/sbin/reserved-alias.pl
+ copy: src=usr/local/bin/reserved-alias.pl
+ dest=/usr/local/bin/reserved-alias.pl
owner=root group=root
mode=0755
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 09a5ce7..11c8199 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -52,62 +52,61 @@ relay_domains =
# Virtual transport
# We use a dedicated "virtual" domain to decongestion potential
# bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
# tranport_maps.
virtual_transport = error:5.1.1 Virtual transport unavailable
virtual_alias_domains = !cdb:$config_directory/virtual/transport
ldap:$config_directory/virtual/domains.cf
virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
# unless there is a matching user/alias/list...
ldap:$config_directory/virtual/mailbox.cf
ldap:$config_directory/virtual/alias.cf
ldap:$config_directory/virtual/list.cf
# ...we resolve alias domains and catch alls
ldap:$config_directory/virtual/alias_domains.cf
ldap:$config_directory/virtual/catchall.cf
transport_maps = cdb:$config_directory/virtual/transport
# Don't rewrite remote headers
-local_header_rewrite_clients =
+local_header_rewrite_clients =
# Pass the client information along to the content filter
-smtp_send_xforward_command = yes
+smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
-smtp_destination_recipient_limit = 1000
-reserved-alias_recipient_limit = 1
+smtp_destination_recipient_limit = 1000
+reserved-alias_destination_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
-smtpd_tls_security_level = none
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
# http://www.howtoforge.com/block_spam_at_mta_level_postfix
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# UCE control
@@ -123,46 +122,46 @@ unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
postscreen_blacklist_action = drop
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
zen.spamhaus.org*3
swl.spamhaus.org*-4
b.barracudacentral.org*2
bl.spameatingmonkey.net*2
bl.spamcop.net
dnsbl.sorbs.net
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_greet_action = enforce
-postscreen_whitelist_interfaces = !88.80.11.28 static:all
+postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all
smtpd_client_restrictions =
permit_mynetworks
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
smtpd_sender_restrictions =
reject_non_fqdn_sender
-smtpd_recipient_restrictions =
- # RFC requirements
- reject_non_fqdn_recipient
+smtpd_relay_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
- permit_dnswl_client list.dnswl.org
+
+smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
smtpd_data_restrictions =
reject_unauth_pipelining
# vim: set filetype=pfmain :
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-25 23:42:20 +0000