7 files changed, 201 insertions, 7 deletions

diff --git a/roles/MX/files/etc/opendmarc.conf b/roles/MX/files/etc/opendmarc.conf
new file mode 100644
index 0000000..575d02d
--- /dev/null
+++ b/roles/MX/files/etc/opendmarc.conf
@@ -0,0 +1,116 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see openmarc.conf(5) and/or
+# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
+
+##  AuthservID (string)
+##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.
+#
+# AuthservID name
+
+##  FailureReports { true | false }
+##  	default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+#
+# FailureReports false
+
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+PublicSuffixList /usr/share/publicsuffix
+
+##  RejectFailures { true | false }
+##  	default "false"
+##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
+RejectFailures false
+
+##  Socket socketspec
+##  	default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+Socket local:/var/run/opendmarc/opendmarc.sock
+
+##  Syslog { true | false }
+##  	default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+Syslog true
+
+##  SyslogFacility facility-name
+##  	default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+##  TrustedAuthservIDs string
+##  	default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+
+##  SPFIgnoreResults { true | false }
+##  	default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the message.
+##  This is useful if you want the filter to perfrom SPF checks itself, or
+##  because you don't trust the arriving header.
+#
+SPFIgnoreResults true
+
+##  SPFSelfValidate { true | false }
+##  	default "false"
+##
+##  Causes the filter to perform a fallback SPF check itself when it can
+##  find no SPF results in the message header.  If SPFIgnoreResults is also
+##  set, it never looks for SPF results in headers and always performs the
+##  SPF check itself when this is set.
+#
+SPFSelfValidate true
+
+##  UMask mask
+##  	default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+UMask 0007
diff --git a/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf
new file mode 100644
index 0000000..1fb5567
--- /dev/null
+++ b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf
@@ -0,0 +1,17 @@
+[Service]
+Type=simple
+User=opendmarc
+ExecStart=
+ExecStart=/usr/sbin/opendmarc -f -p fd:3
+StandardOutput=journal
+SyslogFacility=mail
+RuntimeDirectory=opendmarc
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
diff --git a/roles/MX/files/etc/systemd/system/opendmarc.socket b/roles/MX/files/etc/systemd/system/opendmarc.socket
new file mode 100644
index 0000000..483ef60
--- /dev/null
+++ b/roles/MX/files/etc/systemd/system/opendmarc.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenDMARC Milter activation socket
+
+[Socket]
+ListenStream=/var/spool/postfix-mx/public/opendmarc
+SocketUser=postfix
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 9edf610..00223a5 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,6 +1,15 @@
 ---
+- name: systemctl daemon-reload
+  command: /bin/systemctl daemon-reload
+
 - name: Reload Postfix
   service: name=postfix state=reloaded
 
 - name: Restart munin-node
   service: name=munin-node state=restarted
+
+- name: Stop OpenDMARC
+  service: name=opendmarc.service state=stopped
+
+- name: Restart OpenDMARC
+  service: name=opendmarc.socket state=restarted
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 507a4f2..57f17f8 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -137,3 +137,48 @@
     - munin-node
   notify:
     - Restart munin-node
+
+# XXX we probaly want SPF verification for domains without DMARC
+# policies
+- name: Install OpenDMARC
+  apt: pkg=opendmarc
+
+- name: Copy OpenDMARC configuration
+  copy: src=etc/opendmarc.conf
+        dest=/etc/opendmarc.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - Stop OpenDMARC
+
+- name: Create directory /etc/systemd/system/opendmarc.service.d
+  file: path=/etc/systemd/system/opendmarc.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Harden OpenDMARC service unit
+  copy: src=etc/systemd/system/opendmarc.service.d/override.conf
+        dest=/etc/systemd/system/opendmarc.service.d/override.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Stop OpenDMARC
+
+- meta: flush_handlers
+
+- name: Copy OpenDMARC socket unit
+  copy: src=etc/systemd/system/opendmarc.socket
+        dest=/etc/systemd/system/opendmarc.socket
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Restart OpenDMARC
+
+- name: Disable OpenDMARC service
+  service: name=opendmarc.service enabled=false
+
+- name: Start OpenDMARC socket
+  service: name=opendmarc.socket state=started enabled=true
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index a2cc2a8..d10f901 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -37,7 +37,7 @@ message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal outgoing proxy
-relayhost     = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
+relayhost     = [{{ postfix_instance.out.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.out.port }}
 relay_domains =
 
 
@@ -123,6 +123,7 @@ postscreen_dnsbl_sites      =
 postscreen_greet_action         = enforce
 postscreen_whitelist_interfaces = static:all
 
+smtpd_milters = { unix:public/opendmarc, protocol=6, default_action=accept }
 
 smtpd_client_restrictions =
     permit_mynetworks
@@ -148,10 +149,6 @@ smtpd_recipient_restrictions =
     check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf
     reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
     reject_rhsbl_sender         dbl.spamhaus.org=127.0.1.[2..99]
-    # defer if "abused legit": DBL return code in the 127.0.1.100+ range
-    defer_if_reject
-    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254]
-    reject_rhsbl_sender         dbl.spamhaus.org=127.0.1.[100..254]
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
index 126cb72..536748a 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -17,5 +17,5 @@
 reserved.fripost.org    reserved-alias:
 discard.fripost.org     discard:
 
-mda.fripost.org   smtp:[{{ postfix_instance.IMAP.addr  | ipaddr }}]:{{ postfix_instance.IMAP.port  }}
-sympa.fripost.org smtp:[{{ postfix_instance.lists.addr | ipaddr }}]:{{ postfix_instance.lists.port }}
+mda.fripost.org   smtp:[{{ postfix_instance.IMAP.addr  | ansible.utils.ipaddr }}]:{{ postfix_instance.IMAP.port  }}
+sympa.fripost.org smtp:[{{ postfix_instance.lists.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.lists.port }}