summaryrefslogtreecommitdiffstats
path: root/roles/MX/files/etc
Commit message (Collapse)AuthorAgeFiles
* OpenDMARC: Adjust configuration to bullseye.Guilhem Moulin2024-09-081
|
* MX: Port to Debian 10.Guilhem Moulin2020-05-161
| | | | | | | | For postfix, don't defer if "abused legit". (I.e., DBL return code in the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch) but for 3.4.8 (Buster) the 'defer_if_reject' also applies to $smtpd_relay_restrictions, to reject_unauth_destination & reject_unlisted_recipient in particular.
* MX: Install OpenDMARC to add Authentication-Results headers.Guilhem Moulin2020-05-163
| | | | | | | | On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to <user@example.com> to <user@fripost.org>. Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox.
* MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.Guilhem Moulin2018-12-097
| | | | | | Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
* Harden anti spam on the MX:es.Guilhem Moulin2018-06-091
|
* Use blackhole subdomain for sender addresses of verify probes.Guilhem Moulin2017-05-161
| | | | | | | | | | | These addresses need to be accepted on the MX:es, as recipients sometimes phone back during the SMTP session to check whether the sender exists. Since a time-dependent suffix is added to the local part (cf. http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's not enough to drop incoming mails to ‘double-bounce@fripost.org’, and it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
* Add a reserved domain 'discard.fripost.org' to discard messages.Guilhem Moulin2015-06-071
| | | | | ‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’.
* Upgrade the MX configuration from Wheezy to Jessie.Guilhem Moulin2015-06-076
| | | | | | In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simble binds on cn=postfix,ou=services,… can now be removed.
* Split templates / files in lookup tables.Guilhem Moulin2015-06-077
|
* Fix catchall resolution.Guilhem Moulin2015-06-077
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Remove the 'fripostLocalAlias' attribute.Guilhem Moulin2015-06-072
| | | | | | | | | | | | | Instead, we pretend that lists are valid users (via a match in the mailbox_transport_maps) but choose a different transport (with the same request in transport_maps). The advantage is that we get rid of the ugly hack for list transport… A minor drawback is that we now have two LDAP lookups instead of one for non local addresses (ie, everything but reserved addresses). Hopefully the requests are cached; but even if they aren't, querying a local LDAP server is supposed to be cheap.
* wibbleGuilhem Moulin2015-06-076
|
* Rename the role 'mx' into 'MX'.Guilhem Moulin2015-06-078
Other abreviations are upper case.