From a0d439f832721ab1b4bdcf9ab844ee20d4dc1682 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 11 Dec 2018 21:13:19 +0100
Subject: submission: Prospective SPF checking.

Cf. http://www.openspf.org/Best_Practices/Outbound .
---
 roles/MSA/tasks/main.yml | 10 ++++++++++
 .../etc/postfix-policyd-spf-python/policyd-spf.conf.j2 | 18 ++++++++++++++++++
 roles/MSA/templates/etc/postfix/main.cf.j2 | 2 ++
 roles/common/templates/etc/postfix/main.cf.j2 | 2 +-
 roles/common/templates/etc/postfix/master.cf.j2 | 4 ++++
 5 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2

diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 65d1dae..c78139a 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -4,6 +4,7 @@
   packages:
     - postfix
     - postfix-pcre
+    - postfix-policyd-spf-python
 
 - name: Copy Postfix sender login socketmap
   copy: src=usr/local/bin/postfix-sender-login.pl
@@ -59,6 +60,15 @@
   notify:
     - Reload Postfix
 
+- name: Configure policyd-spf
+  template: src=etc/postfix-policyd-spf-python/policyd-spf.conf.j2
+            dest=/etc/postfix-policyd-spf-python/policyd-spf.conf
+            owner=root group=root
+            mode=0644
+  # Reload Postifx to terminate spawn(8) daemon children
+  notify:
+    - Reload Postfix
+
 - name: Create directory /etc/postfix/ssl
   file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
         state=directory
diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
new file mode 100644
index 0000000..2cc1074
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
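Review bot: The comment above `notify:` in the new `Configure policyd-spf` task misspells the program name; `# Reload Postfix to terminate spawn(8) daemon children`. Since the reason is not obvious from the task itself, the same comment should also say why a reload is needed at all: the rendered file is presumably only read when a policyd-spf child starts, so letting master(8) replace its running children is what makes a template change take effect. The `mode=0644` is fine here, as the file carries no credentials.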
@@ -0,0 +1,18 @@ +# {{ ansible_managed }} +# Do NOT edit this file directly! + +debugLevel = 1 +TestOnly = 1 + +HELO_reject = Softfail +Mail_From_reject = Softfail + +PermError_reject = False +TempError_Defer = False + +# We're just trying to keep our outgoing IPs clean of SPF violations, +# not seeking 100% accurate reports. While it's possible that the +# message is routed through a different IP (eg, IPv4 vs v6), giving a +# potentially inaccurate prospective report, it's quite unlikely in +# practice. +Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }} diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index a48a327..65a0339 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -50,6 +50,7 @@ local_header_rewrite_clients = smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s +policyd-spf_time_limit = $ipc_timeout # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre @@ -107,6 +108,7 @@ smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_sender_access lmdb:$config_directory/check_sender_access + check_policy_service unix:private/policyd-spf reject_known_sender_login_mismatch smtpd_relay_restrictions = diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 279611b..b369d43 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 
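Review bot: `Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }}` runs `dig` on the Ansible controller at render time and freezes whatever it answers into the deployed file. Because the pipeline's exit status is `head`'s, a missing `dig`, a resolver failure or an empty answer renders `Prospective =` with no address instead of failing the play, and the value silently goes stale until the next deploy if the outgoing address changes. Taking the address from inventory data, or failing the template when the lookup output is empty, would make the result deterministic. It would also help to state next to `TestOnly = 1` that, with it set, the `HELO_reject`/`Mail_From_reject` values only influence what is logged, e.g. `# TestOnly: log the prospective result, never reject`.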
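Review bot: `policyd-spf_time_limit = $ipc_timeout` is a spawn(8) per-service parameter whose name is tied to the `policyd-spf` service defined in master.cf, which a reader of main.cf alone cannot tell; a one-line comment would help, `# spawn(8) time limit for the master.cf policyd-spf service (default: command_time_limit)`. The reason for raising it to $ipc_timeout (so a child is not killed mid-conversation and can presumably serve several policy requests) belongs in the same comment.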
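Review bot: `check_policy_service unix:private/policyd-spf` in `smtpd_sender_restrictions` makes the policy daemon a hard dependency of submission: by default Postfix answers an unreachable policy server with `451 4.3.5 Server configuration problem`, so a crashed or hung policyd-spf defers every MAIL FROM even though `TestOnly = 1` in policyd-spf.conf means the check itself never rejects. If log-only is the intent, set `smtpd_policy_service_default_action` (Postfix 3.0 and later) to a non-deferring action, or at least document the fail-closed choice next to the line. Ordering-wise, placing the check after `reject_known_sender_login_mismatch` would spare the SPF DNS round trip for senders that are rejected anyway. The `smtpd_sender_restrictions` list starts outside the hunk.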
@@ -39,7 +39,7 @@ smtpd_tls_security_level = none {% set instances = postfix_instance.keys() | intersect(group_names) | list %} {%- if instances | length > 0 -%} -## Other postfix instances +# Other postfix instances multi_instance_wrapper = $command_directory/postmulti -p -- multi_instance_enable = yes multi_instance_directories ={% for i in instances | sort %} /etc/postfix-{{ postfix_instance[i].name }}{% endfor %} diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 905c82e..d9cb5d3 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -65,6 +65,10 @@ virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache +{% if inst is defined and inst == 'MSA' %} +policyd-spf unix - n n - 0 spawn + user=policyd-spf argv=/usr/bin/policyd-spf +{% endif %} {% if inst is defined and inst == 'MX' %} reserved-alias unix - n n - - pipe flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org -- cgit v1.2.3
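Review bot: `policyd-spf unix - n n - 0 spawn` sets maxproc to 0, i.e. no limit on concurrent policyd-spf processes, so a burst of submissions can fork one Python interpreter per MAIL FROM, each performing SPF DNS lookups; unless the unlimited setting is deliberate, a bounded value such as `-` (default_process_limit) is the safer choice for a service that only logs. The `unpriv` column is `n` so that spawn(8) can switch to `user=policyd-spf`, which a short comment above the entry would make explicit for the next reader, e.g. `# spawn(8) needs root to drop to user=policyd-spf; only logs while TestOnly=1`. Since the service is private (the default for a `unix` service), the `unix:private/policyd-spf` reference in the MSA main.cf matches it.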