From d82e85eea2485925481bf12b052acede9d9ae0f8 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 16 May 2020 23:45:55 +0200 Subject: MX: Port to Debian 10. For postfix, don't defer if "abused legit". (I.e., DBL return code in the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch) but for 3.4.8 (Buster) the 'defer_if_reject' also applies to $smtpd_relay_restrictions, to reject_unauth_destination & reject_unlisted_recipient in particular. --- roles/MX/files/etc/opendmarc.conf | 41 ++++++++++++++++++++----------- roles/MX/templates/etc/postfix/main.cf.j2 | 4 --- 2 files changed, 27 insertions(+), 18 deletions(-) diff --git a/roles/MX/files/etc/opendmarc.conf b/roles/MX/files/etc/opendmarc.conf index 4a0b89c..575d02d 100644 --- a/roles/MX/files/etc/opendmarc.conf +++ b/roles/MX/files/etc/opendmarc.conf @@ -1,20 +1,46 @@ # This is a basic configuration that can easily be adapted to suit a standard -# installation. For more advanced options, see opendkim.conf(5) and/or +# installation. For more advanced options, see openmarc.conf(5) and/or # /usr/share/doc/opendmarc/examples/opendmarc.conf.sample. ## AuthservID (string) ## defaults to MTA name +## +## Sets the "authserv-id" to use when generating the Authentication-Results: +## header field after verifying a message. If the string "HOSTNAME" is +## provided, the name of the host running the filter (as returned by the +## gethostname(3) function) will be used. # # AuthservID name ## FailureReports { true | false } ## default "false" ## +## Enables generation of failure reports when the DMARC test fails and the +## purported sender of the message has requested such reports. Reports are +## formatted per RFC6591. +# # FailureReports false +## PublicSuffixList path +## default (none) +## +## Specifies the path to a file that contains top-level domains (TLDs) that +## will be used to compute the Organizational Domain for a given domain name, +## as described in the DMARC specification. If not provided, the filter will +## not be able to determine the Organizational Domain and only the presented +## domain will be evaluated. +# +PublicSuffixList /usr/share/publicsuffix + ## RejectFailures { true | false } ## default "false" ## +## If set, messages will be rejected if they fail the DMARC evaluation, or +## temp-failed if evaluation could not be completed. By default, no message +## will be rejected or temp-failed regardless of the outcome of the DMARC +## evaluation of the message. Instead, an Authentication-Results header +## field will be added. +# RejectFailures false ## Socket socketspec @@ -88,16 +114,3 @@ SPFSelfValidate true ## umask(2) for more information. # UMask 0007 - -## UserID user[:group] -## default (none) -## -## Attempts to become the specified userid before starting operations. -## The process will be assigned all of the groups and primary group ID of -## the named userid unless an alternate group is specified. -# -# UserID opendmarc - -## Path to system copy of PSL (needed to determine organizational domain) -# -PublicSuffixList /usr/share/publicsuffix/ diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 5c2f97b..36315d1 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -149,10 +149,6 @@ smtpd_recipient_restrictions = check_recipient_access ldap:$config_directory/reject-unknown-client-hostname.cf reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99] - # defer if "abused legit": DBL return code in the 127.0.1.100+ range - defer_if_reject - reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[100..254] - reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[100..254] smtpd_data_restrictions = reject_unauth_pipelining -- cgit v1.2.3