From 2f9574850b356a746ee3ff9a8a311c450784b53c Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 16 May 2020 18:26:53 +0200
Subject: MX: Install OpenDMARC to add Authentication-Results headers.

On the infrastructure boundary.  We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>.  Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.
---
 .../systemd/system/opendmarc.service.d/override.conf    | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf

(limited to 'roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf')

diff --git a/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf
new file mode 100644
index 0000000..1fb5567
--- /dev/null
+++ b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf
@@ -0,0 +1,17 @@
+[Service]
+Type=simple
+User=opendmarc
+ExecStart=
+ExecStart=/usr/sbin/opendmarc -f -p fd:3
+StandardOutput=journal
+SyslogFacility=mail
+RuntimeDirectory=opendmarc
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
-- 
cgit v1.2.3