From 2f9574850b356a746ee3ff9a8a311c450784b53c Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 16 May 2020 18:26:53 +0200
Subject: MX: Install OpenDMARC to add Authentication-Results headers. On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to to . Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox.
---
roles/MX/tasks/main.yml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+) (limited to 'roles/MX/tasks/main.yml')
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 507a4f2..300dbfb 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -137,3 +137,49 @@
 - munin-node
 notify:
 - Restart munin-node
+
+# XXX we probaly want SPF verification for domains without DMARC
+# policies
+- name: Install OpenDMARC
+ apt: pkg=opendmarc
+
+- name: Copy OpenDMARC configuration
+ copy: src=etc/opendmarc.conf
+ dest=/etc/opendmarc.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Stop OpenDMARC
+
+- name: Create directory /etc/systemd/system/opendmarc.service.d
+ file: path=/etc/systemd/system/opendmarc.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Harden OpenDMARC service unit
+ copy: src=etc/systemd/system/opendmarc.service.d/override.conf
+ dest=/etc/systemd/system/opendmarc.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Stop OpenDMARC
+
+- meta: flush_handlers
+
+- name: Copy OpenDMARC socket unit
+ copy: src=etc/systemd/system/opendmarc.socket
+ dest=/etc/systemd/system/opendmarc.socket
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - systemctl daemon-reload
+ - Restart OpenDMARC
+
+- name: Disable OpenDMARC service
+ service: name=opendmarc.service enabled=false
+
+- name: Start OpenDMARC socket
+ service: name=opendmarc.socket state=started enabled=true
-- 
cgit v1.2.3
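Review bot: The commit message points members at Sieve rules keyed on Authentication-Results, but nothing in this hunk shows that sender-supplied copies of that header are removed or told apart at the MX, so a message could arrive already carrying a passing result. The OpenDMARC and Postfix configuration is outside this path-limited diff, so this may already be handled there. It is worth confirming that only headers bearing this host's authserv-id are trusted, and recording that next to the XXX comment, e.g. `# NOTE: Sieve rules must match only Authentication-Results headers carrying our own authserv-id`. Separately, `register: r` on the "Copy OpenDMARC socket unit" task is not read anywhere in this hunk; drop it, or give it a descriptive name if a handler outside this file uses it.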