From a0d439f832721ab1b4bdcf9ab844ee20d4dc1682 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 11 Dec 2018 21:13:19 +0100 Subject: submission: Prospective SPF checking. Cf. http://www.openspf.org/Best_Practices/Outbound . --- roles/MSA/tasks/main.yml | 10 ++++++++++ .../etc/postfix-policyd-spf-python/policyd-spf.conf.j2 | 18 ++++++++++++++++++ roles/MSA/templates/etc/postfix/main.cf.j2 | 2 ++ roles/common/templates/etc/postfix/main.cf.j2 | 2 +- roles/common/templates/etc/postfix/master.cf.j2 | 4 ++++ 5 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 (limited to 'roles') diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml index 65d1dae..c78139a 100644 --- a/roles/MSA/tasks/main.yml +++ b/roles/MSA/tasks/main.yml @@ -4,6 +4,7 @@ packages: - postfix - postfix-pcre + - postfix-policyd-spf-python - name: Copy Postfix sender login socketmap copy: src=usr/local/bin/postfix-sender-login.pl @@ -59,6 +60,15 @@ notify: - Reload Postfix +- name: Configure policyd-spf + template: src=etc/postfix-policyd-spf-python/policyd-spf.conf.j2 + dest=/etc/postfix-policyd-spf-python/policyd-spf.conf + owner=root group=root + mode=0644 + # Reload Postifx to terminate spawn(8) daemon children + notify: + - Reload Postfix + - name: Create directory /etc/postfix/ssl file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl state=directory diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 new file mode 100644 index 0000000..2cc1074 --- /dev/null +++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} +# Do NOT edit this file directly! + +debugLevel = 1 +TestOnly = 1 + +HELO_reject = Softfail +Mail_From_reject = Softfail + +PermError_reject = False +TempError_Defer = False + +# We're just trying to keep our outgoing IPs clean of SPF violations, +# not seeking 100% accurate reports. While it's possible that the +# message is routed through a different IP (eg, IPv4 vs v6), giving a +# potentially inaccurate prospective report, it's quite unlikely in +# practice. +Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }} diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index a48a327..65a0339 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -50,6 +50,7 @@ local_header_rewrite_clients = smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s +policyd-spf_time_limit = $ipc_timeout # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre @@ -107,6 +108,7 @@ smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_sender_access lmdb:$config_directory/check_sender_access + check_policy_service unix:private/policyd-spf reject_known_sender_login_mismatch smtpd_relay_restrictions = diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 279611b..b369d43 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 @@ -39,7 +39,7 @@ smtpd_tls_security_level = none {% set instances = postfix_instance.keys() | intersect(group_names) | list %} {%- if instances | length > 0 -%} -## Other postfix instances +# Other postfix instances multi_instance_wrapper = $command_directory/postmulti -p -- multi_instance_enable = yes multi_instance_directories ={% for i in instances | sort %} /etc/postfix-{{ postfix_instance[i].name }}{% endfor %} diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 905c82e..d9cb5d3 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -65,6 +65,10 @@ virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache +{% if inst is defined and inst == 'MSA' %} +policyd-spf unix - n n - 0 spawn + user=policyd-spf argv=/usr/bin/policyd-spf +{% endif %} {% if inst is defined and inst == 'MX' %} reserved-alias unix - n n - - pipe flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org -- cgit v1.2.3