Commit 2475e025 authored by Lars Beckers's avatar Lars Beckers

Merge branch 'ext-4' into 'master'

Additional Services and Configurability for Postfix

Postfix:
- Adds optional SPF validation
- Adds optional SRS rewriting
- Adds optional relay for non existing local users
- Allows to selectively enable SMTPS and Submission services
- Allows to selectively enable dovecot integration
- Fixes Transport Maps usage
- Fixes SMTPD TLS Security Level selection

Dovecot:
- Fixes issue with authed usernames for system users

See merge request !13
parents eca98869 594e66d0
......@@ -48,7 +48,11 @@ disable_plaintext_auth = yes
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
{% if dovecot_auth_system and not dovecot_auth_virtual %}
auth_username_format = %Ln
{% else %}
#auth_username_format = %Lu
{% endif %}
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
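Review bot: The new `auth_username_format = %Ln` branch carries no comment explaining why it departs from the commented default `%Lu` directly below it; the upstream text above describes the variables but not this choice. Per that text, `%L` lowercases and `%n` drops the domain, so a login presented as `User@any.domain` is authenticated as the passwd entry `user` — presumably the intent when only system auth is active, but worth stating. Suggest adding above the `{% if %}`: `# System-user auth only: lowercase and strip any @domain so the login name matches the passwd entry.`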
......@@ -12,10 +12,14 @@ postfix_tls_key: /etc/ssl/private/privkey.pem
postfix_tls_configuration: 'previous'
postfix_prefer_lmtp: false
postfix_enable_dovecot: true
postfix_enable_submission: true
postfix_enable_smtps: false
postfix_enable_postscreen: true
postfix_enable_memcached: false
postfix_login_suffix: ''
postfix_luser_relay: ''
postfix_dnsbl_sites:
- name: zen.spamhaus.org
- name: bl.spamcop.net
......@@ -43,6 +47,9 @@ postfix_transport_maps: []
# protocol: smtp
# use_mx: true
postfix_verify_spf: false
postfix_verify_spf_testmode: true
postfix_enable_srs: false
# Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts: false
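Review bot: `postfix_luser_relay` and `postfix_verify_spf_testmode` are introduced without comments although both change what the server accepts. A non-empty `postfix_luser_relay` also empties `local_recipient_maps` in main.cf.j2, so smtpd stops rejecting unknown local recipients; suggest `# Forward mail for unknown local users here. Non-empty disables local recipient validation (local_recipient_maps=).` `postfix_verify_spf_testmode: true` means enabling SPF verification only renders `TestOnly = 1` in policyd-spf.conf until it is flipped; suggest `# true: policyd-spf runs in TestOnly mode (no rejects); set false to enforce.`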
......@@ -79,6 +79,8 @@
- mail
- import_tasks: mta-sts.yml
- import_tasks: spf.yml
- import_tasks: srs.yml
- name: install rt-mailgate if needed
apt:
......@@ -125,7 +127,7 @@
dest: /etc/postfix/transport
notify:
- postmap transport
when: postfix_transport_maps|bool
when: postfix_transport_maps|count > 0
tags:
- postfix
- mail
---
- name: ensure we got the SPF policy daemon installed
apt:
state: "{{ 'present' if postfix_verify_spf else 'absent' }}"
name: postfix-policyd-spf-python
notify:
- restart postfix
- name: ensure the SPF policy daemon is configured
template:
src: policyd-spf.conf.j2
dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
owner: root
group: root
mode: '0644'
when: postfix_verify_spf
notify:
- restart postfix
---
- name: ensure we got the SRS daemon installed
apt:
state: "{{ 'present' if postfix_enable_srs else 'absent' }}"
name: postsrsd
- name: ensure there is an (Debian-generated) secrets file
file:
path: /etc/postsrsd.secret
state: file
owner: root
group: root
mode: '0600'
when: postfix_enable_srs
- name: ensure the SRS daemon is configured
template:
src: postsrsd.j2
dest: /etc/default/postsrsd
owner: root
group: root
mode: '0644'
when: postfix_enable_srs
notify:
- restart postsrsd
- name: ensure the SRS daemon is up and running
service:
name: postsrsd
enabled: "{{ postfix_enable_srs|string }}"
state: "{{ 'started' if postfix_enable_srs else 'stopped' }}"
when: postfix_enable_srs
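Review bot: In the last task the `enabled`/`state` expressions can never take their false branches, because the task is guarded by `when: postfix_enable_srs`; `enabled: "{{ postfix_enable_srs|string }}"` additionally hands the module the string `"True"` rather than a boolean. Either simplify to `enabled: true` and `state: started`, or drop the `when` so that disabling SRS stops the daemon explicitly — in the latter case note the apt task above already removes the package first, so the service task would then have to run before it. The secrets-file task uses `state: file`, which fails the play if `/etc/postsrsd.secret` is missing; that looks deliberate (the package generates it) but deserves a comment such as `# state: file asserts the package-generated secret exists; it does not create one.`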
......@@ -7,12 +7,15 @@ myorigin = /etc/mailname
mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }}
relayhost = {{ postfix_relay_host }}
{% if postfix_transport_maps|bool %}
{% if postfix_transport_maps|count > 0 %}
transport_maps = cdb:/etc/postfix/transport
{% endif %}
{% if postfix_luser_relay != "" %}
luser_relay = {{ postfix_luser_relay }}
local_recipient_maps =
{% endif %}
{% if not postfix_satellite_only %}
{% if not postfix_satellite_only and postfix_enable_dovecot %}
{% if postfix_domains|count > 0 %}
{% if postfix_prefer_lmtp %}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
......@@ -25,7 +28,6 @@ smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
{% endif %}
append_dot_mydomain = no
......@@ -45,8 +47,20 @@ smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
{% if postfix_verify_spf %}
smtpd_recipient_restrictions=
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:private/policy-spf
{% endif %}
{% if postfix_enable_srs %}
sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes= envelope_recipient,header_recipient
{% endif %}
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
......@@ -86,7 +100,7 @@ alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
virtual_alias_maps = cdb:/etc/postfix/virtual
{% if postfix_virtual_domains|count > 0 %}
{% if postfix_virtual_domains|count > 0 and postfix_enable_dovecot %}
virtual_mailbox_domains = {{ postfix_virtual_domains | join(", ") }}
virtual_mailbox_base = /var/vmail/
virtual_mailbox_limit = 512000000
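Review bot: The `luser_relay` block clears `local_recipient_maps` without a comment; the Postfix luser_relay documentation requires this, but it also means smtpd now accepts every recipient in $mydestination at SMTP time, so an undeliverable luser_relay target becomes backscatter. Suggest above it: `# luser_relay requires recipient validation off; all local recipients are accepted at SMTP time.` The SRS block hardcodes `tcp:127.0.0.1:10001` and `:10002`, which must stay in step with SRS_LISTEN_ADDR, SRS_FORWARD_PORT and SRS_REVERSE_PORT in postsrsd.j2 — a shared role variable would keep them from drifting. Minor: `smtpd_recipient_restrictions=` and `recipient_canonical_classes=` lack the space before `=` used by every other setting in the file.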
......@@ -21,6 +21,7 @@ smtpd pass - - y - - smtpd
{% endif %}
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
{% if postfix_enable_submission %}
submission inet n - y - - smtpd
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
......@@ -40,17 +41,17 @@ submission inet n - y - - smtpd
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
{% endif %}
{% if postfix_enable_smtps %}
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
{% endif %}
#628 inet n - y - - qmqpd
{% endif %}
pickup unix n - y 60 1 pickup
......@@ -94,7 +95,12 @@ postlog unix-dgram n - n - 1 postlogd
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
{% if not postfix_satellite_only %}
{% if postfix_verify_spf %}
policy-spf unix - n n - 0 spawn
user=nobody argv=/usr/bin/policyd-spf
{% endif %}
{% if not postfix_satellite_only and postfix_enable_dovecot %}
dovecot unix - n n - - pipe
flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
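Review bot: The new smtps service sets `-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject`, whereas the commented sample it replaces used `permit_sasl_authenticated,reject`; since $mynetworks in main.cf.j2 includes the operator-supplied `postfix_my_networks`, port 465 now relays unauthenticated from those ranges. If that is intended, add a comment saying so next to the option; otherwise drop `permit_mynetworks` and keep the port authentication-only. The submission service's own restrictions lie outside this hunk and presumably should match whichever choice is made. In the last hunk it is not clear from the rendered view whether `{% if not postfix_satellite_only %}` was kept or replaced by the `and postfix_enable_dovecot` form; if replaced, the `policy-spf` spawn entry is now declared on satellite-only hosts as well, which is harmless but worth confirming.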
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 1
TestOnly = {{ '1' if postfix_verify_spf_testmode else '0' }}
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
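Review bot: The reject thresholds (`HELO_reject = Fail`, `Mail_From_reject = Fail`, `PermError_reject = False`, `TempError_Defer = False`) are fixed in the template while only TestOnly is configurable, and nothing tells an operator what enabling verification actually enforces. Suggest a comment above them: `# Reject only on a hard SPF Fail; PermError is not rejected and TempError is not deferred.` It would also help to note that main.cf.j2 places `permit_mynetworks` and `permit_sasl_authenticated` before the policy check, so `skip_addresses` only matters for the loopback ranges it lists and should not be widened to replace those restrictions.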
# Default settings for postsrsd
# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.
#
SRS_DOMAIN={{ ansible_fqdn.split(".")[1:]|join(".") }}
# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
#
#SRS_EXCLUDE_DOMAINS=.example.com,example.org
# First separator character after SRS0 or SRS1.
# Can be one of: -+=
SRS_SEPARATOR==
# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
#
SRS_SECRET=/etc/postsrsd.secret
# Length of hash to be used in rewritten addresses
SRS_HASHLENGTH=4
# Minimum length of hash to accept when validating return addresses.
# When increasing SRS_HASHLENGTH, set this to its previous value and
# wait for the duration of SRS return address validity (21 days) before
# increading this value as well.
SRS_HASHMIN=4
# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.
#
SRS_FORWARD_PORT=10001
SRS_REVERSE_PORT=10002
# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.
#
RUN_AS=postsrsd
# Bind to this address
#
SRS_LISTEN_ADDR=127.0.0.1
# Jail daemon in chroot environment
CHROOT=/var/lib/postsrsd
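Review bot: `SRS_DOMAIN={{ ansible_fqdn.split(".")[1:]|join(".") }}` drops the first label of the host's FQDN, mirroring the `mydomain` default mentioned in the comment above, but a two-label fqdn such as `example.org` yields just `org` and a single-label hostname yields an empty value, so rewritten envelope senders would be unroutable. Consider exposing this as a role variable that defaults to the derived value, or at least document the assumption: `# Assumes ansible_fqdn is host.domain.tld; the first label is dropped.` `SRS_SEPARATOR==` reads like a typo; a comment `# the separator is a literal '='` would prevent a well-meant "fix". Whether postsrsd reads the root-owned 0600 secret set up in srs.yml before dropping to `RUN_AS=postsrsd` is not visible here — presumably it does, as that is the Debian default layout, but confirm.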