diff --git a/postfix/files/master.cf b/postfix/files/master.cf
index 541b4429afefbc98673e6df237365fe969b79c9f..82c310bd34c9f341eae7416395b7f67ceb168150 100644
--- a/postfix/files/master.cf
+++ b/postfix/files/master.cf
@@ -11,11 +11,11 @@ dovecot unix - n n - - pipe
 # service type private unpriv chroot wakeup maxproc command + args
 # (yes) (yes) (no) (never) (100)
 # ==========================================================================
-smtp inet n - y - - smtpd
-#smtp inet n - y - 1 postscreen
-#smtpd pass - - y - - smtpd
-#dnsblog unix - - y - 0 dnsblog
-#tlsproxy unix - - y - 0 tlsproxy
+#smtp inet n - y - - smtpd
+smtp inet n - y - 1 postscreen
+smtpd pass - - y - - smtpd
+dnsblog unix - - y - 0 dnsblog
+tlsproxy unix - - y - 0 tlsproxy
 submission inet n - y - - smtpd
 # -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_security_options=noanonymous
diff --git a/postfix/files/postscreen_whitelist b/postfix/files/postscreen_whitelist
new file mode 100644
index 0000000000000000000000000000000000000000..887c952d74ae36452737bd4e1986745d42f85dce
--- /dev/null
+++ b/postfix/files/postscreen_whitelist
@@ -0,0 +1,16 @@
+# Django : 2014-10-29
+# access-Tabelle: Wer wird von postscreen ausgenommen und wer nicht?
+# Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer
+# IP-Adressen. In der rechten Tabellenspalte können die AKtionen
+# "permit", "reject" und "dunno" gesetzt werden.
+# Nach dem Ändern und/oder Erweitern der Tabelle, muß ein
+# laufender Postfix über die Änderungen mit einem reload informiert
+# werden:
+# $ systemctl reload postfix.service
+#
+# Es muss hier keine Datenbank mit postmap erzeugt werden, da
+# Postfix die ASCII-Konfigurationsdatei direkt auswertet!
+#
+
+# roughly the RWTH network for the e-mail servers
+134.130.5.32/27 permit
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml
index e209ea52fab4a42d4d7a9b19de27c9e1f76a7204..c884334d14ad88ad1a5ddd10ee304a39aec0080a 100644
--- a/postfix/tasks/main.yml
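Review bot: The single `permit` entry `134.130.5.32/27` is described in its own comment as only "roughly" the RWTH mail-server network, yet `permit` in a `postscreen_access_list` table whitelists a client for the whole session and skips every postscreen test (DNSBL, pregreet and the deep protocol tests), so any host in those 32 addresses inherits the bypass; smtpd's own restrictions still apply after hand-off, but nothing in postscreen does. Prefer one `/32` entry per actual relay, or cite the authoritative source of the range, and say so in the comment, e.g. `# RWTH outbound mail relays (source: <ref>); permit = skip all postscreen tests, smtpd restrictions still apply`. The file header is in German while this entry's comment is English; an English header that also names the row format (`CIDR action`, with action one of permit/reject/dunno) would make the table safer for whoever next extends it.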
+++ b/postfix/tasks/main.yml
@@ -16,6 +16,7 @@
 - login_maps.pcre
 - master.cf
 - sender_login_map.hash
+ - postscreen_whitelist
 notify:
 - restart postfix
 tags:
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index ffec55eaf8edfa54c3a781e786731e353e2a23c9..ad580a7c1a5e5a574a8e3becfc80e3fa7a9b1a21 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -61,3 +61,60 @@ virtual_gid_maps = static:5000
 virtual_alias_maps = hash:/etc/postfix/virtual
 #smtpd_sender_login_maps = hash:/etc/postfix/sender_login_map
 smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
+
+################################################################################
+## POSTSCREEN - ERSTE STUFE DER SPAM/UCE/VIREN-ABWEHRMECHANISMEN
+#
+# Django : 2014-10-29 - PERMANENT WHITE/BLACKLIST TEST
+# default: postscreen_access_list = permit_mynetworks
+postscreen_access_list = permit_mynetworks
+ cidr:/etc/postfix/postscreen_whitelist
+#
+# default: postscreen_blacklist_action = ignore
+postscreen_blacklist_action = drop
+
+
# Django : 2014-10-29 - MAIL EXCHANGER POLICY TESTS
+# default: postscreen_whitelist_interfaces = static:all
+
+# Django : 2014-10-29 - PRE 220 GREETING TESTS
+#
+# default: postscreen_greet_banner = $smtpd_banner
+#
+# default: postscreen_greet_action = ignore
+postscreen_greet_action = enforce
+
+# default: postscreen_dnsbl_threshold = 1
+postscreen_dnsbl_threshold = 2
+#
+# default: postscreen_dnsbl_sites =
+postscreen_dnsbl_sites = zen.spamhaus.org*1
+ bl.spamcop.net*1
+ b.barracudacentral.org*1
+ #swl.spamhaus.org*2
+ list.dnswl.org*-5
+#
+# default: postscreen_dnsbl_action = ignore
+postscreen_dnsbl_action = enforce
+
+
+# Django : 2014-10-29 - POST 220 GREETING TESTS
+#
+# default: postscreen_dnsbl_whitelist_threshold = 0
+postscreen_dnsbl_whitelist_threshold = -1
+#
+# default: postscreen_pipelining_enable = no
+postscreen_pipelining_enable = yes
+#
+# default: postscreen_pipelining_action = enforce
+#
+# default: postscreen_non_smtp_command_enable = no
+postscreen_non_smtp_command_enable = yes
+# default: postscreen_non_smtp_command_action = drop
+#
+# default: postscreen_bare_newline_enable = no
+postscreen_bare_newline_enable = yes
+#
+# default: postscreen_bare_newline_action = ignore
+postscreen_bare_newline_action = drop
+#
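Review bot: The `postscreen_dnsbl_sites` entries count any reply from a list as a hit, which is a problem for two of them: `zen.spamhaus.org*1` also scores Spamhaus's 127.255.255.x error replies (query refused from a public resolver, over quota) as a listing, and `list.dnswl.org*-5` grants the full -5 to every dnswl trust level including 0 and, if I recall dnswl's documentation correctly, to its 127.0.0.255 "resolver blocked" reply as well, which together with `postscreen_dnsbl_whitelist_threshold = -1` would whitelist every connecting client and skip all tests including the deep ones enabled further down. Restrict the replies that count, e.g. `zen.spamhaus.org=127.0.0.[2..11]*1` and `list.dnswl.org=127.0.[0..255].[1..3]*-5`; the address-filter syntax has existed since Postfix 2.8, the release that introduced postscreen. Two operational caveats belong in the template's comments: with the deep tests (`postscreen_pipelining_enable`, `postscreen_non_smtp_command_enable`, `postscreen_bare_newline_enable`) set to yes, postscreen cannot hand off a session it has inspected and answers a first-time legitimate client with a 4XX until it reconnects, so first deliveries from new peers are delayed, and `b.barracudacentral.org` is, as far as I know, only answered for resolvers registered with its operator, so that entry may silently contribute nothing. A one-line comment above the list such as `# replies are filtered so resolver-block/error codes do not count as listings` would keep the next editor from reverting the filters.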