postfix: configure postscreen

2c74f3c8 · Hinrikus Wolf · a9d45c31 · 2c74f3c8 · 2c74f3c8 · 2c74f3c8
Commit 2c74f3c8 authored 7 years ago by Hinrikus Wolf
--- a/postfix/files/master.cf
+++ b/postfix/files/master.cf
@@ -11,11 +11,11 @@ dovecot   unix  -       n       n       -       -       pipe
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
-smtp      inet  n       -       y       -       -       smtpd
+#smtp      inet  n       -       y       -       -       smtpd
-#smtp      inet  n       -       y       -       1       postscreen
+smtp      inet  n       -       y       -       1       postscreen
-#smtpd     pass  -       -       y       -       -       smtpd
+smtpd     pass  -       -       y       -       -       smtpd
-#dnsblog   unix  -       -       y       -       0       dnsblog
+dnsblog   unix  -       -       y       -       0       dnsblog
-#tlsproxy  unix  -       -       y       -       0       tlsproxy
+tlsproxy  unix  -       -       y       -       0       tlsproxy
 submission inet n       -       y       -       -       smtpd 
 #  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_security_options=noanonymous

--- a/postfix/files/postscreen_whitelist
+++ b/postfix/files/postscreen_whitelist
+# Django : 2014-10-29
+# access-Tabelle: Wer wird von postscreen ausgenommen und wer nicht?
+# Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer 
+# IP-Adressen. In der rechten Tabellenspalte können die AKtionen 
+# "permit", "reject" und "dunno" gesetzt werden.
+# Nach dem Ändern und/oder Erweitern der Tabelle, muß ein
+# laufender Postfix über die Änderungen mit einem reload informiert 
+# werden: 
+#             $ systemctl reload postfix.service
+#
+# Es muss hier keine Datenbank mit postmap erzeugt werden, da 
+# Postfix die ASCII-Konfigurationsdatei direkt auswertet!
+#
+# roughly the RWTH network for the e-mail servers 
+134.130.5.32/27               permit                                                                                                                                                                                                                                   
--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -16,6 +16,7 @@
    - login_maps.pcre
    - master.cf
    - sender_login_map.hash
+    - postscreen_whitelist
  notify: 
    - restart postfix
  tags:

--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -61,3 +61,60 @@ virtual_gid_maps = static:5000
 virtual_alias_maps = hash:/etc/postfix/virtual
 #smtpd_sender_login_maps = hash:/etc/postfix/sender_login_map
 smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
+################################################################################
+## POSTSCREEN - ERSTE STUFE DER SPAM/UCE/VIREN-ABWEHRMECHANISMEN
+#
+# Django : 2014-10-29 - PERMANENT WHITE/BLACKLIST TEST
+# default: postscreen_access_list = permit_mynetworks
+postscreen_access_list = permit_mynetworks
+                         cidr:/etc/postfix/postscreen_whitelist
+#
+# default: postscreen_blacklist_action = ignore
+postscreen_blacklist_action = drop
+# Django : 2014-10-29 - MAIL EXCHANGER POLICY TESTS
+# default: postscreen_whitelist_interfaces = static:all
+# Django : 2014-10-29 - PRE 220 GREETING TESTS
+#
+# default: postscreen_greet_banner = $smtpd_banner
+#
+# default: postscreen_greet_action = ignore
+postscreen_greet_action = enforce
+# default: postscreen_dnsbl_threshold = 1
+postscreen_dnsbl_threshold = 2
+#
+# default: postscreen_dnsbl_sites =
+postscreen_dnsbl_sites = zen.spamhaus.org*1
+                         bl.spamcop.net*1
+                         b.barracudacentral.org*1
+                         #swl.spamhaus.org*2
+			 list.dnswl.org*-5
+#                        
+# default: postscreen_dnsbl_action = ignore
+postscreen_dnsbl_action = enforce
+# Django : 2014-10-29 - POST 220 GREETING TESTS
+#
+# default: postscreen_dnsbl_whitelist_threshold = 0
+postscreen_dnsbl_whitelist_threshold = -1
+#
+# default: postscreen_pipelining_enable = no
+postscreen_pipelining_enable = yes
+#
+# default: postscreen_pipelining_action = enforce
+#
+# default: postscreen_non_smtp_command_enable = no
+postscreen_non_smtp_command_enable = yes
+# default: postscreen_non_smtp_command_action = drop
+#
+# default: postscreen_bare_newline_enable = no
+postscreen_bare_newline_enable = yes
+#
+# default: postscreen_bare_newline_action = ignore
+postscreen_bare_newline_action = drop
+#