postfix: implement SPF validation

994ef517 · Lars Beckers · eca98869 · 994ef517 · 994ef517 · 994ef517
Commit 994ef517 authored 5 years ago by Lars Beckers
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -43,6 +43,8 @@ postfix_transport_maps: []
 #    protocol: smtp
 #    use_mx: true
+postfix_verify_spf: false
+postfix_verify_spf_testmode: true
 # Note: This requires at least buster-backports or newer.
 postfix_enable_mta_sts: false

--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -79,6 +79,7 @@
    - mail
 - import_tasks: mta-sts.yml
+- import_tasks: spf.yml
 - name: install rt-mailgate if needed
  apt:

--- a/postfix/tasks/spf.yml
+++ b/postfix/tasks/spf.yml
+---
+- name: ensure we got the SPF policy daemon installed
+  apt:
+    state: "{{ 'present' if postfix_verify_spf else 'absent' }}"
+    name: postfix-policyd-spf-python
+  notify:
+    - restart postfix
+- name: ensure the SPF policy daemon is configured
+  template:
+    src: policyd-spf.conf.j2
+    dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_verify_spf
+  notify:
+    - restart postfix
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -45,6 +45,13 @@ smtpd_relay_restrictions =
 	permit_mynetworks
 	permit_sasl_authenticated
 	defer_unauth_destination
+{% if postfix_verify_spf %}
+smtpd_recipient_restrictions=
+     permit_mynetworks
+     permit_sasl_authenticated
+     reject_unauth_destination
+     check_policy_service unix:private/policy-spf
+{% endif %}
 smtpd_use_tls = yes
 smtp_tls_security_level = may

--- a/postfix/templates/master.cf.j2
+++ b/postfix/templates/master.cf.j2
@@ -94,6 +94,11 @@ postlog   unix-dgram n  -       n       -       1       postlogd
 # maildrop. See the Postfix MAILDROP_README file for details.
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
+{% if postfix_verify_spf %}
+policy-spf unix -       n       n       -       0       spawn
+  user=nobody argv=/usr/bin/policyd-spf
+{% endif %}
 {% if not postfix_satellite_only %}
 dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}

--- a/postfix/templates/policyd-spf.conf.j2
+++ b/postfix/templates/policyd-spf.conf.j2
+#  For a fully commented sample config file see policyd-spf.conf.commented
+debugLevel = 1
+TestOnly = {{ '1' if postfix_verify_spf_testmode else '0' }}
+HELO_reject = Fail
+Mail_From_reject = Fail
+PermError_reject = False
+TempError_Defer = False
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1