Commit
bf8cf986
authored
Feb 04, 2020
by
Lars Beckers
postfix: implement SPF validation
parent
e1a2ad7e
Changes
6
postfix/defaults/main.yml
...
...
@@ -43,6 +43,8 @@ postfix_transport_maps: []
# protocol: smtp
# use_mx: true
postfix_verify_spf
:
false
postfix_verify_spf_testmode
:
true
# Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts
:
false
...
...
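Review bot: The new `postfix_verify_spf` and `postfix_verify_spf_testmode` defaults carry no comment, unlike the MTA-STS switch directly below them, so a reader cannot tell what enabling SPF with the default test mode is supposed to do. Judging by the name, test mode is meant to evaluate SPF without rejecting mail; I would state that above the two variables, e.g. `# SPF checking of inbound mail; with testmode enabled results are only recorded, nothing is rejected.` Blank lines of this hunk appear to have been lost in the rendering, so the exact placement is inferred.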
postfix/tasks/main.yml
...
...
@@ -79,6 +79,7 @@
-
mail
-
import_tasks
:
mta-sts.yml
-
import_tasks
:
spf.yml
-
name
:
install rt-mailgate if needed
apt
:
...
...
postfix/tasks/spf.yml
0 → 100644
---
-
name
:
ensure we got the SPF policy daemon installed
apt
:
state
:
"
{{
'present'
if
postfix_verify_spf
else
'absent'
}}"
name
:
postfix-policyd-spf-python
notify
:
-
restart postfix
-
name
:
ensure the SPF policy daemon is configured
template
:
src
:
policyd-spf.conf.j2
dest
:
/etc/postfix-policyd-spf-python/policyd-spf.conf
owner
:
root
group
:
root
mode
:
'
0644'
when
:
postfix_verify_spf
notify
:
-
restart postfix
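Review bot: When `postfix_verify_spf` is false the first task resolves to `state: absent`, which removes the package but leaves `/etc/postfix-policyd-spf-python/policyd-spf.conf` on the host, because the template task is only skipped and apt does not purge by default. If a clean rollback is wanted, add `purge: true` to the apt task. A short comment on that task saying it also uninstalls the daemon when the feature is off would make the templated `state` easier to spot.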
postfix/templates/main.cf.j2
...
...
@@ -45,6 +45,13 @@ smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
{% if postfix_verify_spf %}
smtpd_recipient_restrictions=
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:private/policy-spf
{% endif %}
smtpd_use_tls = yes
smtp_tls_security_level = may
...
...
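Review bot: The added `smtpd_recipient_restrictions` block calls `check_policy_service unix:private/policy-spf` but does not raise the time limit of that spawn service. The policyd-spf setup notes ask for a per-service limit in main.cf so Postfix does not kill the daemon while an SMTP session is still open. Inside the same `{% if postfix_verify_spf %}` block I would add `policy-spf_time_limit = 3600s`, with the name matching the master.cf entry. Separately, this list uses `reject_unauth_destination` while `smtpd_relay_restrictions` just above uses `defer_unauth_destination`; a one-line comment on which behaviour is intended would help.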
postfix/templates/master.cf.j2
...
...
@@ -94,6 +94,11 @@ postlog unix-dgram n - n - 1 postlogd
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
{% if postfix_verify_spf %}
policy-spf unix - n n - 0 spawn
user=nobody argv=/usr/bin/policyd-spf
{% endif %}
{% if not postfix_satellite_only %}
dovecot unix - n n - - pipe
flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
...
...
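Review bot: The `policy-spf` spawn entry runs the daemon as `user=nobody`, an account other services on the host may share, so a fault in the SPF parser would not be isolated from whatever else runs under it. The Debian package normally provides a dedicated `policyd-spf` account (worth confirming on the targeted release); if it exists, prefer `user=policyd-spf argv=/usr/bin/policyd-spf`. A comment next to the entry noting that the service name must match the `check_policy_service unix:private/policy-spf` reference in main.cf would also help the next editor.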
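--- /dev/null
+++ b/postfix/templates/policyd-spf.conf.j2
+# For a fully commented sample config file see policyd-spf.conf.commented
+debugLevel = 1
+TestOnly = {{ '1' if postfix_verify_spf_testmode else '0' }}
+HELO_reject = Fail
+Mail_From_reject = Fail
+PermError_reject = False
+TempError_Defer = False
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1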
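Review bot: The `TestOnly` line looks inverted. As I read the policyd-spf.conf documentation, `TestOnly = 1` is the normal enforcing default and test-only mode is switched on with `TestOnly = 0`. With the default `postfix_verify_spf_testmode: true` this template would then write the enforcing value, and `HELO_reject = Fail` / `Mail_From_reject = Fail` would reject mail during what is meant to be a dry run. If that reading holds for the packaged version, the line should be `TestOnly = {{ '0' if postfix_verify_spf_testmode else '1' }}`, with a comment noting the counter-intuitive meaning.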