Commit bf8cf986 authored by Lars Beckers's avatar Lars Beckers

postfix: implement SPF validation

parent e1a2ad7e
......@@ -43,6 +43,8 @@ postfix_transport_maps: []
# protocol: smtp
# use_mx: true
postfix_verify_spf: false
postfix_verify_spf_testmode: true
# Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts: false
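Review bot: The new `postfix_verify_spf_testmode: true` default is undocumented, and combined with the rendered policyd-spf.conf it means that switching `postfix_verify_spf` to true on its own only logs SPF results and rejects nothing; a reader of this defaults file cannot tell that from the two keys alone. Add a comment above `postfix_verify_spf`: `# SPF checking of inbound mail via postfix-policyd-spf-python.` / `# testmode=true only logs results (TestOnly=1); set false to reject HELO/MAIL FROM hard fails.` The existing "buster-backports" note sits between the new keys and `postfix_enable_mta_sts` and presumably belongs to MTA-STS, so keep the new comment directly above the SPF keys to avoid the two being read together.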
......@@ -79,6 +79,7 @@
- mail
- import_tasks: mta-sts.yml
- import_tasks: spf.yml
- name: install rt-mailgate if needed
apt:
---
- name: ensure we got the SPF policy daemon installed
apt:
state: "{{ 'present' if postfix_verify_spf else 'absent' }}"
name: postfix-policyd-spf-python
notify:
- restart postfix
- name: ensure the SPF policy daemon is configured
template:
src: policyd-spf.conf.j2
dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
owner: root
group: root
mode: '0644'
when: postfix_verify_spf
notify:
- restart postfix
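Review bot: Disabling `postfix_verify_spf` removes the package through `state: absent` on the first task, but the rendered `/etc/postfix-policyd-spf-python/policyd-spf.conf` stays on disk because the template task is merely skipped when the flag is false, so the host keeps configuration for a service the role claims to have turned off. Add a removal task so the rendered state follows the variable in both directions. The template task also notifies `restart postfix`; the config file is read by each `policyd-spf` process that Postfix spawns, so a restart is presumably not needed for a config-only change — confirm and drop that notify if so.
```yaml
# … unchanged: install/remove and template tasks …
- name: ensure the SPF policy daemon configuration is removed when disabled
  file:
    path: /etc/postfix-policyd-spf-python/policyd-spf.conf
    state: absent
  when: not postfix_verify_spf
```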
......@@ -45,6 +45,13 @@ smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
{% if postfix_verify_spf %}
smtpd_recipient_restrictions=
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:private/policy-spf
{% endif %}
smtpd_use_tls = yes
smtp_tls_security_level = may
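Review bot: `smtpd_recipient_restrictions=` on the first line inside the `{% if postfix_verify_spf %}` block lacks the ` = ` spacing every other parameter in this file uses; write `smtpd_recipient_restrictions =` for consistency. The ordering itself is sound and worth a comment, since `check_policy_service unix:private/policy-spf` comes after `permit_mynetworks`, `permit_sasl_authenticated` and `reject_unauth_destination`, so trusted and authenticated clients and rejected relay attempts never reach the policy daemon: add `# SPF is consulted last so only mail already accepted for a valid destination costs a policy lookup` above the list. The socket name has to match the `policy-spf` service name in master.cf, and because the service is spawn(8)-based its per-transport `policy-spf_time_limit` (default `command_time_limit`, 1000s) can be raised if long-lived policy connections are wanted — optional, but a comment pointing at the master.cf stanza helps the next reader.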
......@@ -94,6 +94,11 @@ postlog unix-dgram n - n - 1 postlogd
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
{% if postfix_verify_spf %}
policy-spf unix - n n - 0 spawn
user=nobody argv=/usr/bin/policyd-spf
{% endif %}
{% if not postfix_satellite_only %}
dovecot unix - n n - - pipe
flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
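Review bot: The new `policy-spf` spawn service runs as `user=nobody`, an account shared with other unprivileged daemons on the host, which defeats isolating the DNS-querying policy process from whatever else runs as `nobody`; prefer a dedicated service account — the Debian package documents a `policyd-spf` user for exactly this stanza (verify it exists on the target release before relying on it). The maxproc field of `0` is unbounded; in practice the number of policy processes is tied to the number of smtpd processes, so this is acceptable, but a comment saying so avoids it being read as a mistake. Suggested lines: `policy-spf unix - n n - 0 spawn` / `user=policyd-spf argv=/usr/bin/policyd-spf`, preceded by `# SPF policy daemon, one process per smtpd session; a failing service defers mail (smtpd_policy_service_default_action) rather than accepting it`.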
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 1
TestOnly = {{ '1' if postfix_verify_spf_testmode else '0' }}
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
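Review bot: `HELO_reject = Fail` and `Mail_From_reject = Fail` only take effect once `TestOnly` renders to 0, which is not the role's default, and nothing in this template says so; add above `TestOnly`: `# 1 = log SPF results only (role default); 0 = enforce the *_reject settings below`. `skip_addresses` exempts only loopback, so if this host receives inbound mail from an upstream relay that is not in `mynetworks`, SPF is evaluated against the relay's address and legitimate mail hard-fails as soon as test mode is switched off — presumably not the deployment here, but it should be confirmed before disabling testmode, and a role variable feeding extra entries into `skip_addresses` would be the usual fix. `Fail` for HELO is also more lenient than the daemon's documented `SPF_Not_Pass` default; a one-line comment on why only hard fails are rejected (and why `PermError_reject`/`TempError_Defer` are off) would help the next maintainer.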