diff --git a/dovecot/templates/conf.d/10-ssl.conf.j2 b/dovecot/templates/conf.d/10-ssl.conf.j2
index a46162095dd4b9774872b6305012efa02a492566..baa1b401f20ca087249746f4ff0a8ef9cfb48b40 100644
--- a/dovecot/templates/conf.d/10-ssl.conf.j2
+++ b/dovecot/templates/conf.d/10-ssl.conf.j2
@@ -81,4 +81,4 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
 
 # SSL extra options. Currently supported options are:
 #   no_compression - Disable compression.
-#ssl_options =
+ssl_options = no_compression
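Review bot: `ssl_options = no_compression` is hard-coded, while the rest of this template derives its TLS settings from role variables (the hunk header shows `dovecot_tls_prefer_server_ciphers`); rendering it from a role default instead, e.g. `ssl_options = {{ dovecot_tls_ssl_options }}` with a constructed default of `no_compression`, keeps the file consistent and lets a host add further options without editing the template. The comment above still lists the accepted values, so it can stay as the documentation of what that variable may contain.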
diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml
index 7d3cd45a29beb50b945ef5b94502b7bed351bcc1..1b8e12d5b15303db5f7f33f104ebc547cbbc61dc 100644
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -43,6 +43,9 @@ postfix_transport_maps: []
 #    protocol: smtp
 #    use_mx: true
 
+# Note: This requires at least buster-backports or newer.
+postfix_enable_mta_sts: false
+
 postfix_my_networks: []
 postfix_notify_classes: []
 postfix_satellite_only: false
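Review bot: The comment on `postfix_enable_mta_sts` says the feature needs buster-backports, but nothing in the role enables that source or pins `postfix-mta-sts-resolver` to it, so switching the flag on for a plain buster host leaves the apt task in tasks/mta-sts.yml to fail; either state that providing the backports source is the operator's job or have the role add it. The default would also benefit from saying what the flag actually does, e.g. `# Install postfix-mta-sts-resolver and route outbound TLS policy lookups through it (smtp_tls_policy_maps); needs buster-backports or newer.`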
diff --git a/postfix/files/mta-sts-daemon.yml b/postfix/files/mta-sts-daemon.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1e79d6b33d886c955623fa6cbd782d94b3776d9a
--- /dev/null
+++ b/postfix/files/mta-sts-daemon.yml
@@ -0,0 +1,20 @@
+---
+path: "/var/spool/postfix/mta-sts/mta-sts.sock"
+# yamllint disable-line rule:octal-values
+mode: 0666
+# host: 127.0.0.1
+# port: 8461
+reuse_port: true
+cache_grace: 60
+shutdown_timeout: 5
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"
+default_zone:
+  strict_testing: false
+  timeout: 4
+# zones:
+#   myzone:
+#     strict_testing: false
+#     timeout: 4
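Review bot: `mode: 0666` for the socket is world-writable on its own and is only acceptable because the parent directory is created as `0770 postfix _mta-sts` in postfix/files/mta-sts-tmpfiles.conf; that cross-file coupling should be stated next to the value, e.g. `# world-accessible socket; reachability is limited by the 0770 postfix:_mta-sts directory from mta-sts-tmpfiles.conf`. The unquoted `0666` is a YAML 1.1 octal that a 1.2 loader would read as decimal 666, so the yamllint suppression deserves a word on why the value must stay in this form — assuming the daemon reads the file with a 1.1 loader, which I cannot confirm from the diff. `reuse_port: true` only affects the TCP listener, which is commented out here, so it is dead configuration and could go.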
diff --git a/postfix/files/mta-sts-override.conf b/postfix/files/mta-sts-override.conf
new file mode 100644
index 0000000000000000000000000000000000000000..80ca794ab85a912ea8eb2fb9d3979d258f2e1fed
--- /dev/null
+++ b/postfix/files/mta-sts-override.conf
@@ -0,0 +1,2 @@
+[Service]
+ReadWritePaths=/var/spool/postfix/mta-sts
diff --git a/postfix/files/mta-sts-tmpfiles.conf b/postfix/files/mta-sts-tmpfiles.conf
new file mode 100644
index 0000000000000000000000000000000000000000..919c4149bd10bc7648942e22174ac348b810ab6c
--- /dev/null
+++ b/postfix/files/mta-sts-tmpfiles.conf
@@ -0,0 +1 @@
+d /var/spool/postfix/mta-sts 0770 postfix _mta-sts - -
diff --git a/postfix/handlers/main.yml b/postfix/handlers/main.yml
index 5421edf3c84b367b23a0a1262ee7765fe058a7bb..3e156d74a5f75dcb92afbbb8c65488197d014a05 100644
--- a/postfix/handlers/main.yml
+++ b/postfix/handlers/main.yml
@@ -1,11 +1,20 @@
 ---
 
+- name: create tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd service files
+  systemd: daemon_reload=true
+
 - name: restart postfix
   service: name=postfix state=restarted
 
 - name: restart memcached
   service: name=memcached state=restarted
 
+- name: restart mta-sts resolver
+  service: name=postfix-mta-sts-resolver state=restarted
+
 - name: postmap system
   command: postalias cdb:/etc/aliases
 
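Review bot: `command: systemd-tmpfiles --create` in the new `create tmpfiles` handler re-applies every tmpfiles.d fragment on the host rather than the one this role drops; scoping it, `command: systemd-tmpfiles --create /etc/tmpfiles.d/mta-sts.conf`, keeps the handler's effect matched to its trigger. Handlers also run in the order they are defined in this file, so `restart postfix` fires before `restart mta-sts resolver`; when both are notified in one run, Postfix comes back up before the resolver socket it is pointed at is re-created, a short window that disappears if the resolver handler is defined above `restart postfix`. The `daemon_reload=true` shorthand matches the existing `key=value` style of this file, so no change is proposed there.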
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml
index e9a0386c171c27433e068fda509371258fcd1d43..fb14d196e91a5effd8c98a40ebe7b12b84b18a3f 100644
--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -78,6 +78,8 @@
     - postfix
     - mail
 
+- import_tasks: mta-sts.yml
+
 - name: install rt-mailgate if needed
   apt:
     name: rt4-clients
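Review bot: The new `- import_tasks: mta-sts.yml` carries no `tags`, while the neighbouring tasks in this file are tagged (the `- postfix` / `- mail` context lines above it, presumably a `tags:` list); because `import_tasks` is static, a run limited with `--tags postfix` would skip the whole MTA-STS file. Tag the import to match: `- import_tasks: mta-sts.yml` followed by `  tags: [postfix, mail]`. A `name:` on the import would also make it readable in play output.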
diff --git a/postfix/tasks/mta-sts.yml b/postfix/tasks/mta-sts.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7f87546125fa26afaa4fdc235de507a8b3a105c1
--- /dev/null
+++ b/postfix/tasks/mta-sts.yml
@@ -0,0 +1,74 @@
+---
+
+- name: ensure we got the MTA-STS resolver software installed
+  apt:
+    state: "{{ 'present' if postfix_enable_mta_sts else 'absent' }}"
+    name: postfix-mta-sts-resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (tmpfiles)
+  copy:
+    src: mta-sts-tmpfiles.conf
+    dest: /etc/tmpfiles.d/mta-sts.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - create tmpfiles
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (overrideable)
+  file:
+    state: directory
+    path: /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    owner: root
+    group: root
+    mode: '0755'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (service)
+  copy:
+    src: mta-sts-override.conf
+    dest: /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+- name: ensure MTA-STS resolver overrides are deconfigured when disabled
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    - /etc/tmpfiles.d/mta-sts.conf
+  when: not postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+
+- name: ensure the MTA-STS resolver is configured
+  copy:
+    src: mta-sts-daemon.yml
+    dest: /etc/mta-sts-daemon.yml
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - restart mta-sts resolver
+
+- name: ensure the MTA-STS resolver is up and running
+  service:
+    name: postfix-mta-sts-resolver
+    enabled: "{{ postfix_enable_mta_sts|string }}"
+    state: "{{ 'started' if postfix_enable_mta_sts else 'stopped' }}"
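Review bot: The last task, `ensure the MTA-STS resolver is up and running`, runs unconditionally, so with the default `postfix_enable_mta_sts: false` it asks the service module to stop and disable `postfix-mta-sts-resolver` on a host where the apt task at the top has just removed the package; Ansible's systemd backend fails on a unit it cannot find, which would likely break the role on every host that does not opt in. Package removal already stops the unit, so the task can be guarded like the others: `when: postfix_enable_mta_sts` with `enabled: true` and `state: started`. The `|string` filter on `enabled` is unnecessary either way, since the module takes a boolean. The deconfigure task should also list `/etc/mta-sts-daemon.yml`, which is otherwise left behind when the feature is turned off.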
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index 6afd5c31c2d7b31427a1ba24c39a6bf45479298c..784102c9d1c32818ba0de246546d2276ab01ed75 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -47,12 +47,17 @@ smtpd_relay_restrictions =
 	defer_unauth_destination
 
 smtpd_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = {{ postfix_tls_cert }}
 smtpd_tls_key_file = {{ postfix_tls_key }}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+{% if postfix_enable_mta_sts %}
+smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
+{% endif %}
 {% if not postfix_satellite_only %}
 smtpd_tls_protocols = {{ postfix_tls_protocols }}
 smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
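Review bot: Once `smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix` is in place, every outbound delivery consults the resolver socket, and a failed socketmap lookup is a table error that Postfix answers by deferring the mail rather than falling back to `may`; that makes the resolver an availability dependency for all outbound mail and deserves a comment in the template, e.g. `# policy lookups go through postfix-mta-sts-resolver; if its socket is down, deliveries defer`. The socket path is relative to the queue directory, which suits the chrooted `smtp` client on Debian but would need revisiting if master.cf un-chroots it. `smtp_tls_CAfile` is the right companion for the verified policies the resolver returns, so that part looks complete.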
@@ -74,6 +79,7 @@ tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
 {% if postfix_tls_dh_file %}
 smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
 {% endif %}
+tls_ssl_options = NO_COMPRESSION
 {% endif %}
 
 alias_maps = cdb:/etc/aliases
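Review bot: `tls_ssl_options = NO_COMPRESSION` sits just before an `{% endif %}` that, judging from the `{% if not postfix_satellite_only %}` opened in the previous hunk, appears to close the satellite guard; since this parameter applies to both the smtpd server and the smtp client, a satellite-only host would keep TLS compression enabled on its outbound connections. If that `{% endif %}` does close the satellite guard, move the line outside it, next to the unconditional `smtp_tls_security_level = may` added above. A short comment that this is defence in depth would help too, since most current OpenSSL builds already disable TLS compression by default.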
diff --git a/postfix/templates/postscreen_access.cidr.j2 b/postfix/templates/postscreen_access.cidr.j2
index fda2bec12e8079b660b6eb428bde723530a7300b..e0b48caef75c8c89e00000dd00546dbb3de8056e 100644
--- a/postfix/templates/postscreen_access.cidr.j2
+++ b/postfix/templates/postscreen_access.cidr.j2
@@ -20,11 +20,11 @@
 {% endif %}
 {% if 'mx' in net %}
 {{ net.mx|comment('plain', prefix='', postfix='') }}
-{% for mx in q('dig', net.mx, 'qtype=MX') %}
-{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=A') %}
+{% for mx in q('dig', net.mx, 'qtype=MX')|sort %}
+{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=A')|sort %}
 {{ addr }}	{{ net.action|default('dunno') }}
 {% endfor %}
-{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=AAAA') %}
+{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=AAAA')|sort %}
 {{ addr }}	{{ net.action|default('dunno') }}
 {% endfor %}
 {% endfor %}
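Review bot: Sorting the `q('dig', ...)` results makes the rendered table stable between runs, but the loops still emit whatever the lookup returns, and depending on the Ansible version the dig plugin reports a failed query as the string `NXDOMAIN` rather than an empty list; that would put a line like `NXDOMAIN<TAB>dunno` into a cidr table and break postscreen's access map. Filtering with `|reject('equalto', 'NXDOMAIN')` before `|sort` on both address loops keeps the table clean. This predates the change, but the sorted loops are the natural place to add it.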