diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml
index ffb8ec04..18fe7488 100644
--- a/host_vars/redisdead.adm.crans.org.yml
+++ b/host_vars/redisdead.adm.crans.org.yml
@@ -33,3 +33,104 @@ loc_service_certbot: name: certbot_adm_challenge. secret: "{{ vault.certbot_adm_dns_secret }}" algorithm: HMAC-SHA512 + +postfix: + hostname: redisdead.crans.org + shortname: redisdead + domain: crans.org + origin: crans.org + my_networks: "185.230.79.0/26, 172.16.3.0/24, 172.16.10.0/24, 185.230.78.0/24, 100.64.0.0/16, [2a0c:700:2::]/64, [2a0c:700:3::]/64, [fd00:0:0:10::]/64, [2a0c:700:12::]/64, [2a0c:700:13::]/64" + destination: "$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu" + relay: "lists.$mydomain" + transport: + - method: smtp + comment: "Les mailing-listes sont délivrées localement" + params: "[172.16.10.110]" + targets: [lists.crans.org] + - method: smtp + comment: "Les mails sont délivrés par le serveur des adhérents" + params: "[172.16.10.31]" + targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr] + - method: slow + comment: "Microsoft nique ta mère :'(" + params: "[172.16.10.32]" + targets: [hotmail.com, hotmail.fr, outlook.com, outlook.fr, live.com, live.fr, live.it] + - method: slow + comment: "SMTP relous" + targets: [wanadoo.com, wanadoo.fr, orange.com, orange.fr, ens-cachan.fr, ens-paris-saclay.fr, free.fr, laposte.net] + aliases: /var/local/services/mail/generated/aliases + virtual: /var/local/services/mail/generated/virtual + tls: + cert: /etc/letsencrypt/live/crans.org/fullchain.pem + key: /etc/letsencrypt/live/crans.org/privkey.pem + sasl: true + smtp: + sender_login_maps: + - {entry: "@crans.org", owner: root} + - {entry: "@crans.fr", owner: root} + - {entry: "@crans.eu", owner: root} + submission: + sasl: + path: inet:172.16.10.126:4242 + sender_login_maps: hash:/var/local/services/mail/generated/loginmap + policy: true + mime_header_checks: + - regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/' + action: 'REJECT Content blocked : 
possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.' + # - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/' + action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.' + milter: true + postscreen: + - comment: "Nice peoples" + verdict: permit + targets: ["127.0.0.1","185.230.76.0/22","185.230.79.40","172.16.10.0/24","82.225.39.54","91.121.179.40","46.105.102.188","fd00:0:0:10::/64","fd00:0:0:11::/64","2a0c:700:0:2::/64","2a0c:700:0:3::/64","2a0c:700:0:12::/64","2a0c:700:0:13::/64","2a0c:700:0:21::/64","2a0c:700:0:22::/64","2a0c:700:0:23::/64","2a0c:700:0:24::/64","2a0c:700:2::ff:fe01:1002"] + - comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015" + verdict: reject + targets: ["149.202.29.192/28","37.187.141.230","2001:41d0:a:4ce6::/64"] + - comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?" 
+ verdict: reject + targets: ["37.187.132.105","92.222.109.0/27"] + - comment: "mail.alkar.net spam le 26/06/2016" + verdict: reject + targets: ["195.248.191.95"] + - comment: "mail.testfast.eu spam en juin 2016" + verdict: reject + targets: ["176.20.27.0/24"] + - comment: "Spam depuis des adresses en .ua" + verdict: reject + targets: ["91.194.84.10","213.186.200.70","185.117.89.15","62.141.42.44"] + - comment: "installio.co.ua" + verdict: reject + targets: ["217.79.181.5"] + - comment: Scam + verdict: reject + targets: ["180.137.106.59","169.255.7.5","110.159.122.90","37.104.198.10","46.62.146.206"] + - comment: "Spam alcoolisme 16/09/2018" + verdict: reject + targets: ["46.249.59.89"] + - comment: 'Spam "Pastoral shit"' + verdict: reject + targets: ["198.84.107.98","198.84.74.66","104.168.178.132","104.168.178.156","158.69.253.33"] + - comment: "Spam overdue payment" + verdict: reject + targets: ["193.56.28.114"] + - comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient." + verdict: reject + targets: ["94.242.206.15","91.188.222.33"] + - comment: "Et les russes ils dégagent aussi" + verdict: reject + targets: ["185.50.149.0/24"] + - comment: "2021/11/13: vague de spam" + verdict: reject + targets: ["139.162.150.93","130.255.78.23","85.171.248.149","37.59.38.218"] + recipient_access: + - {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."} + - {entry: "crans.org", action: OK} + - {entry: "crans.fr", action: OK} + - {entry: "crans.eu", action: OK} + client_checks: + - {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!} + - {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!} + - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!} + - {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans} + client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64, 185.230.79.0/26, [2a0c:700:2::]/64" 
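Review bot: The second `action: 'REJECT Content blocked : …'` under `mime_header_checks` is left uncommented although its `# - regex:` line is commented out, so it either becomes a duplicate `action` key of the first list item (Ansible warns and keeps the last value; here the strings happen to be identical) or a parse error, depending on its exact indentation — comment it out together with the regex. In `client_checks`, `ACCEPT Coucou les serveurs du crans` is, as far as I can tell, not an action defined in access(5); Postfix treats an unknown result as a restriction name and answers matching clients with a 451 configuration error, so use `OK` as the `recipient_access` entries already do. The IPv6 networks are also spelled two different ways: `my_networks` and `client_event_limit_exceptions` use `[2a0c:700:2::]/64` … `[2a0c:700:13::]/64`, while the postscreen permit list uses `2a0c:700:0:2::/64` … `2a0c:700:0:13::/64` (and one host in the first form, `2a0c:700:2::ff:fe01:1002`); these are different /64s, and since mynetworks grants relaying, confirm which prefix is the real one and use it consistently.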
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 7239b9fb..972141b4 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -21,9 +21,7 @@ - transport - mime_header_checks - recipient_access - - sender_login_maps - postscreen_access.cidr - - sasl/smtpd.conf - client_checks notify: - generate postmaps @@ -36,8 +34,8 @@ - name: Reload postfix after certificate renewal template: - src: letsencrypt/renewal-hooks/deploy/reload-postfix.sh.j2 - dest: /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh + src: letsencrypt/renewal-hooks/post/postfix.j2 + dest: /etc/letsencrypt/renewal-hooks/post/postfix mode: 0755 - name: Indicate role in motd diff --git a/roles/postfix/templates/letsencrypt/renewal-hooks/deploy/reload-postfix.sh.j2 b/roles/postfix/templates/letsencrypt/renewal-hooks/deploy/reload-postfix.sh.j2 deleted file mode 100644 index 5dc4bd46..00000000 --- a/roles/postfix/templates/letsencrypt/renewal-hooks/deploy/reload-postfix.sh.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -systemctl reload postfix diff --git a/roles/postfix/templates/letsencrypt/renewal-hooks/post/postfix.j2 b/roles/postfix/templates/letsencrypt/renewal-hooks/post/postfix.j2 new file mode 100644 index 00000000..5d16865f --- /dev/null +++ b/roles/postfix/templates/letsencrypt/renewal-hooks/post/postfix.j2 @@ -0,0 +1,2 @@ +#!/bin/bash +service postfix reload diff --git a/roles/postfix/templates/postfix/client_checks.j2 b/roles/postfix/templates/postfix/client_checks.j2 index 7b4fced4..49f2d068 100644 --- a/roles/postfix/templates/postfix/client_checks.j2 +++ b/roles/postfix/templates/postfix/client_checks.j2 @@ -1,3 +1,5 @@ {{ ansible_header | comment }} -185.50.149.0/24 REJECT Spammers are not welcome here! +{% for item in postfix.client_checks %} +{{ item.entry }} {{ item.action }} +{% endfor %} 
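Review bot: `sender_login_maps` is removed from the list of generated postmaps, but main.cf.j2 in this same commit still emits `smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps` whenever `postfix.smtp.sender_login_maps` is defined (which redisdead's host_vars does), so that file is referenced without being produced by the role any more; either keep the item or drop the main.cf reference. The remaining items (`transport`, `mime_header_checks`, `recipient_access`, `postscreen_access.cidr`, `client_checks`) are still rendered unconditionally, while their templates now iterate `postfix.transport`, `postfix.mime_header_checks`, `postfix.recipient_access`, `postfix.postscreen`, `postfix.client_checks` with no `is defined` guard and main.cf only references the files conditionally, so a host that omits one of those keys presumably fails at this task rather than simply not getting the file; skip the item when its key is undefined, or wrap each template body in `{% if … is defined %}`. The task this list belongs to starts before the hunk.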
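Review bot: Moving the hook from `renewal-hooks/deploy/` to `renewal-hooks/post/` changes when it runs, not only its path: certbot runs post hooks after every renewal attempt, including a failed one, whereas deploy hooks run once per certificate that was actually renewed, so postfix is now reloaded even when no new certificate was installed. The new script also drops the `{{ ansible_header | comment }}` line the old one carried, so the file no longer advertises that it is managed by Ansible. If a post hook is really intended, say so at the top of the script, e.g. `# post hook: reload after every renewal attempt, even if nothing was renewed`; otherwise keep it under `deploy/`.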
diff --git a/roles/postfix/templates/postfix/main.cf.j2 b/roles/postfix/templates/postfix/main.cf.j2
index 74dd64d6..3afefdbd 100644
--- a/roles/postfix/templates/postfix/main.cf.j2
+++ b/roles/postfix/templates/postfix/main.cf.j2
@@ -6,44 +6,37 @@ # +------------------+ # Definition par securite (sinon il utilise gethostname) -myhostname = {{ ansible_hostname }}.crans.org -mydomain = crans.org +myhostname = {{ postfix.hostname }} +mydomain = {{ postfix.domain }} # Origine des mails -myorigin = crans.org +myorigin = {{ postfix.origin }} # Reseaux locaux mynetworks = 127.0.0.0/8, [::1]/128 -{% if postfix.primary or postfix.secondary %} - 138.231.136.0/21, 185.230.79.0/24, 185.230.77.0/24, 185.230.76.0/24, 185.230.78.0/24, 10.53.0.0/19, 10.54.0.0/19, [2a0c:700:0:1::]/64, [2a0c:700:0:22::]/64, [2a0c:700:0:21::]/64, [2a0c:700:0:23::]/64, [2a0c:700:0:24::]/64, 10.231.136.0/24, [2a0c:700:0:2::]/64 -{% else %} - 10.231.136.0/24, [2a0c:700:0:2::]/64 -{% endif %} + {{ postfix.my_networks }} # Destinations acceptees -mydestination = {{ ansible_hostname }}, $myhostname, localhost, localhost.$mydomain -{% if postfix.primary or not postfix.secondary %} - $mydomain, crans.fr, crans.eu +{% if postfix.destination is defined %} +mydestination = {{ postfix.shortname }}, $myhostname, localhost, localhost.$mydomain + {{ postfix.destination }} {% endif %} # Domaine relaye par ce MX +{% if postfix.relay is defined %} relay_domains = $mydestination - lists.$mydomain -{% if postfix.secondary %} - $mydomain, crans.fr, crans.eu + {{ postfix.relay }} {% endif %} # Etre notifie ou non de l'arrive de nouveaux mails -{% if postfix.primary or postfix.secondary %} -biff = no -{% else %} -biff = yes +biff = {% if postfix.biff is defined and postfix.biff %}yes{% else %}no{% endif %} +{% if postfix.deliver is defined %} +# On delivre dans des maildir +mail_spool_directory = {{ postfix.deliver.spool }} {% endif %} + # Pour pouvoir tester sans tout casser, on active les soft bounces. # Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais # a la place, de renvoyer une erreur non permanente. En production # il faut enlever ca. 
soft_bounce = no -{% if not postfix.primary and not postfix.secondary %} -# On delivre dans des maildir -mail_spool_directory = /home/mail/ -{% endif %} +# smtpd_reject_unlisted_sender = yes # +--------+ # | Divers | # +--------+ @@ -51,21 +44,24 @@ mail_spool_directory = /home/mail/ delay_warning_time = 24h # Esthetisme smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +{% if postfix.transport is defined %} # Par ou passer (notement pour la distrtibution des adresse # locales par le serveur des adherents) transport_maps = hash:/etc/postfix/transport +{% endif %} # Une infinite d'adresses mail par personne recipient_delimiter = + # +-----------------+ # | Bases d'adresse | # +-----------------+ # Les fichiers d'alias (pour newaliases) -alias_database = hash:/var/local/re2o-services/mail-server/generated/aliases +alias_database = hash:{{ postfix.aliases }} alias_maps = $alias_database # On prend aussi en compte les utilisateurs de /etc/passwd -local_recipient_maps = $alias_maps unix:passwd.byname +local_recipient_maps = $alias_maps +# unix:passwd.byname # Les anciennes ML @crans.org, @crans.ens-cachan.fr -> @lists.crans.org -virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual +virtual_alias_maps = hash:{{ postfix.virtual }} # +-------------+ # | TLS et SASL | @@ -74,8 +70,8 @@ virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual # TLS pour la reception smtpd_use_tls=yes smtpd_tls_security_level=may -smtpd_tls_cert_file=/etc/letsencrypt/live/crans.org/fullchain.pem -smtpd_tls_key_file=/etc/letsencrypt/live/crans.org/privkey.pem +smtpd_tls_cert_file={{ postfix.tls.cert }} +smtpd_tls_key_file={{ postfix.tls.key }} smtpd_tls_loglevel=0 smtpd_tls_received_header=yes 
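Review bot: `mydestination` is now emitted only inside `{% if postfix.destination is defined %}`, so a host that leaves `destination` unset also loses the `{{ postfix.shortname }}, $myhostname, localhost, localhost.$mydomain` part and falls back to Postfix's built-in default; the same happens to `relay_domains = $mydestination` under `{% if postfix.relay is defined %}`. Keep the first line of each parameter unconditional and put only the continuation line inside the guard, i.e. `mydestination = {{ postfix.shortname }}, $myhostname, localhost, localhost.$mydomain` followed by `{% if postfix.destination is defined %}` / `	{{ postfix.destination }}` / `{% endif %}`, and likewise for `relay_domains`.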
@@ -94,55 +90,79 @@ smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache tls_random_source=dev:/dev/urandom +{% if postfix.submission is defined %} # Auth que si tls pour eviter des pass en clair sur le reseau smtpd_tls_auth_only=yes # Authentification SASL pour relayer du mail smtpd_sasl_auth_enable=yes +{% endif %} # +--------------------------+ # | Filtrages et limitations | # +--------------------------+ -{% if postfix.public %} smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks +{% if postfix.submission %} + permit_sasl_authenticated +{% endif %} reject_invalid_helo_hostname - reject_non_fqdn_helo_hostname +# reject_non_fqdn_helo_hostname +{% if postfix.client_checks is defined %} # Vérifie que le client n'est pas dans un / d'ips blacklistées check_client_access cidr:/etc/postfix/client_checks {% endif %} -{% if postfix.primary %} +{% if postfix.submission is defined %} submission_client_restrictions = - check_client_access cidr:/etc/postfix/client_checks -submission_relay_restrictions = - permit_sasl_authenticated - reject - +{% if postfix.client_checks is defined %} + check_client_access cidr:/etc/postfix/client_checks {% endif %} +submission_relay_restrictions = permit_sasl_authenticated + reject +{% endif %} + ## Limitation des messages envoyés par minute # On n'ignore que les messages venant d'adresses "protégées" smtpd_client_event_limit_exceptions = local_networks - 10.231.136.0/24, [2a0c:700:0:2::]/64 - # we remove the smtpd_access_maps, so that crans.org in the recipient_access does not capture subdomains -parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains + {{ postfix.client_event_limit_exceptions }} +# we remove the smtpd_access_maps, so that crans.org in the recipient_access does not capture subdomains +parent_domain_matches_subdomains = 
debug_peer_list,fast_flush_domains#,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,mynetworks # On limite à 10 messages par minute smtpd_client_message_rate_limit = 10 -{% if postfix.public %} +{% if postfix.smtp.sender_login_maps is defined %} smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps {% endif %} ## Filtrage au MAIL FROM smtpd_sender_restrictions = permit_mynetworks -{% if postfix.public %} +{% if postfix.smtp.sender_login_maps is defined %} # Si pas authentifié pour un domaine de smtpd_sender_login_maps # on dégage. Si authentifié, on envoit même si c'est du spoof # interne. - reject_unauthenticated_sender_login_mismatch +# Option commentée le 28 octobre 2021 par shirenn suite à un mail sur +# nounou@lists.crans.org. Dans le cas des mails externes qui redirige vers le +# crans (au niveau du MTA), le serveur renvoit une erreur disant que +# l'utilisateur n'est pas authentifiée ce qui n'est pas le comportement +# attendu. +# reject_unauthenticated_sender_login_mismatch {% endif %} reject_non_fqdn_sender reject_unknown_sender_domain reject_unlisted_sender +{% if postfix.submission.sender_login_maps is defined %} + +submission_sender_login_maps = {{ postfix.submission.sender_login_maps }} +{% endif %} +{% if postfix.submission is defined %} +submission_sender_restrictions = permit_mynetworks +# Pareil que plus haut: des redirections posent problème +# reject_unauthenticated_sender_login_mismatch + reject_non_fqdn_sender + reject_unknown_sender_domain + reject_unlisted_sender +# reject_sender_login_mismatch +{% endif %} ## Dit à postfix de jeter toute socket vers un serveur de policy après une ## utilisation. Il en recrée donc une nouvelle, ce qui permet d'éviter 
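Review bot: The `#` inside the new `parent_domain_matches_subdomains` value is not a comment: Postfix main.cf has no inline comments, so the rendered parameter contains the literal token `fast_flush_domains#` and the names after it (`permit_mx_backup_networks`, `qmqpd_authorized_clients`, `relay_domains`, `mynetworks`) remain in the list, which is not what a reader of the line expects; write the list you actually want on one line and move any discarded names to a `#` line of their own. Separately, the port-25 smtpd still gets `smtpd_sasl_auth_enable=yes` whenever `postfix.submission` is defined, while this commit deletes `smtpd_sasl_type = cyrus` and the `sasl/smtpd.conf` generation and sets `smtpd_sasl_type=dovecot` / `smtpd_sasl_path` only as `-o` overrides on submission and smtps in master.cf, so the main listener advertises AUTH (after STARTTLS) with no usable backend; unless port 25 is meant to accept logins, set `smtpd_sasl_auth_enable=no` here and rely on the existing `-o smtpd_sasl_auth_enable=yes` overrides. The Jinja guards are also mixed: `{% if postfix.submission %}` in smtpd_helo_restrictions and `{% if postfix.policy %}` in the next hunk test the value without `is defined`, unlike `{% if postfix.submission is defined %}` a few lines above, so a host that omits the key will presumably fail to render under Ansible's strict undefined handling (the same applies to `postfix.postscreen` and `postfix.sasl` in master.cf.j2). Lastly, with both `reject_unauthenticated_sender_login_mismatch` lines commented out, `smtpd_sender_login_maps` on port 25 no longer has any restriction consuming it; a comment saying that the map is kept for the submission ports only would stop the next reader from wondering why it is still defined.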
@@ -151,7 +171,7 @@ smtpd_sender_restrictions = permit_mynetworks smtpd_policy_service_request_limit = 1 ## Filtrage au RCPT TO smtpd_recipient_restrictions = -{% if postfix.primary %} +{% if postfix.policy %} # Test avec policyd-rate-limit pour limiter le nombre de mails par utilisateur SASL check_policy_service { unix:ratelimit/policy, default_action=DUNNO } {% endif %} 
@@ -159,52 +179,47 @@ smtpd_recipient_restrictions = permit_mynetworks # rejette les recipients sans nom de domaine totalement qualifie reject_non_fqdn_recipient -{% if postfix.public %} +{% if postfix.submission %} # permet si le client est authentifie permit_sasl_authenticated {% endif %} # rejette les destinations non locales reject_unauth_destination -{% if postfix.public %} +{% if postfix.recipient_access is defined %} # accepte si on est sur un destinaire en @crans check_recipient_access hash:/etc/postfix/recipient_access -# pour les @lists.crans.org, accepte si la greylist est d'accord - check_policy_service inet:127.0.0.1:2501 {% endif %} +# pour les @lists.crans.org, accepte si la greylist est d'accord +# check_policy_service inet:127.0.0.1:2501 # jette le reste -{% if postfix.primary %} #smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031 -{% endif %} # Tailles maximales : 20Mo pour les msgs et 75 pour les mbox message_size_limit = 20971520 mailbox_size_limit = 78643000 -# Obligation de specifier le nom de domaine complet -{% if postfix.secondary %} +{% if postfix.append_dot is defined and postfix.append_dot %} append_dot_mydomain = yes {% else %} +# Obligation de specifier le nom de domaine complet append_dot_mydomain = no {% endif %} -#Ajout de cyrus pour l'authentification SMTP -smtpd_sasl_type = cyrus +{% if postfix.mime_header_checks is defined %} # Pieces jointes mime_header_checks = regexp:/etc/postfix/mime_header_checks +{% endif %} # Transport slow slow_destination_recipient_limit = 20 slow_destination_concurrency_limit = 2 -{% if postfix.dkim %} +{% if postfix.milter is defined and postfix.milter %} # Filtrage mail milter_protocol = 2 milter_default_action = accept smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301 +{% endif %} +{% if postfix.postscreen is defined and postfix.postscreen %} -{% endif %} -{% if postfix.titanic %} -relayhost = [soyouz.adm.crans.org]:25 -{% endif %} -{% if 
postfix.primary or postfix.secondary %} # PostScreen configuration # Access List postscreen_access_list = cidr:/etc/postfix/postscreen_access.cidr @@ -238,12 +253,12 @@ postscreen_dnsbl_action = enforce ## Désactivé, pour éviter le fake greylisting de postscreen. ## Décommenter en cas de spam trop important. ## Filtre utilisé par postfix, mis en amont via postscreen -#postscreen_non_smtp_command_enable = yes -#postscreen_non_smtp_command_action = enforce -# -#postscreen_bare_newline_enable = yes -#postscreen_bare_newline_action = enforce -# -#postscreen_pipelining_enable = yes -#postscreen_pipelining_action = enforce +postscreen_non_smtp_command_enable = no +# postscreen_non_smtp_command_action = enforce + +postscreen_bare_newline_enable = no +# postscreen_bare_newline_action = enforce + +postscreen_pipelining_enable = no +# postscreen_pipelining_action = enforce {% endif %} diff --git a/roles/postfix/templates/postfix/master.cf.j2 b/roles/postfix/templates/postfix/master.cf.j2 index 04ddafd7..3ab1b91a 100644 --- a/roles/postfix/templates/postfix/master.cf.j2 +++ b/roles/postfix/templates/postfix/master.cf.j2 
@@ -74,29 +74,46 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (50) # ========================================================================== -{% if postfix.primary or postfix.secondary %} +{% if postfix.postscreen %} smtp inet n - - - 1 postscreen smtpd pass - - - - - smtpd {% else %} smtp inet n - - - - smtpd {% endif %} -{% if postfix.primary or postfix.secondary %} +{% if postfix.postscreen %} dnsblog unix - - - - 0 dnsblog {% endif %} -{% if postfix.primary %} +{% if postfix.sasl %} submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path={{ postfix.submission.sasl.path }} -o smtpd_delay_reject=no -o smtpd_client_restrictions=$submission_client_restrictions -o smtpd_relay_restrictions=$submission_relay_restrictions +{% if postfix.smtp.sender_login_maps %} + -o smtpd_sender_restrictions=$submission_sender_restrictions + -o smtpd_sender_login_maps=$submission_sender_login_maps +{% endif %} +{% if postfix.milter is defined and postfix.milter %} -o milter_macro_daemon_name=ORIGINATING +{% endif %} smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path={{ postfix.submission.sasl.path }} -o smtpd_delay_reject=no -o smtpd_client_restrictions=$submission_client_restrictions -o smtpd_relay_restrictions=$submission_relay_restrictions +{% if postfix.smtp.sender_login_maps %} + -o smtpd_sender_restrictions=$submission_sender_restrictions + -o smtpd_sender_login_maps=$submission_sender_login_maps +{% endif %} +{% if postfix.milter is defined and postfix.milter %} + -o milter_macro_daemon_name=ORIGINATING +{% endif %} {% endif %} pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup 
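Review bot: `-o smtpd_sasl_path={{ postfix.submission.sasl.path }}` points the submission and smtps listeners at a Dovecot auth socket over TCP (redisdead sets `inet:172.16.10.126:4242`); the Dovecot auth protocol carries the client's password in clear text between Postfix and Dovecot, so this relies entirely on 172.16.10.0/24 being a trusted segment — document that assumption next to the option, e.g. `# auth socket is reached over the adm network in clear text; keep it on a trusted segment or a unix socket`. The conditions also disagree with main.cf.j2: the `-o smtpd_sender_login_maps=$submission_sender_login_maps` override is added under `{% if postfix.smtp.sender_login_maps %}`, but main.cf defines `submission_sender_login_maps` only when `postfix.submission.sender_login_maps is defined` and `submission_sender_restrictions` only when `postfix.submission is defined`, so a host with the `smtp` key alone gets empty overrides on the submission ports; test the same key in both files. `{% if postfix.sasl %}` and `{% if postfix.postscreen %}` test keys without `is defined`, unlike the guards in main.cf.j2, and `postfix.submission.sasl.path` is dereferenced under `postfix.sasl` rather than under a check that `submission` exists. The submission and smtps stanzas are now duplicated line for line; a Jinja macro or a `{% set %}` holding the shared `-o` list would keep them from drifting apart.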
@@ -110,9 +127,6 @@ flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - - - - smtp relay unix - - - - - smtp -{% if postfix.primary %} - -o fallback_relay= -{% endif %} showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error @@ -128,8 +142,6 @@ slow unix - - n - 1 smtp # pages of the non-Postfix software to find out what options it wants. # The Cyrus deliver program has changed incompatibly. # -cyrus unix - n n - - pipe - flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m $${extension} $${user} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$$sender - $$nexthop!rmail ($$recipient) ifmail unix - n n - - pipe diff --git a/roles/postfix/templates/postfix/mime_header_checks.j2 b/roles/postfix/templates/postfix/mime_header_checks.j2 index 2195544e..e752610b 100644 --- a/roles/postfix/templates/postfix/mime_header_checks.j2 +++ b/roles/postfix/templates/postfix/mime_header_checks.j2 @@ -1,8 +1,6 @@ {{ ansible_header | comment }} # Filtrage des fichiers envoyes en piece jointe. -# La version hard (s'il n'y a pas d'antivirus, ou pour le dernier virus a la mode) -/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/ REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail. - -# La version soft : -#/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/ REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail. +{% for item in postfix.mime_header_checks %} +{{ item.regex }} {{ item.action }} +{% endfor %} diff --git a/roles/postfix/templates/postfix/postscreen_access.cidr.j2 b/roles/postfix/templates/postfix/postscreen_access.cidr.j2 index 14dde5ec..24788a83 100644 --- a/roles/postfix/templates/postfix/postscreen_access.cidr.j2 
+++ b/roles/postfix/templates/postfix/postscreen_access.cidr.j2 @@ -1,64 +1,9 @@ {{ ansible_header | comment }} -127.0.0.1 permit -138.231.0.0/16 permit -185.230.76.0/22 permit -10.231.136.0/24 permit -82.225.39.54 permit -91.121.179.40 permit -46.105.102.188 permit -2a0c:700:0:1::/64 permit -2a0c:700:0:2::/64 permit -2a0c:700:0:21::/64 permit -2a0c:700:0:22::/64 permit -2a0c:700:0:23::/64 permit -2a0c:700:0:24::/64 permit +{% for block in postfix.postscreen %} +# {{ block.comment }} +{% for target in block.targets %} +{{ '{:<42}{}'.format(target,block.verdict) }} +{% endfor %} -# ecommercant qui repmplace offrespourlespros, qui spammait le le 29/05/2015 -149.202.29.192/28 reject -37.187.141.230 reject -2001:41d0:a:4ce6::/64 reject -# gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ? -37.187.132.105 reject -92.222.109.0/27 reject - -# mail.alkar.net spam le 26/06/2016 -195.248.191.95 reject - -# mail.testfast.eu spam en juin 2016 -176.20.27.0/24 reject - -# Spam depuis des adresses en .ua -91.194.84.10 reject -213.186.200.70 reject -185.117.89.15 reject -62.141.42.44 reject -# installio.co.ua -217.79.181.5 reject - -# Scam -180.137.106.59 reject -169.255.7.5 reject -110.159.122.90 reject -37.104.198.10 reject -46.62.146.206 reject - -# Spam alcoolisme 16/09/2018 -46.249.59.89 reject - -# Spam "Pastoral shit" -198.84.107.98 reject -198.84.74.66 reject -104.168.178.132 reject -104.168.178.156 reject -158.69.253.33 reject - -# Spam overdue payment -193.56.28.114 reject - -# Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient. -94.242.206.15 reject -91.188.222.33 reject - -# Et les russes ils dégagent aussi -185.50.149.0/24 reject +{% endfor %} diff --git a/roles/postfix/templates/postfix/recipient_access.j2 b/roles/postfix/templates/postfix/recipient_access.j2 index 90613c97..2d9003cd 100644 --- a/roles/postfix/templates/postfix/recipient_access.j2 
+++ b/roles/postfix/templates/postfix/recipient_access.j2 @@ -1,4 +1,5 @@ -crans@crans.fr REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet. -crans.org OK -crans.fr OK -crans.eu OK +{{ ansible_header | comment }} + +{% for item in postfix.recipient_access %} +{{ item.entry }} {{ item.action }} +{% endfor %} diff --git a/roles/postfix/templates/postfix/transport.j2 b/roles/postfix/templates/postfix/transport.j2 index a2830e07..2e6ced0a 100644 --- a/roles/postfix/templates/postfix/transport.j2 +++ b/roles/postfix/templates/postfix/transport.j2 @@ -1,19 +1,14 @@ {{ ansible_header | comment }} # Transport des mails -{% if postfix.primary or postfix.secondary %} -# Les mailing-listes sont delivrees sur un serveur à part -lists.crans.org smtp:[{{ query('ldap', 'ip', 'mailman', 'adm') | ipv4 | first }}] -# C'est le serveur des adherents qui fait les livraisons des -# adresses clubs et adherents -crans.org smtp:[users.adm.crans.org] -crans.eu smtp:[users.adm.crans.org] -crans.fr smtp:[users.adm.crans.org] +{% for block in postfix.transport %} +# {{ block.comment }} +{% for target in block.targets %} +{% if block.params is defined %} +{{ '{:<29}{}:{}'.format(target,block.method,block.params) }} +{% else %} +{{ '{:<29}{}:'.format(target,block.method) }} {% endif %} -# SMTP relous -wanadoo.com slow: -wanadoo.fr slow: -orange.com slow: -orange.fr slow: -free.fr slow: -laposte.net slow: +{% endfor %} + +{% endfor %}