[WIP] Ptêt que cette fois ça aboutira
parent
40d5e3a11a
commit
67aa7744d3
GPG Key ID:
3A75C55819C8CF85
|
|
@ -33,3 +33,104 @@ loc_service_certbot:
|
|||
name: certbot_adm_challenge.
|
||||
secret: "{{ vault.certbot_adm_dns_secret }}"
|
||||
algorithm: HMAC-SHA512
|
||||
|
||||
postfix:
|
||||
hostname: redisdead.crans.org
|
||||
shortname: redisdead
|
||||
domain: crans.org
|
||||
origin: crans.org
|
||||
my_networks: "185.230.79.0/26, 172.16.3.0/24, 172.16.10.0/24, 185.230.78.0/24, 100.64.0.0/16, [2a0c:700:2::]/64, [2a0c:700:3::]/64, [fd00:0:0:10::]/64, [2a0c:700:12::]/64, [2a0c:700:13::]/64"
|
||||
destination: "$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu"
|
||||
relay: "lists.$mydomain"
|
||||
transport:
|
||||
- method: smtp
|
||||
comment: "Les mailing-listes sont délivrées localement"
|
||||
params: "[172.16.10.110]"
|
||||
targets: [lists.crans.org]
|
||||
- method: smtp
|
||||
comment: "Les mails sont délivrés par le serveur des adhérents"
|
||||
params: "[172.16.10.31]"
|
||||
targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr]
|
||||
- method: slow
|
||||
comment: "Microsoft nique ta mère :'("
|
||||
params: "[172.16.10.32]"
|
||||
targets: [hotmail.com, hotmail.fr, outlook.com, outlook.fr, live.com, live.fr, live.it]
|
||||
- method: slow
|
||||
comment: "SMTP relous"
|
||||
targets: [wanadoo.com, wanadoo.fr, orange.com, orange.fr, ens-cachan.fr, ens-paris-saclay.fr, free.fr, laposte.net]
|
||||
aliases: /var/local/services/mail/generated/aliases
|
||||
virtual: /var/local/services/mail/generated/virtual
|
||||
tls:
|
||||
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
|
||||
key: /etc/letsencrypt/live/crans.org/privkey.pem
|
||||
sasl: true
|
||||
smtp:
|
||||
sender_login_maps:
|
||||
- {entry: "@crans.org", owner: root}
|
||||
- {entry: "@crans.fr", owner: root}
|
||||
- {entry: "@crans.eu", owner: root}
|
||||
submission:
|
||||
sasl:
|
||||
path: inet:172.16.10.126:4242
|
||||
sender_login_maps: hash:/var/local/services/mail/generated/loginmap
|
||||
policy: true
|
||||
mime_header_checks:
|
||||
- regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/'
|
||||
action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
|
||||
# - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/'
|
||||
action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
|
||||
milter: true
|
||||
postscreen:
|
||||
- comment: "Nice peoples"
|
||||
verdict: permit
|
||||
targets: ["127.0.0.1","185.230.76.0/22","185.230.79.40","172.16.10.0/24","82.225.39.54","91.121.179.40","46.105.102.188","fd00:0:0:10::/64","fd00:0:0:11::/64","2a0c:700:0:2::/64","2a0c:700:0:3::/64","2a0c:700:0:12::/64","2a0c:700:0:13::/64","2a0c:700:0:21::/64","2a0c:700:0:22::/64","2a0c:700:0:23::/64","2a0c:700:0:24::/64","2a0c:700:2::ff:fe01:1002"]
|
||||
- comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015"
|
||||
verdict: reject
|
||||
targets: ["149.202.29.192/28","37.187.141.230","2001:41d0:a:4ce6::/64"]
|
||||
- comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?"
|
||||
verdict: reject
|
||||
targets: ["37.187.132.105","92.222.109.0/27"]
|
||||
- comment: "mail.alkar.net spam le 26/06/2016"
|
||||
verdict: reject
|
||||
targets: ["195.248.191.95"]
|
||||
- comment: "mail.testfast.eu spam en juin 2016"
|
||||
verdict: reject
|
||||
targets: ["176.20.27.0/24"]
|
||||
- comment: "Spam depuis des adresses en .ua"
|
||||
verdict: reject
|
||||
targets: ["91.194.84.10","213.186.200.70","185.117.89.15","62.141.42.44"]
|
||||
- comment: "installio.co.ua"
|
||||
verdict: reject
|
||||
targets: ["217.79.181.5"]
|
||||
- comment: Scam
|
||||
verdict: reject
|
||||
targets: ["180.137.106.59","169.255.7.5","110.159.122.90","37.104.198.10","46.62.146.206"]
|
||||
- comment: "Spam alcoolisme 16/09/2018"
|
||||
verdict: reject
|
||||
targets: ["46.249.59.89"]
|
||||
- comment: 'Spam "Pastoral shit"'
|
||||
verdict: reject
|
||||
targets: ["198.84.107.98","198.84.74.66","104.168.178.132","104.168.178.156","158.69.253.33"]
|
||||
- comment: "Spam overdue payment"
|
||||
verdict: reject
|
||||
targets: ["193.56.28.114"]
|
||||
- comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient."
|
||||
verdict: reject
|
||||
targets: ["94.242.206.15","91.188.222.33"]
|
||||
- comment: "Et les russes ils dégagent aussi"
|
||||
verdict: reject
|
||||
targets: ["185.50.149.0/24"]
|
||||
- comment: "2021/11/13: vague de spam"
|
||||
verdict: reject
|
||||
targets: ["139.162.150.93","130.255.78.23","85.171.248.149","37.59.38.218"]
|
||||
recipient_access:
|
||||
- {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."}
|
||||
- {entry: "crans.org", action: OK}
|
||||
- {entry: "crans.fr", action: OK}
|
||||
- {entry: "crans.eu", action: OK}
|
||||
client_checks:
|
||||
- {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!}
|
||||
- {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!}
|
||||
- {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
|
||||
- {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans}
|
||||
client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64, 185.230.79.0/26, [2a0c:700:2::]/64"
|
||||
|
|
|
|||
|
|
@ -21,9 +21,7 @@
|
|||
- transport
|
||||
- mime_header_checks
|
||||
- recipient_access
|
||||
- sender_login_maps
|
||||
- postscreen_access.cidr
|
||||
- sasl/smtpd.conf
|
||||
- client_checks
|
||||
notify:
|
||||
- generate postmaps
|
||||
|
|
@ -36,8 +34,8 @@
|
|||
|
||||
- name: Reload postfix after certificate renewal
|
||||
template:
|
||||
src: letsencrypt/renewal-hooks/deploy/reload-postfix.sh.j2
|
||||
dest: /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
|
||||
src: letsencrypt/renewal-hooks/post/postfix.j2
|
||||
dest: /etc/letsencrypt/renewal-hooks/post/postfix
|
||||
mode: 0755
|
||||
|
||||
- name: Indicate role in motd
|
||||
|
|
|
|||
|
|
@ -1,3 +0,0 @@
|
|||
#!/bin/sh
|
||||
{{ ansible_header | comment }}
|
||||
systemctl reload postfix
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
#!/bin/bash
|
||||
service postfix reload
|
||||
|
|
@ -1,3 +1,5 @@
|
|||
{{ ansible_header | comment }}
|
||||
|
||||
185.50.149.0/24 REJECT Spammers are not welcome here!
|
||||
{% for item in postfix.client_checks %}
|
||||
{{ item.entry }} {{ item.action }}
|
||||
{% endfor %}
|
||||
|
|
|
|||
|
|
@ -6,44 +6,37 @@
|
|||
# +------------------+
|
||||
|
||||
# Definition par securite (sinon il utilise gethostname)
|
||||
myhostname = {{ ansible_hostname }}.crans.org
|
||||
mydomain = crans.org
|
||||
myhostname = {{ postfix.hostname }}
|
||||
mydomain = {{ postfix.domain }}
|
||||
# Origine des mails
|
||||
myorigin = crans.org
|
||||
myorigin = {{ postfix.origin }}
|
||||
# Reseaux locaux
|
||||
mynetworks = 127.0.0.0/8, [::1]/128
|
||||
{% if postfix.primary or postfix.secondary %}
|
||||
138.231.136.0/21, 185.230.79.0/24, 185.230.77.0/24, 185.230.76.0/24, 185.230.78.0/24, 10.53.0.0/19, 10.54.0.0/19, [2a0c:700:0:1::]/64, [2a0c:700:0:22::]/64, [2a0c:700:0:21::]/64, [2a0c:700:0:23::]/64, [2a0c:700:0:24::]/64, 10.231.136.0/24, [2a0c:700:0:2::]/64
|
||||
{% else %}
|
||||
10.231.136.0/24, [2a0c:700:0:2::]/64
|
||||
{% endif %}
|
||||
{{ postfix.my_networks }}
|
||||
# Destinations acceptees
|
||||
mydestination = {{ ansible_hostname }}, $myhostname, localhost, localhost.$mydomain
|
||||
{% if postfix.primary or not postfix.secondary %}
|
||||
$mydomain, crans.fr, crans.eu
|
||||
{% if postfix.destination is defined %}
|
||||
mydestination = {{ postfix.shortname }}, $myhostname, localhost, localhost.$mydomain
|
||||
{{ postfix.destination }}
|
||||
{% endif %}
|
||||
# Domaine relaye par ce MX
|
||||
{% if postfix.relay is defined %}
|
||||
relay_domains = $mydestination
|
||||
lists.$mydomain
|
||||
{% if postfix.secondary %}
|
||||
$mydomain, crans.fr, crans.eu
|
||||
{{ postfix.relay }}
|
||||
{% endif %}
|
||||
# Etre notifie ou non de l'arrive de nouveaux mails
|
||||
{% if postfix.primary or postfix.secondary %}
|
||||
biff = no
|
||||
{% else %}
|
||||
biff = yes
|
||||
biff = {% if postfix.biff is defined and postfix.biff %}yes{% else %}no{% endif %}
|
||||
{% if postfix.deliver is defined %}
|
||||
# On delivre dans des maildir
|
||||
mail_spool_directory = {{ postfix.deliver.spool }}
|
||||
{% endif %}
|
||||
|
||||
# Pour pouvoir tester sans tout casser, on active les soft bounces.
|
||||
# Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais
|
||||
# a la place, de renvoyer une erreur non permanente. En production
|
||||
# il faut enlever ca.
|
||||
soft_bounce = no
|
||||
|
||||
{% if not postfix.primary and not postfix.secondary %}
|
||||
# On delivre dans des maildir
|
||||
mail_spool_directory = /home/mail/
|
||||
{% endif %}
|
||||
# smtpd_reject_unlisted_sender = yes
|
||||
# +--------+
|
||||
# | Divers |
|
||||
# +--------+
|
||||
|
|
@ -51,21 +44,24 @@ mail_spool_directory = /home/mail/
|
|||
delay_warning_time = 24h
|
||||
# Esthetisme
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
||||
{% if postfix.transport is defined %}
|
||||
# Par ou passer (notement pour la distrtibution des adresse
|
||||
# locales par le serveur des adherents)
|
||||
transport_maps = hash:/etc/postfix/transport
|
||||
{% endif %}
|
||||
# Une infinite d'adresses mail par personne
|
||||
recipient_delimiter = +
|
||||
# +-----------------+
|
||||
# | Bases d'adresse |
|
||||
# +-----------------+
|
||||
# Les fichiers d'alias (pour newaliases)
|
||||
alias_database = hash:/var/local/re2o-services/mail-server/generated/aliases
|
||||
alias_database = hash:{{ postfix.aliases }}
|
||||
alias_maps = $alias_database
|
||||
# On prend aussi en compte les utilisateurs de /etc/passwd
|
||||
local_recipient_maps = $alias_maps unix:passwd.byname
|
||||
local_recipient_maps = $alias_maps
|
||||
# unix:passwd.byname
|
||||
# Les anciennes ML @crans.org, @crans.ens-cachan.fr -> @lists.crans.org
|
||||
virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
|
||||
virtual_alias_maps = hash:{{ postfix.virtual }}
|
||||
|
||||
# +-------------+
|
||||
# | TLS et SASL |
|
||||
|
|
@ -74,8 +70,8 @@ virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
|
|||
# TLS pour la reception
|
||||
smtpd_use_tls=yes
|
||||
smtpd_tls_security_level=may
|
||||
smtpd_tls_cert_file=/etc/letsencrypt/live/crans.org/fullchain.pem
|
||||
smtpd_tls_key_file=/etc/letsencrypt/live/crans.org/privkey.pem
|
||||
smtpd_tls_cert_file={{ postfix.tls.cert }}
|
||||
smtpd_tls_key_file={{ postfix.tls.key }}
|
||||
smtpd_tls_loglevel=0
|
||||
smtpd_tls_received_header=yes
|
||||
|
||||
|
|
@ -94,55 +90,79 @@ smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache
|
|||
|
||||
tls_random_source=dev:/dev/urandom
|
||||
|
||||
{% if postfix.submission is defined %}
|
||||
# Auth que si tls pour eviter des pass en clair sur le reseau
|
||||
smtpd_tls_auth_only=yes
|
||||
# Authentification SASL pour relayer du mail
|
||||
smtpd_sasl_auth_enable=yes
|
||||
{% endif %}
|
||||
|
||||
# +--------------------------+
|
||||
# | Filtrages et limitations |
|
||||
# +--------------------------+
|
||||
|
||||
{% if postfix.public %}
|
||||
smtpd_helo_required = yes
|
||||
smtpd_helo_restrictions = permit_mynetworks
|
||||
{% if postfix.submission %}
|
||||
permit_sasl_authenticated
|
||||
{% endif %}
|
||||
reject_invalid_helo_hostname
|
||||
reject_non_fqdn_helo_hostname
|
||||
# reject_non_fqdn_helo_hostname
|
||||
{% if postfix.client_checks is defined %}
|
||||
# Vérifie que le client n'est pas dans un / d'ips blacklistées
|
||||
check_client_access cidr:/etc/postfix/client_checks
|
||||
{% endif %}
|
||||
{% if postfix.primary %}
|
||||
{% if postfix.submission is defined %}
|
||||
submission_client_restrictions =
|
||||
{% if postfix.client_checks is defined %}
|
||||
check_client_access cidr:/etc/postfix/client_checks
|
||||
submission_relay_restrictions =
|
||||
permit_sasl_authenticated
|
||||
reject
|
||||
|
||||
{% endif %}
|
||||
submission_relay_restrictions = permit_sasl_authenticated
|
||||
reject
|
||||
{% endif %}
|
||||
|
||||
## Limitation des messages envoyés par minute
|
||||
# On n'ignore que les messages venant d'adresses "protégées"
|
||||
smtpd_client_event_limit_exceptions = local_networks
|
||||
10.231.136.0/24, [2a0c:700:0:2::]/64
|
||||
# we remove the smtpd_access_maps, so that crans.org in the recipient_access does not capture subdomains
|
||||
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains
|
||||
{{ postfix.client_event_limit_exceptions }}
|
||||
# we remove the smtpd_access_maps, so that crans.org in the recipient_access does not capture subdomains
|
||||
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains#,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,mynetworks
|
||||
|
||||
# On limite à 10 messages par minute
|
||||
smtpd_client_message_rate_limit = 10
|
||||
|
||||
{% if postfix.public %}
|
||||
{% if postfix.smtp.sender_login_maps is defined %}
|
||||
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
|
||||
{% endif %}
|
||||
## Filtrage au MAIL FROM
|
||||
smtpd_sender_restrictions = permit_mynetworks
|
||||
{% if postfix.public %}
|
||||
{% if postfix.smtp.sender_login_maps is defined %}
|
||||
# Si pas authentifié pour un domaine de smtpd_sender_login_maps
|
||||
# on dégage. Si authentifié, on envoit même si c'est du spoof
|
||||
# interne.
|
||||
reject_unauthenticated_sender_login_mismatch
|
||||
# Option commentée le 28 octobre 2021 par shirenn suite à un mail sur
|
||||
# nounou@lists.crans.org. Dans le cas des mails externes qui redirige vers le
|
||||
# crans (au niveau du MTA), le serveur renvoit une erreur disant que
|
||||
# l'utilisateur n'est pas authentifiée ce qui n'est pas le comportement
|
||||
# attendu.
|
||||
# reject_unauthenticated_sender_login_mismatch
|
||||
{% endif %}
|
||||
reject_non_fqdn_sender
|
||||
reject_unknown_sender_domain
|
||||
reject_unlisted_sender
|
||||
{% if postfix.submission.sender_login_maps is defined %}
|
||||
|
||||
submission_sender_login_maps = {{ postfix.submission.sender_login_maps }}
|
||||
{% endif %}
|
||||
{% if postfix.submission is defined %}
|
||||
submission_sender_restrictions = permit_mynetworks
|
||||
# Pareil que plus haut: des redirections posent problème
|
||||
# reject_unauthenticated_sender_login_mismatch
|
||||
reject_non_fqdn_sender
|
||||
reject_unknown_sender_domain
|
||||
reject_unlisted_sender
|
||||
# reject_sender_login_mismatch
|
||||
{% endif %}
|
||||
|
||||
## Dit à postfix de jeter toute socket vers un serveur de policy après une
|
||||
## utilisation. Il en recrée donc une nouvelle, ce qui permet d'éviter
|
||||
|
|
@ -151,7 +171,7 @@ smtpd_sender_restrictions = permit_mynetworks
|
|||
smtpd_policy_service_request_limit = 1
|
||||
## Filtrage au RCPT TO
|
||||
smtpd_recipient_restrictions =
|
||||
{% if postfix.primary %}
|
||||
{% if postfix.policy %}
|
||||
# Test avec policyd-rate-limit pour limiter le nombre de mails par utilisateur SASL
|
||||
check_policy_service { unix:ratelimit/policy, default_action=DUNNO }
|
||||
{% endif %}
|
||||
|
|
@ -159,52 +179,47 @@ smtpd_recipient_restrictions =
|
|||
permit_mynetworks
|
||||
# rejette les recipients sans nom de domaine totalement qualifie
|
||||
reject_non_fqdn_recipient
|
||||
{% if postfix.public %}
|
||||
{% if postfix.submission %}
|
||||
# permet si le client est authentifie
|
||||
permit_sasl_authenticated
|
||||
{% endif %}
|
||||
# rejette les destinations non locales
|
||||
reject_unauth_destination
|
||||
{% if postfix.public %}
|
||||
{% if postfix.recipient_access is defined %}
|
||||
# accepte si on est sur un destinaire en @crans
|
||||
check_recipient_access hash:/etc/postfix/recipient_access
|
||||
# pour les @lists.crans.org, accepte si la greylist est d'accord
|
||||
check_policy_service inet:127.0.0.1:2501
|
||||
{% endif %}
|
||||
# pour les @lists.crans.org, accepte si la greylist est d'accord
|
||||
# check_policy_service inet:127.0.0.1:2501
|
||||
# jette le reste
|
||||
|
||||
{% if postfix.primary %}
|
||||
#smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
|
||||
{% endif %}
|
||||
# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
|
||||
message_size_limit = 20971520
|
||||
mailbox_size_limit = 78643000
|
||||
# Obligation de specifier le nom de domaine complet
|
||||
{% if postfix.secondary %}
|
||||
{% if postfix.append_dot is defined and postfix.append_dot %}
|
||||
append_dot_mydomain = yes
|
||||
{% else %}
|
||||
# Obligation de specifier le nom de domaine complet
|
||||
append_dot_mydomain = no
|
||||
{% endif %}
|
||||
#Ajout de cyrus pour l'authentification SMTP
|
||||
smtpd_sasl_type = cyrus
|
||||
{% if postfix.mime_header_checks is defined %}
|
||||
# Pieces jointes
|
||||
mime_header_checks = regexp:/etc/postfix/mime_header_checks
|
||||
{% endif %}
|
||||
# Transport slow
|
||||
slow_destination_recipient_limit = 20
|
||||
slow_destination_concurrency_limit = 2
|
||||
{% if postfix.dkim %}
|
||||
{% if postfix.milter is defined and postfix.milter %}
|
||||
|
||||
# Filtrage mail
|
||||
milter_protocol = 2
|
||||
milter_default_action = accept
|
||||
smtpd_milters = inet:localhost:12301
|
||||
non_smtpd_milters = inet:localhost:12301
|
||||
{% endif %}
|
||||
{% if postfix.postscreen is defined and postfix.postscreen %}
|
||||
|
||||
{% endif %}
|
||||
{% if postfix.titanic %}
|
||||
relayhost = [soyouz.adm.crans.org]:25
|
||||
{% endif %}
|
||||
{% if postfix.primary or postfix.secondary %}
|
||||
# PostScreen configuration
|
||||
# Access List
|
||||
postscreen_access_list = cidr:/etc/postfix/postscreen_access.cidr
|
||||
|
|
@ -238,12 +253,12 @@ postscreen_dnsbl_action = enforce
|
|||
## Désactivé, pour éviter le fake greylisting de postscreen.
|
||||
## Décommenter en cas de spam trop important.
|
||||
## Filtre utilisé par postfix, mis en amont via postscreen
|
||||
#postscreen_non_smtp_command_enable = yes
|
||||
#postscreen_non_smtp_command_action = enforce
|
||||
#
|
||||
#postscreen_bare_newline_enable = yes
|
||||
#postscreen_bare_newline_action = enforce
|
||||
#
|
||||
#postscreen_pipelining_enable = yes
|
||||
#postscreen_pipelining_action = enforce
|
||||
postscreen_non_smtp_command_enable = no
|
||||
# postscreen_non_smtp_command_action = enforce
|
||||
|
||||
postscreen_bare_newline_enable = no
|
||||
# postscreen_bare_newline_action = enforce
|
||||
|
||||
postscreen_pipelining_enable = no
|
||||
# postscreen_pipelining_action = enforce
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -74,29 +74,46 @@
|
|||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (yes) (never) (50)
|
||||
# ==========================================================================
|
||||
{% if postfix.primary or postfix.secondary %}
|
||||
{% if postfix.postscreen %}
|
||||
smtp inet n - - - 1 postscreen
|
||||
smtpd pass - - - - - smtpd
|
||||
{% else %}
|
||||
smtp inet n - - - - smtpd
|
||||
{% endif %}
|
||||
{% if postfix.primary or postfix.secondary %}
|
||||
{% if postfix.postscreen %}
|
||||
dnsblog unix - - - - 0 dnsblog
|
||||
{% endif %}
|
||||
{% if postfix.primary %}
|
||||
{% if postfix.sasl %}
|
||||
submission inet n - - - - smtpd
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path={{ postfix.submission.sasl.path }}
|
||||
-o smtpd_delay_reject=no
|
||||
-o smtpd_client_restrictions=$submission_client_restrictions
|
||||
-o smtpd_relay_restrictions=$submission_relay_restrictions
|
||||
{% if postfix.smtp.sender_login_maps %}
|
||||
-o smtpd_sender_restrictions=$submission_sender_restrictions
|
||||
-o smtpd_sender_login_maps=$submission_sender_login_maps
|
||||
{% endif %}
|
||||
{% if postfix.milter is defined and postfix.milter %}
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
{% endif %}
|
||||
smtps inet n - - - - smtpd
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path={{ postfix.submission.sasl.path }}
|
||||
-o smtpd_delay_reject=no
|
||||
-o smtpd_client_restrictions=$submission_client_restrictions
|
||||
-o smtpd_relay_restrictions=$submission_relay_restrictions
|
||||
{% if postfix.smtp.sender_login_maps %}
|
||||
-o smtpd_sender_restrictions=$submission_sender_restrictions
|
||||
-o smtpd_sender_login_maps=$submission_sender_login_maps
|
||||
{% endif %}
|
||||
{% if postfix.milter is defined and postfix.milter %}
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
pickup fifo n - - 60 1 pickup
|
||||
cleanup unix n - - - 0 cleanup
|
||||
|
|
@ -110,9 +127,6 @@ flush unix n - - 1000? 0 flush
|
|||
proxymap unix - - n - - proxymap
|
||||
smtp unix - - - - - smtp
|
||||
relay unix - - - - - smtp
|
||||
{% if postfix.primary %}
|
||||
-o fallback_relay=
|
||||
{% endif %}
|
||||
showq unix n - - - - showq
|
||||
error unix - - - - - error
|
||||
retry unix - - - - - error
|
||||
|
|
@ -128,8 +142,6 @@ slow unix - - n - 1 smtp
|
|||
# pages of the non-Postfix software to find out what options it wants.
|
||||
# The Cyrus deliver program has changed incompatibly.
|
||||
#
|
||||
cyrus unix - n n - - pipe
|
||||
flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m $${extension} $${user}
|
||||
uucp unix - n n - - pipe
|
||||
flags=Fqhu user=uucp argv=uux -r -n -z -a$$sender - $$nexthop!rmail ($$recipient)
|
||||
ifmail unix - n n - - pipe
|
||||
|
|
|
|||
|
|
@ -1,8 +1,6 @@
|
|||
{{ ansible_header | comment }}
|
||||
# Filtrage des fichiers envoyes en piece jointe.
|
||||
|
||||
# La version hard (s'il n'y a pas d'antivirus, ou pour le dernier virus a la mode)
|
||||
/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/ REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.
|
||||
|
||||
# La version soft :
|
||||
#/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/ REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.
|
||||
{% for item in postfix.mime_header_checks %}
|
||||
{{ item.regex }} {{ item.action }}
|
||||
{% endfor %}
|
||||
|
|
|
|||
|
|
@ -1,64 +1,9 @@
|
|||
{{ ansible_header | comment }}
|
||||
|
||||
127.0.0.1 permit
|
||||
138.231.0.0/16 permit
|
||||
185.230.76.0/22 permit
|
||||
10.231.136.0/24 permit
|
||||
82.225.39.54 permit
|
||||
91.121.179.40 permit
|
||||
46.105.102.188 permit
|
||||
2a0c:700:0:1::/64 permit
|
||||
2a0c:700:0:2::/64 permit
|
||||
2a0c:700:0:21::/64 permit
|
||||
2a0c:700:0:22::/64 permit
|
||||
2a0c:700:0:23::/64 permit
|
||||
2a0c:700:0:24::/64 permit
|
||||
{% for block in postfix.postscreen %}
|
||||
# {{ block.comment }}
|
||||
{% for target in block.targets %}
|
||||
{{ '{:<42}{}'.format(target,block.verdict) }}
|
||||
{% endfor %}
|
||||
|
||||
# ecommercant qui repmplace offrespourlespros, qui spammait le le 29/05/2015
|
||||
149.202.29.192/28 reject
|
||||
37.187.141.230 reject
|
||||
2001:41d0:a:4ce6::/64 reject
|
||||
# gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?
|
||||
37.187.132.105 reject
|
||||
92.222.109.0/27 reject
|
||||
|
||||
# mail.alkar.net spam le 26/06/2016
|
||||
195.248.191.95 reject
|
||||
|
||||
# mail.testfast.eu spam en juin 2016
|
||||
176.20.27.0/24 reject
|
||||
|
||||
# Spam depuis des adresses en .ua
|
||||
91.194.84.10 reject
|
||||
213.186.200.70 reject
|
||||
185.117.89.15 reject
|
||||
62.141.42.44 reject
|
||||
# installio.co.ua
|
||||
217.79.181.5 reject
|
||||
|
||||
# Scam
|
||||
180.137.106.59 reject
|
||||
169.255.7.5 reject
|
||||
110.159.122.90 reject
|
||||
37.104.198.10 reject
|
||||
46.62.146.206 reject
|
||||
|
||||
# Spam alcoolisme 16/09/2018
|
||||
46.249.59.89 reject
|
||||
|
||||
# Spam "Pastoral shit"
|
||||
198.84.107.98 reject
|
||||
198.84.74.66 reject
|
||||
104.168.178.132 reject
|
||||
104.168.178.156 reject
|
||||
158.69.253.33 reject
|
||||
|
||||
# Spam overdue payment
|
||||
193.56.28.114 reject
|
||||
|
||||
# Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient.
|
||||
94.242.206.15 reject
|
||||
91.188.222.33 reject
|
||||
|
||||
# Et les russes ils dégagent aussi
|
||||
185.50.149.0/24 reject
|
||||
{% endfor %}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
crans@crans.fr REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet.
|
||||
crans.org OK
|
||||
crans.fr OK
|
||||
crans.eu OK
|
||||
{{ ansible_header | comment }}
|
||||
|
||||
{% for item in postfix.recipient_access %}
|
||||
{{ item.entry }} {{ item.action }}
|
||||
{% endfor %}
|
||||
|
|
|
|||
|
|
@ -1,19 +1,14 @@
|
|||
{{ ansible_header | comment }}
|
||||
# Transport des mails
|
||||
|
||||
{% if postfix.primary or postfix.secondary %}
|
||||
# Les mailing-listes sont delivrees sur un serveur à part
|
||||
lists.crans.org smtp:[{{ query('ldap', 'ip', 'mailman', 'adm') | ipv4 | first }}]
|
||||
# C'est le serveur des adherents qui fait les livraisons des
|
||||
# adresses clubs et adherents
|
||||
crans.org smtp:[users.adm.crans.org]
|
||||
crans.eu smtp:[users.adm.crans.org]
|
||||
crans.fr smtp:[users.adm.crans.org]
|
||||
{% for block in postfix.transport %}
|
||||
# {{ block.comment }}
|
||||
{% for target in block.targets %}
|
||||
{% if block.params is defined %}
|
||||
{{ '{:<29}{}:{}'.format(target,block.method,block.params) }}
|
||||
{% else %}
|
||||
{{ '{:<29}{}:'.format(target,block.method) }}
|
||||
{% endif %}
|
||||
# SMTP relous
|
||||
wanadoo.com slow:
|
||||
wanadoo.fr slow:
|
||||
orange.com slow:
|
||||
orange.fr slow:
|
||||
free.fr slow:
|
||||
laposte.net slow:
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
||||
|
|
|
|||
Loading…
Reference in New Issue