crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[postfix] Added role to install postfix

certbot_on_virtu
_benjamin 2020-01-24 09:13:15 +01:00
parent 9b35510f3b
commit 709b968d98
10 changed files with 538 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
network.yml
View File

@ -68,3 +68,15 @@
roles: roles:
- quagga-ipv6 - quagga-ipv6
# Deploy postfix on mail servers
- hosts: titanic.adm.crans.org
vars:
postfix:
primary: false
secondary: true
public: true
dkim: true
mailman: false
titanic: true
roles:
- postfix

28
roles/postfix/tasks/main.yml 100644
View File

@ -0,0 +1,28 @@
---
- name: Install postfix
apt:
update_cache: true
name:
- postfix
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Deploy postfix configuration
template:
src: postfix/{{ item }}.j2
dest: /etc/postfix/{{ item }}
mode: 0644
owner: root
group: root
loop:
- main.cf
- master.cf
- transport
- mime_header_checks
- recipient_access
- sender_login_maps
- postscreen_access.cidr
- sasl/smtpd.conf
# - canonical
# - virtual

250
roles/postfix/templates/postfix/main.cf.j2 100644
View File

@ -0,0 +1,250 @@
# {{ ansible_managed }}
# Fichier de configuration principal de postfix.
# +------------------+
# | Variables utiles |
# +------------------+
# Definition par securite (sinon il utilise gethostname)
myhostname = {{ ansible_hostname }}.crans.org
mydomain = crans.org
# Origine des mails
myorigin = crans.org
# Reseaux locaux
mynetworks = 127.0.0.0/8, [::1]/128
{% if postfix.primary or postfix.secondary %}
138.231.136.0/21, 185.230.79.0/24, 185.230.77.0/24, 185.230.76.0/24, 185.230.78.0/24, 10.53.0.0/19, 10.54.0.0/19, [2a0c:700:0:1::]/64, [2a0c:700:0:22::]/64, [2a0c:700:0:21::]/64, [2a0c:700:0:23::]/64, [2a0c:700:0:24::]/64, 10.231.136.0/24, [2a0c:700:0:2::]/64
{% else %}
10.231.136.0/24, [2a0c:700:0:2::]/64
{% endif %}
# Destinations acceptees
mydestination = {{ ansible_hostname }}, $myhostname, localhost, localhost.$mydomain
{% if postfix.primary or not postfix.secondary %}
$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu
{% endif %}
# Domaine relaye par ce MX
relay_domains = $mydestination
{% if postfix.mailman %}
lists.$mydomain
{% endif %}
{% if postfix.secondary %}
$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu
{% endif %}
{% if postfix.public %}
lists.$mydomain
{% endif %}
{% if postfix.mailman %}
relay_recipient_maps =
hash:/var/local/re2o-services/mail-server/generated/virtual
hash:/var/lib/mailman/data/virtual-mailman
mailman_destination_recipient_limit = 1
{% endif %}
# Etre notifie ou non de l'arrive de nouveaux mails
{% if postfix.primary or postfix.secondary %}
biff = no
{% else %}
biff = yes
{% endif %}
# Pour pouvoir tester sans tout casser, on active les soft bounces.
# Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais
# a la place, de renvoyer une erreur non permanente. En production
# il faut enlever ca.
soft_bounce = no
smtpd_reject_unlisted_sender = yes
{% if not postfix.primary and not postfix.secondary %}
# On delivre dans des maildir
mail_spool_directory = /home/mail/
{% endif %}
# +--------+
# | Divers |
# +--------+
# Delais pour les warnings
delay_warning_time = 24h
# Esthetisme
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
# Par ou passer (notement pour la distrtibution des adresse
# locales par le serveur des adherents)
transport_maps = hash:/etc/postfix/transport
# Une infinite d'adresses mail par personne
recipient_delimiter = +
# +-----------------+
# | Bases d'adresse |
# +-----------------+
# Les fichiers d'alias (pour newaliases)
alias_database = hash:/var/local/re2o-services/mail-server/generated/aliases
alias_maps = $alias_database
# On prend aussi en compte les utilisateurs de /etc/passwd
local_recipient_maps = $alias_maps unix:passwd.byname
# Les anciennes ML @crans.org, @crans.ens-cachan.fr -> @lists.crans.org
virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
# +-------------+
# | TLS et SASL |
# +-------------+
# TLS pour la reception
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/ssl/certs/smtp.pem
smtpd_tls_key_file=/etc/ssl/private/smtp.pem
smtpd_tls_loglevel=0
smtpd_tls_received_header=yes
# On utilise aussi TLS pour envoyer les mails
smtp_use_tls=yes
smtp_tls_security_level=may
smtp_tls_loglevel=1
smtp_tls_cert_file=
smtp_tls_key_file=
smtp_tls_CApath=/etc/ssl/certs/
# On cache les sessions TLS car elles sont couteuses.
smtpd_tls_session_cache_database=btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache
tls_random_source=dev:/dev/urandom
# Auth que si tls pour eviter des pass en clair sur le reseau
smtpd_tls_auth_only=yes
# Authentification SASL pour relayer du mail
smtpd_sasl_auth_enable=yes
# +--------------------------+
# | Filtrages et limitations |
# +--------------------------+
{% if postfix.public %}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
{% endif %}
## Limitation des messages envoyés par minute
# On n'ignore que les messages venant d'adresses "protégées"
smtpd_client_event_limit_exceptions = local_networks
10.231.136.0/24, [2a0c:700:0:2::]/64
# we remove the smtpd_access_maps, so that crans.org in the recipient_access does not capture subdomains
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains
# On limite à 10 messages par minute
smtpd_client_message_rate_limit = 10
{% if postfix.public %}
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
{% endif %}
## Filtrage au MAIL FROM
smtpd_sender_restrictions = permit_mynetworks
{% if postfix.public %}
# Si pas authentifié pour un domaine de smtpd_sender_login_maps
# on dégage. Si authentifié, on envoit même si c'est du spoof
# interne.
reject_unauthenticated_sender_login_mismatch
{% endif %}
reject_non_fqdn_sender
reject_unknown_sender_domain
## Dit à postfix de jeter toute socket vers un serveur de policy après une
## utilisation. Il en recrée donc une nouvelle, ce qui permet d'éviter
## qu'un service de policy droppant silencieusement ses sockets ralentisse
## postfix. C'est un palliatif en attendant de corriger ratelimit/policy
smtpd_policy_service_request_limit = 1
## Filtrage au RCPT TO
smtpd_recipient_restrictions =
{% if postfix.primary %}
# Test avec policyd-rate-limit pour limiter le nombre de mails par utilisateur SASL
check_policy_service unix:ratelimit/policy
{% endif %}
# permet si le client est dans le reseau local
permit_mynetworks
# rejette les recipients sans nom de domaine totalement qualifie
reject_non_fqdn_recipient
{% if postfix.public %}
# permet si le client est authentifie
permit_sasl_authenticated
{% endif %}
# rejette les destinations non locales
reject_unauth_destination
{% if postfix.public %}
# accepte si on est sur un destinaire en @crans
check_recipient_access hash:/etc/postfix/recipient_access
# pour les @lists.crans.org, accepte si la greylist est d'accord
check_policy_service inet:127.0.0.1:2501
{% endif %}
# jette le reste
{% if postfix.primary %}
#smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
{% endif %}
# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
message_size_limit = 20971520
mailbox_size_limit = 78643000
# Obligation de specifier le nom de domaine complet
{% if postfix.secondary %}
append_dot_mydomain = yes
{% else %}
append_dot_mydomain = no
{% endif %}
#Ajout de cyrus pour l'authentification SMTP
smtpd_sasl_type = cyrus
# Pieces jointes
mime_header_checks = regexp:/etc/postfix/mime_header_checks
# Transport slow
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2
{% if postfix.dkim %}
# Filtrage mail
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
{% endif %}
{% if postfix.titanic %}
relayhost = [soyouz.adm.crans.org]:25
{% endif %}
{% if postfix.primary or postfix.secondary %}
# PostScreen configuration
# Access List
postscreen_access_list = cidr:/etc/postfix/postscreen_access.cidr
## Tu es blacklisté ? VTFF
postscreen_blacklist_action = drop
# Bannière d'accueil multi valuée
postscreen_greet_banner = Bienvenue au crans, veuillez patienter quelques secondes.
## On droppe.
postscreen_greet_action = drop
# RBL, le retour
postscreen_dnsbl_sites =
zen.spamhaus.org*2
dnsbl.inps.de*2
b.barracudacentral.org*2
dnsbl-2.uceprotect.net*2
bl.spameatingmonkey.net
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net
swl.spamhaus.org*-2
list.dnswl.org=127.[0..255].[0..255].0*-1
list.dnswl.org=127.[0..255].[0..255].1*-2
list.dnswl.org=127.[0..255].[0..255].[2..255]*-3
# Score >= 4 ? Bye bye
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_action = enforce
## Désactivé, pour éviter le fake greylisting de postscreen.
## Décommenter en cas de spam trop important.
## Filtre utilisé par postfix, mis en amont via postscreen
#postscreen_non_smtp_command_enable = yes
#postscreen_non_smtp_command_action = enforce
#
#postscreen_bare_newline_enable = yes
#postscreen_bare_newline_action = enforce
#
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = enforce
{% endif %}

143
roles/postfix/templates/postfix/master.cf.j2 100644
View File

@ -0,0 +1,143 @@
# {{ ansible_managed }}
# Fichier de configuration des démons de postfix.
# +------------------------+
# | Utils pour le template |
# +------------------------+
# Postfix master process configuration file. Each line describes how
# a mailer component program should be run. The fields that make up
# each line are described below. A "-" field value requests that a
# default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file).
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the program_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT CHANGE THE ZERO PROCESS LIMIT FOR CLEANUP/BOUNCE/DEFER OR
# POSTFIX WILL BECOME STUCK UP UNDER HEAVY LOAD
#
# DO NOT CHANGE THE ONE PROCESS LIMIT FOR PICKUP/QMGR OR POSTFIX WILL
# DELIVER MAIL MULTIPLE TIMES.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ==========================================================================
{% if postfix.primary or postfix.secondary %}
smtp inet n - - - 1 postscreen
smtpd pass - - - - - smtpd
{% else %}
smtp inet n - - - - smtpd
{% endif %}
{% if postfix.primary or postfix.secondary %}
dnsblog unix - - - - 0 dnsblog
{% endif %}
{% if postfix.primary %}
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
{% endif %}
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
{% if postfix.primary %}
-o fallback_relay=
{% endif %}
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - 5 lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
slow unix - - n - 1 smtp
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# The Cyrus deliver program has changed incompatibly.
#
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m $${extension} $${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$$sender - $$nexthop!rmail ($$recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $$nexthop ($$recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$$nexthop -f$$sender $$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $${nexthop} $${user} $${extension}
# only used by postfix-tls
tlsmgr unix - - n 300 1 tlsmgr
{% if postfix.mailman %}
mailman unix - n n - - pipe
flags=FR user=list
argv=/var/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
{% endif %}

8
roles/postfix/templates/postfix/mime_header_checks.j2 100644
View File

@ -0,0 +1,8 @@
# {{ ansible_managed }}
# Filtrage des fichiers envoyes en piece jointe.
# La version hard (s'il n'y a pas d'antivirus, ou pour le dernier virus a la mode)
/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/ REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.
# La version soft :
#/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/ REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.

61
roles/postfix/templates/postfix/postscreen_access.cidr.j2 100644
View File

@ -0,0 +1,61 @@
# {{ ansible_managed }}
127.0.0.1 permit
138.231.0.0/16 permit
185.230.76.0/22 permit
10.231.136.0/24 permit
82.225.39.54 permit
91.121.179.40 permit
46.105.102.188 permit
2a0c:700:0:1::/64 permit
2a0c:700:0:2::/64 permit
2a0c:700:0:21::/64 permit
2a0c:700:0:22::/64 permit
2a0c:700:0:23::/64 permit
2a0c:700:0:24::/64 permit
# ecommercant qui repmplace offrespourlespros, qui spammait le le 29/05/2015
149.202.29.192/28 reject
37.187.141.230 reject
2001:41d0:a:4ce6::/64 reject
# gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?
37.187.132.105 reject
92.222.109.0/27 reject
# mail.alkar.net spam le 26/06/2016
195.248.191.95 reject
# mail.testfast.eu spam en juin 2016
176.20.27.0/24 reject
# Spam depuis des adresses en .ua
91.194.84.10 reject
213.186.200.70 reject
185.117.89.15 reject
62.141.42.44 reject
# installio.co.ua
217.79.181.5 reject
# Scam
180.137.106.59 reject
169.255.7.5 reject
110.159.122.90 reject
37.104.198.10 reject
46.62.146.206 reject
# Spam alcoolisme 16/09/2018
46.249.59.89 reject
# Spam "Pastoral shit"
198.84.107.98 reject
198.84.74.66 reject
104.168.178.132 reject
104.168.178.156 reject
158.69.253.33 reject
# Spam overdue payment
193.56.28.114 reject
# Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient.
94.242.206.15 reject
91.188.222.33 reject

4
roles/postfix/templates/postfix/recipient_access.j2 100644
View File

@ -0,0 +1,4 @@
crans@crans.fr REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet.
crans.org OK
crans.fr OK
crans.eu OK

2
roles/postfix/templates/postfix/sasl/smtpd.conf.j2 100644
View File

@ -0,0 +1,2 @@
pwcheck_method: saslauthd
mech_list: plain login

3
roles/postfix/templates/postfix/sender_login_maps.j2 100644
View File

@ -0,0 +1,3 @@
@crans.org root
@crans.fr root
@crans.eu root

27
roles/postfix/templates/postfix/transport.j2 100644
View File

@ -0,0 +1,27 @@
# {{ ansible_managed }}
# Transport des mails
{% if postfix.mailman %}
# Les mailing-listes sont delivrees localement
lists.crans.org mailman:
{% else %}
lists.crans.org smtp:[lists.adm.crans.org]
{% endif %}
{% if postfix.primary or postfix.secondary %}
# C'est le serveur des adherents qui fait les livraisons des
# adresses clubs et adherents
crans.org smtp:[users.adm.crans.org]
crans.ens-cachan.fr smtp:[users.adm.crans.org]
install-party.ens-cachan.fr smtp:[users.adm.crans.org]
clubs.ens-cachan.fr smtp:[users.adm.crans.org]
crans.eu smtp:[users.adm.crans.org]
crans.fr smtp:[users.adm.crans.org]
{% endif %}
# SMTP relous
wanadoo.com slow:
wanadoo.fr slow:
orange.com slow:
orange.fr slow:
ens-cachan.fr slow:
free.fr slow:
laposte.net slow: