crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[Postfix] Allows to filter connection to smtp based on client IP.

certbot_on_virtu
_pollion 2020-05-17 13:28:32 +02:00
parent 9f15e2115c
commit bb9ce4fb57
6 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
roles/postfix/handlers/main.yml
View File

@ -6,3 +6,4 @@
- /etc/postfix/recipient_access - /etc/postfix/recipient_access
- /etc/postfix/sender_login_maps - /etc/postfix/sender_login_maps
- /etc/postfix/transport - /etc/postfix/transport
- /etc/postfix/client_checks

1
roles/postfix/tasks/main.yml
View File

@ -24,5 +24,6 @@
- sender_login_maps - sender_login_maps
- postscreen_access.cidr - postscreen_access.cidr
- sasl/smtpd.conf - sasl/smtpd.conf
- client_checks
notify: notify:
- generate postmaps - generate postmaps

3
roles/postfix/templates/postfix/client_checks.j2 100644
View File

@ -0,0 +1,3 @@
{{ ansible_header | comment }}
185.50.149.0/24 REJECT Spammers are not welcome here!

10
roles/postfix/templates/postfix/main.cf.j2
View File

@ -117,6 +117,16 @@ smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_non_fqdn_helo_hostname
# Vérifie que le client n'est pas dans un / d'ips blacklistées
check_client_access cidr:/etc/postfix/client_checks
{% endif %}
{% if postfix.primary %}
submission_client_restrictions =
check_client_access cidr:/etc/postfix/client_checks
submission_relay_restrictions =
permit_sasl_authenticated
reject
{% endif %} {% endif %}
## Limitation des messages envoyés par minute ## Limitation des messages envoyés par minute
# On n'ignore que les messages venant d'adresses "protégées" # On n'ignore que les messages venant d'adresses "protégées"

9
roles/postfix/templates/postfix/master.cf.j2
View File

@ -87,14 +87,17 @@ dnsblog unix - - - - 0 dnsblog
submission inet n - - - - smtpd submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt -o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes -o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_delay_reject=no
-o smtpd_client_restrictions=$submission_client_restrictions
-o smtpd_relay_restrictions=$submission_relay_restrictions
-o milter_macro_daemon_name=ORIGINATING -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes -o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_delay_reject=no
-o smtpd_client_restrictions=$submission_client_restrictions
-o smtpd_relay_restrictions=$submission_relay_restrictions
{% endif %} {% endif %}
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr qmgr fifo n - - 300 1 qmgr

3
roles/postfix/templates/postfix/postscreen_access.cidr.j2
View File

@ -59,3 +59,6 @@
# Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient. # Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient.
94.242.206.15 reject 94.242.206.15 reject
91.188.222.33 reject 91.188.222.33 reject
# Et les russes ils dégagent aussi
185.50.149.0/24 reject