From d65e9739cde9f7e5e979ac0e08f1cbdc63e499e4 Mon Sep 17 00:00:00 2001 From: shirenn Date: Wed, 22 Dec 2021 17:12:20 +0100 Subject: [PATCH] WIP: --- host_vars/redisdead.adm.crans.org.yml | 7 +- host_vars/sputnik.adm.crans.org.yml | 104 +++++++++++++++++- roles/postfix/tasks/main.yml | 1 + roles/postfix/templates/postfix/main.cf.j2 | 18 +-- roles/postfix/templates/postfix/master.cf.j2 | 2 +- .../templates/postfix/sender_login_maps.j2 | 6 +- 6 files changed, 112 insertions(+), 26 deletions(-) diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml index 18fe7488..5568d73e 100644 --- a/host_vars/redisdead.adm.crans.org.yml +++ b/host_vars/redisdead.adm.crans.org.yml @@ -63,7 +63,6 @@ postfix: tls: cert: /etc/letsencrypt/live/crans.org/fullchain.pem key: /etc/letsencrypt/live/crans.org/privkey.pem - sasl: true smtp: sender_login_maps: - {entry: "@crans.org", owner: root} @@ -78,7 +77,7 @@ postfix: - regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/' action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.' # - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/' - action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.' + # action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.' milter: true postscreen: - comment: "Nice peoples" 
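Review bot: Removing `sasl: true` from redisdead's postfix vars leaves nothing in this hunk in its place, while master.cf.j2 and main.cf.j2 in this same commit switch the submission listener and the `permit_sasl_authenticated` entries to `postfix.submission is defined`. Unless redisdead sets `postfix.submission` somewhere outside this hunk, the next play renders the primary MX without a submission service or SASL permits, silently. Add `submission: true` where `sasl: true` was, or keep `sasl` until every template has been converted. The second hunk only comments out the orphaned `action:` line, which is fine as a stop-gap, though a dead rule carried as a comment tends to stay forever.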
@@ -134,3 +133,7 @@ postfix: - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!} - {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans} client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64, 185.230.79.0/26, [2a0c:700:2::]/64" + sender_login_maps: + - {sender: "@crans.org", owner: root} + - {sender: "@crans.fr", owner: root} + - {sender: "@crans.eu", owner: root} diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml index 4214b054..a1f659a6 100644 --- a/host_vars/sputnik.adm.crans.org.yml +++ b/host_vars/sputnik.adm.crans.org.yml @@ -1,12 +1,12 @@ --- debian_mirror: http://deb.debian.org/debian -postfix: - primary: false - secondary: true - public: true - dkim: true - titanic: false +#postfix: +# primary: false +# secondary: true +# public: true +# dkim: true +# titanic: false loc_wireguard: tunnels: 
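Review bot: The new top-level `sender_login_maps` entries use the key `sender`, while the `smtp.sender_login_maps` list kept in the previous hunk of the same file uses `entry` for the same three domains; the rewritten sender_login_maps.j2 reads `entry.sender`, so only the new list is consumed and the nested one is now dead config that will drift from it. Drop the nested list or rename its key, and do the same in sputnik's new `postfix:` block (@@ -111,3 +111,95 @@), which copies both variants. In sputnik's first hunk the old `postfix:` mapping is commented out rather than deleted although the new mapping further down replaces it; deleting it avoids a duplicate-key surprise the day someone uncomments it.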
@@ -111,3 +111,95 @@ loc_reverseproxy:
 redirect_sites: []
 static_sites: []
+
+postfix:
+ hostname: sputnik.crans.org
+ shortname: sputnik
+ domain: crans.org
+ origin: crans.org
+ append_dot: true
+ my_networks: "172.16.10.0/24, [fd00:0:0:10::]/64"
+ relay: "$mydestination, lists.$mydomain, $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu"
+ transport:
+ - method: smtp
+ comment: "Les mailing-listes sont délivrées localement"
+ params: "[172.16.10.110]"
+ targets: [lists.crans.org]
+ - method: smtp
+ comment: "Les mails sont délivrés par le serveur des adhérents"
+ params: "[172.16.10.31]"
+ targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr]
+ aliases: /var/local/services/mail/generated/aliases
+ virtual: /var/local/services/mail/generated/virtual
+ tls:
+ cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+ key: /etc/letsencrypt/live/crans.org/privkey.pem
+ smtp:
+ sender_login_maps:
+ - {entry: "@crans.org", owner: root}
+ - {entry: "@crans.fr", owner: root}
+ - {entry: "@crans.eu", owner: root}
+ mime_header_checks:
+ - regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/'
+ action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
+ # - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/'
+ # action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
+ milter: true
+ postscreen:
+ - comment: "Nice peoples"
+ verdict: permit
+ targets: ["127.0.0.1","185.230.76.0/22","185.230.79.40","172.16.10.0/24","82.225.39.54","91.121.179.40","46.105.102.188","fd00:0:0:10::/64","fd00:0:0:11::/64","2a0c:700:0:2::/64","2a0c:700:0:3::/64","2a0c:700:0:12::/64","2a0c:700:0:13::/64","2a0c:700:0:21::/64","2a0c:700:0:22::/64","2a0c:700:0:23::/64","2a0c:700:0:24::/64","2a0c:700:2::ff:fe01:1002"]
+ - comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015"
+ verdict: reject
+ targets: ["149.202.29.192/28","37.187.141.230","2001:41d0:a:4ce6::/64"]
+ - comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?"
+ verdict: reject
+ targets: ["37.187.132.105","92.222.109.0/27"]
+ - comment: "mail.alkar.net spam le 26/06/2016"
+ verdict: reject
+ targets: ["195.248.191.95"]
+ - comment: "mail.testfast.eu spam en juin 2016"
+ verdict: reject
+ targets: ["176.20.27.0/24"]
+ - comment: "Spam depuis des adresses en .ua"
+ verdict: reject
+ targets: ["91.194.84.10","213.186.200.70","185.117.89.15","62.141.42.44"]
+ - comment: "installio.co.ua"
+ verdict: reject
+ targets: ["217.79.181.5"]
+ - comment: Scam
+ verdict: reject
+ targets: ["180.137.106.59","169.255.7.5","110.159.122.90","37.104.198.10","46.62.146.206"]
+ - comment: "Spam alcoolisme 16/09/2018"
+ verdict: reject
+ targets: ["46.249.59.89"]
+ - comment: 'Spam "Pastoral shit"'
+ verdict: reject
+ targets: ["198.84.107.98","198.84.74.66","104.168.178.132","104.168.178.156","158.69.253.33"]
+ - comment: "Spam overdue payment"
+ verdict: reject
+ targets: ["193.56.28.114"]
+ - comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient."
+ verdict: reject + targets: ["94.242.206.15","91.188.222.33"] + - comment: "Et les russes ils dégagent aussi" + verdict: reject + targets: ["185.50.149.0/24"] + - comment: "2021/11/13: vague de spam" + verdict: reject + targets: ["139.162.150.93","130.255.78.23","85.171.248.149","37.59.38.218"] + recipient_access: + - {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."} + - {entry: "crans.org", action: OK} + - {entry: "crans.fr", action: OK} + - {entry: "crans.eu", action: OK} + client_checks: + - {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!} + - {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!} + - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!} + - {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans} + client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64" + sender_login_maps: + - {sender: "@crans.org", owner: root} + - {sender: "@crans.fr", owner: root} + - {sender: "@crans.eu", owner: root} diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 972141b4..d654581d 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -23,6 +23,7 @@ - recipient_access - postscreen_access.cidr - client_checks + - sender_login_maps notify: - generate postmaps diff --git a/roles/postfix/templates/postfix/main.cf.j2 b/roles/postfix/templates/postfix/main.cf.j2 index 3afefdbd..92a67f56 100644 --- a/roles/postfix/templates/postfix/main.cf.j2 +++ b/roles/postfix/templates/postfix/main.cf.j2 
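Review bot: The postscreen, recipient_access and client_checks lists added for sputnik reproduce, as far as the parts of redisdead visible in this patch show, the same entries (the "Nice peoples" permit list, the four client_checks entries, the mime_header_checks rule), but as a second copy in host_vars. The two MXes' reject lists will now drift independently, so a client blocked on the primary MX can still deliver through the secondary; consider moving the shared lists to a group_vars entry both hosts inherit and keeping only host-specific values (`hostname`, `my_networks`, `client_event_limit_exceptions`) here. The commented-out second `# - regex:` rule was carried over verbatim; it starts with `[ ]*` rather than `/^[ ]*` like the active rule, so if it is ever reinstated it needs the same delimiter and anchor.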
@@ -30,13 +30,6 @@ biff = {% if postfix.biff is defined and postfix.biff %}yes{% else %}no{% endif mail_spool_directory = {{ postfix.deliver.spool }} {% endif %} -# Pour pouvoir tester sans tout casser, on active les soft bounces. -# Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais -# a la place, de renvoyer une erreur non permanente. En production -# il faut enlever ca. -soft_bounce = no - -# smtpd_reject_unlisted_sender = yes # +--------+ # | Divers | # +--------+ @@ -103,11 +96,10 @@ smtpd_sasl_auth_enable=yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks -{% if postfix.submission %} +{% if postfix.submission is defined %} permit_sasl_authenticated {% endif %} reject_invalid_helo_hostname -# reject_non_fqdn_helo_hostname {% if postfix.client_checks is defined %} # Vérifie que le client n'est pas dans un / d'ips blacklistées check_client_access cidr:/etc/postfix/client_checks @@ -171,7 +163,7 @@ submission_sender_restrictions = permit_mynetworks smtpd_policy_service_request_limit = 1 ## Filtrage au RCPT TO smtpd_recipient_restrictions = -{% if postfix.policy %} +{% if postfix.policy is defined and postfix.policy %} # Test avec policyd-rate-limit pour limiter le nombre de mails par utilisateur SASL check_policy_service { unix:ratelimit/policy, default_action=DUNNO } {% endif %} @@ -179,7 +171,7 @@ smtpd_recipient_restrictions = permit_mynetworks # rejette les recipients sans nom de domaine totalement qualifie reject_non_fqdn_recipient -{% if postfix.submission %} +{% if postfix.submission is defined %} # permet si le client est authentifie permit_sasl_authenticated {% endif %} 
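Review bot: `{% if postfix.submission is defined %}` turns on `permit_sasl_authenticated` in smtpd_helo_restrictions whenever the key merely exists, so a host that sets `submission: false` still gets the permit; the `policy` guard in the @@ -171 hunk of this same file uses `is defined and postfix.policy`, which is the test to use here, in the @@ -179 hunk (smtpd_recipient_restrictions) and in master.cf.j2's submission-listener guard: `{% if postfix.submission is defined and postfix.submission %}`. Neither host touched by this commit sets `submission` in the visible hunks, so as written the branch renders nowhere shown here; that may be intended for a WIP but is worth stating in the commit message.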
@@ -189,15 +181,13 @@ smtpd_recipient_restrictions = # accepte si on est sur un destinaire en @crans check_recipient_access hash:/etc/postfix/recipient_access {% endif %} -# pour les @lists.crans.org, accepte si la greylist est d'accord -# check_policy_service inet:127.0.0.1:2501 # jette le reste -#smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031 # Tailles maximales : 20Mo pour les msgs et 75 pour les mbox message_size_limit = 20971520 mailbox_size_limit = 78643000 {% if postfix.append_dot is defined and postfix.append_dot %} +# Obligation de specifier le nom de domaine complet append_dot_mydomain = yes {% else %} # Obligation de specifier le nom de domaine complet diff --git a/roles/postfix/templates/postfix/master.cf.j2 b/roles/postfix/templates/postfix/master.cf.j2 index 3ab1b91a..5dc66747 100644 --- a/roles/postfix/templates/postfix/master.cf.j2 +++ b/roles/postfix/templates/postfix/master.cf.j2 @@ -83,7 +83,7 @@ smtp inet n - - - - smtpd {% if postfix.postscreen %} dnsblog unix - - - - 0 dnsblog {% endif %} -{% if postfix.sasl %} +{% if postfix.submission is defined %} submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes diff --git a/roles/postfix/templates/postfix/sender_login_maps.j2 b/roles/postfix/templates/postfix/sender_login_maps.j2 index 9b1b22b8..65f04460 100644 --- a/roles/postfix/templates/postfix/sender_login_maps.j2 +++ b/roles/postfix/templates/postfix/sender_login_maps.j2 @@ -1,5 +1,5 @@ {{ ansible_header | comment }} -@crans.org root -@crans.fr root -@crans.eu root +{% for entry in postfix.sender_login_maps %} +{{ '{:<16}{}'.format(entry.sender,entry.owner) }} +{% endfor %}
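Review bot: The comment added above `append_dot_mydomain = yes` is the same text as the one already in the `else` branch (`# Obligation de specifier le nom de domaine complet`), yet the two branches do opposite things: with `yes` Postfix appends $mydomain to a bare local part, so the full domain is precisely not required. Replace the new line with a comment that matches this branch, e.g. `# Append $mydomain to addresses given without a domain part`, and keep the existing comment for the `no` branch.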
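Review bot: `'{:<16}{}'.format(entry.sender,entry.owner)` emits no separator once a sender pattern is 16 characters or longer (e.g. `@clubs.ens-cachan.fr`), so the map line becomes one token that postmap cannot split into key and value; use `{{ '{:<16} {}'.format(entry.sender, entry.owner) }}` so a space is always present. The loop also fails to render on any host that does not define `postfix.sender_login_maps`, and the roles/postfix/tasks/main.yml hunk now templates this file for every host the role runs on, while only redisdead and sputnik define the variable in this patch. Prefer an explicit `when: postfix.sender_login_maps is defined` on that task, or an `assert`, over a silent `| default([])`: an empty sender-login map is not a neutral change if the sender-login mismatch checks are enabled in smtpd restrictions outside this patch.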