WIP:

host_vars/redisdead.adm.crans.org.yml

@@ -63,7 +63,6 @@ postfix:
   tls:
     cert: /etc/letsencrypt/live/crans.org/fullchain.pem
     key: /etc/letsencrypt/live/crans.org/privkey.pem
-  sasl: true
   smtp:
     sender_login_maps:
       - {entry: "@crans.org", owner: root}
@@ -78,7 +77,7 @@ postfix:
     - regex: '/^[	 ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[	 ]*$/'
       action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
     # - regex: '[	 ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[	 ]*$/'
-      action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
+    #   action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
   milter: true
   postscreen:
     - comment: "Nice peoples"
@@ -134,3 +133,7 @@ postfix:
     - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
     - {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans}
   client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64, 185.230.79.0/26, [2a0c:700:2::]/64"
+  sender_login_maps:
+    - {sender: "@crans.org", owner: root}
+    - {sender: "@crans.fr", owner: root}
+    - {sender: "@crans.eu", owner: root}

host_vars/sputnik.adm.crans.org.yml

@@ -1,12 +1,12 @@
 ---
 debian_mirror: http://deb.debian.org/debian
 
-postfix:
-  primary: false
-  secondary: true
-  public: true
-  dkim: true
-  titanic: false
+#postfix:
+#  primary: false
+#  secondary: true
+#  public: true
+#  dkim: true
+#  titanic: false
 
 loc_wireguard:
   tunnels:
@@ -111,3 +111,95 @@ loc_reverseproxy:
   redirect_sites: []
 
   static_sites: []
+
+postfix:
+  hostname: sputnik.crans.org
+  shortname: sputnik
+  domain: crans.org
+  origin: crans.org
+  append_dot: true
+  my_networks: "172.16.10.0/24, [fd00:0:0:10::]/64"
+  relay: "$mydestination, lists.$mydomain, $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu"
+  transport:
+    - method: smtp
+      comment: "Les mailing-listes sont délivrées localement"
+      params: "[172.16.10.110]"
+      targets: [lists.crans.org]
+    - method: smtp
+      comment: "Les mails sont délivrés par le serveur des adhérents"
+      params: "[172.16.10.31]"
+      targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr]
+  aliases: /var/local/services/mail/generated/aliases
+  virtual: /var/local/services/mail/generated/virtual
+  tls:
+    cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+    key: /etc/letsencrypt/live/crans.org/privkey.pem
+  smtp:
+    sender_login_maps:
+      - {entry: "@crans.org", owner: root}
+      - {entry: "@crans.fr", owner: root}
+      - {entry: "@crans.eu", owner: root}
+  mime_header_checks:
+    - regex: '/^[	 ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[	 ]*$/'
+      action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
+    # - regex: '[	 ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[	 ]*$/'
+    #   action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
+  milter: true
+  postscreen:
+    - comment: "Nice peoples"
+      verdict: permit
+      targets: ["127.0.0.1","185.230.76.0/22","185.230.79.40","172.16.10.0/24","82.225.39.54","91.121.179.40","46.105.102.188","fd00:0:0:10::/64","fd00:0:0:11::/64","2a0c:700:0:2::/64","2a0c:700:0:3::/64","2a0c:700:0:12::/64","2a0c:700:0:13::/64","2a0c:700:0:21::/64","2a0c:700:0:22::/64","2a0c:700:0:23::/64","2a0c:700:0:24::/64","2a0c:700:2::ff:fe01:1002"]
+    - comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015"
+      verdict: reject
+      targets: ["149.202.29.192/28","37.187.141.230","2001:41d0:a:4ce6::/64"]
+    - comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?"
+      verdict: reject
+      targets: ["37.187.132.105","92.222.109.0/27"]
+    - comment: "mail.alkar.net spam le 26/06/2016"
+      verdict: reject
+      targets: ["195.248.191.95"]
+    - comment: "mail.testfast.eu spam en juin 2016"
+      verdict: reject
+      targets: ["176.20.27.0/24"]
+    - comment: "Spam depuis des adresses en .ua"
+      verdict: reject
+      targets: ["91.194.84.10","213.186.200.70","185.117.89.15","62.141.42.44"]
+    - comment: "installio.co.ua"
+      verdict: reject
+      targets: ["217.79.181.5"]
+    - comment: Scam
+      verdict: reject
+      targets: ["180.137.106.59","169.255.7.5","110.159.122.90","37.104.198.10","46.62.146.206"]
+    - comment: "Spam alcoolisme 16/09/2018"
+      verdict: reject
+      targets: ["46.249.59.89"]
+    - comment: 'Spam "Pastoral shit"'
+      verdict: reject
+      targets: ["198.84.107.98","198.84.74.66","104.168.178.132","104.168.178.156","158.69.253.33"]
+    - comment: "Spam overdue payment"
+      verdict: reject
+      targets: ["193.56.28.114"]
+    - comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient."
+      verdict: reject
+      targets: ["94.242.206.15","91.188.222.33"]
+    - comment: "Et les russes ils dégagent aussi"
+      verdict: reject
+      targets: ["185.50.149.0/24"]
+    - comment: "2021/11/13: vague de spam"
+      verdict: reject
+      targets: ["139.162.150.93","130.255.78.23","85.171.248.149","37.59.38.218"]
+  recipient_access:
+    - {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."}
+    - {entry: "crans.org", action: OK}
+    - {entry: "crans.fr", action: OK}
+    - {entry: "crans.eu", action: OK}
+  client_checks:
+    - {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!}
+    - {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!}
+    - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
+    - {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans}
+  client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64"
+  sender_login_maps:
+    - {sender: "@crans.org", owner: root}
+    - {sender: "@crans.fr", owner: root}
+    - {sender: "@crans.eu", owner: root}

roles/postfix/tasks/main.yml

@@ -23,6 +23,7 @@
     - recipient_access
     - postscreen_access.cidr
     - client_checks
+    - sender_login_maps
   notify:
     - generate postmaps
 

roles/postfix/templates/postfix/main.cf.j2

@@ -30,13 +30,6 @@ biff = {% if postfix.biff is defined and postfix.biff %}yes{% else %}no{% endif
 mail_spool_directory = {{ postfix.deliver.spool }}
 {% endif %}
 
-# Pour pouvoir tester sans tout casser, on active les soft bounces.
-# Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais
-# a la place, de renvoyer une erreur non permanente. En production
-# il faut enlever ca.
-soft_bounce = no
-
-# smtpd_reject_unlisted_sender = yes
 # +--------+
 # | Divers |
 # +--------+
@@ -103,11 +96,10 @@ smtpd_sasl_auth_enable=yes
 
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks
-{% if postfix.submission %}
+{% if postfix.submission is defined %}
                           permit_sasl_authenticated
 {% endif %}
                           reject_invalid_helo_hostname
-#                         reject_non_fqdn_helo_hostname
 {% if postfix.client_checks is defined %}
 # Vérifie que le client n'est pas dans un / d'ips blacklistées
                           check_client_access cidr:/etc/postfix/client_checks
@@ -171,7 +163,7 @@ submission_sender_restrictions = permit_mynetworks
 smtpd_policy_service_request_limit = 1
 ## Filtrage au RCPT TO
 smtpd_recipient_restrictions =
-{% if postfix.policy  %}
+{% if postfix.policy is defined and postfix.policy  %}
 # Test avec policyd-rate-limit pour limiter le nombre de mails par utilisateur SASL
                                check_policy_service { unix:ratelimit/policy, default_action=DUNNO }
 {% endif %}
@@ -179,7 +171,7 @@ smtpd_recipient_restrictions =
                                permit_mynetworks
 # rejette les recipients sans nom de domaine totalement qualifie
                                reject_non_fqdn_recipient
-{% if postfix.submission %}
+{% if postfix.submission is defined %}
 # permet si le client est authentifie
                                permit_sasl_authenticated
 {% endif %}
@@ -189,15 +181,13 @@ smtpd_recipient_restrictions =
 # accepte si on est sur un destinaire en @crans
                                check_recipient_access hash:/etc/postfix/recipient_access
 {% endif %}
-# pour les @lists.crans.org, accepte si la greylist est d'accord
-#                               check_policy_service inet:127.0.0.1:2501
 # jette le reste
 
-#smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
 # Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
 message_size_limit = 20971520
 mailbox_size_limit = 78643000
 {% if postfix.append_dot is defined and postfix.append_dot %}
+# Obligation de specifier le nom de domaine complet
 append_dot_mydomain = yes
 {% else %}
 # Obligation de specifier le nom de domaine complet

roles/postfix/templates/postfix/master.cf.j2

@@ -83,7 +83,7 @@ smtp      inet  n       -       -       -       -       smtpd
 {% if postfix.postscreen %}
 dnsblog   unix  -       -       -       -       0       dnsblog
 {% endif %}
-{% if postfix.sasl %}
+{% if postfix.submission is defined %}
 submission inet n       -       -       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes

roles/postfix/templates/postfix/sender_login_maps.j2

@@ -1,5 +1,5 @@
 {{ ansible_header | comment }}
 
-@crans.org root
-@crans.fr root
-@crans.eu root
+{% for entry in postfix.sender_login_maps %}
+{{ '{:<16}{}'.format(entry.sender,entry.owner) }}
+{% endfor %}