Switch to Rspamd for DMARC handling

- Remove OpenDMARC
- Configure Rspamd for DMARC handling
- Update services and how to set up DNS records in README

README.md

@@ -28,7 +28,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
 -   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
 -   Spam fighting via [Rspamd](https://www.rspamd.com/) and [Postgrey](http://postgrey.schweikert.ch/).
--   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [OpenDMARC](http://www.trusteddomain.org/opendmarc/) so the Internet knows your mailserver is legit.
+-   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
 -   Your own private storage cloud via [ownCloud](http://owncloud.org/).
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).

group_vars/sovereign

@@ -6,6 +6,7 @@
 # common
 domain: (required)
 main_user_name: (required)
+organization: (required)
 
 # admin email
 # fail2ban reports will be sent to this address

roles/mailserver/defaults/main.yml

@@ -18,11 +18,6 @@ mail_virtual_domains: []
 mail_virtual_users: []
 mail_virtual_aliases: []
 
-# opendmarc
-mail_db_opendmarc_username: opendmarc
-mail_db_opendmarc_database: opendmarc
-mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
-
 # zpush
 zpush_version: 2.1.1-1788
 # common_timezone is a sovereign variable

roles/mailserver/files/etc_default_opendmarc

@@ -1,10 +0,0 @@
-# Command-line options specified here will override the contents of
-# /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
-#DAEMON_OPTS=""
-#
-# Uncomment to specify an alternate socket
-# Note that setting this will override any Socket value in opendkim.conf
-SOCKET="inet:54321" # listen on all interfaces on port 54321
-#SOCKET="local:/var/run/opendmarc/opendmarc.sock" # default
-#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
-#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

roles/mailserver/files/etc_rspamd_local.d_redis.conf

@@ -0,0 +1,2 @@
+servers = "127.0.0.1";
+

roles/mailserver/handlers/main.yml

@@ -14,8 +14,5 @@
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
   notify: restart postfix
 
-- name: restart opendmarc
-  service: name=opendmarc state=restarted
-
 - name: restart rspamd
   service: name=rspamd state=restarted

roles/mailserver/tasks/main.yml

@@ -1,10 +1,17 @@
-- include: postfix.yml tags=postfix
-- include: dovecot.yml tags=dovecot
-- include: opendkim.yml tags=opendkim
-- include: opendmarc.yml tags=opendmarc
-- include: rspamd.yml tags=rspamd
-- include: solr.yml tags=solr
-- include: checkrbl.yml tags=checkrbl
-- include: z-push.yml tags=zpush
-- include: autoconfig.yml tags=autoconfig
+- include: postfix.yml
+  tags: postfix
+- include: dovecot.yml
+  tags: dovecot
+- include: opendkim.yml
+  tags: opendkim
+- include: rspamd.yml
+  tags: rspamd
+- include: solr.yml
+  tags: solr
+- include: checkrbl.yml
+  tags: checkrbl
+- include: z-push.yml
+  tags: zpush
+- include: autoconfig.yml
+  tags: autoconfig
 

roles/mailserver/tasks/opendmarc.yml

@@ -1,55 +0,0 @@
-- name: Install OpenDMARC milter and related packages
-  apt: pkg={{ item }} state=installed update_cache=yes
-  with_items:
-    - mysql-server
-    - python-mysqldb
-    - opendmarc
-
-- name: Patch opendmarc scripts (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447)
-  lineinfile: dest=/usr/sbin/{{ item }} regexp='^require DBD::' line='require DBD::mysql;'
-  with_items:
-    - opendmarc-import
-    - opendmarc-reports
-    - opendmarc-params
-
-- name: Patch opendmarc scripts part deux (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447)
-  lineinfile: dest=/usr/sbin/{{ item }} regexp='^my \$dbscheme' line='my $dbscheme     = "mysql";'
-  with_items:
-    - opendmarc-reports
-    - opendmarc-import
-
-- name: Copy OpenDMARC configuration file into place
-  template: src=etc_opendmarc.conf.j2 dest=/etc/opendmarc.conf owner=root group=root
-  notify: restart opendmarc
-
-- name: Create OpenDMARC configuration directory
-  file: state=directory path=/etc/opendmarc
-
-- name: Copy OpenDMARC ignore hosts file into place
-  template: src=etc_opendmarc_ignore.hosts.j2 dest=/etc/opendmarc/ignore.hosts owner=root group=root
-
-- name: Copy OpenDMARC defaults file into place
-  copy: src=etc_default_opendmarc dest=/etc/default/opendmarc owner=root group=root
-  notify:
-    - restart opendmarc
-    - restart postfix
-
-- name: Create database user for OpenDMARC reports
-  mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
-
-- name: Create database for OpenDMARC reports
-  mysql_db: name={{ mail_db_opendmarc_database }} state=present
-  register: db_created
-
-- name: Import opendmarc schema
-  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/usr/share/doc/opendmarc/schema.mysql
-  when: db_created.changed
-
-- name: Copy nightly OpenDMARC report generation script into place
-  template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="0755"
-
-- name: Ensure initial report dat file exists with correct permissions
-  copy: content="" dest=/var/run/opendmarc/opendmarc.dat owner=opendmarc group=opendmarc
-
-- name: Activate OpenDMARC report cronjob
-  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log 2>&1 || tail /var/log/opendmarc_report.log"

roles/mailserver/tasks/rspamd.yml

@@ -33,8 +33,13 @@
   tags:
     - dependencies
 
+- name: Copy DMARC configuration into place
+  template: src=etc_rspamd_local.d_dmarc.conf.j2 dest=/etc/rspamd/local.d/dmarc.conf owner=root group=root mode="0644"
+  notify: restart rspamd
+
+- name: Configure Rspamd to use Redis
+  copy: src=etc_rspamd_local.d_redis.conf dest=/etc/rspamd/local.d/redis.conf owner=root group=root mode="0644"
+  notify: restart rspamd
+
 - name: Start redis
   service: name=redis-server state=started
-
-- name: Start rspamd systemd listener
-  service: name=rspamd state=started

roles/mailserver/templates/etc_opendmarc.conf.j2

@@ -1,362 +0,0 @@
-##
-## opendmarc.conf -- configuration file for OpenDMARC filter
-##
-## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
-##
-
-##  AuthservID (string)
-##  	defaults to MTA name
-##
-##  Sets the "authserv-id" to use when generating the Authentication-Results:
-##  header field after verifying a message.  If the string "HOSTNAME" is
-##  provided, the name of the host running the filter (as returned by the
-##  gethostname(3) function) will be used.  
-#
-AuthservID {{ mail_server_hostname }}
-
-##  AuthservIDWithJobID { true | false }
-##  	default "false"
-##
-##  If "true", requests that the authserv-id portion of the added
-##  Authentication-Results header fields contain the job ID of the message
-##  being evaluated.
-#
-# AuthservIDWithJobID false
-
-##  AutoRestart { true | false }
-##  	default "false"
-##
-##  Automatically re-start on failures. Use with caution; if the filter fails
-##  instantly after it starts, this can cause a tight fork(2) loop.
-#
-# AutoRestart false
-
-##  AutoRestartCount n
-##  	default 0
-##
-##  Sets the maximum automatic restart count.  After this number of automatic
-##  restarts, the filter will give up and terminate.  A value of 0 implies no
-##  limit.
-#
-# AutoRestartCount 0
-
-##  AutoRestartRate n/t[u]
-##  	default (no limit)
-##
-##  Sets the maximum automatic restart rate.  If the filter begins restarting
-##  faster than the rate defined here, it will give up and terminate.  This
-##  is a string of the form n/t[u] where n is an integer limiting the count
-##  of restarts in the given interval and t[u] defines the time interval
-##  through which the rate is calculated; t is an integer and u defines the
-##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
-##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
-##  value of "10/1h" limits the restarts to 10 in one hour. There is no
-##  default, meaning restart rate is not limited.
-#
-# AutoRestartRate n/t[u]
-
-##  Background { true | false }
-##  	default "true"
-##
-##  Causes opendmarc to fork and exits immediately, leaving the service
-##  running in the background.
-#
-# Background true
-
-##  BaseDirectory (string)
-##  	default (none)
-##
-##  If set, instructs the filter to change to the specified directory using
-##  chdir(2) before doing anything else.  This means any files referenced
-##  elsewhere in the configuration file can be specified relative to this
-##  directory.  It's also useful for arranging that any crash dumps will be
-##  saved to a specific location.
-#
-# BaseDirectory /var/run/opendmarc
-
-##  ChangeRootDirectory (string)
-##  	default (none)
-##
-##  Requests that the operating system change the effective root directory of
-##  the process to the one specified here prior to beginning execution.
-##  chroot(2) requires superuser access.  A warning will be generated if
-##  UserID is not also set.
-# 
-# ChangeRootDirectory /var/chroot/opendmarc
-
-##  CopyFailuresTo (string)
-##  	default (none)
-##
-##  Requests addition of the specified email address to the envelope of
-##  any message that fails the DMARC evaluation.
-#
-# CopyFailuresTo postmaster@localhost
-
-##  DNSTimeout (integer)
-##  	default 5
-## 
-##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
-##  (NOT YET IMPLEMENTED)
-#
-# DNSTimeout 5
-
-##  EnableCoredumps { true | false }
-##  	default "false"
-##
-##  On systems that have such support, make an explicit request to the kernel
-##  to dump cores when the filter crashes for some reason.  Some modern UNIX
-##  systems suppress core dumps during crashes for security reasons if the
-##  user ID has changed during the lifetime of the process.  Currently only
-##  supported on Linux.
-#
-# EnableCoreDumps false
-
-##  FailureReports { true | false }
-##  	default "false"
-##
-##  Enables generation of failure reports when the DMARC test fails and the
-##  purported sender of the message has requested such reports.  Reports are
-##  formatted per RFC6591.
-# 
-# FailureReports false
-
-##  FailureReportsBcc (string)
-##  	default (none)
-##
-##  When failure reports are enabled and one is to be generated, always
-##  send one to the address(es) specified here.  If a failure report is
-##  requested by the domain owner, the address(es) are added in a Bcc: field.
-##  If no request is made, they address(es) are used in a To: field.  There
-##  is no default.
-# 
-# FailureReportsBcc postmaster@example.coom
-
-##  FailureReportsOnNone { true | false }
-##  	default "false"
-##
-##  Supplements the "FailureReports" setting by generating reports for
-##  domains that advertise "none" policies.  By default, reports are only
-##  generated (when enabled) for sending domains advertising a "quarantine"
-##  or "reject" policy.
-# 
-# FailureReportsOnNone false
-
-##  FailureReportsSentBy string
-##  	default "USER@HOSTNAME"
-##
-##  Specifies the email address to use in the From: field of failure
-##  reports generated by the filter.  The default is to use the userid of
-##  the user running the filter and the local hostname to construct an
-##  email address.  "postmaster" is used in place of the userid if a name
-##  could not be determined.
-# 
-# FailureReportsSentBy USER@HOSTNAME
-
-##  HistoryFile path
-##  	default (none)
-##
-##  If set, specifies the location of a text file to which records are written
-##  that can be used to generate DMARC aggregate reports.  Records are groups
-##  of rows containing information about a single received message, and
-##  include all relevant information needed to generate a DMARC aggregate
-##  report.  It is expected that this will not be used in its raw form, but
-##  rather periodically imported into a relational database from which the
-##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
-#
-HistoryFile /var/run/opendmarc/opendmarc.dat
-
-##  IgnoreAuthenticatedClients { true | false }
-##  	default "false"
-##
-##  If set, causes mail from authenticated clients (i.e., those that used
-##  SMTP UATH) to be ignored by the filter.
-#
-# IgnoreAuthenticatedClients false
-
-##  IgnoreHosts path
-##  	default (internal)
-##
-##  Specifies the path to a file that contains a list of hostnames, IP
-##  addresses, and/or CIDR expressions identifying hosts whose SMTP
-##  connections are to be ignored by the filter.  If not specified, defaults
-##  to "127.0.0.1" only.
-#
-IgnoreHosts /etc/opendmarc/ignore.hosts
-
-##  IgnoreMailFrom domain[,...]
-##  	default (none)
-##
-##  Gives a list of domain names whose mail (based on the From: domain) is to
-##  be ignored by the filter.  The list should be comma-separated.  Matching
-##  against this list is case-insensitive.  The default is an empty list,
-##  meaning no mail is ignored.
-#
-# IgnoreMailFrom example.com
-
-##  MilterDebug (integer)
-##  	default 0
-##
-##  Sets the debug level to be requested from the milter library.
-#
-# MilterDebug 0
-
-##  PidFile path
-##  	default (none)
-##
-##  Specifies the path to a file that should be created at process start
-##  containing the process ID.
-##
-#
-PidFile /var/run/opendmarc.pid
-
-##  PublicSuffixList path
-##  	default (none)
-##
-##  Specifies the path to a file that contains top-level domains (TLDs) that
-##  will be used to compute the Organizational Domain for a given domain name,
-##  as described in the DMARC specification.  If not provided, the filter will
-##  not be able to determine the Organizational Domain and only the presented
-##  domain will be evaluated.
-#
-# PublicSuffixList path
-
-##  RecordAllMessages { true | false }
-##  	default "false"
-##
-##  If set and "HistoryFile" is in use, all received messages are recorded
-##  to the history file.  If not set (the default), only messages for which
-##  the From: domain published a DMARC record will be recorded in the
-##  history file.
-#
-# RecordAllMessages false
-
-##  RejectFailures { true | false }
-##  	default "false"
-##
-##  If set, messages will be rejected if they fail the DMARC evaluation, or
-##  temp-failed if evaluation could not be completed.  By default, no message
-##  will be rejected or temp-failed regardless of the outcome of the DMARC
-##  evaluation of the message.  Instead, an Authentication-Results header
-##  field will be added.
-#
-RejectFailures false
-
-##  ReportCommand string
-##  	default "/usr/sbin/sendmail -t"
-##
-##  Indicates the shell command to which failure reports should be passed for
-##  delivery when "FailureReports" is enabled.
-#
-# ReportCommand /usr/sbin/sendmail -t
-
-##  RequiredHeaders { true | false }
-##  	default "false"
-##
-##  If set, the filter will ensure the header of the message conforms to the
-##  basic header field count restrictions laid out in RFC5322, Section 3.6.
-##  Messages failing this test are rejected without further processing.  A
-##  From: field from which no domain name could be extracted will also be
-##  rejected.
-#
-# RequiredHeaders false
-
-##  Socket socketspec
-##  	default (none)
-##
-##  Specifies the socket that should be established by the filter to receive
-##  connections from sendmail(8) in order to provide service.  socketspec is
-##  in one of two forms: local:path, which creates a UNIX domain socket at
-##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
-##  a TCP socket on the specified port for the appropriate protocol family.
-##  If the host is not given as either a hostname or an IP address, the
-##  socket will be listening on all interfaces.  This option is mandatory
-##  either in the configuration file or on the command line.  If an IP
-##  address is used, it must be enclosed in square brackets.
-#
-# Socket inet:8893@localhost
-
-##  SoftwareHeader { true | false }
-##  	default "false"
-##
-##  Causes the filter to add a "DMARC-Filter" header field indicating the
-##  presence of this filter in the path of the message from injection to
-##  delivery.  The product's name, version, and the job ID are included in
-##  the header field's contents.
-#
-SoftwareHeader true
-
-##  SPFIgnoreResults { true | false }
-##	default "false"
-##
-##  Causes the filter to ignore any SPF results in the header of the
-##  message.  This is useful if you want the filter to perfrom SPF checks
-##  itself, or because you don't trust the arriving header.
-#
-# SPFIgnoreResults false
-
-##  SPFSelfValidate { true | false }
-##	default false
-##
-##  Enable internal spf checking with --with-spf
-##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
-##
-##  Causes the filter to perform a fallback SPF check itself when
-##  it can find no SPF results in the message header.  If SPFIgnoreResults
-##  is also set, it never looks for SPF results in headers and
-##  always performs the SPF check itself when this is set.
-#
-# SPFSelfValidate false
-
-##  Syslog { true | false }
-##  	default "false"
-##
-##  Log via calls to syslog(3) any interesting activity.
-#
-Syslog true
-
-##  SyslogFacility facility-name
-##  	default "mail"
-##
-##  Log via calls to syslog(3) using the named facility.  The facility names
-##  are the same as the ones allowed in syslog.conf(5).
-#
-# SyslogFacility mail
-
-##  TemporaryDirectory path
-##  	default /var/tmp
-##
-##  Specifies the directory in which temporary files should be written.
-#
-# TemporaryDirectory /var/tmp
-
-##  TrustedAuthservIDs string
-##  	default HOSTNAME
-##
-##  Specifies one or more "authserv-id" values to trust as relaying true
-##  upstream DKIM and SPF results.  The default is to use the name of
-##  the MTA processing the message.  To specify a list, separate each entry
-##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
-##  the host running the filter as reported by the gethostname(3) function.
-#
-TrustedAuthservIDs {{ mail_server_hostname }}
-
-##  UMask mask
-##  	default (none)
-##
-##  Requests a specific permissions mask to be used for file creation.  This
-##  only really applies to creation of the socket when Socket specifies a
-##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
-##  files are normally created by the mkstemp(3) function that enforces a
-##  specific file mode on creation regardless of the process umask.  See
-##  umask(2) for more information.
-#
-UMask 0002
-
-##  UserID user[:group]
-##  	default (none)
-##
-##  Attempts to become the specified userid before starting operations.
-##  The process will be assigned all of the groups and primary group ID of
-##  the named userid unless an alternate group is specified.
-#
-UserID opendmarc:opendmarc

roles/mailserver/templates/etc_opendmarc_ignore.hosts.j2

@@ -1,4 +0,0 @@
-localhost
-10.0.0.0/24
-{{ ansible_default_ipv4.address }}
-{{ "/n".join(friendly_networks) }}

roles/mailserver/templates/etc_opendmarc_report.sh.j2

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-# ensure this script errors out if any of its steps do
-set -e
-
-DB_SERVER='localhost'
-DB_USER='{{ mail_db_opendmarc_username }}'
-DB_PASS='{{ mail_db_opendmarc_password }}'
-DB_NAME='{{ mail_db_opendmarc_database }}'
-WORK_DIR='/var/run/opendmarc'
-REPORT_EMAIL='postmaster@{{ domain }}'
-
-mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f
-touch ${WORK_DIR}/opendmarc.dat
-chown opendmarc:opendmarc ${WORK_DIR}/opendmarc.dat
-
-/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat
-
-{% for domain in mail_virtual_domains %}
-/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org '{{ domain.name }}'
-{% endfor %}
-
-/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -99,8 +99,8 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
 local_recipient_maps = $virtual_mailbox_maps
 
-# Milters: OpenDKIM, OpenDMARC, Rspamd
-smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321,inet:127.0.0.1:11332
+# Milters: OpenDKIM, Rspamd
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:11332
 non_smtpd_milters = $smtpd_milters
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2

@@ -0,0 +1,47 @@
+# Enables storing reporting information to redis
+reporting = true;
+
+# Actions to enforce based on DMARC disposition
+actions = {
+  quarantine = "add_header";
+  reject = "reject";
+}
+
+# From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
+# send_reports MUST be true
+send_reports = true;
+
+# report_settings MUST be present
+report_settings {
+  # The following elements MUST be present
+  # organisation name to use for reports
+  org_name = "{{ organization }}";
+  
+  # organisation domain
+  domain = "{{ domain }}";
+
+  # sender address to use for reports
+  email = "postmaster@{{ domain }}";
+
+  # The following elements MAY be present
+  # SMTP host to send reports to ("127.0.0.1" if unset)
+  # smtp = "127.0.0.1";
+	
+  # TCP port to use for SMTP (25 if unset)
+  # smtp_port = 25;
+	
+  # HELO to use for SMTP ("rspamd" if unset)
+  # helo = "rspamd";
+	
+  # Number of retries on temporary errors (2 if unset)
+  # retries = 2;
+	
+  # Send DMARC reports here instead of domain owners
+  # override_address = "postmaster@example.net";
+	
+  # Send DMARC reports here in addition to domain owners
+  additional_address = "postmaster@{{ domain }}";
+	
+  # Number of records to request with HSCAN
+  # hscan_count = 200
+}