Przeglądaj źródła

Switch to Rspamd for DMARC handling

- Remove OpenDMARC
- Configure Rspamd for DMARC handling
- Update services and how to set up DNS records in README
Mike Ashley 7 lat temu
rodzic
commit
14615ae223

+ 1
- 1
README.md Wyświetl plik

@@ -28,7 +28,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
28 28
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
29 29
 -   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
30 30
 -   Spam fighting via [Rspamd](https://www.rspamd.com/) and [Postgrey](http://postgrey.schweikert.ch/).
31
--   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [OpenDMARC](http://www.trusteddomain.org/opendmarc/) so the Internet knows your mailserver is legit.
31
+-   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
32 32
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
33 33
 -   Your own private storage cloud via [ownCloud](http://owncloud.org/).
34 34
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).

+ 1
- 0
group_vars/sovereign Wyświetl plik

@@ -6,6 +6,7 @@
6 6
 # common
7 7
 domain: (required)
8 8
 main_user_name: (required)
9
+organization: (required)
9 10
 
10 11
 # admin email
11 12
 # fail2ban reports will be sent to this address

+ 0
- 5
roles/mailserver/defaults/main.yml Wyświetl plik

@@ -18,11 +18,6 @@ mail_virtual_domains: []
18 18
 mail_virtual_users: []
19 19
 mail_virtual_aliases: []
20 20
 
21
-# opendmarc
22
-mail_db_opendmarc_username: opendmarc
23
-mail_db_opendmarc_database: opendmarc
24
-mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
25
-
26 21
 # zpush
27 22
 zpush_version: 2.1.1-1788
28 23
 # common_timezone is a sovereign variable

+ 0
- 10
roles/mailserver/files/etc_default_opendmarc Wyświetl plik

@@ -1,10 +0,0 @@
1
-# Command-line options specified here will override the contents of
2
-# /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
3
-#DAEMON_OPTS=""
4
-#
5
-# Uncomment to specify an alternate socket
6
-# Note that setting this will override any Socket value in opendkim.conf
7
-SOCKET="inet:54321" # listen on all interfaces on port 54321
8
-#SOCKET="local:/var/run/opendmarc/opendmarc.sock" # default
9
-#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
10
-#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

+ 2
- 0
roles/mailserver/files/etc_rspamd_local.d_redis.conf Wyświetl plik

@@ -0,0 +1,2 @@
1
+servers = "127.0.0.1";
2
+

+ 0
- 3
roles/mailserver/handlers/main.yml Wyświetl plik

@@ -14,8 +14,5 @@
14 14
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
15 15
   notify: restart postfix
16 16
 
17
-- name: restart opendmarc
18
-  service: name=opendmarc state=restarted
19
-
20 17
 - name: restart rspamd
21 18
   service: name=rspamd state=restarted

+ 16
- 9
roles/mailserver/tasks/main.yml Wyświetl plik

@@ -1,10 +1,17 @@
1
-- include: postfix.yml tags=postfix
2
-- include: dovecot.yml tags=dovecot
3
-- include: opendkim.yml tags=opendkim
4
-- include: opendmarc.yml tags=opendmarc
5
-- include: rspamd.yml tags=rspamd
6
-- include: solr.yml tags=solr
7
-- include: checkrbl.yml tags=checkrbl
8
-- include: z-push.yml tags=zpush
9
-- include: autoconfig.yml tags=autoconfig
1
+- include: postfix.yml
2
+  tags: postfix
3
+- include: dovecot.yml
4
+  tags: dovecot
5
+- include: opendkim.yml
6
+  tags: opendkim
7
+- include: rspamd.yml
8
+  tags: rspamd
9
+- include: solr.yml
10
+  tags: solr
11
+- include: checkrbl.yml
12
+  tags: checkrbl
13
+- include: z-push.yml
14
+  tags: zpush
15
+- include: autoconfig.yml
16
+  tags: autoconfig
10 17
 

+ 0
- 55
roles/mailserver/tasks/opendmarc.yml Wyświetl plik

@@ -1,55 +0,0 @@
1
-- name: Install OpenDMARC milter and related packages
2
-  apt: pkg={{ item }} state=installed update_cache=yes
3
-  with_items:
4
-    - mysql-server
5
-    - python-mysqldb
6
-    - opendmarc
7
-
8
-- name: Patch opendmarc scripts (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447)
9
-  lineinfile: dest=/usr/sbin/{{ item }} regexp='^require DBD::' line='require DBD::mysql;'
10
-  with_items:
11
-    - opendmarc-import
12
-    - opendmarc-reports
13
-    - opendmarc-params
14
-
15
-- name: Patch opendmarc scripts part deux (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447)
16
-  lineinfile: dest=/usr/sbin/{{ item }} regexp='^my \$dbscheme' line='my $dbscheme     = "mysql";'
17
-  with_items:
18
-    - opendmarc-reports
19
-    - opendmarc-import
20
-
21
-- name: Copy OpenDMARC configuration file into place
22
-  template: src=etc_opendmarc.conf.j2 dest=/etc/opendmarc.conf owner=root group=root
23
-  notify: restart opendmarc
24
-
25
-- name: Create OpenDMARC configuration directory
26
-  file: state=directory path=/etc/opendmarc
27
-
28
-- name: Copy OpenDMARC ignore hosts file into place
29
-  template: src=etc_opendmarc_ignore.hosts.j2 dest=/etc/opendmarc/ignore.hosts owner=root group=root
30
-
31
-- name: Copy OpenDMARC defaults file into place
32
-  copy: src=etc_default_opendmarc dest=/etc/default/opendmarc owner=root group=root
33
-  notify:
34
-    - restart opendmarc
35
-    - restart postfix
36
-
37
-- name: Create database user for OpenDMARC reports
38
-  mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
39
-
40
-- name: Create database for OpenDMARC reports
41
-  mysql_db: name={{ mail_db_opendmarc_database }} state=present
42
-  register: db_created
43
-
44
-- name: Import opendmarc schema
45
-  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/usr/share/doc/opendmarc/schema.mysql
46
-  when: db_created.changed
47
-
48
-- name: Copy nightly OpenDMARC report generation script into place
49
-  template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="0755"
50
-
51
-- name: Ensure initial report dat file exists with correct permissions
52
-  copy: content="" dest=/var/run/opendmarc/opendmarc.dat owner=opendmarc group=opendmarc
53
-
54
-- name: Activate OpenDMARC report cronjob
55
-  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log 2>&1 || tail /var/log/opendmarc_report.log"

+ 8
- 3
roles/mailserver/tasks/rspamd.yml Wyświetl plik

@@ -33,8 +33,13 @@
33 33
   tags:
34 34
     - dependencies
35 35
 
36
+- name: Copy DMARC configuration into place
37
+  template: src=etc_rspamd_local.d_dmarc.conf.j2 dest=/etc/rspamd/local.d/dmarc.conf owner=root group=root mode="0644"
38
+  notify: restart rspamd
39
+
40
+- name: Configure Rspamd to use Redis
41
+  copy: src=etc_rspamd_local.d_redis.conf dest=/etc/rspamd/local.d/redis.conf owner=root group=root mode="0644"
42
+  notify: restart rspamd
43
+
36 44
 - name: Start redis
37 45
   service: name=redis-server state=started
38
-
39
-- name: Start rspamd systemd listener
40
-  service: name=rspamd state=started

+ 0
- 362
roles/mailserver/templates/etc_opendmarc.conf.j2 Wyświetl plik

@@ -1,362 +0,0 @@
1
-##
2
-## opendmarc.conf -- configuration file for OpenDMARC filter
3
-##
4
-## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
5
-##
6
-
7
-##  AuthservID (string)
8
-##  	defaults to MTA name
9
-##
10
-##  Sets the "authserv-id" to use when generating the Authentication-Results:
11
-##  header field after verifying a message.  If the string "HOSTNAME" is
12
-##  provided, the name of the host running the filter (as returned by the
13
-##  gethostname(3) function) will be used.  
14
-#
15
-AuthservID {{ mail_server_hostname }}
16
-
17
-##  AuthservIDWithJobID { true | false }
18
-##  	default "false"
19
-##
20
-##  If "true", requests that the authserv-id portion of the added
21
-##  Authentication-Results header fields contain the job ID of the message
22
-##  being evaluated.
23
-#
24
-# AuthservIDWithJobID false
25
-
26
-##  AutoRestart { true | false }
27
-##  	default "false"
28
-##
29
-##  Automatically re-start on failures. Use with caution; if the filter fails
30
-##  instantly after it starts, this can cause a tight fork(2) loop.
31
-#
32
-# AutoRestart false
33
-
34
-##  AutoRestartCount n
35
-##  	default 0
36
-##
37
-##  Sets the maximum automatic restart count.  After this number of automatic
38
-##  restarts, the filter will give up and terminate.  A value of 0 implies no
39
-##  limit.
40
-#
41
-# AutoRestartCount 0
42
-
43
-##  AutoRestartRate n/t[u]
44
-##  	default (no limit)
45
-##
46
-##  Sets the maximum automatic restart rate.  If the filter begins restarting
47
-##  faster than the rate defined here, it will give up and terminate.  This
48
-##  is a string of the form n/t[u] where n is an integer limiting the count
49
-##  of restarts in the given interval and t[u] defines the time interval
50
-##  through which the rate is calculated; t is an integer and u defines the
51
-##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
52
-##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
53
-##  value of "10/1h" limits the restarts to 10 in one hour. There is no
54
-##  default, meaning restart rate is not limited.
55
-#
56
-# AutoRestartRate n/t[u]
57
-
58
-##  Background { true | false }
59
-##  	default "true"
60
-##
61
-##  Causes opendmarc to fork and exits immediately, leaving the service
62
-##  running in the background.
63
-#
64
-# Background true
65
-
66
-##  BaseDirectory (string)
67
-##  	default (none)
68
-##
69
-##  If set, instructs the filter to change to the specified directory using
70
-##  chdir(2) before doing anything else.  This means any files referenced
71
-##  elsewhere in the configuration file can be specified relative to this
72
-##  directory.  It's also useful for arranging that any crash dumps will be
73
-##  saved to a specific location.
74
-#
75
-# BaseDirectory /var/run/opendmarc
76
-
77
-##  ChangeRootDirectory (string)
78
-##  	default (none)
79
-##
80
-##  Requests that the operating system change the effective root directory of
81
-##  the process to the one specified here prior to beginning execution.
82
-##  chroot(2) requires superuser access.  A warning will be generated if
83
-##  UserID is not also set.
84
-# 
85
-# ChangeRootDirectory /var/chroot/opendmarc
86
-
87
-##  CopyFailuresTo (string)
88
-##  	default (none)
89
-##
90
-##  Requests addition of the specified email address to the envelope of
91
-##  any message that fails the DMARC evaluation.
92
-#
93
-# CopyFailuresTo postmaster@localhost
94
-
95
-##  DNSTimeout (integer)
96
-##  	default 5
97
-## 
98
-##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
99
-##  (NOT YET IMPLEMENTED)
100
-#
101
-# DNSTimeout 5
102
-
103
-##  EnableCoredumps { true | false }
104
-##  	default "false"
105
-##
106
-##  On systems that have such support, make an explicit request to the kernel
107
-##  to dump cores when the filter crashes for some reason.  Some modern UNIX
108
-##  systems suppress core dumps during crashes for security reasons if the
109
-##  user ID has changed during the lifetime of the process.  Currently only
110
-##  supported on Linux.
111
-#
112
-# EnableCoreDumps false
113
-
114
-##  FailureReports { true | false }
115
-##  	default "false"
116
-##
117
-##  Enables generation of failure reports when the DMARC test fails and the
118
-##  purported sender of the message has requested such reports.  Reports are
119
-##  formatted per RFC6591.
120
-# 
121
-# FailureReports false
122
-
123
-##  FailureReportsBcc (string)
124
-##  	default (none)
125
-##
126
-##  When failure reports are enabled and one is to be generated, always
127
-##  send one to the address(es) specified here.  If a failure report is
128
-##  requested by the domain owner, the address(es) are added in a Bcc: field.
129
-##  If no request is made, they address(es) are used in a To: field.  There
130
-##  is no default.
131
-# 
132
-# FailureReportsBcc postmaster@example.coom
133
-
134
-##  FailureReportsOnNone { true | false }
135
-##  	default "false"
136
-##
137
-##  Supplements the "FailureReports" setting by generating reports for
138
-##  domains that advertise "none" policies.  By default, reports are only
139
-##  generated (when enabled) for sending domains advertising a "quarantine"
140
-##  or "reject" policy.
141
-# 
142
-# FailureReportsOnNone false
143
-
144
-##  FailureReportsSentBy string
145
-##  	default "USER@HOSTNAME"
146
-##
147
-##  Specifies the email address to use in the From: field of failure
148
-##  reports generated by the filter.  The default is to use the userid of
149
-##  the user running the filter and the local hostname to construct an
150
-##  email address.  "postmaster" is used in place of the userid if a name
151
-##  could not be determined.
152
-# 
153
-# FailureReportsSentBy USER@HOSTNAME
154
-
155
-##  HistoryFile path
156
-##  	default (none)
157
-##
158
-##  If set, specifies the location of a text file to which records are written
159
-##  that can be used to generate DMARC aggregate reports.  Records are groups
160
-##  of rows containing information about a single received message, and
161
-##  include all relevant information needed to generate a DMARC aggregate
162
-##  report.  It is expected that this will not be used in its raw form, but
163
-##  rather periodically imported into a relational database from which the
164
-##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
165
-#
166
-HistoryFile /var/run/opendmarc/opendmarc.dat
167
-
168
-##  IgnoreAuthenticatedClients { true | false }
169
-##  	default "false"
170
-##
171
-##  If set, causes mail from authenticated clients (i.e., those that used
172
-##  SMTP UATH) to be ignored by the filter.
173
-#
174
-# IgnoreAuthenticatedClients false
175
-
176
-##  IgnoreHosts path
177
-##  	default (internal)
178
-##
179
-##  Specifies the path to a file that contains a list of hostnames, IP
180
-##  addresses, and/or CIDR expressions identifying hosts whose SMTP
181
-##  connections are to be ignored by the filter.  If not specified, defaults
182
-##  to "127.0.0.1" only.
183
-#
184
-IgnoreHosts /etc/opendmarc/ignore.hosts
185
-
186
-##  IgnoreMailFrom domain[,...]
187
-##  	default (none)
188
-##
189
-##  Gives a list of domain names whose mail (based on the From: domain) is to
190
-##  be ignored by the filter.  The list should be comma-separated.  Matching
191
-##  against this list is case-insensitive.  The default is an empty list,
192
-##  meaning no mail is ignored.
193
-#
194
-# IgnoreMailFrom example.com
195
-
196
-##  MilterDebug (integer)
197
-##  	default 0
198
-##
199
-##  Sets the debug level to be requested from the milter library.
200
-#
201
-# MilterDebug 0
202
-
203
-##  PidFile path
204
-##  	default (none)
205
-##
206
-##  Specifies the path to a file that should be created at process start
207
-##  containing the process ID.
208
-##
209
-#
210
-PidFile /var/run/opendmarc.pid
211
-
212
-##  PublicSuffixList path
213
-##  	default (none)
214
-##
215
-##  Specifies the path to a file that contains top-level domains (TLDs) that
216
-##  will be used to compute the Organizational Domain for a given domain name,
217
-##  as described in the DMARC specification.  If not provided, the filter will
218
-##  not be able to determine the Organizational Domain and only the presented
219
-##  domain will be evaluated.
220
-#
221
-# PublicSuffixList path
222
-
223
-##  RecordAllMessages { true | false }
224
-##  	default "false"
225
-##
226
-##  If set and "HistoryFile" is in use, all received messages are recorded
227
-##  to the history file.  If not set (the default), only messages for which
228
-##  the From: domain published a DMARC record will be recorded in the
229
-##  history file.
230
-#
231
-# RecordAllMessages false
232
-
233
-##  RejectFailures { true | false }
234
-##  	default "false"
235
-##
236
-##  If set, messages will be rejected if they fail the DMARC evaluation, or
237
-##  temp-failed if evaluation could not be completed.  By default, no message
238
-##  will be rejected or temp-failed regardless of the outcome of the DMARC
239
-##  evaluation of the message.  Instead, an Authentication-Results header
240
-##  field will be added.
241
-#
242
-RejectFailures false
243
-
244
-##  ReportCommand string
245
-##  	default "/usr/sbin/sendmail -t"
246
-##
247
-##  Indicates the shell command to which failure reports should be passed for
248
-##  delivery when "FailureReports" is enabled.
249
-#
250
-# ReportCommand /usr/sbin/sendmail -t
251
-
252
-##  RequiredHeaders { true | false }
253
-##  	default "false"
254
-##
255
-##  If set, the filter will ensure the header of the message conforms to the
256
-##  basic header field count restrictions laid out in RFC5322, Section 3.6.
257
-##  Messages failing this test are rejected without further processing.  A
258
-##  From: field from which no domain name could be extracted will also be
259
-##  rejected.
260
-#
261
-# RequiredHeaders false
262
-
263
-##  Socket socketspec
264
-##  	default (none)
265
-##
266
-##  Specifies the socket that should be established by the filter to receive
267
-##  connections from sendmail(8) in order to provide service.  socketspec is
268
-##  in one of two forms: local:path, which creates a UNIX domain socket at
269
-##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
270
-##  a TCP socket on the specified port for the appropriate protocol family.
271
-##  If the host is not given as either a hostname or an IP address, the
272
-##  socket will be listening on all interfaces.  This option is mandatory
273
-##  either in the configuration file or on the command line.  If an IP
274
-##  address is used, it must be enclosed in square brackets.
275
-#
276
-# Socket inet:8893@localhost
277
-
278
-##  SoftwareHeader { true | false }
279
-##  	default "false"
280
-##
281
-##  Causes the filter to add a "DMARC-Filter" header field indicating the
282
-##  presence of this filter in the path of the message from injection to
283
-##  delivery.  The product's name, version, and the job ID are included in
284
-##  the header field's contents.
285
-#
286
-SoftwareHeader true
287
-
288
-##  SPFIgnoreResults { true | false }
289
-##	default "false"
290
-##
291
-##  Causes the filter to ignore any SPF results in the header of the
292
-##  message.  This is useful if you want the filter to perfrom SPF checks
293
-##  itself, or because you don't trust the arriving header.
294
-#
295
-# SPFIgnoreResults false
296
-
297
-##  SPFSelfValidate { true | false }
298
-##	default false
299
-##
300
-##  Enable internal spf checking with --with-spf
301
-##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
302
-##
303
-##  Causes the filter to perform a fallback SPF check itself when
304
-##  it can find no SPF results in the message header.  If SPFIgnoreResults
305
-##  is also set, it never looks for SPF results in headers and
306
-##  always performs the SPF check itself when this is set.
307
-#
308
-# SPFSelfValidate false
309
-
310
-##  Syslog { true | false }
311
-##  	default "false"
312
-##
313
-##  Log via calls to syslog(3) any interesting activity.
314
-#
315
-Syslog true
316
-
317
-##  SyslogFacility facility-name
318
-##  	default "mail"
319
-##
320
-##  Log via calls to syslog(3) using the named facility.  The facility names
321
-##  are the same as the ones allowed in syslog.conf(5).
322
-#
323
-# SyslogFacility mail
324
-
325
-##  TemporaryDirectory path
326
-##  	default /var/tmp
327
-##
328
-##  Specifies the directory in which temporary files should be written.
329
-#
330
-# TemporaryDirectory /var/tmp
331
-
332
-##  TrustedAuthservIDs string
333
-##  	default HOSTNAME
334
-##
335
-##  Specifies one or more "authserv-id" values to trust as relaying true
336
-##  upstream DKIM and SPF results.  The default is to use the name of
337
-##  the MTA processing the message.  To specify a list, separate each entry
338
-##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
339
-##  the host running the filter as reported by the gethostname(3) function.
340
-#
341
-TrustedAuthservIDs {{ mail_server_hostname }}
342
-
343
-##  UMask mask
344
-##  	default (none)
345
-##
346
-##  Requests a specific permissions mask to be used for file creation.  This
347
-##  only really applies to creation of the socket when Socket specifies a
348
-##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
349
-##  files are normally created by the mkstemp(3) function that enforces a
350
-##  specific file mode on creation regardless of the process umask.  See
351
-##  umask(2) for more information.
352
-#
353
-UMask 0002
354
-
355
-##  UserID user[:group]
356
-##  	default (none)
357
-##
358
-##  Attempts to become the specified userid before starting operations.
359
-##  The process will be assigned all of the groups and primary group ID of
360
-##  the named userid unless an alternate group is specified.
361
-#
362
-UserID opendmarc:opendmarc

+ 0
- 4
roles/mailserver/templates/etc_opendmarc_ignore.hosts.j2 Wyświetl plik

@@ -1,4 +0,0 @@
1
-localhost
2
-10.0.0.0/24
3
-{{ ansible_default_ipv4.address }}
4
-{{ "/n".join(friendly_networks) }}

+ 0
- 23
roles/mailserver/templates/etc_opendmarc_report.sh.j2 Wyświetl plik

@@ -1,23 +0,0 @@
1
-#!/bin/bash
2
-
3
-# ensure this script errors out if any of its steps do
4
-set -e
5
-
6
-DB_SERVER='localhost'
7
-DB_USER='{{ mail_db_opendmarc_username }}'
8
-DB_PASS='{{ mail_db_opendmarc_password }}'
9
-DB_NAME='{{ mail_db_opendmarc_database }}'
10
-WORK_DIR='/var/run/opendmarc'
11
-REPORT_EMAIL='postmaster@{{ domain }}'
12
-
13
-mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f
14
-touch ${WORK_DIR}/opendmarc.dat
15
-chown opendmarc:opendmarc ${WORK_DIR}/opendmarc.dat
16
-
17
-/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat
18
-
19
-{% for domain in mail_virtual_domains %}
20
-/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org '{{ domain.name }}'
21
-{% endfor %}
22
-
23
-/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

+ 2
- 2
roles/mailserver/templates/etc_postfix_main.cf.j2 Wyświetl plik

@@ -99,8 +99,8 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
99 99
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
100 100
 local_recipient_maps = $virtual_mailbox_maps
101 101
 
102
-# Milters: OpenDKIM, OpenDMARC, Rspamd
103
-smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321,inet:127.0.0.1:11332
102
+# Milters: OpenDKIM, Rspamd
103
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:11332
104 104
 non_smtpd_milters = $smtpd_milters
105 105
 milter_protocol = 6
106 106
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

+ 47
- 0
roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2 Wyświetl plik

@@ -0,0 +1,47 @@
1
+# Enables storing reporting information to redis
2
+reporting = true;
3
+
4
+# Actions to enforce based on DMARC disposition
5
+actions = {
6
+  quarantine = "add_header";
7
+  reject = "reject";
8
+}
9
+
10
+# From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
11
+# send_reports MUST be true
12
+send_reports = true;
13
+
14
+# report_settings MUST be present
15
+report_settings {
16
+  # The following elements MUST be present
17
+  # organisation name to use for reports
18
+  org_name = "{{ organization }}";
19
+  
20
+  # organisation domain
21
+  domain = "{{ domain }}";
22
+
23
+  # sender address to use for reports
24
+  email = "postmaster@{{ domain }}";
25
+
26
+  # The following elements MAY be present
27
+  # SMTP host to send reports to ("127.0.0.1" if unset)
28
+  # smtp = "127.0.0.1";
29
+	
30
+  # TCP port to use for SMTP (25 if unset)
31
+  # smtp_port = 25;
32
+	
33
+  # HELO to use for SMTP ("rspamd" if unset)
34
+  # helo = "rspamd";
35
+	
36
+  # Number of retries on temporary errors (2 if unset)
37
+  # retries = 2;
38
+	
39
+  # Send DMARC reports here instead of domain owners
40
+  # override_address = "postmaster@example.net";
41
+	
42
+  # Send DMARC reports here in addition to domain owners
43
+  additional_address = "postmaster@{{ domain }}";
44
+	
45
+  # Number of records to request with HSCAN
46
+  # hscan_count = 200
47
+}

Ładowanie…
Anuluj
Zapisz