
Revert opendmarc to use mysql

An earlier commit started transitioning opendmarc to use postgres, but
this was incomplete.  This patch reverts that change and uses mysql for
the reporting database.

Other changes:

* Do not maintain a copy of the database import schema.  A copy is
  included in the distribution in /usr/share/doc, so that is used
  instead.
* The configuration file is replaced with the distribution's sample
  configuration.  A second patch will restore the actual configuration.
  This will make the changes easier to see if the default configuration
  file changes in future versions of opendmarc.
Mike Ashley 9 years ago
parent
commit
1bc60827ef

+ 0
- 105
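--- a/roles/mailserver/files/etc_opendmarc_import.sql
+++ b/roles/mailserver/files/etc_opendmarc_import.sql
@@ -1,106 +0,0 @@
-# Source: http://www.trusteddomain.org/pipermail/opendmarc-users/2015-February/000447.html
-
-START TRANSACTION;
-
-SET standard_conforming_strings=off;
-SET escape_string_warning=off;
-SET CONSTRAINTS ALL DEFERRED;
-
-CREATE TABLE "domains" (
-  "id" integer NOT NULL,
-  "name" varchar(510) NOT NULL,
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-  PRIMARY KEY ("id"),
-  UNIQUE ("name")
-);
-
-CREATE TABLE "ipaddr" (
-  "id" integer NOT NULL,
-  "addr" varchar(128) NOT NULL,
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-  PRIMARY KEY ("id"),
-  UNIQUE ("addr")
-);
-
-CREATE TABLE "messages" (
-  "id" integer NOT NULL,
-  "date" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-  "jobid" varchar(256) NOT NULL,
-  "reporter" integer  NOT NULL,
-  "policy" tinyint(3)  NOT NULL,
-  "disp" tinyint(3)  NOT NULL,
-  "ip" integer  NOT NULL,
-  "env_domain" integer  NOT NULL,
-  "from_domain" integer  NOT NULL,
-  "policy_domain" integer  NOT NULL,
-  "spf" tinyint(3)  NOT NULL,
-  "align_dkim" tinyint(3)  NOT NULL,
-  "align_spf" tinyint(3)  NOT NULL,
-  "sigcount" tinyint(3)  NOT NULL,
-  PRIMARY KEY ("id"),
-  UNIQUE ("reporter", "date", "jobid")
-);
-
-CREATE TABLE "reporters" (
-  "id" integer NOT NULL,
-  "name" varchar(510) NOT NULL,
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-  PRIMARY KEY ("id"),
-  UNIQUE ("name")
-);
-
-CREATE TABLE "requests" (
-  "id" integer NOT NULL,
-  "domain" integer NOT NULL,
-  "repuri" varchar(510) NOT NULL,
-  "adkim" tinyint(4) NOT NULL,
-  "aspf" tinyint(4) NOT NULL,
-  "policy" tinyint(4) NOT NULL,
-  "spolicy" tinyint(4) NOT NULL,
-  "pct" tinyint(4) NOT NULL,
-  "locked" tinyint(4) NOT NULL,
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-  "lastsent" timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
-  PRIMARY KEY ("id"),
-  UNIQUE ("domain")
-);
-
-CREATE TABLE "signatures" (
-  "id" integer NOT NULL,
-  "message" integer NOT NULL,
-  "domain" integer NOT NULL,
-  "pass" tinyint(4) NOT NULL,
-  "error" tinyint(4) NOT NULL,
-  PRIMARY KEY ("id")
-);
-
-COMMIT;
-
-START TRANSACTION;
-
-CREATE SEQUENCE domains_id_seq;
-SELECT setval('domains_id_seq', max(id)) FROM domains;
-ALTER TABLE "domains" ALTER COLUMN "id" SET DEFAULT nextval('domains_id_seq');
-
-CREATE SEQUENCE ipaddr_id_seq;
-SELECT setval('ipaddr_id_seq', max(id)) FROM ipaddr;
-ALTER TABLE "ipaddr" ALTER COLUMN "id" SET DEFAULT nextval('ipaddr_id_seq');
-
-CREATE SEQUENCE messages_id_seq;
-SELECT setval('messages_id_seq', max(id)) FROM messages;
-ALTER TABLE "messages" ALTER COLUMN "id" SET DEFAULT nextval('messages_id_seq');
-
-CREATE SEQUENCE reporters_id_seq;
-SELECT setval('reporters_id_seq', max(id)) FROM reporters;
-ALTER TABLE "reporters" ALTER COLUMN "id" SET DEFAULT nextval('reporters_id_seq');
-
-CREATE SEQUENCE requests_id_seq;
-SELECT setval('requests_id_seq', max(id)) FROM requests;
-ALTER TABLE "requests" ALTER COLUMN "id" SET DEFAULT nextval('requests_id_seq');
-
-CREATE SEQUENCE signatures_id_seq;
-SELECT setval('signatures_id_seq', max(id)) FROM signatures;
-ALTER TABLE "signatures" ALTER COLUMN "id" SET DEFAULT nextval('signatures_id_seq');
-
-COMMIT;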

+ 0
- 4
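--- a/roles/mailserver/handlers/main.yml
+++ b/roles/mailserver/handlers/main.yml
@@ -14,10 +14,6 @@
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
   notify: restart postfix
 
-- name: import sql opendmarc
-  action: shell PGPASSWORD='{{ mail_db_opendmarc_password }}' psql -h localhost -d {{ mail_db_opendmarc_database }} -U {{ mail_db_opendmarc_username }} -f /etc/opendmarc/import.sql --set ON_ERROR_STOP=1
-  notify: restart postfix
-
 - name: restart opendmarc
   service: name=opendmarc state=restarted
 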

+ 7
- 7
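--- a/roles/mailserver/tasks/opendmarc.yml
+++ b/roles/mailserver/tasks/opendmarc.yml
@@ -1,8 +1,8 @@
 - name: Install OpenDMARC milter and related packages
   apt: pkg={{ item }} state=installed update_cache=yes
   with_items:
-    - postgresql
-    - python-psycopg2
+    - mysql-server
+    - python-mysqldb
     - opendmarc
 
 - name: Copy OpenDMARC configuration file into place
@@ -22,14 +22,14 @@
     - restart postfix
 
 - name: Create database user for OpenDMARC reports
-  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_opendmarc_username }} password="{{ mail_db_opendmarc_password }}" state=present
+  mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
 
 - name: Create database for OpenDMARC reports
-  postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_opendmarc_database }} state=present owner={{ mail_db_opendmarc_username }}
+  mysql_db: name={{ mail_db_opendmarc_database }} state=present
 
-- name: Copy OpenDMARC database schema file into place
-  copy: src=etc_opendmarc_import.sql dest=/etc/opendmarc/import.sql owner=root group=root mode=0600
-  notify: import sql opendmarc
+- name: Import database schema for OpenDMARC reports
+  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/usr/share/doc/opendmarc/schema.mysql
+  tags: import_mysql_postfix
 
 - name: Copy nightly OpenDMARC report generation script into place
   template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="755"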
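Review bot: The new `mysql_user` task grants `opendmarc.*:ALL`, a hard-coded schema name, while the database in the next task is created as `{{ mail_db_opendmarc_database }}`; if that variable is ever not `opendmarc`, the account gets full rights on a schema the role does not manage and none on the one it does. I would tie the grant to the variable and quote the password, which the removed postgres line did and which matters in key=value syntax when the secret contains spaces or `=`: `mysql_user: user={{ mail_db_opendmarc_username }} password="{{ mail_db_opendmarc_password }}" state=present priv="{{ mail_db_opendmarc_database }}.*:ALL"`. `ALL` is also wider than a reporting account probably needs, so narrowing it to the statements the import and report scripts actually issue is worth a follow-up. Separately, the `state=import` task has no guard, so the schema is presumably re-applied on every run, and its tag `import_mysql_postfix` names postfix rather than opendmarc.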

+ 315
- 37
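--- a/roles/mailserver/templates/etc_opendmarc.conf.j2
+++ b/roles/mailserver/templates/etc_opendmarc.conf.j2
@@ -1,41 +1,336 @@
-# This is a basic configuration that can easily be adapted to suit a standard
-# installation. For more advanced options, see opendkim.conf(5) and/or
-# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
+##
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
+##
 
 ##  AuthservID (string)
-##      defaults to MTA name
+##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.  
+#
+# AuthservID name
+
+##  AuthservIDWithJobID { true | false }
+##  	default "false"
+##
+##  If "true", requests that the authserv-id portion of the added
+##  Authentication-Results header fields contain the job ID of the message
+##  being evaluated.
+#
+# AuthservIDWithJobID false
+
+##  AutoRestart { true | false }
+##  	default "false"
+##
+##  Automatically re-start on failures. Use with caution; if the filter fails
+##  instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+##  AutoRestartCount n
+##  	default 0
+##
+##  Sets the maximum automatic restart count.  After this number of automatic
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
+##  limit.
+#
+# AutoRestartCount 0
+
+##  AutoRestartRate n/t[u]
+##  	default (no limit)
+##
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
+##  faster than the rate defined here, it will give up and terminate.  This
+##  is a string of the form n/t[u] where n is an integer limiting the count
+##  of restarts in the given interval and t[u] defines the time interval
+##  through which the rate is calculated; t is an integer and u defines the
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
+##  default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+##  Background { true | false }
+##  	default "true"
+##
+##  Causes opendmarc to fork and exits immediately, leaving the service
+##  running in the background.
+#
+# Background true
+
+##  BaseDirectory (string)
+##  	default (none)
+##
+##  If set, instructs the filter to change to the specified directory using
+##  chdir(2) before doing anything else.  This means any files referenced
+##  elsewhere in the configuration file can be specified relative to this
+##  directory.  It's also useful for arranging that any crash dumps will be
+##  saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+##  ChangeRootDirectory (string)
+##  	default (none)
+##
+##  Requests that the operating system change the effective root directory of
+##  the process to the one specified here prior to beginning execution.
+##  chroot(2) requires superuser access.  A warning will be generated if
+##  UserID is not also set.
+# 
+# ChangeRootDirectory /var/chroot/opendmarc
+
+##  CopyFailuresTo (string)
+##  	default (none)
+##
+##  Requests addition of the specified email address to the envelope of
+##  any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+##  DNSTimeout (integer)
+##  	default 5
+## 
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
+##  (NOT YET IMPLEMENTED)
 #
-AuthservID {{ mail_server_hostname }}
+# DNSTimeout 5
 
-##  ForensicReports { true | false }
-##      default "false"
+##  EnableCoredumps { true | false }
+##  	default "false"
 ##
-# ForensicReports false
+##  On systems that have such support, make an explicit request to the kernel
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
+##  systems suppress core dumps during crashes for security reasons if the
+##  user ID has changed during the lifetime of the process.  Currently only
+##  supported on Linux.
+#
+# EnableCoreDumps false
+
+##  FailureReports { true | false }
+##  	default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+# 
+# FailureReports false
 
-PidFile /var/run/opendmarc.pid
+##  FailureReportsBcc (string)
+##  	default (none)
+##
+##  When failure reports are enabled and one is to be generated, always
+##  send one to the address(es) specified here.  If a failure report is
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
+##  If no request is made, they address(es) are used in a To: field.  There
+##  is no default.
+# 
+# FailureReportsBcc postmaster@example.coom
+
+##  FailureReportsOnNone { true | false }
+##  	default "false"
+##
+##  Supplements the "FailureReports" setting by generating reports for
+##  domains that advertise "none" policies.  By default, reports are only
+##  generated (when enabled) for sending domains advertising a "quarantine"
+##  or "reject" policy.
+# 
+# FailureReportsOnNone false
+
+##  FailureReportsSentBy string
+##  	default "USER@HOSTNAME"
+##
+##  Specifies the email address to use in the From: field of failure
+##  reports generated by the filter.  The default is to use the userid of
+##  the user running the filter and the local hostname to construct an
+##  email address.  "postmaster" is used in place of the userid if a name
+##  could not be determined.
+# 
+# FailureReportsSentBy USER@HOSTNAME
+
+##  HistoryFile path
+##  	default (none)
+##
+##  If set, specifies the location of a text file to which records are written
+##  that can be used to generate DMARC aggregate reports.  Records are groups
+##  of rows containing information about a single received message, and
+##  include all relevant information needed to generate a DMARC aggregate
+##  report.  It is expected that this will not be used in its raw form, but
+##  rather periodically imported into a relational database from which the
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+# HistoryFile /var/run/opendmarc.dat
+
+##  IgnoreAuthenticatedClients { true | false }
+##  	default "false"
+##
+##  If set, causes mail from authenticated clients (i.e., those that used
+##  SMTP AUTH) to be ignored by the filter.
+#
+# IgnoreAuthenticatedClients false
+
+##  IgnoreHosts path
+##  	default (internal)
+##
+##  Specifies the path to a file that contains a list of hostnames, IP
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
+##  connections are to be ignored by the filter.  If not specified, defaults
+##  to "127.0.0.1" only.
+#
+# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
+
+##  IgnoreMailFrom domain[,...]
+##  	default (none)
+##
+##  Gives a list of domain names whose mail (based on the From: domain) is to
+##  be ignored by the filter.  The list should be comma-separated.  Matching
+##  against this list is case-insensitive.  The default is an empty list,
+##  meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+
+##  MilterDebug (integer)
+##  	default 0
+##
+##  Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+##  PidFile path
+##  	default (none)
+##
+##  Specifies the path to a file that should be created at process start
+##  containing the process ID.
+##
+#
+# PidFile /var/run/opendmarc.pid
+
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+# PublicSuffixList path
+
+##  RecordAllMessages { true | false }
+##  	default "false"
+##
+##  If set and "HistoryFile" is in use, all received messages are recorded
+##  to the history file.  If not set (the default), only messages for which
+##  the From: domain published a DMARC record will be recorded in the
+##  history file.
+#
+# RecordAllMessages false
 
 ##  RejectFailures { true | false }
-##      default "false"
+##  	default "false"
 ##
-RejectFailures false
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
+# RejectFailures false
+
+##  ReportCommand string
+##  	default "/usr/sbin/sendmail -t"
+##
+##  Indicates the shell command to which failure reports should be passed for
+##  delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+##  RequiredHeaders { true | false }
+##  	default "false"
+##
+##  If set, the filter will ensure the header of the message conforms to the
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
+##  Messages failing this test are rejected without further processing.  A
+##  From: field from which no domain name could be extracted will also be
+##  rejected.
+#
+# RequiredHeaders false
+
+##  Socket socketspec
+##  	default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+
+##  SoftwareHeader { true | false }
+##  	default "false"
+##
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
+##  presence of this filter in the path of the message from injection to
+##  delivery.  The product's name, version, and the job ID are included in
+##  the header field's contents.
+#
+# SoftwareHeader false
+
+##  SPFIgnoreResults { true | false }
+##	default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the
+##  message.  This is useful if you want the filter to perfrom SPF checks
+##  itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+
+##  SPFSelfValidate { true | false }
+##	default false
+##
+##  Enable internal spf checking with --with-spf
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+##  Causes the filter to perform a fallback SPF check itself when
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
+##  is also set, it never looks for SPF results in headers and
+##  always performs the SPF check itself when this is set.
+#
+# SPFSelfValidate false
 
 ##  Syslog { true | false }
-##      default "false"
+##  	default "false"
 ##
 ##  Log via calls to syslog(3) any interesting activity.
 #
-Syslog true
+# Syslog false
 
 ##  SyslogFacility facility-name
-##      default "mail"
+##  	default "mail"
 ##
 ##  Log via calls to syslog(3) using the named facility.  The facility names
 ##  are the same as the ones allowed in syslog.conf(5).
 #
 # SyslogFacility mail
 
+##  TemporaryDirectory path
+##  	default /var/tmp
+##
+##  Specifies the directory in which temporary files should be written.
+#
+# TemporaryDirectory /var/tmp
+
 ##  TrustedAuthservIDs string
-##      default HOSTNAME
+##  	default HOSTNAME
 ##
 ##  Specifies one or more "authserv-id" values to trust as relaying true
 ##  upstream DKIM and SPF results.  The default is to use the name of
@@ -43,11 +338,11 @@ Syslog true
 ##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
 ##  the host running the filter as reported by the gethostname(3) function.
 #
-TrustedAuthservIDs {{ mail_server_hostname }}
+# TrustedAuthservIDs HOSTNAME
 
 
 ##  UMask mask
-##      default (none)
+##  	default (none)
 ##
 ##  Requests a specific permissions mask to be used for file creation.  This
 ##  only really applies to creation of the socket when Socket specifies a
@@ -56,30 +351,13 @@ TrustedAuthservIDs {{ mail_server_hostname }}
 ##  specific file mode on creation regardless of the process umask.  See
 ##  umask(2) for more information.
 #
-UMask 0002
+# UMask 077
 
 ##  UserID user[:group]
-##      default (none)
+##  	default (none)
 ##
 ##  Attempts to become the specified userid before starting operations.
 ##  The process will be assigned all of the groups and primary group ID of
 ##  the named userid unless an alternate group is specified.
 #
-UserID opendmarc:opendmarc
-
-## The path to the Ignored Hosts list. This file should contain a list of
-## networks and hosts that you trust. Their mail will not be checked by
-## OpenDMARC.
-#
-IgnoreHosts /etc/opendmarc/ignore.hosts
-
-## The path under which the History file should be created.
-## This file is necessary if you want to be able to create aggregate
-## reports to send out to other organizations
-#
-HistoryFile /var/run/opendmarc/opendmarc.dat
-
-## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
-## This is good to have during testing.
-#
-SoftwareHeader true
+# UserID opendmarc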
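Review bot: Every directive in the template is commented out as committed here, so a host provisioned from this commit alone loses the active `UserID opendmarc:opendmarc`, `Syslog true`, `UMask 0002`, `HistoryFile` and `IgnoreHosts` settings that the old template carried. The description says a second patch restores them, but until then the filter would presumably run without the configured privilege drop and without syslog output, and nothing would feed the reporting database this commit sets up. I would land the two patches together, or keep the live directives in this one, for example `UserID opendmarc:opendmarc` and `Syslog true` directly under their sample stanzas. A comment at the top of the template such as `## Upstream sample; site settings are the uncommented lines under each stanza` would also tell the next reader which lines are local.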
