Implement OpenDMARC. Resolves #369.

roles/mailserver/files/etc_default_opendmarc

@@ -0,0 +1,10 @@
+# Command-line options specified here will override the contents of
+# /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
+#DAEMON_OPTS=""
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+SOCKET="inet:54321" # listen on all interfaces on port 54321
+#SOCKET="local:/var/run/opendmarc/opendmarc.sock" # default
+#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
+#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

roles/mailserver/files/etc_opendmarc_import.sql

@@ -0,0 +1,89 @@
+-- OpenDMARC database schema
+--
+-- Copyright (c) 2012, The Trusted Domain Project.
+--      All rights reserved.
+
+USE opendmarc;
+
+-- A table for mapping domain names and their DMARC policies to IDs
+CREATE TABLE IF NOT EXISTS domains (
+        id INT NOT NULL AUTO_INCREMENT,
+        name VARCHAR(255) NOT NULL,
+        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+        PRIMARY KEY(id),
+        UNIQUE KEY(name)
+);
+
+-- A table for logging reporting requests
+CREATE TABLE IF NOT EXISTS requests (
+        id INT NOT NULL AUTO_INCREMENT,
+        domain INT NOT NULL,
+        repuri VARCHAR(255) NOT NULL,
+        adkim TINYINT NOT NULL,
+        aspf TINYINT NOT NULL,
+        policy TINYINT NOT NULL,
+        spolicy TINYINT NOT NULL,
+        pct TINYINT NOT NULL,
+        locked TINYINT NOT NULL,
+        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        lastsent TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00',
+
+        PRIMARY KEY(id),
+        KEY(lastsent),
+        UNIQUE KEY(domain)
+);
+
+-- A table for reporting hosts
+CREATE TABLE IF NOT EXISTS reporters (
+        id INT NOT NULL AUTO_INCREMENT,
+        name VARCHAR(255) NOT NULL,
+        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+        PRIMARY KEY(id),
+        UNIQUE KEY(name)
+);
+
+-- A table for IP addresses
+CREATE TABLE IF NOT EXISTS ipaddr (
+	id INT NOT NULL AUTO_INCREMENT,
+	addr VARCHAR(64) NOT NULL,
+	firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+	PRIMARY KEY(id),
+	UNIQUE KEY(addr)
+);
+
+-- A table for messages
+CREATE TABLE IF NOT EXISTS messages (
+        id INT NOT NULL AUTO_INCREMENT,
+        date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        jobid VARCHAR(128) NOT NULL,
+        reporter INT UNSIGNED NOT NULL,
+        policy TINYINT UNSIGNED NOT NULL,
+        disp TINYINT UNSIGNED NOT NULL,
+        ip INT UNSIGNED NOT NULL,
+        env_domain INT UNSIGNED NOT NULL,
+        from_domain INT UNSIGNED NOT NULL,
+        policy_domain INT UNSIGNED NOT NULL,
+        spf TINYINT UNSIGNED NOT NULL,
+        align_dkim TINYINT UNSIGNED NOT NULL,
+        align_spf TINYINT UNSIGNED NOT NULL,
+        sigcount TINYINT UNSIGNED NOT NULL,
+
+        PRIMARY KEY(id),
+        KEY(date),
+        UNIQUE KEY(reporter, date, jobid)
+);
+
+-- A table for signatures
+CREATE TABLE IF NOT EXISTS signatures (
+        id INT NOT NULL AUTO_INCREMENT,
+        message INT NOT NULL,
+        domain INT NOT NULL,
+        pass TINYINT NOT NULL,
+        error TINYINT NOT NULL,
+
+        PRIMARY KEY(id),
+        KEY(message)
+);

roles/mailserver/handlers/main.yml

@@ -13,3 +13,6 @@
 - name: import sql postfix
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
   notify: restart postfix
+
+- name: restart opendmarc
+  service: name=opendmarc state=restarted

roles/mailserver/tasks/dmarc.yml

@@ -0,0 +1,38 @@
+- name: Install OpenDMARC milter
+  apt: pkg=opendmarc state=installed update_cache=yes
+
+- name: Copy OpenDMARC configuration file into place
+  template: src=etc_opendmarc.conf.j2 dest=/etc/opendmarc.conf owner=root group=root
+  notify: restart opendmarc
+
+- name: Create OpenDMARC configuration directory
+  file: state=directory path=/etc/opendmarc
+
+- name: Copy OpenDMARC ignore hosts file into place
+  template: src=etc_opendmarc_ignore.hosts.j2 dest=/etc/opendmarc/ignore.hosts owner=root group=root
+
+- name: Copy OpenDMARC defaults file into place
+  copy: src=etc_default_opendmarc dest=/etc/default/opendmarc owner=root group=root
+  notify:
+    - restart opendmarc
+    - restart postfix
+
+- name: Copy OpenDMARC database schema file into place
+  copy: src=etc_opendmarc_import.sql dest=/etc/opendmarc/import.sql owner=root group=root
+
+- name: Create database user for OpenDMARC reports
+  mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
+
+- name: Create database for OpenDMARC reports
+  mysql_db: name={{ mail_db_opendmarc_database }} state=present
+
+- name: Import database schema for OpenDMARC reports
+  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/etc/opendmarc/import.sql
+  tags: import_mysql_postfix
+
+- name: Copy nightly OpenDMARC report generation script into place
+  template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="755"
+
+- name: Activate OpenDMARC report cronjob
+  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log"
+

roles/mailserver/tasks/main.yml

@@ -1,8 +1,10 @@
 - include: postfix.yml tags=postfix
 - include: dovecot.yml tags=dovecot
 - include: opendkim.yml tags=opendkim
+- include: dmarc.yml tags=dmarc
 - include: dspam.yml tags=dspam
 - include: solr.yml tags=solr
 - include: checkrbl.yml tags=checkrbl
 - include: z-push.yml tags=zpush
 - include: autoconfig.yml tags=autoconfig
+

roles/mailserver/templates/etc_opendmarc.conf.j2

@@ -0,0 +1,85 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
+
+##  AuthservID (string)
+##      defaults to MTA name
+#
+AuthservID {{ mail_server_hostname }}
+
+##  ForensicReports { true | false }
+##      default "false"
+##
+# ForensicReports false
+
+PidFile /var/run/opendmarc.pid
+
+##  RejectFailures { true | false }
+##      default "false"
+##
+RejectFailures false
+
+##  Syslog { true | false }
+##      default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+Syslog true
+
+##  SyslogFacility facility-name
+##      default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+##  TrustedAuthservIDs string
+##      default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+TrustedAuthservIDs {{ mail_server_hostname }}
+
+
+##  UMask mask
+##      default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+UMask 0002
+
+##  UserID user[:group]
+##      default (none)
+##
+##  Attempts to become the specified userid before starting operations.
+##  The process will be assigned all of the groups and primary group ID of
+##  the named userid unless an alternate group is specified.
+#
+UserID opendmarc:opendmarc
+
+## The path to the Ignored Hosts list. This file should contain a list of
+## networks and hosts that you trust. Their mail will not be checked by
+## OpenDMARC.
+#
+IgnoreHosts /etc/opendmarc/ignore.hosts
+
+## The path under which the History file should be created.
+## This file is necessary if you want to be able to create aggregate
+## reports to send out to other organizations
+#
+HistoryFile /var/run/opendmarc/opendmarc.dat
+
+## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
+## This is good to have during testing.
+#
+SoftwareHeader true

roles/mailserver/templates/etc_opendmarc_ignore.hosts.j2

@@ -0,0 +1,4 @@
+localhost
+10.0.0.0/24
+{{ ansible_default_ipv4.address }}
+{{ "/n".join(friendly_networks) }}

roles/mailserver/templates/etc_opendmarc_report.sh.j2

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+DB_SERVER='localhost'
+DB_USER='{{ mail_db_opendmarc_username }}'
+DB_PASS='{{ mail_db_opendmarc_password }}'
+DB_NAME='{{ mail_db_opendmarc_database }}'
+WORK_DIR='/var/run/opendmarc'
+REPORT_EMAIL='{{ admin_email }}'
+
+mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f
+cat /dev/null > ${WORK_DIR}/opendmarc.dat
+
+/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat
+
+{% for domain in mail_virtual_domains %}
+/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org '{{ domain.name }}'
+{% endfor %}
+
+/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -98,8 +98,8 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
 local_recipient_maps = $virtual_mailbox_maps
 
-# OpenDKIM
-smtpd_milters = inet:127.0.0.1:8891
+# OpenDKIM and OpenDMARC
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
 non_smtpd_milters = $smtpd_milters
 milter_default_action = accept
 

vars/defaults.yml

@@ -63,6 +63,9 @@ mail_db_database: mailserver
 # mail_virtual_domains: (required)
 # mail_virtual_users: (required)
 # mail_virtual_aliases: (required)
+mail_db_opendmarc_username: opendmarc
+# mail_db_opendmarc_password: (required)
+mail_db_opendmarc_database: opendmarc
 
 # z-push
 zpush_version: 2.1.1-1788

vars/user.yml

@@ -24,6 +24,7 @@ irc_timezone: TODO      #Example: "America/New_York"
 
 # mailserver
 mail_db_password: TODO
+mail_db_opendmarc_password: TODO
 mail_virtual_domains:
   - name: "{{ domain }}"
     pk_id: 1