Ver código fonte

Merge pull request #503 from mikeashley/opendmarc-repair

Fix opendmarc installation
Allen Riddell 8 anos atrás
pai
commit
f213d2b70e

+ 0
- 105
roles/mailserver/files/etc_opendmarc_import.sql Ver arquivo

@@ -1,106 +0,0 @@
1
-# Source: http://www.trusteddomain.org/pipermail/opendmarc-users/2015-February/000447.html
2
-
3
-START TRANSACTION;
4
-
5
-SET standard_conforming_strings=off;
6
-SET escape_string_warning=off;
7
-SET CONSTRAINTS ALL DEFERRED;
8
-
9
-CREATE TABLE "domains" (
10
-  "id" integer NOT NULL,
11
-  "name" varchar(510) NOT NULL,
12
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
13
-  PRIMARY KEY ("id"),
14
-  UNIQUE ("name")
15
-);
16
-
17
-CREATE TABLE "ipaddr" (
18
-  "id" integer NOT NULL,
19
-  "addr" varchar(128) NOT NULL,
20
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
21
-  PRIMARY KEY ("id"),
22
-  UNIQUE ("addr")
23
-);
24
-
25
-CREATE TABLE "messages" (
26
-  "id" integer NOT NULL,
27
-  "date" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
28
-  "jobid" varchar(256) NOT NULL,
29
-  "reporter" integer  NOT NULL,
30
-  "policy" tinyint(3)  NOT NULL,
31
-  "disp" tinyint(3)  NOT NULL,
32
-  "ip" integer  NOT NULL,
33
-  "env_domain" integer  NOT NULL,
34
-  "from_domain" integer  NOT NULL,
35
-  "policy_domain" integer  NOT NULL,
36
-  "spf" tinyint(3)  NOT NULL,
37
-  "align_dkim" tinyint(3)  NOT NULL,
38
-  "align_spf" tinyint(3)  NOT NULL,
39
-  "sigcount" tinyint(3)  NOT NULL,
40
-  PRIMARY KEY ("id"),
41
-  UNIQUE ("reporter", "date", "jobid")
42
-);
43
-
44
-CREATE TABLE "reporters" (
45
-  "id" integer NOT NULL,
46
-  "name" varchar(510) NOT NULL,
47
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
48
-  PRIMARY KEY ("id"),
49
-  UNIQUE ("name")
50
-);
51
-
52
-CREATE TABLE "requests" (
53
-  "id" integer NOT NULL,
54
-  "domain" integer NOT NULL,
55
-  "repuri" varchar(510) NOT NULL,
56
-  "adkim" tinyint(4) NOT NULL,
57
-  "aspf" tinyint(4) NOT NULL,
58
-  "policy" tinyint(4) NOT NULL,
59
-  "spolicy" tinyint(4) NOT NULL,
60
-  "pct" tinyint(4) NOT NULL,
61
-  "locked" tinyint(4) NOT NULL,
62
-  "firstseen" timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
63
-  "lastsent" timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
64
-  PRIMARY KEY ("id"),
65
-  UNIQUE ("domain")
66
-);
67
-
68
-CREATE TABLE "signatures" (
69
-  "id" integer NOT NULL,
70
-  "message" integer NOT NULL,
71
-  "domain" integer NOT NULL,
72
-  "pass" tinyint(4) NOT NULL,
73
-  "error" tinyint(4) NOT NULL,
74
-  PRIMARY KEY ("id")
75
-);
76
-
77
-COMMIT;
78
-
79
-START TRANSACTION;
80
-
81
-CREATE SEQUENCE domains_id_seq;
82
-SELECT setval('domains_id_seq', max(id)) FROM domains;
83
-ALTER TABLE "domains" ALTER COLUMN "id" SET DEFAULT nextval('domains_id_seq');
84
-
85
-CREATE SEQUENCE ipaddr_id_seq;
86
-SELECT setval('ipaddr_id_seq', max(id)) FROM ipaddr;
87
-ALTER TABLE "ipaddr" ALTER COLUMN "id" SET DEFAULT nextval('ipaddr_id_seq');
88
-
89
-CREATE SEQUENCE messages_id_seq;
90
-SELECT setval('messages_id_seq', max(id)) FROM messages;
91
-ALTER TABLE "messages" ALTER COLUMN "id" SET DEFAULT nextval('messages_id_seq');
92
-
93
-CREATE SEQUENCE reporters_id_seq;
94
-SELECT setval('reporters_id_seq', max(id)) FROM reporters;
95
-ALTER TABLE "reporters" ALTER COLUMN "id" SET DEFAULT nextval('reporters_id_seq');
96
-
97
-CREATE SEQUENCE requests_id_seq;
98
-SELECT setval('requests_id_seq', max(id)) FROM requests;
99
-ALTER TABLE "requests" ALTER COLUMN "id" SET DEFAULT nextval('requests_id_seq');
100
-
101
-CREATE SEQUENCE signatures_id_seq;
102
-SELECT setval('signatures_id_seq', max(id)) FROM signatures;
103
-ALTER TABLE "signatures" ALTER COLUMN "id" SET DEFAULT nextval('signatures_id_seq');
104
-
105
-COMMIT;

+ 0
- 4
roles/mailserver/handlers/main.yml Ver arquivo

@@ -14,10 +14,6 @@
14 14
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
15 15
   notify: restart postfix
16 16
 
17
-- name: import sql opendmarc
18
-  action: shell PGPASSWORD='{{ mail_db_opendmarc_password }}' psql -h localhost -d {{ mail_db_opendmarc_database }} -U {{ mail_db_opendmarc_username }} -f /etc/opendmarc/import.sql --set ON_ERROR_STOP=1
19
-  notify: restart postfix
20
-
21 17
 - name: restart opendmarc
22 18
   service: name=opendmarc state=restarted
23 19
 

+ 7
- 7
roles/mailserver/tasks/opendmarc.yml Ver arquivo

@@ -1,8 +1,8 @@
1 1
 - name: Install OpenDMARC milter and related packages
2 2
   apt: pkg={{ item }} state=installed update_cache=yes
3 3
   with_items:
4
-    - postgresql
5
-    - python-psycopg2
4
+    - mysql-server
5
+    - python-mysqldb
6 6
     - opendmarc
7 7
 
8 8
 - name: Copy OpenDMARC configuration file into place
@@ -22,14 +22,14 @@
22 22
     - restart postfix
23 23
 
24 24
 - name: Create database user for OpenDMARC reports
25
-  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_opendmarc_username }} password="{{ mail_db_opendmarc_password }}" state=present
25
+  mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
26 26
 
27 27
 - name: Create database for OpenDMARC reports
28
-  postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_opendmarc_database }} state=present owner={{ mail_db_opendmarc_username }}
28
+  mysql_db: name={{ mail_db_opendmarc_database }} state=present
29 29
 
30
-- name: Copy OpenDMARC database schema file into place
31
-  copy: src=etc_opendmarc_import.sql dest=/etc/opendmarc/import.sql owner=root group=root mode=0600
32
-  notify: import sql opendmarc
30
+- name: Import database schema for OpenDMARC reports
31
+  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/usr/share/doc/opendmarc/schema.mysql
32
+  tags: import_mysql_postfix
33 33
 
34 34
 - name: Copy nightly OpenDMARC report generation script into place
35 35
   template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="755"

+ 308
- 31
roles/mailserver/templates/etc_opendmarc.conf.j2 Ver arquivo

@@ -1,41 +1,336 @@
1
-# This is a basic configuration that can easily be adapted to suit a standard
2
-# installation. For more advanced options, see opendkim.conf(5) and/or
3
-# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
1
+##
2
+## opendmarc.conf -- configuration file for OpenDMARC filter
3
+##
4
+## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
5
+##
4 6
 
5 7
 ##  AuthservID (string)
6
-##      defaults to MTA name
8
+##  	defaults to MTA name
9
+##
10
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
11
+##  header field after verifying a message.  If the string "HOSTNAME" is
12
+##  provided, the name of the host running the filter (as returned by the
13
+##  gethostname(3) function) will be used.  
7 14
 #
8 15
 AuthservID {{ mail_server_hostname }}
9 16
 
10
-##  ForensicReports { true | false }
11
-##      default "false"
17
+##  AuthservIDWithJobID { true | false }
18
+##  	default "false"
19
+##
20
+##  If "true", requests that the authserv-id portion of the added
21
+##  Authentication-Results header fields contain the job ID of the message
22
+##  being evaluated.
23
+#
24
+# AuthservIDWithJobID false
25
+
26
+##  AutoRestart { true | false }
27
+##  	default "false"
28
+##
29
+##  Automatically re-start on failures. Use with caution; if the filter fails
30
+##  instantly after it starts, this can cause a tight fork(2) loop.
31
+#
32
+# AutoRestart false
33
+
34
+##  AutoRestartCount n
35
+##  	default 0
36
+##
37
+##  Sets the maximum automatic restart count.  After this number of automatic
38
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
39
+##  limit.
40
+#
41
+# AutoRestartCount 0
42
+
43
+##  AutoRestartRate n/t[u]
44
+##  	default (no limit)
45
+##
46
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
47
+##  faster than the rate defined here, it will give up and terminate.  This
48
+##  is a string of the form n/t[u] where n is an integer limiting the count
49
+##  of restarts in the given interval and t[u] defines the time interval
50
+##  through which the rate is calculated; t is an integer and u defines the
51
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
52
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
53
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
54
+##  default, meaning restart rate is not limited.
55
+#
56
+# AutoRestartRate n/t[u]
57
+
58
+##  Background { true | false }
59
+##  	default "true"
60
+##
61
+##  Causes opendmarc to fork and exits immediately, leaving the service
62
+##  running in the background.
63
+#
64
+# Background true
65
+
66
+##  BaseDirectory (string)
67
+##  	default (none)
68
+##
69
+##  If set, instructs the filter to change to the specified directory using
70
+##  chdir(2) before doing anything else.  This means any files referenced
71
+##  elsewhere in the configuration file can be specified relative to this
72
+##  directory.  It's also useful for arranging that any crash dumps will be
73
+##  saved to a specific location.
74
+#
75
+# BaseDirectory /var/run/opendmarc
76
+
77
+##  ChangeRootDirectory (string)
78
+##  	default (none)
79
+##
80
+##  Requests that the operating system change the effective root directory of
81
+##  the process to the one specified here prior to beginning execution.
82
+##  chroot(2) requires superuser access.  A warning will be generated if
83
+##  UserID is not also set.
84
+# 
85
+# ChangeRootDirectory /var/chroot/opendmarc
86
+
87
+##  CopyFailuresTo (string)
88
+##  	default (none)
89
+##
90
+##  Requests addition of the specified email address to the envelope of
91
+##  any message that fails the DMARC evaluation.
92
+#
93
+# CopyFailuresTo postmaster@localhost
94
+
95
+##  DNSTimeout (integer)
96
+##  	default 5
97
+## 
98
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
99
+##  (NOT YET IMPLEMENTED)
100
+#
101
+# DNSTimeout 5
102
+
103
+##  EnableCoredumps { true | false }
104
+##  	default "false"
105
+##
106
+##  On systems that have such support, make an explicit request to the kernel
107
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
108
+##  systems suppress core dumps during crashes for security reasons if the
109
+##  user ID has changed during the lifetime of the process.  Currently only
110
+##  supported on Linux.
111
+#
112
+# EnableCoreDumps false
113
+
114
+##  FailureReports { true | false }
115
+##  	default "false"
116
+##
117
+##  Enables generation of failure reports when the DMARC test fails and the
118
+##  purported sender of the message has requested such reports.  Reports are
119
+##  formatted per RFC6591.
120
+# 
121
+# FailureReports false
122
+
123
+##  FailureReportsBcc (string)
124
+##  	default (none)
125
+##
126
+##  When failure reports are enabled and one is to be generated, always
127
+##  send one to the address(es) specified here.  If a failure report is
128
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
129
+##  If no request is made, they address(es) are used in a To: field.  There
130
+##  is no default.
131
+# 
132
+# FailureReportsBcc postmaster@example.coom
133
+
134
+##  FailureReportsOnNone { true | false }
135
+##  	default "false"
136
+##
137
+##  Supplements the "FailureReports" setting by generating reports for
138
+##  domains that advertise "none" policies.  By default, reports are only
139
+##  generated (when enabled) for sending domains advertising a "quarantine"
140
+##  or "reject" policy.
141
+# 
142
+# FailureReportsOnNone false
143
+
144
+##  FailureReportsSentBy string
145
+##  	default "USER@HOSTNAME"
146
+##
147
+##  Specifies the email address to use in the From: field of failure
148
+##  reports generated by the filter.  The default is to use the userid of
149
+##  the user running the filter and the local hostname to construct an
150
+##  email address.  "postmaster" is used in place of the userid if a name
151
+##  could not be determined.
152
+# 
153
+# FailureReportsSentBy USER@HOSTNAME
154
+
155
+##  HistoryFile path
156
+##  	default (none)
157
+##
158
+##  If set, specifies the location of a text file to which records are written
159
+##  that can be used to generate DMARC aggregate reports.  Records are groups
160
+##  of rows containing information about a single received message, and
161
+##  include all relevant information needed to generate a DMARC aggregate
162
+##  report.  It is expected that this will not be used in its raw form, but
163
+##  rather periodically imported into a relational database from which the
164
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
165
+#
166
+HistoryFile /var/run/opendmarc/opendmarc.dat
167
+
168
+##  IgnoreAuthenticatedClients { true | false }
169
+##  	default "false"
170
+##
171
+##  If set, causes mail from authenticated clients (i.e., those that used
172
+##  SMTP UATH) to be ignored by the filter.
173
+#
174
+# IgnoreAuthenticatedClients false
175
+
176
+##  IgnoreHosts path
177
+##  	default (internal)
178
+##
179
+##  Specifies the path to a file that contains a list of hostnames, IP
180
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
181
+##  connections are to be ignored by the filter.  If not specified, defaults
182
+##  to "127.0.0.1" only.
183
+#
184
+IgnoreHosts /etc/opendmarc/ignore.hosts
185
+
186
+##  IgnoreMailFrom domain[,...]
187
+##  	default (none)
12 188
 ##
13
-# ForensicReports false
189
+##  Gives a list of domain names whose mail (based on the From: domain) is to
190
+##  be ignored by the filter.  The list should be comma-separated.  Matching
191
+##  against this list is case-insensitive.  The default is an empty list,
192
+##  meaning no mail is ignored.
193
+#
194
+# IgnoreMailFrom example.com
14 195
 
196
+##  MilterDebug (integer)
197
+##  	default 0
198
+##
199
+##  Sets the debug level to be requested from the milter library.
200
+#
201
+# MilterDebug 0
202
+
203
+##  PidFile path
204
+##  	default (none)
205
+##
206
+##  Specifies the path to a file that should be created at process start
207
+##  containing the process ID.
208
+##
209
+#
15 210
 PidFile /var/run/opendmarc.pid
16 211
 
212
+##  PublicSuffixList path
213
+##  	default (none)
214
+##
215
+##  Specifies the path to a file that contains top-level domains (TLDs) that
216
+##  will be used to compute the Organizational Domain for a given domain name,
217
+##  as described in the DMARC specification.  If not provided, the filter will
218
+##  not be able to determine the Organizational Domain and only the presented
219
+##  domain will be evaluated.
220
+#
221
+# PublicSuffixList path
222
+
223
+##  RecordAllMessages { true | false }
224
+##  	default "false"
225
+##
226
+##  If set and "HistoryFile" is in use, all received messages are recorded
227
+##  to the history file.  If not set (the default), only messages for which
228
+##  the From: domain published a DMARC record will be recorded in the
229
+##  history file.
230
+#
231
+# RecordAllMessages false
232
+
17 233
 ##  RejectFailures { true | false }
18
-##      default "false"
234
+##  	default "false"
19 235
 ##
236
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
237
+##  temp-failed if evaluation could not be completed.  By default, no message
238
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
239
+##  evaluation of the message.  Instead, an Authentication-Results header
240
+##  field will be added.
241
+#
20 242
 RejectFailures false
21 243
 
244
+##  ReportCommand string
245
+##  	default "/usr/sbin/sendmail -t"
246
+##
247
+##  Indicates the shell command to which failure reports should be passed for
248
+##  delivery when "FailureReports" is enabled.
249
+#
250
+# ReportCommand /usr/sbin/sendmail -t
251
+
252
+##  RequiredHeaders { true | false }
253
+##  	default "false"
254
+##
255
+##  If set, the filter will ensure the header of the message conforms to the
256
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
257
+##  Messages failing this test are rejected without further processing.  A
258
+##  From: field from which no domain name could be extracted will also be
259
+##  rejected.
260
+#
261
+# RequiredHeaders false
262
+
263
+##  Socket socketspec
264
+##  	default (none)
265
+##
266
+##  Specifies the socket that should be established by the filter to receive
267
+##  connections from sendmail(8) in order to provide service.  socketspec is
268
+##  in one of two forms: local:path, which creates a UNIX domain socket at
269
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
270
+##  a TCP socket on the specified port for the appropriate protocol family.
271
+##  If the host is not given as either a hostname or an IP address, the
272
+##  socket will be listening on all interfaces.  This option is mandatory
273
+##  either in the configuration file or on the command line.  If an IP
274
+##  address is used, it must be enclosed in square brackets.
275
+#
276
+# Socket inet:8893@localhost
277
+
278
+##  SoftwareHeader { true | false }
279
+##  	default "false"
280
+##
281
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
282
+##  presence of this filter in the path of the message from injection to
283
+##  delivery.  The product's name, version, and the job ID are included in
284
+##  the header field's contents.
285
+#
286
+SoftwareHeader true
287
+
288
+##  SPFIgnoreResults { true | false }
289
+##	default "false"
290
+##
291
+##  Causes the filter to ignore any SPF results in the header of the
292
+##  message.  This is useful if you want the filter to perfrom SPF checks
293
+##  itself, or because you don't trust the arriving header.
294
+#
295
+# SPFIgnoreResults false
296
+
297
+##  SPFSelfValidate { true | false }
298
+##	default false
299
+##
300
+##  Enable internal spf checking with --with-spf
301
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
302
+##
303
+##  Causes the filter to perform a fallback SPF check itself when
304
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
305
+##  is also set, it never looks for SPF results in headers and
306
+##  always performs the SPF check itself when this is set.
307
+#
308
+# SPFSelfValidate false
309
+
22 310
 ##  Syslog { true | false }
23
-##      default "false"
311
+##  	default "false"
24 312
 ##
25 313
 ##  Log via calls to syslog(3) any interesting activity.
26 314
 #
27 315
 Syslog true
28 316
 
29 317
 ##  SyslogFacility facility-name
30
-##      default "mail"
318
+##  	default "mail"
31 319
 ##
32 320
 ##  Log via calls to syslog(3) using the named facility.  The facility names
33 321
 ##  are the same as the ones allowed in syslog.conf(5).
34 322
 #
35 323
 # SyslogFacility mail
36 324
 
325
+##  TemporaryDirectory path
326
+##  	default /var/tmp
327
+##
328
+##  Specifies the directory in which temporary files should be written.
329
+#
330
+# TemporaryDirectory /var/tmp
331
+
37 332
 ##  TrustedAuthservIDs string
38
-##      default HOSTNAME
333
+##  	default HOSTNAME
39 334
 ##
40 335
 ##  Specifies one or more "authserv-id" values to trust as relaying true
41 336
 ##  upstream DKIM and SPF results.  The default is to use the name of
@@ -45,9 +340,8 @@ Syslog true
45 340
 #
46 341
 TrustedAuthservIDs {{ mail_server_hostname }}
47 342
 
48
-
49 343
 ##  UMask mask
50
-##      default (none)
344
+##  	default (none)
51 345
 ##
52 346
 ##  Requests a specific permissions mask to be used for file creation.  This
53 347
 ##  only really applies to creation of the socket when Socket specifies a
@@ -59,27 +353,10 @@ TrustedAuthservIDs {{ mail_server_hostname }}
59 353
 UMask 0002
60 354
 
61 355
 ##  UserID user[:group]
62
-##      default (none)
356
+##  	default (none)
63 357
 ##
64 358
 ##  Attempts to become the specified userid before starting operations.
65 359
 ##  The process will be assigned all of the groups and primary group ID of
66 360
 ##  the named userid unless an alternate group is specified.
67 361
 #
68 362
 UserID opendmarc:opendmarc
69
-
70
-## The path to the Ignored Hosts list. This file should contain a list of
71
-## networks and hosts that you trust. Their mail will not be checked by
72
-## OpenDMARC.
73
-#
74
-IgnoreHosts /etc/opendmarc/ignore.hosts
75
-
76
-## The path under which the History file should be created.
77
-## This file is necessary if you want to be able to create aggregate
78
-## reports to send out to other organizations
79
-#
80
-HistoryFile /var/run/opendmarc/opendmarc.dat
81
-
82
-## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
83
-## This is good to have during testing.
84
-#
85
-SoftwareHeader true

Carregando…
Cancelar
Salvar