author | Sam Chudnick <sam@chudnick.com> | 2023-07-02 19:04:30 -0400 |
committer | Sam Chudnick <sam@chudnick.com> | 2023-07-02 19:04:30 -0400 |
commit | 724d877995dfcc10c462a18dcb4ea6c8b60c2d03 (patch) | |
tree | 270537b8fca585717c1ffa7708e492593f7b2ed5 /roles/postfix |
initial commit
Diffstat (limited to 'roles/postfix')
-rw-r--r-- | roles/postfix/defaults/main.yml | 0 | ||||
-rw-r--r-- | roles/postfix/files/body_checks | 2 | ||||
-rw-r--r-- | roles/postfix/files/header_checks | 11 | ||||
-rw-r--r-- | roles/postfix/handlers/main.yml | 0 | ||||
-rw-r--r-- | roles/postfix/tasks/main.yml | 84 | ||||
-rw-r--r-- | roles/postfix/templates/aliases | 3 | ||||
-rw-r--r-- | roles/postfix/templates/local_maps | 1 | ||||
-rw-r--r-- | roles/postfix/templates/login_maps | 1 | ||||
-rw-r--r-- | roles/postfix/templates/main.cf.j2 | 69 | ||||
-rw-r--r-- | roles/postfix/templates/master.cf.j2 | 84 |
10 files changed, 255 insertions, 0 deletions
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postfix/defaults/main.yml | |||
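--- /dev/null
+++ b/roles/postfix/files/body_checks
@@ -0,0 +1,2 @@
+#Block iframe vulnerability
+/<iframe/ REJECT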
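Review bot: The rule on line 2 is documented only as `#Block iframe vulnerability`, which does not tell a maintainer what it actually catches: body_checks patterns are applied to raw body lines and Postfix does not decode base64 or quoted-printable content, so an `<iframe` inside an encoded HTML part passes untouched while a plain-text message merely quoting the tag is rejected. The match is also case-insensitive because that is the regexp table default, which the comment should state so nobody adds an `/i` variant later. I would replace the comment with `# Reject body lines containing a raw <iframe> tag (case-insensitive); encoded MIME parts are not decoded, so this is best-effort only`.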
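--- /dev/null
+++ b/roles/postfix/files/header_checks
@@ -0,0 +1,11 @@
+#Block attachments with executable extensions
+/name=[^>]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT
+# Block message/partial vulnerability
+/message\/partial/ REJECT
+# CVE-2022-1328 mitigation - block messages with uuencode
+/^Content-Transfer-Encoding:.*uuencode.*/ REJECT
+# Remove Received string that is created when spamassassin reinjects message into postfix
+# This is to prevent leaking the userid of the spamassassin user
+/^Received:.*userid.*/ IGNORE
+# Remove User-Agent strings from headers
+/^User-Agent: .*/ IGNORE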
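Review bot: The two IGNORE rules on lines 9 and 11 run in cleanup(8) for every message that enters the queue, not only for mail re-injected by SpamAssassin: main.cf in this commit installs this table as the global `header_checks`, and the inbound `smtpd pass` service only reaches the spamassassin content filter after cleanup, so the `User-Agent:` header of inbound mail is stripped before the filter or any later incident review can see it. If the intent is to hide details of local submitters only, keep the REJECT rules here and move the two IGNORE rules into a separate table applied by a dedicated cleanup service for the submission path (`-o cleanup_service_name=...` on the `submissions` service in master.cf, with `-o header_checks=...` on that cleanup service). The Received rule is also broader than its comment states, since `/^Received:.*userid.*/` drops any Received header from any host that mentions `userid`; anchoring it on Postfix's own local-submission form, e.g. `/^Received: by .*\(Postfix, from userid [0-9]+\)/ IGNORE`, keeps the rest of the trace intact. Both lines 9 and 11 carry the scope problem, so the change applies to both.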
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postfix/handlers/main.yml | |||
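--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,84 @@
+- name: install packages
+  package:
+    name:
+      - postfix
+    state: latest
+
+- name: deploy postfix main.cf
+  template:
+    src: main.cf.j2
+    dest: /etc/postfix/main.cf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: deploy postfix master.cf
+  template:
+    src: master.cf.j2
+    dest: /etc/postfix/master.cf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: create mailadmin user
+  user:
+    name: mailadmin
+    shell: /usr/sbin/nologin
+    password_lock: yes
+
+- name: deploy aliases file
+  template:
+    src: aliases
+    dest: /etc/aliases
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: deploy login_maps
+  template:
+    src: login_maps
+    dest: /etc/postfix/login_maps
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: deploy local_maps
+  template:
+    src: local_maps
+    dest: /etc/postfix/local_maps
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: update address databases
+  shell: |
+    newaliases
+    postmap /etc/postfix/login_maps
+    postmap /etc/postfix/local_maps
+
+- name: deploy header checks file
+  copy:
+    src: header_checks
+    dest: /etc/postfix/header_checks
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: deploy body checks file
+  copy:
+    src: body_checks
+    dest: /etc/postfix/body_checks
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: enable postfix
+  systemd:
+    enabled: yes
+    masked: no
+    name: postfix
+
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted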
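Review bot: The final task (lines 81-84) restarts postfix unconditionally on every run while `handlers/main.yml` in this commit is empty, so each playbook execution interrupts mail delivery even when nothing changed; move the restart into a handler and add `notify: restart postfix` to the template and copy tasks so only a real change triggers it. Before that restart, validate the rendered configuration with `command: postfix check` so a bad template fails the play instead of leaving a non-starting MTA. `state: latest` (line 5) upgrades the postfix package on every run, which puts version changes outside the operator's control; `present` is the usual choice for a role like this. The `shell` task at lines 53-57 likewise runs `newaliases`/`postmap` on every run with no `changed_when`, so the play always reports a change; registering the three map tasks and running it only `when:` one of them changed keeps it idempotent. The templates reference `domain` and `mail_domain` while `defaults/main.yml` is empty, so the role fails with undefined variables unless the caller supplies both, and a default or at least a comment there would document that contract.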
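--- /dev/null
+++ b/roles/postfix/templates/aliases
@@ -0,0 +1,3 @@
+postmaster: mailadmin
+root: mailadmin
+dmarc: mailadmin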
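--- /dev/null
+++ b/roles/postfix/templates/local_maps
@@ -0,0 +1 @@
+mailadmin mailadmin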
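--- /dev/null
+++ b/roles/postfix/templates/login_maps
@@ -0,0 +1 @@
+mailadmin@{{ domain }} mailadmin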
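--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,69 @@
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem
+smtpd_tls_security_level = encrypt
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+smtp_tls_security_level = encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+myhostname = {{ mail_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mydestination = $myhostname, $mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+tls_preempt_cipherlist = yes
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_helo_required = yes
+smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
+smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org
+smtpd_data_restrictions = reject_unauth_pipelining
+disable_vrfy_command = yes
+local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps
+home_mailbox = Mail/Inbox/
+mailbox_command = /usr/lib/dovecot/deliver
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+postscreen_dnsbl_sites = zen.spamhaus.org
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+policyd-spf_time_limit = 3600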
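Review bot: `smtpd_sasl_auth_enable = yes` (line 51) turns SASL on for every smtpd instance, including the port-25 service behind postscreen, so password authentication is reachable on the MX port where only server-to-server mail should arrive; set `smtpd_sasl_auth_enable = no` here and rely on the `-o smtpd_sasl_auth_enable=yes` override that the `submissions` service in master.cf already carries. `smtpd_tls_security_level = encrypt` (line 19) on that same port-25 instance rejects inbound mail from any peer that does not offer STARTTLS, which RFC 3207 forbids for a publicly referenced MX; `may` globally, with `encrypt` kept on submissions (already set there via `-o`), is the interoperable form. On the outbound side `smtp_tls_security_level = encrypt` (line 22) does not verify the peer certificate, so `smtp_tls_CAfile`/`smtp_tls_CApath` (lines 20-21) have no effect at that level; if peer authentication is the goal, `dane` or a per-destination `smtp_tls_policy_maps` entry is needed, and a comment should say which is intended. `myhostname = {{ mail_domain }}` (line 26) alongside certificate paths under `mail.{{ domain }}` (lines 17-18) means the two variables must agree or the banner name and certificate name diverge; deriving one from the other would remove that trap.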
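--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,84 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - 1 postscreen
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+  -o syslog_name=postfix/$service_name
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+maildrop unix - n n - - pipe
+  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+
+uucp unix - n n - - pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+
+ifmail unix - n n - - pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+
+bsmtp unix - n n - - pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+
+scalemail-backend unix - n n - 2 pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+
+mailman unix - n n - - pipe
+  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+
+smtpd pass - - y - - smtpd
+  -o content_filter=spamassassin
+  -o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
+tlsproxy unix - - y - 0 tlsproxy
+
+dnsblog unix - - y - 0 dnsblog
+
+submissions inet n - y - - smtpd
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_auth_only=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject
+  -o syslog_name=postfix/submissions
+  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+  -o smtpd_milters=unix:opendkim/opendkim.sock
+
+spamassassin unix - n n - - pipe user=debian-spamd
+  argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi
+  -f ${sender} ${recipient}
+
+policyd-spf unix - n n - 0 spawn user=policyd-spf
+  argv=/usr/bin/policyd-spf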
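Review bot: The `spamassassin` pipe service (lines 79-81) re-injects with `-f ${sender}` but sets no `null_sender=` attribute, so a message with an empty envelope sender (bounces, DSNs) is re-injected from `MAILER-DAEMON` rather than `<>` and can itself be bounced; it also leaves maxproc at the default, so an inbound burst can fork as many spamc processes as the global process limit allows. The FILTER_README form, `spamassassin unix - n n - 10 pipe` with `flags=q user=debian-spamd null_sender=` on the attribute line, bounds concurrency, quotes whitespace in addresses and preserves the null sender. The Debian-default pipe transports `maildrop`, `uucp`, `ifmail`, `bsmtp`, `scalemail-backend` and `mailman` (lines 40-56) are not referenced by main.cf in this commit, and each wires a path to an external program under its own local user, so removing them trims the surface unless a transport map outside this role depends on them. The re-injection path through pickup(8) and cleanup(8) also applies `header_checks` a second time; a one-line comment above line 79 saying so would explain the `userid` IGNORE rule in header_checks to the next reader.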