author | Matthieu Saulnier <fantom@fedoraproject.org> | 2017-08-11 03:18:42 +0200 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2017-08-11 03:18:42 +0200 |
commit | 8b6de7e198776e82f2bd8844ccfcb9ae30848e88 (patch) | |
tree | 9f914710c509e8f649d6a70c1660d591ed02437c | |
parent | 57a078dfd16aeb0bcea2bc2aba099c35a43d21d3 (diff) | |
download | playbooks-ansible-8b6de7e198776e82f2bd8844ccfcb9ae30848e88.tar.gz playbooks-ansible-8b6de7e198776e82f2bd8844ccfcb9ae30848e88.tar.xz playbooks-ansible-8b6de7e198776e82f2bd8844ccfcb9ae30848e88.zip |
add DKIM and DMARC control checks
-rw-r--r-- | roles/dnsserver/files/casperlefantom.net.zone | 12 | ||||
-rw-r--r-- | roles/dnsserver/files/jaysfoodventure.com.zone | 9 | ||||
-rw-r--r-- | roles/mtaserver/files/master.cf | 2 | ||||
-rw-r--r-- | roles/mtaserver/templates/main.cf.j2 | 31 |
4 files changed, 51 insertions, 3 deletions
diff --git a/roles/dnsserver/files/casperlefantom.net.zone b/roles/dnsserver/files/casperlefantom.net.zone index cdddae0..de7842a 100644 --- a/roles/dnsserver/files/casperlefantom.net.zone +++ b/roles/dnsserver/files/casperlefantom.net.zone @@ -1,6 +1,6 @@ $ttl 3600 casperlefantom.net. IN SOA nsa.casperlefantom.net. hostmaster.casperlefantom.net. ( -2017080800 ; serial number +2017081101 ; serial number 3600 ; refresh 3600 ; retry 1209600 ; expire @@ -134,6 +134,16 @@ ntp4 IN A 195.154.75.244 casperlefantom.net. TXT "v=spf1 mx mx:casperlefantom.net mx:jaysfoodventure.com ip4:82.247.103.117 ip6:2a01:e35:2f76:7750::4 -all" mail.casperlefantom.net. TXT "v=spf1 a a:mail.casperlefantom.net ip4:82.247.103.117 ip6:2a01:e35:2f76:7750::4 -all" + +201708._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; " + "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9MR0U/PzpSihX+jM1STQm+oFrOh4R/XL9eIHVu9knK0VzxuuQ6Bz/0FAJOMZu1dj5u+wm+z+vNe4f7Qr7RSnqvfwjZjLXodSNhz99Cpe/4IzOT68uciL3H6CCc7e0ZzcPs+GX4rLd8XOSIK188OfK7b+m13gw008cOyhjUzySnVAoO1judRa7tT3k9fufsS7t1XPmY7ClnSGak" + "PfpIqDL0LH2+5qjs1EpwzjFJiHeGF32DSGUFAsKGY7D40IbULFiY0/z9F710GZpfkrKqs0Lt2L9LE0L8cy1YvsrCQO/7NMyOE1jUV3ykxV75H2X483AjSDjnymsisogP+976hIvO2CFsj6rKXWCh//xrTDsDD9d86L8zbZHzCKfa0A8MIod50PZl+G6uX1hDENgcrxvF/ftWo3qwUp6cYZ8iAR5G0s45Y6WGa3ebNagCKyDcJMQGS2JpLq" + "IyAem1/kdOOCw47yYzGmZtIzBNYHJyWeSS7c4SUZNDjR09az+jPH5ZEpti7kJywHDtFvunLTohGLy+RtKrm7o23SY2aBpF4yYHcBFcQIlgPSOEXK0nXVDNlQbRPLsFsT3JKRVBAOSEjGjpYsv6vetSthnxigfWOD3QUQ+qEAUtrGf9d20xhrm0DB5ezs67Ty4pJL2swun8XlKPMmD+lHX0Qfy6Djegr1uvMCAwEAAQ==" ) ; ----- DKIM key 201708 for casperlefantom.net + + +_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r" + + blog.casperlefantom.net. TXT "d72vewh3wa4lwpaj.onion" dl.casperlefantom.net. TXT "mwyjtiphky5em4yp.onion" diff --git a/roles/dnsserver/files/jaysfoodventure.com.zone b/roles/dnsserver/files/jaysfoodventure.com.zone index 4b4cebd..8f53ec1 100644 --- a/roles/dnsserver/files/jaysfoodventure.com.zone 
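Review bot: The `_dmarc` record in this hunk goes straight to `p=reject`/`sp=reject` with no `rua=` tag, so nothing will report which legitimate streams (forwarders, mailing lists, the jaysfoodventure.com mail the SPF `mx:` entry above shows passing through this host) fail alignment once receivers enforce it. Add reporting on that line, e.g. `_dmarc IN TXT "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@casperlefantom.net"` (a same-domain mailbox needs no external-authorization record), and consider running at `p=none` or `p=quarantine; pct=...` until the reports are clean. The 4096-bit DKIM key is correctly split into 255-byte strings, but the resulting TXT answer is well over 512 bytes, so resolvers without EDNS0 must retry over TCP; confirm the authoritative servers (nsa/nsd) answer TXT over TCP before relying on this selector.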
+++ b/roles/dnsserver/files/jaysfoodventure.com.zone @@ -1,6 +1,6 @@ $ttl 3600 jaysfoodventure.com. IN SOA nsa.jaysfoodventure.com. hostmaster.jaysfoodventure.com. ( -2017080800 ; serial number +2017081101 ; serial number 3600 ; refresh 3600 ; retry 1209600 ; expire @@ -52,3 +52,10 @@ nsd IN A 195.154.75.244 jaysfoodventure.com. TXT "v=spf1 redirect=casperlefantom.net" +201708._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; " + "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3yavfAwZl2xEsTVzpH9IC/bIdzJB0am0f7wxOLoEii0AdxOh8/Tia5qqyPpOExepS5CugvY7drzXIZJafcsyasrs3tOwI6WafGeFl9jtiE+0iTMKMK6jNHRq91gLgBLfflBomVNtbKyDw9Agz1ABIvs7ASGJAHzBhY16N4BDYIE6HTMQNd9ocghbUtKexp4GAdA7Vlr7iR88KV" + "5EfTxSPRY5Pfs4XdXw+/So5QAB4eHo+fTexdcT3M+7de0Fv8jCeGrRPCfn3319W6xQgHA9GeLc1u5au56qmCo4o6nGh3mCxYQVgutRBbyM3Q8mY5I+KnKFR6u69Edb8lZrdaE2qcTtrzd0FdOUXJWO2sX1EesVNPC78Tz2XzqsfQJXH8pAtiymKCuG7pXJ6rTs0g7/yJIw179+40f1hc09El6DhJLlnnl05EayLTedULhkGCEkoUNNsizB" + "rF/Jb5ELfB2Fc2J4vIBfLHnRfLOBB13fNYmAtyShB9edhQDd/AnoGs37ymAkYK3PdDfdr9urjFroITaIa438UWU/ip5gYCk+23seT5bIkLsXUH7preUE7+K8pkSkF6oQR8V22B/kZX7GxkQEKAuuKTBzNTlDBp2ycJoOLyFGCWQZlnCKhCptzMPqEYd5mk4Ty9iB42/mYeSEMvFIs9luxgWYNAVCqLU0uhcCAwEAAQ==" ) ; ----- DKIM key 201708 for jaysfoodventure.com + + +_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r" diff --git a/roles/mtaserver/files/master.cf b/roles/mtaserver/files/master.cf index 4fe9b2f..73c1c66 100644 --- a/roles/mtaserver/files/master.cf +++ b/roles/mtaserver/files/master.cf @@ -125,3 +125,5 @@ scache unix - - n - 1 scache #mailman unix - n n - - pipe # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user} +policyd-spf unix - n n - 0 spawn + user=nobody argv=/usr/libexec/postfix/policyd-spf diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2 index d42c022..50133b1 100644 --- a/roles/mtaserver/templates/main.cf.j2 +++ b/roles/mtaserver/templates/main.cf.j2 
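Review bot: The `_dmarc` record for jaysfoodventure.com also carries no `rua=`, and for this domain the reporting mailbox will presumably live on casperlefantom.net, which DMARC treats as an external destination: adding `rua=mailto:dmarc@casperlefantom.net` here is not enough on its own. Receivers will only send reports if casperlefantom.net's zone also publishes `jaysfoodventure.com._report._dmarc IN TXT "v=DMARC1"`, so that record belongs in the sibling zone file changed by this commit. Without either, `p=reject` is enforced blind for a domain whose SPF is a `redirect=` to another zone, which is exactly the setup where alignment surprises show up.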
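Review bot: The new `policyd-spf` spawn service in master.cf runs as `nobody`, a shared account that other unprivileged daemons on the host may also use, so a fault in the SPF daemon (which parses attacker-influenced DNS answers and SMTP envelope data) would execute with the same identity as those services. Prefer a dedicated account, e.g. `user=policyd-spf argv=/usr/libexec/postfix/policyd-spf`, creating it in the role if the Fedora pypolicyd-spf package does not ship one (confirm; the package's own example still shows `nobody`). The `0` process limit is the form the policyd-spf documentation gives and is fine.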
@@ -348,7 +348,7 @@ mynetworks = hash:/etc/postfix/network_table #relayhost = uucphost #relayhost = [an.ip.add.ress] {% if is_mtamaster is defined %} -relayhost = [smtp.free.fr] +##relayhost = [smtp.free.fr] {% else %} relayhost = [mail.casperlefantom.net]:587 smtp_sasl_auth_enable = yes @@ -735,6 +735,33 @@ smtpd_tls_ciphers = high smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options +smtpd_recipient_restrictions = + permit_mynetworks, + check_policy_service unix:private/policyd-spf, + reject_unknown_client, + reject_unauth_pipelining, + reject_non_fqdn_recipient, + reject_unknown_recipient_domain + +# Milter configuration +# OpenDKIM +milter_default_action = accept +# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2 +milter_protocol = 6 +smtpd_milters = inet:localhost:8891 +non_smtpd_milters = inet:localhost:8891 + +smtpd_sender_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_non_fqdn_sender, + reject_unknown_sender_domain + +smtpd_helo_restrictions = + permit_mynetworks, + reject_non_fqdn_helo_hostname, + reject_invalid_helo_hostname + smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, @@ -751,6 +778,8 @@ smtpd_sasl_path = private/auth virtual_alias_maps = hash:/etc/postfix/virtual mailbox_size_limit = 5368709120 message_size_limit = 5368709120 + +policyd-spf_time_limit = 3600 {% endif %} meta_directory = /etc/postfix |
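Review bot: In the second hunk `smtpd_recipient_restrictions` reaches `check_policy_service unix:private/policyd-spf` before any `permit_sasl_authenticated`, whereas `smtpd_sender_restrictions` in the same hunk does let SASL clients through; with the `-all` SPF records published by this commit, an authenticated user submitting from an IP outside the record hard-fails SPF and is rejected, unless the submission service in master.cf overrides this list (not visible here). The cheap syntactic rejects should also precede the policy call so the daemon is not consulted for recipients that will be refused anyway. Separately, `milter_default_action = accept` fails open: if OpenDKIM on localhost:8891 is down, inbound mail is accepted with no DKIM verification and outbound mail leaves unsigned, which under the newly published `p=reject` will be refused downstream as soon as it is forwarded, so Postfix's default `tempfail` is the safer setting. The `{% endif %}` in the third hunk closes a block opened outside this view; confirm these restrictions are rendered on the master MTA and not only in the `{% else %}` branch that relays to it.
```jinja
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unknown_client,
    check_policy_service unix:private/policyd-spf

# Milter configuration
# OpenDKIM
# Fail closed (4xx) when the milter is unreachable rather than skipping DKIM
milter_default_action = tempfail
# … unchanged: milter_protocol, smtpd_milters, non_smtpd_milters, sender/helo restrictions …
```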