authorMatthieu Saulnier <fantom@fedoraproject.org>2017-08-11 03:18:42 +0200
committerMatthieu Saulnier <fantom@fedoraproject.org>2017-08-11 03:18:42 +0200
commit8b6de7e198776e82f2bd8844ccfcb9ae30848e88 (patch)
tree9f914710c509e8f649d6a70c1660d591ed02437c
parent57a078dfd16aeb0bcea2bc2aba099c35a43d21d3 (diff)
add DKIM and DMARC control checks
-rw-r--r--roles/dnsserver/files/casperlefantom.net.zone12
-rw-r--r--roles/dnsserver/files/jaysfoodventure.com.zone9
-rw-r--r--roles/mtaserver/files/master.cf2
-rw-r--r--roles/mtaserver/templates/main.cf.j231
4 files changed, 51 insertions, 3 deletions
diff --git a/roles/dnsserver/files/casperlefantom.net.zone b/roles/dnsserver/files/casperlefantom.net.zone
index cdddae0..de7842a 100644
--- a/roles/dnsserver/files/casperlefantom.net.zone
+++ b/roles/dnsserver/files/casperlefantom.net.zone
@@ -1,6 +1,6 @@
$ttl 3600
casperlefantom.net. IN SOA nsa.casperlefantom.net. hostmaster.casperlefantom.net. (
-2017080800 ; serial number
+2017081101 ; serial number
3600 ; refresh
3600 ; retry
1209600 ; expire
@@ -134,6 +134,16 @@ ntp4 IN A 195.154.75.244
casperlefantom.net. TXT "v=spf1 mx mx:casperlefantom.net mx:jaysfoodventure.com ip4:82.247.103.117 ip6:2a01:e35:2f76:7750::4 -all"
mail.casperlefantom.net. TXT "v=spf1 a a:mail.casperlefantom.net ip4:82.247.103.117 ip6:2a01:e35:2f76:7750::4 -all"
+
+201708._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
+ "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9MR0U/PzpSihX+jM1STQm+oFrOh4R/XL9eIHVu9knK0VzxuuQ6Bz/0FAJOMZu1dj5u+wm+z+vNe4f7Qr7RSnqvfwjZjLXodSNhz99Cpe/4IzOT68uciL3H6CCc7e0ZzcPs+GX4rLd8XOSIK188OfK7b+m13gw008cOyhjUzySnVAoO1judRa7tT3k9fufsS7t1XPmY7ClnSGak"
+ "PfpIqDL0LH2+5qjs1EpwzjFJiHeGF32DSGUFAsKGY7D40IbULFiY0/z9F710GZpfkrKqs0Lt2L9LE0L8cy1YvsrCQO/7NMyOE1jUV3ykxV75H2X483AjSDjnymsisogP+976hIvO2CFsj6rKXWCh//xrTDsDD9d86L8zbZHzCKfa0A8MIod50PZl+G6uX1hDENgcrxvF/ftWo3qwUp6cYZ8iAR5G0s45Y6WGa3ebNagCKyDcJMQGS2JpLq"
+ "IyAem1/kdOOCw47yYzGmZtIzBNYHJyWeSS7c4SUZNDjR09az+jPH5ZEpti7kJywHDtFvunLTohGLy+RtKrm7o23SY2aBpF4yYHcBFcQIlgPSOEXK0nXVDNlQbRPLsFsT3JKRVBAOSEjGjpYsv6vetSthnxigfWOD3QUQ+qEAUtrGf9d20xhrm0DB5ezs67Ty4pJL2swun8XlKPMmD+lHX0Qfy6Djegr1uvMCAwEAAQ==" ) ; ----- DKIM key 201708 for casperlefantom.net
+
+
+_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r"
+
+
blog.casperlefantom.net. TXT "d72vewh3wa4lwpaj.onion"
dl.casperlefantom.net. TXT "mwyjtiphky5em4yp.onion"
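Review bot: The new `_dmarc` record (`v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r`) publishes a reject policy but carries no `rua=` tag, so the domain owner receives no aggregate reports and has no way to see legitimate mail being dropped or spoofing attempts being blocked; the same record is added to jaysfoodventure.com.zone in the next file section. I would add reporting, e.g. `_dmarc IN TXT "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:<dmarc-reports-mailbox>"` with a real mailbox substituted, and since the zone goes straight to `p=reject` without a `p=none` observation phase, the reports are the only feedback loop for the DKIM/SPF alignment now being enforced. On the `201708._domainkey` record, the key is a 4096-bit RSA key, which makes the TXT answer exceed a 512-byte UDP response and relies on EDNS0/TCP fallback; RFC 6376 only requires verifiers to handle keys up to 2048 bits, so a few verifiers may fail to fetch or use it (worth a comment on the record if this size is intentional). A brief comment on the selector naming convention (`201708` looks like a YYYYMM rotation scheme) would also help whoever rotates the key next.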
diff --git a/roles/dnsserver/files/jaysfoodventure.com.zone b/roles/dnsserver/files/jaysfoodventure.com.zone
index 4b4cebd..8f53ec1 100644
--- a/roles/dnsserver/files/jaysfoodventure.com.zone
+++ b/roles/dnsserver/files/jaysfoodventure.com.zone
@@ -1,6 +1,6 @@
$ttl 3600
jaysfoodventure.com. IN SOA nsa.jaysfoodventure.com. hostmaster.jaysfoodventure.com. (
-2017080800 ; serial number
+2017081101 ; serial number
3600 ; refresh
3600 ; retry
1209600 ; expire
@@ -52,3 +52,10 @@ nsd IN A 195.154.75.244
jaysfoodventure.com. TXT "v=spf1 redirect=casperlefantom.net"
+201708._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
+ "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3yavfAwZl2xEsTVzpH9IC/bIdzJB0am0f7wxOLoEii0AdxOh8/Tia5qqyPpOExepS5CugvY7drzXIZJafcsyasrs3tOwI6WafGeFl9jtiE+0iTMKMK6jNHRq91gLgBLfflBomVNtbKyDw9Agz1ABIvs7ASGJAHzBhY16N4BDYIE6HTMQNd9ocghbUtKexp4GAdA7Vlr7iR88KV"
+ "5EfTxSPRY5Pfs4XdXw+/So5QAB4eHo+fTexdcT3M+7de0Fv8jCeGrRPCfn3319W6xQgHA9GeLc1u5au56qmCo4o6nGh3mCxYQVgutRBbyM3Q8mY5I+KnKFR6u69Edb8lZrdaE2qcTtrzd0FdOUXJWO2sX1EesVNPC78Tz2XzqsfQJXH8pAtiymKCuG7pXJ6rTs0g7/yJIw179+40f1hc09El6DhJLlnnl05EayLTedULhkGCEkoUNNsizB"
+ "rF/Jb5ELfB2Fc2J4vIBfLHnRfLOBB13fNYmAtyShB9edhQDd/AnoGs37ymAkYK3PdDfdr9urjFroITaIa438UWU/ip5gYCk+23seT5bIkLsXUH7preUE7+K8pkSkF6oQR8V22B/kZX7GxkQEKAuuKTBzNTlDBp2ycJoOLyFGCWQZlnCKhCptzMPqEYd5mk4Ty9iB42/mYeSEMvFIs9luxgWYNAVCqLU0uhcCAwEAAQ==" ) ; ----- DKIM key 201708 for jaysfoodventure.com
+
+
+_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r"
diff --git a/roles/mtaserver/files/master.cf b/roles/mtaserver/files/master.cf
index 4fe9b2f..73c1c66 100644
--- a/roles/mtaserver/files/master.cf
+++ b/roles/mtaserver/files/master.cf
@@ -125,3 +125,5 @@ scache unix - - n - 1 scache
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
+policyd-spf unix - n n - 0 spawn
+ user=nobody argv=/usr/libexec/postfix/policyd-spf
diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2
index d42c022..50133b1 100644
--- a/roles/mtaserver/templates/main.cf.j2
+++ b/roles/mtaserver/templates/main.cf.j2
@@ -348,7 +348,7 @@ mynetworks = hash:/etc/postfix/network_table
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
{% if is_mtamaster is defined %}
-relayhost = [smtp.free.fr]
+##relayhost = [smtp.free.fr]
{% else %}
relayhost = [mail.casperlefantom.net]:587
smtp_sasl_auth_enable = yes
@@ -735,6 +735,33 @@ smtpd_tls_ciphers = high
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+smtpd_recipient_restrictions =
+ permit_mynetworks,
+ check_policy_service unix:private/policyd-spf,
+ reject_unknown_client,
+ reject_unauth_pipelining,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain
+
+# Milter configuration
+# OpenDKIM
+milter_default_action = accept
+# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
+milter_protocol = 6
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = inet:localhost:8891
+
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain
+
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_helo_hostname,
+ reject_invalid_helo_hostname
+
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
@@ -751,6 +778,8 @@ smtpd_sasl_path = private/auth
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_size_limit = 5368709120
message_size_limit = 5368709120
+
+policyd-spf_time_limit = 3600
{% endif %}
meta_directory = /etc/postfix
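Review bot: In the `smtpd_recipient_restrictions` hunk (`@@ -735,6 +735,33 @@`), only `permit_mynetworks` precedes `check_policy_service unix:private/policyd-spf` and `reject_unknown_client`, so SASL-authenticated clients that are not in `mynetworks` (the relay hosts pointed at `[mail.casperlefantom.net]:587` earlier in this file) will have SPF evaluated against their own IP and will be rejected when that IP lacks forward-confirmed reverse DNS; `smtpd_relay_restrictions` granting `permit_sasl_authenticated` does not help because Postfix evaluates both lists and a reject in either wins, unless the submission service in master.cf overrides `smtpd_recipient_restrictions`, which is not visible in this commit. I would add `permit_sasl_authenticated,` directly after `permit_mynetworks,` in the recipient list, and I would use the current name `reject_unknown_client_hostname` since `reject_unknown_client` is the pre-2.3 spelling. Separately, `milter_default_action = accept` means that if OpenDKIM at `inet:localhost:8891` is down, mail is accepted unsigned and unverified; that is a reasonable availability trade-off but deserves a comment such as `# fail open: an OpenDKIM outage must not stop mail flow; outbound mail is then sent unsigned`. The `smtpd_relay_restrictions` list continues past the end of the hunk, and the final `policyd-spf_time_limit` hunk appears cut off at the page end.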