See #2081. Supporto a ARC.

This commit is contained in:
Andrea Dell'Amico 2024-02-16 17:22:21 +01:00
parent cfc40d98ca
commit f24b5aaa98
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
9 changed files with 214 additions and 54 deletions

View File

@ -129,6 +129,22 @@ postfix_dkim_v_sendreports: 'no'
postfix_dkim_reportaddress: ''
postfix_dkim_canonicalization: 'relaxed/relaxed'
postfix_dkim_minkeybits: 1024
# ARC
# - domain: 'example.com'
# arc_selector: 'default'
# s: sign
# v: verify
# sv: sign and verify
postfix_arc_enabled: false
postfix_arc_domain: ""
postfix_arc_domain_selector: "arc-{{ ansible_hostname }}"
postfix_arc_trusted_hosts:
- "127.0.0.1"
postfix_arc_mode: 'v'
postfix_arc_socket: 'inet:8894@localhost'
postfix_arc_milter_socket: 'inet:[127.0.0.1]:8894'
postfix_arc_canonicalization: 'relaxed/relaxed'
# SRS
# Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64'
# postfix_srs_secret: 'use a vault'
@ -166,6 +182,7 @@ postfix_smtpd_mx_client_restrictions:
- reject_non_fqdn_recipient
- reject_invalid_hostname
- reject_unauth_destination
- reject_unauth_pipelining
- reject_unknown_recipient_domain
- reject_unlisted_recipient

View File

@ -1,32 +1,46 @@
---
- name: Update SASL hash
shell: postmap hash:/etc/postfix/sasl_passwd
ansible.builtin.command: postmap hash:/etc/postfix/sasl_passwd
- name: Reload postfix
service: name=postfix state=reloaded
ansible.builtin.service:
name: postfix
state: reloaded
when: postfix_enabled | bool
- name: Restart postfix
service: name=postfix state=restarted
ansible.builtin.service:
name: postfix
state: restarted
when: postfix_enabled | bool
- name: Update the network hash table
shell: postmap hash:/etc/postfix/network_table
ansible.builtin.command: postmap hash:/etc/postfix/network_table
- name: start saslauth daemon
service: name=saslauthd state=started enabled=yes
ansible.builtin.service:
name: saslauthd
state: started
enabled: true
when: postfix_enabled | bool
- name: restart saslauth daemon
service: name=saslauthd state=restarted
ansible.builtin.service:
name: saslauthd
state: restarted
when: postfix_enabled | bool
- name: restart opendkim
service:
ansible.builtin.service:
name: opendkim
state: restarted
- name: Restart openarc
ansible.builtin.service:
name: openarc
state: restarted
- name: restart postsrsd
service:
ansible.builtin.service:
name: postsrsd
state: restarted

78
tasks/arc.yml Normal file
View File

@ -0,0 +1,78 @@
---
- name: arc | Manage the arc packages in EL systems
when:
- ansible_distribution_file_variety == "RedHat"
- postfix_arc_enabled
tags: ['postfix', 'postfix_arc', 'arc']
block:
- name: arc | Install the arc packages on EL
ansible.builtin.yum:
pkg: '{{ postfix_arc_el_pkgs }}'
state: present
- name: arc | Manage the arc packages in DEB systems
when:
- ansible_distribution_file_variety == "Debian"
- postfix_arc_enabled
tags: ['postfix', 'postfix_arc', 'arc']
block:
- name: arc | Install the arc packages on DEB
ansible.builtin.apt:
pkg: '{{ postfix_arc_deb_pkgs }}'
state: present
cache_valid_time: 1800
- name: arc | ARC configuration
tags: ['postfix', 'postfix_arc', 'arc', 'postfix_conf', 'arc_conf']
block:
- name: arc | Ensure that the /var/run/openarc directory exists
ansible.builtin.file:
dest: /var/run/openarc
state: directory
mode: "0700"
owner: '{{ postfix_arc_user }}'
group: '{{ postfix_arc_group }}'
- name: arc | Create the arc domains subdirs
ansible.builtin.file:
dest: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}'
state: directory
mode: "0750"
owner: '{{ postfix_arc_user }}'
group: '{{ postfix_arc_group }}'
- name: arc | Create the arc signature (only one domain is supported)
become: true
become_user: '{{ postfix_arc_user }}'
ansible.builtin.command: opendkim-genkey -D {{ postfix_arc_key_dir }} -d {{ postfix_arc_domain }} -s {{ postfix_arc_domain_selector }}
args:
creates: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private'
notify: Restart openarc
- name: arc | Install the trustedhosts list when defined
ansible.builtin.template:
src: 'arc_trustedhosts.j2'
dest: '{{ postfix_arc_base_dir }}/trustedhosts'
owner: '{{ postfix_arc_user }}'
group: '{{ postfix_arc_group }}'
mode: "0600"
notify: Restart openarc
- name: arc | Install the openarc configuration
ansible.builtin.template:
src: openarc.conf.j2
dest: '{{ postfix_arc_conf }}'
owner: root
group: root
mode: "0644"
notify: Restart openarc
- name: arc | Manage the arc service
tags: ['postfix', 'postfix_arc', 'arc']
block:
- name: arc | Ensure that the openarc service is started and enabled
ansible.builtin.service:
name: openarc
state: started
enabled: true

View File

@ -1,88 +1,85 @@
---
- name: Manage the DKIM packages in EL systems
block:
- name: Install the DKIM packages on EL
yum:
pkg: '{{ postfix_dkim_el_pkgs }}'
state: present
- name: dkim | Manage the DKIM packages in EL systems
when:
- ansible_distribution_file_variety == "RedHat"
- postfix_dkim_enabled
tags: ['postfix', 'postfix_dkim', 'dkim']
- name: Manage the DKIM packages in DEB systems
block:
- name: Install the DKIM packages on DEB
apt:
pkg: '{{ postfix_dkim_deb_pkgs }}'
- name: dkim | Install the DKIM packages on EL
ansible.builtin.yum:
pkg: '{{ postfix_dkim_el_pkgs }}'
state: present
cache_valid_time: 1800
- name: dkim | Manage the DKIM packages in DEB systems
when:
- ansible_distribution_file_variety == "Debian"
- postfix_dkim_enabled
tags: ['postfix', 'postfix_dkim', 'dkim']
- name: DKIM configuration
block:
- name: Create the dkim domains subdirs
file:
- name: dkim | Install the DKIM packages on DEB
ansible.builtin.apt:
pkg: '{{ postfix_dkim_deb_pkgs }}'
state: present
cache_valid_time: 1800
- name: dkim | DKIM configuration
tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf']
block:
- name: dkim | Create the dkim domains subdirs
ansible.builtin.file:
dest: '{{ postfix_dkim_base_dir }}/{{ item.domain }}'
state: directory
mode: 0750
mode: "0750"
owner: '{{ postfix_dkim_user }}'
group: '{{ postfix_dkim_group }}'
loop: '{{ postfix_dkim_domains }}'
- name: Create the dkim signatures
- name: dkim | Create the dkim signatures
become: true
become_user: '{{ postfix_dkim_user }}'
shell: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }}
ansible.builtin.command: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }}
args:
creates: '{{ postfix_dkim_base_dir }}/{{ item.domain }}/{{ item.dkim_selector }}.private'
loop: '{{ postfix_dkim_domains }}'
notify: restart opendkim
- name: Update the keytable and signitable files
template:
- name: dkim | Update the keytable and signitable files
ansible.builtin.template:
src: 'dkim_{{ item }}.j2'
dest: '{{ postfix_dkim_base_dir }}/{{ item }}'
owner: '{{ postfix_dkim_user }}'
group: '{{ postfix_dkim_group }}'
mode: 0600
mode: "0600"
loop:
- keytable
- signingtable
notify: restart opendkim
- name: Install the trustedhosts list when defined
template:
- name: dkim | Install the trustedhosts list when defined
ansible.builtin.template:
src: 'dkim_trustedhosts.j2'
dest: '{{ postfix_dkim_base_dir }}/trustedhosts'
owner: '{{ postfix_dkim_user }}'
group: '{{ postfix_dkim_group }}'
mode: 0600
mode: "0600"
notify: restart opendkim
when: postfix_dkim_trusted_hosts_enabled
- name: Install the opendkim configuration
template:
- name: dkim | Install the opendkim configuration
ansible.builtin.template:
src: opendkim.conf.j2
dest: '{{ postfix_dkim_conf }}'
owner: root
group: root
mode: 0644
mode: "0644"
notify: restart opendkim
tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf']
- name: Manage the DKIM service
- name: dkim | Manage the DKIM service
tags: ['postfix', 'postfix_dkim', 'dkim']
block:
- name: Ensure that the opendkim service is started and enabled
service:
- name: dkim | Ensure that the opendkim service is started and enabled
ansible.builtin.service:
name: opendkim
state: started
enabled: true
tags: ['postfix', 'postfix_dkim', 'dkim']

View File

@ -1,20 +1,33 @@
---
- import_tasks: smtp-common-packages.yml
- import_tasks: dkim.yml
- name: SMTP packages
ansible.builtin.import_tasks: smtp-common-packages.yml
- name: DKIM management
ansible.builtin.import_tasks: dkim.yml
when: postfix_dkim_enabled
- import_tasks: postsrsd.yml
- name: ARC management
ansible.builtin.import_tasks: arc.yml
when: postfix_arc_enabled
- name: SRS support
ansible.builtin.import_tasks: postsrsd.yml
when: postfix_srs_sender_enabled or postfix_srs_receiver_enabled
- import_tasks: postfix_spf_policy.yml
- name: SPF policy check
ansible.builtin.import_tasks: postfix_spf_policy.yml
when: postfix_spf_policy_install
- import_tasks: smtp-configuration.yml
- import_tasks: postfix_pflogsumm.yml
- import_tasks: postfix_firewalld.yml
- name: Postfix configuration
ansible.builtin.import_tasks: smtp-configuration.yml
- name: Install and configure pflogsumm
ansible.builtin.import_tasks: postfix_pflogsumm.yml
- name: EL firewalld rules
ansible.builtin.import_tasks: postfix_firewalld.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: smtp-sasl-auth.yml
- name: SASL auth
ansible.builtin.import_tasks: smtp-sasl-auth.yml
when:
- postfix_use_sasl_auth | bool
- postfix_relay_client | bool
- import_tasks: postfix-relay-server.yml
- name: Postfix as a relay server
ansible.builtin.import_tasks: postfix-relay-server.yml
when: postfix_smtpd_server | bool
- import_tasks: postfix-letsencrypt-hook.yml
- name: Manage the letsencrypt certificates
ansible.builtin.import_tasks: postfix-letsencrypt-hook.yml
when: postfix_use_letsencrypt | bool

View File

@ -0,0 +1,3 @@
{% for item in postfix_arc_trusted_hosts %}
{{ item }}
{% endfor %}

View File

@ -579,6 +579,9 @@ milter_connect_macros = j {daemon_name} v _
{% endif %}
# What to do in case of errors? Specify accept, reject, tempfail,
# or quarantine (Postfix 2.6 or later).
# DMARC/ARC order
# * sending: dkim before arc
# * receiving: arc before dmarc
milter_default_action = {{ postfix_milter_action }}
smtpd_milters =
{% if postfix_clamav_milter %}
@ -590,9 +593,15 @@ smtpd_milters =
{% if postfix_dkim_enabled %}
{{ postfix_dkim_milter_socket }}
{% endif %}
{% if postfix_arc_enabled %}
{{ postfix_arc_milter_socket }}
{% endif %}
{% if postfix_dkim_enabled %}
non_smtpd_milters =
{{ postfix_dkim_milter_socket }}
{% if postfix_arc_enabled %}
{{ postfix_arc_milter_socket }}
{% endif %}
{% endif %}
{% endif %}
@ -677,6 +686,7 @@ smtpd_sender_restrictions =
{% if postfix_reject_unknown_sender_domain %}
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_unauth_pipelining
{% endif %}
{% if postfix_reject_sender_login_mismatch %}
reject_sender_login_mismatch

17
templates/openarc.conf.j2 Normal file
View File

@ -0,0 +1,17 @@
## See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more
PidFile /var/run/openarc/openarc.pid
Syslog yes
#Umask 002
UserID {{ postfix_arc_user }}:{{ postfix_arc_group }}
Socket {{ postfix_arc_socket }}
## After setting Mode to "sv", running
## opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org
## and putting /etc/openarc
Canonicalization {{ postfix_arc_canonicalization }}
Domain {{ postfix_arc_domain }}
Selector {{ postfix_arc_domain_selector }}
KeyFile {{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private
SignatureAlgorithm rsa-sha256
InternalHosts {{ postfix_arc_base_dir }}/trustedhosts
Mode {{ postfix_arc_mode }}

View File

@ -11,6 +11,17 @@ postfix_dkim_user: opendkim
postfix_dkim_group: opendkim
postfix_dkim_conf: /etc/opendkim.conf
postfix_arc_el_pkgs:
- openarc
postfix_arc_deb_pkgs: []
postfix_arc_base_dir: /etc/openarc
postfix_arc_key_dir: "{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}"
postfix_arc_user: openarc
postfix_arc_group: openarc
postfix_arc_conf: /etc/openarc.conf
# Conf files and data files
postfix_srs_secret_file: '/etc/postsrsd.secret'
postfix_srs_conf_file: '/etc/default/postsrsd'