See #2081. Supporto a ARC.

defaults/main.yml

@@ -129,6 +129,22 @@ postfix_dkim_v_sendreports: 'no'
 postfix_dkim_reportaddress: ''
 postfix_dkim_canonicalization: 'relaxed/relaxed'
 postfix_dkim_minkeybits: 1024
+# ARC
+#  - domain: 'example.com'
+#    arc_selector: 'default'
+# s: sign
+# v: verify
+# sv: sign and verify
+postfix_arc_enabled: false
+postfix_arc_domain: ""
+postfix_arc_domain_selector: "arc-{{ ansible_hostname }}"
+postfix_arc_trusted_hosts:
+  - "127.0.0.1"
+postfix_arc_mode: 'v'
+postfix_arc_socket: 'inet:8894@localhost'
+postfix_arc_milter_socket: 'inet:[127.0.0.1]:8894'
+postfix_arc_canonicalization: 'relaxed/relaxed'
+
 # SRS
 # Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64'
 # postfix_srs_secret: 'use a vault'
@@ -166,6 +182,7 @@ postfix_smtpd_mx_client_restrictions:
   - reject_non_fqdn_recipient
   - reject_invalid_hostname
   - reject_unauth_destination
+  - reject_unauth_pipelining
   - reject_unknown_recipient_domain
   - reject_unlisted_recipient
 

handlers/main.yml

@@ -1,32 +1,46 @@
 ---
 - name: Update SASL hash
-  shell: postmap hash:/etc/postfix/sasl_passwd
+  ansible.builtin.command: postmap hash:/etc/postfix/sasl_passwd
 
 - name: Reload postfix
-  service: name=postfix state=reloaded
+  ansible.builtin.service:
+    name: postfix
+    state: reloaded
   when: postfix_enabled | bool
 
 - name: Restart postfix
-  service: name=postfix state=restarted
+  ansible.builtin.service:
+    name: postfix
+    state: restarted
   when: postfix_enabled | bool
 
 - name: Update the network hash table
-  shell: postmap hash:/etc/postfix/network_table
+  ansible.builtin.command: postmap hash:/etc/postfix/network_table
 
 - name: start saslauth daemon
-  service: name=saslauthd state=started enabled=yes
+  ansible.builtin.service:
+    name: saslauthd
+    state: started
+    enabled: true
   when: postfix_enabled | bool
 
 - name: restart saslauth daemon
-  service: name=saslauthd state=restarted
+  ansible.builtin.service:
+    name: saslauthd
+    state: restarted
   when: postfix_enabled | bool
 
 - name: restart opendkim
-  service:
+  ansible.builtin.service:
     name: opendkim
     state: restarted
 
+- name: Restart openarc
+  ansible.builtin.service:
+    name: openarc
+    state: restarted
+
 - name: restart postsrsd
-  service:
+  ansible.builtin.service:
     name: postsrsd
     state: restarted

tasks/arc.yml

@@ -0,0 +1,78 @@
+---
+- name: arc | Manage the arc packages in EL systems
+  when:
+    - ansible_distribution_file_variety == "RedHat"
+    - postfix_arc_enabled
+  tags: ['postfix', 'postfix_arc', 'arc']
+  block:
+    - name: arc | Install the arc packages on EL
+      ansible.builtin.yum:
+        pkg: '{{ postfix_arc_el_pkgs }}'
+        state: present
+
+
+- name: arc | Manage the arc packages in DEB systems
+  when:
+    - ansible_distribution_file_variety == "Debian"
+    - postfix_arc_enabled
+  tags: ['postfix', 'postfix_arc', 'arc']
+  block:
+    - name: arc | Install the arc packages on DEB
+      ansible.builtin.apt:
+        pkg: '{{ postfix_arc_deb_pkgs }}'
+        state: present
+        cache_valid_time: 1800
+
+- name: arc | ARC configuration
+  tags: ['postfix', 'postfix_arc', 'arc', 'postfix_conf', 'arc_conf']
+  block:
+    - name: arc | Ensure that the /var/run/openarc directory exists
+      ansible.builtin.file:
+        dest: /var/run/openarc
+        state: directory
+        mode: "0700"
+        owner: '{{ postfix_arc_user }}'
+        group: '{{ postfix_arc_group }}'
+
+    - name: arc | Create the arc domains subdirs
+      ansible.builtin.file:
+        dest: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}'
+        state: directory
+        mode: "0750"
+        owner: '{{ postfix_arc_user }}'
+        group: '{{ postfix_arc_group }}'
+
+    - name: arc | Create the arc signature (only one domain is supported)
+      become: true
+      become_user: '{{ postfix_arc_user }}'
+      ansible.builtin.command: opendkim-genkey -D {{ postfix_arc_key_dir }} -d {{ postfix_arc_domain }} -s {{ postfix_arc_domain_selector }}
+      args:
+        creates: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private'
+      notify: Restart openarc
+
+    - name: arc | Install the trustedhosts list when defined
+      ansible.builtin.template:
+        src: 'arc_trustedhosts.j2'
+        dest: '{{ postfix_arc_base_dir }}/trustedhosts'
+        owner: '{{ postfix_arc_user }}'
+        group: '{{ postfix_arc_group }}'
+        mode: "0600"
+      notify: Restart openarc
+
+    - name: arc | Install the openarc configuration
+      ansible.builtin.template:
+        src: openarc.conf.j2
+        dest: '{{ postfix_arc_conf }}'
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Restart openarc
+
+- name: arc | Manage the arc service
+  tags: ['postfix', 'postfix_arc', 'arc']
+  block:
+    - name: arc | Ensure that the openarc service is started and enabled
+      ansible.builtin.service:
+        name: openarc
+        state: started
+        enabled: true

tasks/dkim.yml

@@ -1,88 +1,85 @@
 ---
-- name: Manage the DKIM packages in EL systems
+- name: dkim | Manage the DKIM packages in EL systems
-  block:
-    - name: Install the DKIM packages on EL
-      yum:
-        pkg: '{{ postfix_dkim_el_pkgs }}'
-        state: present
-
   when:
     - ansible_distribution_file_variety == "RedHat"
     - postfix_dkim_enabled
   tags: ['postfix', 'postfix_dkim', 'dkim']
-
-- name: Manage the DKIM packages in DEB systems
   block:
-    - name: Install the DKIM packages on DEB
+    - name: dkim | Install the DKIM packages on EL
-      apt:
+      ansible.builtin.yum:
-        pkg: '{{ postfix_dkim_deb_pkgs }}'
+        pkg: '{{ postfix_dkim_el_pkgs }}'
         state: present
-        cache_valid_time: 1800
 
+
+- name: dkim | Manage the DKIM packages in DEB systems
   when:
     - ansible_distribution_file_variety == "Debian"
     - postfix_dkim_enabled
   tags: ['postfix', 'postfix_dkim', 'dkim']
-
-- name: DKIM configuration
   block:
-    - name: Create the dkim domains subdirs
+    - name: dkim | Install the DKIM packages on DEB
-      file:
+      ansible.builtin.apt:
+        pkg: '{{ postfix_dkim_deb_pkgs }}'
+        state: present
+        cache_valid_time: 1800
+
+- name: dkim | DKIM configuration
+  tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf']
+  block:
+    - name: dkim | Create the dkim domains subdirs
+      ansible.builtin.file:
         dest: '{{ postfix_dkim_base_dir }}/{{ item.domain }}'
         state: directory
-        mode: 0750
+        mode: "0750"
         owner: '{{ postfix_dkim_user }}'
         group: '{{ postfix_dkim_group }}'
       loop: '{{ postfix_dkim_domains }}'
 
-    - name: Create the dkim signatures
+    - name: dkim | Create the dkim signatures
       become: true
       become_user: '{{ postfix_dkim_user }}'
-      shell: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }}
+      ansible.builtin.command: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }}
       args:
         creates: '{{ postfix_dkim_base_dir }}/{{ item.domain }}/{{ item.dkim_selector }}.private'
       loop: '{{ postfix_dkim_domains }}'
       notify: restart opendkim
 
-    - name: Update the keytable and signitable files
+    - name: dkim | Update the keytable and signitable files
-      template:
+      ansible.builtin.template:
         src: 'dkim_{{ item }}.j2'
         dest: '{{ postfix_dkim_base_dir }}/{{ item }}'
         owner: '{{ postfix_dkim_user }}'
         group: '{{ postfix_dkim_group }}'
-        mode: 0600
+        mode: "0600"
       loop:
         - keytable
         - signingtable
       notify: restart opendkim
 
-    - name: Install the trustedhosts list when defined
+    - name: dkim | Install the trustedhosts list when defined
-      template:
+      ansible.builtin.template:
         src: 'dkim_trustedhosts.j2'
         dest: '{{ postfix_dkim_base_dir }}/trustedhosts'
         owner: '{{ postfix_dkim_user }}'
         group: '{{ postfix_dkim_group }}'
-        mode: 0600
+        mode: "0600"
       notify: restart opendkim
       when: postfix_dkim_trusted_hosts_enabled
 
-    - name: Install the opendkim configuration
+    - name: dkim | Install the opendkim configuration
-      template:
+      ansible.builtin.template:
         src: opendkim.conf.j2
         dest: '{{ postfix_dkim_conf }}'
         owner: root
         group: root
-        mode: 0644
+        mode: "0644"
       notify: restart opendkim
 
-  tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf']
+- name: dkim | Manage the DKIM service
-
+  tags: ['postfix', 'postfix_dkim', 'dkim']
-- name: Manage the DKIM service
   block:
-    - name: Ensure that the opendkim service is started and enabled
+    - name: dkim | Ensure that the opendkim service is started and enabled
-      service:
+      ansible.builtin.service:
         name: opendkim
         state: started
         enabled: true
-
-  tags: ['postfix', 'postfix_dkim', 'dkim']

tasks/main.yml

@@ -1,20 +1,33 @@
 ---
-- import_tasks: smtp-common-packages.yml
+- name: SMTP packages
-- import_tasks: dkim.yml
+  ansible.builtin.import_tasks: smtp-common-packages.yml
+- name: DKIM management
+  ansible.builtin.import_tasks: dkim.yml
   when: postfix_dkim_enabled
-- import_tasks: postsrsd.yml
+- name: ARC management
+  ansible.builtin.import_tasks: arc.yml
+  when: postfix_arc_enabled
+- name: SRS support
+  ansible.builtin.import_tasks: postsrsd.yml
   when: postfix_srs_sender_enabled or postfix_srs_receiver_enabled
-- import_tasks: postfix_spf_policy.yml
+- name: SPF policy check
+  ansible.builtin.import_tasks: postfix_spf_policy.yml
   when: postfix_spf_policy_install
-- import_tasks: smtp-configuration.yml
+- name: Postfix configuration
-- import_tasks: postfix_pflogsumm.yml
+  ansible.builtin.import_tasks: smtp-configuration.yml
-- import_tasks: postfix_firewalld.yml
+- name: Install and configure pflogsumm
+  ansible.builtin.import_tasks: postfix_pflogsumm.yml
+- name: EL firewalld rules
+  ansible.builtin.import_tasks: postfix_firewalld.yml
   when: ansible_distribution_file_variety == "RedHat"
-- import_tasks: smtp-sasl-auth.yml
+- name: SASL auth
+  ansible.builtin.import_tasks: smtp-sasl-auth.yml
   when:
     - postfix_use_sasl_auth | bool
     - postfix_relay_client | bool
-- import_tasks: postfix-relay-server.yml
+- name: Postfix as a relay server
+  ansible.builtin.import_tasks: postfix-relay-server.yml
   when: postfix_smtpd_server | bool
-- import_tasks: postfix-letsencrypt-hook.yml
+- name: Manage the letsencrypt certificates
+  ansible.builtin.import_tasks: postfix-letsencrypt-hook.yml
   when: postfix_use_letsencrypt | bool

templates/arc_trustedhosts.j2

@@ -0,0 +1,3 @@
+{% for item in postfix_arc_trusted_hosts %}
+{{ item }}
+{% endfor %}

templates/main.cf.j2

@@ -579,6 +579,9 @@ milter_connect_macros = j {daemon_name} v _
 {% endif %}
 # What to do in case of errors? Specify accept, reject, tempfail,
 # or quarantine (Postfix 2.6 or later).
+# DMARC/ARC order
+# * sending: dkim before arc
+# * receiving: arc before dmarc
 milter_default_action = {{ postfix_milter_action }}
 smtpd_milters =
 {% if postfix_clamav_milter %}
@@ -590,9 +593,15 @@ smtpd_milters =
 {% if postfix_dkim_enabled %}
         {{ postfix_dkim_milter_socket }}
 {% endif %}
+{% if postfix_arc_enabled %}
+        {{ postfix_arc_milter_socket }}
+{% endif %}
 {% if postfix_dkim_enabled %}
 non_smtpd_milters =
         {{ postfix_dkim_milter_socket }}
+{% if postfix_arc_enabled %}
+        {{ postfix_arc_milter_socket }}
+{% endif %}
 {% endif %}
 {% endif %}
 
@@ -677,6 +686,7 @@ smtpd_sender_restrictions =
 {% if postfix_reject_unknown_sender_domain %}
         reject_unknown_sender_domain
         reject_non_fqdn_sender
+        reject_unauth_pipelining
 {% endif %}
 {% if postfix_reject_sender_login_mismatch %}
         reject_sender_login_mismatch

templates/openarc.conf.j2

@@ -0,0 +1,17 @@
+## See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more
+PidFile /var/run/openarc/openarc.pid
+Syslog  yes
+#Umask   002
+UserID  {{ postfix_arc_user }}:{{ postfix_arc_group }}
+Socket  {{ postfix_arc_socket }}
+
+## After setting Mode to "sv", running
+## opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org
+## and putting /etc/openarc
+Canonicalization        {{ postfix_arc_canonicalization }}
+Domain                  {{ postfix_arc_domain }}
+Selector                {{ postfix_arc_domain_selector }}
+KeyFile                 {{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private
+SignatureAlgorithm      rsa-sha256
+InternalHosts           {{ postfix_arc_base_dir }}/trustedhosts
+Mode                    {{ postfix_arc_mode }}

vars/main.yml

@@ -11,6 +11,17 @@ postfix_dkim_user: opendkim
 postfix_dkim_group: opendkim
 postfix_dkim_conf: /etc/opendkim.conf
 
+postfix_arc_el_pkgs:
+  - openarc
+
+postfix_arc_deb_pkgs: []
+
+postfix_arc_base_dir: /etc/openarc
+postfix_arc_key_dir: "{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}"
+postfix_arc_user: openarc
+postfix_arc_group: openarc
+postfix_arc_conf: /etc/openarc.conf
+
 # Conf files and data files
 postfix_srs_secret_file: '/etc/postsrsd.secret'
 postfix_srs_conf_file: '/etc/default/postsrsd'