diff --git a/defaults/main.yml b/defaults/main.yml index 7feec4d..e6a6839 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -129,6 +129,22 @@ postfix_dkim_v_sendreports: 'no' postfix_dkim_reportaddress: '' postfix_dkim_canonicalization: 'relaxed/relaxed' postfix_dkim_minkeybits: 1024 +# ARC +# - domain: 'example.com' +# arc_selector: 'default' +# s: sign +# v: verify +# sv: sign and verify +postfix_arc_enabled: false +postfix_arc_domain: "" +postfix_arc_domain_selector: "arc-{{ ansible_hostname }}" +postfix_arc_trusted_hosts: + - "127.0.0.1" +postfix_arc_mode: 'v' +postfix_arc_socket: 'inet:8894@localhost' +postfix_arc_milter_socket: 'inet:[127.0.0.1]:8894' +postfix_arc_canonicalization: 'relaxed/relaxed' + # SRS # Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64' # postfix_srs_secret: 'use a vault' @@ -166,6 +182,7 @@ postfix_smtpd_mx_client_restrictions: - reject_non_fqdn_recipient - reject_invalid_hostname - reject_unauth_destination + - reject_unauth_pipelining - reject_unknown_recipient_domain - reject_unlisted_recipient diff --git a/handlers/main.yml b/handlers/main.yml index b5c5d23..6888590 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,32 +1,46 @@ --- - name: Update SASL hash - shell: postmap hash:/etc/postfix/sasl_passwd + ansible.builtin.command: postmap hash:/etc/postfix/sasl_passwd - name: Reload postfix - service: name=postfix state=reloaded + ansible.builtin.service: + name: postfix + state: reloaded when: postfix_enabled | bool - name: Restart postfix - service: name=postfix state=restarted + ansible.builtin.service: + name: postfix + state: restarted when: postfix_enabled | bool - name: Update the network hash table - shell: postmap hash:/etc/postfix/network_table + ansible.builtin.command: postmap hash:/etc/postfix/network_table - name: start saslauth daemon - service: name=saslauthd state=started enabled=yes + ansible.builtin.service: + name: saslauthd + state: started + enabled: true when: postfix_enabled | bool - name: restart saslauth daemon - service: name=saslauthd state=restarted + ansible.builtin.service: + name: saslauthd + state: restarted when: postfix_enabled | bool - name: restart opendkim - service: + ansible.builtin.service: name: opendkim state: restarted +- name: Restart openarc + ansible.builtin.service: + name: openarc + state: restarted + - name: restart postsrsd - service: + ansible.builtin.service: name: postsrsd state: restarted diff --git a/tasks/arc.yml b/tasks/arc.yml new file mode 100644 index 0000000..9d13034 --- /dev/null +++ b/tasks/arc.yml @@ -0,0 +1,78 @@ +--- +- name: arc | Manage the arc packages in EL systems + when: + - ansible_distribution_file_variety == "RedHat" + - postfix_arc_enabled + tags: ['postfix', 'postfix_arc', 'arc'] + block: + - name: arc | Install the arc packages on EL + ansible.builtin.yum: + pkg: '{{ postfix_arc_el_pkgs }}' + state: present + + +- name: arc | Manage the arc packages in DEB systems + when: + - ansible_distribution_file_variety == "Debian" + - postfix_arc_enabled + tags: ['postfix', 'postfix_arc', 'arc'] + block: + - name: arc | Install the arc packages on DEB + ansible.builtin.apt: + pkg: '{{ postfix_arc_deb_pkgs }}' + state: present + cache_valid_time: 1800 + +- name: arc | ARC configuration + tags: ['postfix', 'postfix_arc', 'arc', 'postfix_conf', 'arc_conf'] + block: + - name: arc | Ensure that the /var/run/openarc directory exists + ansible.builtin.file: + dest: /var/run/openarc + state: directory + mode: "0700" + owner: '{{ postfix_arc_user }}' + group: '{{ postfix_arc_group }}' + + - name: arc | Create the arc domains subdirs + ansible.builtin.file: + dest: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}' + state: directory + mode: "0750" + owner: '{{ postfix_arc_user }}' + group: '{{ postfix_arc_group }}' + + - name: arc | Create the arc signature (only one domain is supported) + become: true + become_user: '{{ postfix_arc_user }}' + ansible.builtin.command: opendkim-genkey -D {{ postfix_arc_key_dir }} -d {{ postfix_arc_domain }} -s {{ postfix_arc_domain_selector }} + args: + creates: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private' + notify: Restart openarc + + - name: arc | Install the trustedhosts list when defined + ansible.builtin.template: + src: 'arc_trustedhosts.j2' + dest: '{{ postfix_arc_base_dir }}/trustedhosts' + owner: '{{ postfix_arc_user }}' + group: '{{ postfix_arc_group }}' + mode: "0600" + notify: Restart openarc + + - name: arc | Install the openarc configuration + ansible.builtin.template: + src: openarc.conf.j2 + dest: '{{ postfix_arc_conf }}' + owner: root + group: root + mode: "0644" + notify: Restart openarc + +- name: arc | Manage the arc service + tags: ['postfix', 'postfix_arc', 'arc'] + block: + - name: arc | Ensure that the openarc service is started and enabled + ansible.builtin.service: + name: openarc + state: started + enabled: true diff --git a/tasks/dkim.yml b/tasks/dkim.yml index 03d7679..6cc58c4 100644 --- a/tasks/dkim.yml +++ b/tasks/dkim.yml @@ -1,88 +1,85 @@ --- -- name: Manage the DKIM packages in EL systems - block: - - name: Install the DKIM packages on EL - yum: - pkg: '{{ postfix_dkim_el_pkgs }}' - state: present - +- name: dkim | Manage the DKIM packages in EL systems when: - ansible_distribution_file_variety == "RedHat" - postfix_dkim_enabled tags: ['postfix', 'postfix_dkim', 'dkim'] - -- name: Manage the DKIM packages in DEB systems block: - - name: Install the DKIM packages on DEB - apt: - pkg: '{{ postfix_dkim_deb_pkgs }}' + - name: dkim | Install the DKIM packages on EL + ansible.builtin.yum: + pkg: '{{ postfix_dkim_el_pkgs }}' state: present - cache_valid_time: 1800 + +- name: dkim | Manage the DKIM packages in DEB systems when: - ansible_distribution_file_variety == "Debian" - postfix_dkim_enabled tags: ['postfix', 'postfix_dkim', 'dkim'] - -- name: DKIM configuration block: - - name: Create the dkim domains subdirs - file: + - name: dkim | Install the DKIM packages on DEB + ansible.builtin.apt: + pkg: '{{ postfix_dkim_deb_pkgs }}' + state: present + cache_valid_time: 1800 + +- name: dkim | DKIM configuration + tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf'] + block: + - name: dkim | Create the dkim domains subdirs + ansible.builtin.file: dest: '{{ postfix_dkim_base_dir }}/{{ item.domain }}' state: directory - mode: 0750 + mode: "0750" owner: '{{ postfix_dkim_user }}' group: '{{ postfix_dkim_group }}' loop: '{{ postfix_dkim_domains }}' - - name: Create the dkim signatures + - name: dkim | Create the dkim signatures become: true become_user: '{{ postfix_dkim_user }}' - shell: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }} + ansible.builtin.command: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }} args: creates: '{{ postfix_dkim_base_dir }}/{{ item.domain }}/{{ item.dkim_selector }}.private' loop: '{{ postfix_dkim_domains }}' notify: restart opendkim - - name: Update the keytable and signitable files - template: + - name: dkim | Update the keytable and signitable files + ansible.builtin.template: src: 'dkim_{{ item }}.j2' dest: '{{ postfix_dkim_base_dir }}/{{ item }}' owner: '{{ postfix_dkim_user }}' group: '{{ postfix_dkim_group }}' - mode: 0600 + mode: "0600" loop: - keytable - signingtable notify: restart opendkim - - name: Install the trustedhosts list when defined - template: + - name: dkim | Install the trustedhosts list when defined + ansible.builtin.template: src: 'dkim_trustedhosts.j2' dest: '{{ postfix_dkim_base_dir }}/trustedhosts' owner: '{{ postfix_dkim_user }}' group: '{{ postfix_dkim_group }}' - mode: 0600 + mode: "0600" notify: restart opendkim when: postfix_dkim_trusted_hosts_enabled - - name: Install the opendkim configuration - template: + - name: dkim | Install the opendkim configuration + ansible.builtin.template: src: opendkim.conf.j2 dest: '{{ postfix_dkim_conf }}' owner: root group: root - mode: 0644 + mode: "0644" notify: restart opendkim - tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf'] - -- name: Manage the DKIM service +- name: dkim | Manage the DKIM service + tags: ['postfix', 'postfix_dkim', 'dkim'] block: - - name: Ensure that the opendkim service is started and enabled - service: + - name: dkim | Ensure that the opendkim service is started and enabled + ansible.builtin.service: name: opendkim state: started enabled: true - - tags: ['postfix', 'postfix_dkim', 'dkim'] diff --git a/tasks/main.yml b/tasks/main.yml index 272a76e..0dadad6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,20 +1,33 @@ --- -- import_tasks: smtp-common-packages.yml -- import_tasks: dkim.yml +- name: SMTP packages + ansible.builtin.import_tasks: smtp-common-packages.yml +- name: DKIM management + ansible.builtin.import_tasks: dkim.yml when: postfix_dkim_enabled -- import_tasks: postsrsd.yml +- name: ARC management + ansible.builtin.import_tasks: arc.yml + when: postfix_arc_enabled +- name: SRS support + ansible.builtin.import_tasks: postsrsd.yml when: postfix_srs_sender_enabled or postfix_srs_receiver_enabled -- import_tasks: postfix_spf_policy.yml +- name: SPF policy check + ansible.builtin.import_tasks: postfix_spf_policy.yml when: postfix_spf_policy_install -- import_tasks: smtp-configuration.yml -- import_tasks: postfix_pflogsumm.yml -- import_tasks: postfix_firewalld.yml +- name: Postfix configuration + ansible.builtin.import_tasks: smtp-configuration.yml +- name: Install and configure pflogsumm + ansible.builtin.import_tasks: postfix_pflogsumm.yml +- name: EL firewalld rules + ansible.builtin.import_tasks: postfix_firewalld.yml when: ansible_distribution_file_variety == "RedHat" -- import_tasks: smtp-sasl-auth.yml +- name: SASL auth + ansible.builtin.import_tasks: smtp-sasl-auth.yml when: - postfix_use_sasl_auth | bool - postfix_relay_client | bool -- import_tasks: postfix-relay-server.yml +- name: Postfix as a relay server + ansible.builtin.import_tasks: postfix-relay-server.yml when: postfix_smtpd_server | bool -- import_tasks: postfix-letsencrypt-hook.yml +- name: Manage the letsencrypt certificates + ansible.builtin.import_tasks: postfix-letsencrypt-hook.yml when: postfix_use_letsencrypt | bool diff --git a/templates/arc_trustedhosts.j2 b/templates/arc_trustedhosts.j2 new file mode 100644 index 0000000..e71100a --- /dev/null +++ b/templates/arc_trustedhosts.j2 @@ -0,0 +1,3 @@ +{% for item in postfix_arc_trusted_hosts %} +{{ item }} +{% endfor %} diff --git a/templates/main.cf.j2 b/templates/main.cf.j2 index 121ecf2..0681856 100644 --- a/templates/main.cf.j2 +++ b/templates/main.cf.j2 @@ -579,6 +579,9 @@ milter_connect_macros = j {daemon_name} v _ {% endif %} # What to do in case of errors? Specify accept, reject, tempfail, # or quarantine (Postfix 2.6 or later). +# DMARC/ARC order +# * sending: dkim before arc +# * receiving: arc before dmarc milter_default_action = {{ postfix_milter_action }} smtpd_milters = {% if postfix_clamav_milter %} @@ -590,9 +593,15 @@ smtpd_milters = {% if postfix_dkim_enabled %} {{ postfix_dkim_milter_socket }} {% endif %} +{% if postfix_arc_enabled %} + {{ postfix_arc_milter_socket }} +{% endif %} {% if postfix_dkim_enabled %} non_smtpd_milters = {{ postfix_dkim_milter_socket }} +{% if postfix_arc_enabled %} + {{ postfix_arc_milter_socket }} +{% endif %} {% endif %} {% endif %} @@ -677,6 +686,7 @@ smtpd_sender_restrictions = {% if postfix_reject_unknown_sender_domain %} reject_unknown_sender_domain reject_non_fqdn_sender + reject_unauth_pipelining {% endif %} {% if postfix_reject_sender_login_mismatch %} reject_sender_login_mismatch diff --git a/templates/openarc.conf.j2 b/templates/openarc.conf.j2 new file mode 100644 index 0000000..c180f73 --- /dev/null +++ b/templates/openarc.conf.j2 @@ -0,0 +1,17 @@ +## See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more +PidFile /var/run/openarc/openarc.pid +Syslog yes +#Umask 002 +UserID {{ postfix_arc_user }}:{{ postfix_arc_group }} +Socket {{ postfix_arc_socket }} + +## After setting Mode to "sv", running +## opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org +## and putting /etc/openarc +Canonicalization {{ postfix_arc_canonicalization }} +Domain {{ postfix_arc_domain }} +Selector {{ postfix_arc_domain_selector }} +KeyFile {{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private +SignatureAlgorithm rsa-sha256 +InternalHosts {{ postfix_arc_base_dir }}/trustedhosts +Mode {{ postfix_arc_mode }} diff --git a/vars/main.yml b/vars/main.yml index 4861881..2a46e16 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -11,6 +11,17 @@ postfix_dkim_user: opendkim postfix_dkim_group: opendkim postfix_dkim_conf: /etc/opendkim.conf +postfix_arc_el_pkgs: + - openarc + +postfix_arc_deb_pkgs: [] + +postfix_arc_base_dir: /etc/openarc +postfix_arc_key_dir: "{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}" +postfix_arc_user: openarc +postfix_arc_group: openarc +postfix_arc_conf: /etc/openarc.conf + # Conf files and data files postfix_srs_secret_file: '/etc/postsrsd.secret' postfix_srs_conf_file: '/etc/default/postsrsd'