From 72cee2ef907981df4356253ab76e94327a311615 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sun, 19 Mar 2017 17:07:40 +0200
Subject: Add greylisting with postgrey

The whitelisted example.com domain is needed for server-yarns.
---
 .../roles/mail-server/files/whitelist_clients.local    | 1 +
 .../roles/mail-server/files/whitelist_recipients.local | 1 +
 ansible/roles/mail-server/handlers/main.yml            | 5 +++++
 ansible/roles/mail-server/tasks/postfix.yml            | 18 ++++++++++++++++++
 ansible/roles/mail-server/templates/postfix.main.cf.j2 | 6 ++++++
 5 files changed, 31 insertions(+)
 create mode 100644 ansible/roles/mail-server/files/whitelist_clients.local
 create mode 100644 ansible/roles/mail-server/files/whitelist_recipients.local

(limited to 'ansible/roles/mail-server')

diff --git a/ansible/roles/mail-server/files/whitelist_clients.local b/ansible/roles/mail-server/files/whitelist_clients.local
new file mode 100644
index 0000000..de54ac6
--- /dev/null
+++ b/ansible/roles/mail-server/files/whitelist_clients.local
@@ -0,0 +1 @@
+example.com
diff --git a/ansible/roles/mail-server/files/whitelist_recipients.local b/ansible/roles/mail-server/files/whitelist_recipients.local
new file mode 100644
index 0000000..fc37f9d
--- /dev/null
+++ b/ansible/roles/mail-server/files/whitelist_recipients.local
@@ -0,0 +1 @@
+root@
diff --git a/ansible/roles/mail-server/handlers/main.yml b/ansible/roles/mail-server/handlers/main.yml
index c23f773..6cfdfaa 100644
--- a/ansible/roles/mail-server/handlers/main.yml
+++ b/ansible/roles/mail-server/handlers/main.yml
@@ -3,6 +3,11 @@
     name: postfix
     state: restarted
 
+- name: restart postgrey
+  systemd:
+    name: postgrey
+    state: restarted
+
 - name: restart dovecot
   systemd:
     name: dovecot
diff --git a/ansible/roles/mail-server/tasks/postfix.yml b/ansible/roles/mail-server/tasks/postfix.yml
index 79bfacb..79ed2bb 100644
--- a/ansible/roles/mail-server/tasks/postfix.yml
+++ b/ansible/roles/mail-server/tasks/postfix.yml
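Review bot: The single entry `example.com` in whitelist_clients.local is matched by postgrey against the connecting client's hostname (its reverse-DNS name, as a domain suffix) or address, not against the envelope sender domain, so whether it actually exempts the server-yarns test traffic depends on how that test client appears to Postfix, not on the `MAIL FROM` it uses — worth confirming against the yarns. This also ships a test-only exemption to every deployment of the role; a one-line comment in the file, `# Client-name whitelist for the server-yarns test suite; postgrey matches this against the client's reverse DNS, not the sender address.`, would make the intent and the matching rule clear to whoever maintains the list later.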
@@ -46,3 +46,21 @@
       ) | sponge /etc/postfix/master.cf
     fi
   notify: restart postfix
+
+- name: install whitelisted recipients for postgrey
+  copy:
+    src: whitelist_recipients.local
+    dest: /etc/postgrey/whitelist_recipients.local
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart postgrey
+
+- name: install whitelisted sender domains for postgrey
+  copy:
+    src: whitelist_clients.local
+    dest: /etc/postgrey/whitelist_clients.local
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart postgrey
diff --git a/ansible/roles/mail-server/templates/postfix.main.cf.j2 b/ansible/roles/mail-server/templates/postfix.main.cf.j2
index 67cefe0..6fcb852 100644
--- a/ansible/roles/mail-server/templates/postfix.main.cf.j2
+++ b/ansible/roles/mail-server/templates/postfix.main.cf.j2
@@ -37,3 +37,9 @@
 smtpd_relay_restrictions = permit_mynetworks
     permit_sasl_authenticated
     reject_unauth_destination
+
+# Enable postgrey.
+smtpd_recipient_restrictions = permit_sasl_authenticated,
+    permit_mynetworks,
+    reject_unauth_destination,
+    check_policy_service inet:127.0.0.1:10023
\ No newline at end of file
-- 
cgit v1.2.1
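Review bot: The second task is named "install whitelisted sender domains for postgrey", but the file it installs is whitelist_clients.local, which postgrey matches against the connecting client's hostname or IP rather than the sender domain; the name will mislead the next person who adds an entry expecting it to exempt a sender, so rename it to `- name: install whitelisted client hosts for postgrey`. Neither task ensures the postgrey package is installed or that /etc/postgrey exists, so on a fresh host the copy fails unless an earlier task outside this hunk installs it — if none does, add `- name: install postgrey` / `  apt:` / `    name: postgrey` ahead of these. The `.local` suffix relies on postgrey reading the `.local` whitelist files alongside the packaged ones, which is the Debian layout as far as I know; a comment on the first task, `# postgrey reads whitelist_*.local alongside the packaged whitelist_* files`, would record that assumption.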
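Review bot: The comment `# Enable postgrey.` leaves the one thing that matters about this list unexplained: the order. `permit_sasl_authenticated` and `permit_mynetworks` come first so submissions from authenticated users and local hosts are never greylisted, and `reject_unauth_destination` comes before `check_policy_service` so relay attempts are rejected outright instead of being handed to the policy daemon and possibly greylisted into a retry; suggest replacing the comment with `# Greylist with postgrey. Keep check_policy_service last: local/authenticated` / `# clients are exempt and relay attempts are rejected before consulting postgrey.` The `reject_unauth_destination` here duplicates the one already in smtpd_relay_restrictions just above, which is harmless belt-and-braces but worth a word in that comment. If postgrey is not listening on 127.0.0.1:10023, Postfix tempfails inbound mail rather than failing open, as far as I recall, so a postgrey outage is a deferral, not a bypass — acceptable, but it makes the handler's restart worth monitoring. The template also ends without a trailing newline; add one so a later append does not merge into the `check_policy_service` line.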