Commit Diff


commit - abb1813a45a07d82716954a5fc4142c7815145e2
commit + b6d0d169b540a5b73fe88fe777d5355faaa2da4d
blob - c8ebab3524d1b2c6f6692ad80c7e0335c8b871fa
blob + 3bdac2712a56d6ff6493f360b3384e5e67677f47
--- README.md
+++ README.md
@@ -1,7 +1,7 @@
 Ansible role for a Mailserver
 =============================
 
-Ansible role to create a Mailserver on OpenBSD (>=7.2 & -current) with OpenSMTPD, Dovecot and Rspamd.
+Ansible role to create a Mailserver on OpenBSD (>=7.4 & -current) with OpenSMTPD, Dovecot and Rspamd.
 
 Requirements
 ------------
@@ -11,8 +11,8 @@ OpenBSD, Python 3 (on client machine) and 10 minutes.
 Notes
 -----
 
-This is still a WIP, so far, you need to create DKIM keys, new users and DNS entrys. Also, you need
-to enable dovecot, smtpd, rspamd and dkimproxy_{in,out} at boot.
+This is still a WIP, so far, you need to create DKIM keys with rspamd (https://rspamd.com/doc/modules/dkim_signing.html),
+new users and DNS entries. Also, you need to enable dovecot, smtpd and rspamd at boot.
 
 You need to adjust your pf.conf (example bellow).
 
@@ -79,7 +79,7 @@ $ cat mailserver.yml
    domain: 'foobar.com'
    mail_dir: '/var/vmail'
    mail_user: 'gonzalo'
-   release: '7.2'
+   release: '7.4'
    arch: 'amd64'
    installurl_mirror: 'https://cdn.openbsd.org/pub/OpenBSD/'
    pkg_path: 'https://cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
@@ -109,7 +109,7 @@ Example Playbook
    domain: 'foobar.com'
    mail_dir: '/var/vmail'
    mail_user: 'gonzalo'
-   release: '7.2'
+   release: '7.4'
    arch: 'amd64'
    installurl_mirror: 'https://cdn.openbsd.org/pub/OpenBSD/'
    pkg_path: 'https://cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
@@ -145,4 +145,4 @@ and then restart dovecot with: ```rcctl restart doveco
 Author Information
 ------------------
 
-https://x61.sh/
+https://x61.ar/
blob - f514e2edf843eceefd81e8dcc1b4d490bf1da171 (mode 644)
blob + /dev/null
--- templates/dkimproxy_in.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# specify what address/port DKIMproxy should listen on
-listen    127.0.0.1:10025
-
-# specify what address/port DKIMproxy forwards mail to
-relay     127.0.0.1:10026
blob - /dev/null
blob + 5d1829f18a9539ef13fffdf21114fc4eed2f2b67 (mode 644)
--- /dev/null
+++ templates/dkim_signing.conf.j2
@@ -0,0 +1,9 @@
+allow_username_mismatch = true;
+
+domain {
+	## https://rspamd.com/doc/modules/dkim_signing.html
+	{{ domain }} {
+		path = "/etc/mail/dkim/{{ domain }}.key";
+		selector = "dkim";
+	}
+}
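Review bot: `allow_username_mismatch = true;` on the first line of the new template relaxes rspamd's check that ties the authenticated username to the signing domain, and nothing in the file says why. The README example uses a bare login (`mail_user: 'gonzalo'`), which is presumably the reason, so a comment such as `## logins have no @domain part, so the username/domain match is disabled: every authenticated user is signed for this domain` would make the trade-off visible. Because the README now leaves key creation to the operator, a second comment next to `path` should say that the key file must be readable by the user rspamd runs as and by nobody else. The removed dkimproxy template suggested a 1024-bit RSA key, so it is also worth stating the expected key size here rather than relying on the linked page.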
blob - 7c567e61b52f5a003df3157e5cd918f3694f4475 (mode 644)
blob + /dev/null
--- templates/dkimproxy_out.conf.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-# specify what address/port DKIMproxy should listen on
-listen    127.0.0.1:10027
-
-# specify what address/port DKIMproxy forwards mail to
-relay     127.0.0.1:10028
-
-# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
-domain	  {{ domain }}
-
-# specify what signatures to add
-signature dkim(c=relaxed)
-signature domainkeys(c=nofws)
-
-# specify location of the private key
-# mkdir /etc/ssl/dkim && cd /etc/ssl/dkim
-# openssl genrsa -out {{ domain }}.key 1024
-# openssl rsa -in {{ domain }}.key -pubout -out {{ domain }}-public.key
-# 
-keyfile		/etc/ssl/dkim/{{ domain }}.key
-
-# specify the selector (i.e. the name of the key record put in DNS)
-selector  dkim
-
-# control how many processes DKIMproxy uses
-#  - more information on these options (and others) can be found by
-#    running `perldoc Net::Server::PreFork'.
-#min_servers 5
-#min_spare_servers 2
blob - 674bca47a977ad6fad06d03a0827d200ac1cab38
blob + 13bd70b0dba6a347af95eeed6ab4f064b1babcec
--- templates/smtpd.conf.j2
+++ templates/smtpd.conf.j2
@@ -16,11 +16,8 @@ filter check_rdns phase connect match !rdns \
 filter check_fcrdns phase connect match !fcrdns \
 	disconnect "550 no FCrDNS"
 
-## You can use this, but I suggest to have a close eye
-## to it for a couple busy days, could give a lot of
-## false positive cases
-#filter senderscore \
-#	proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
+filter senderscore \
+	proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
 
 filter rspamd proc-exec "filter-rspamd"
 
@@ -37,7 +34,7 @@ smtp max-message-size 90M
 
 ## Ports
 listen on all tls pki {{ domain }} hostname {{ domain }} \
-        filter { check_dyndns, check_rdns, check_fcrdns, rspamd }
+	filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
 listen on all smtps pki {{ domain }} hostname {{ domain }} \
         auth <passwd> filter rspamd
 listen on all port submission tls-require pki {{ domain }} \
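Review bot: The port-25 listener now rejects and junks on Sender Score, but the thresholds are hardcoded in the filter definition in the previous hunk (`-blockBelow 10 -junkBelow 70 -slowFactor 5000`) and the commit deletes the only warning about false positives. I would keep a short comment above the filter, for example `## rejects below 10, junks below 70; watch maillog for false positives after enabling`, and consider exposing the two thresholds as role variables so an operator can relax them without editing the template. The diff does not show a task installing filter-senderscore, so please confirm the role installs it; a missing proc-exec binary will presumably keep smtpd from starting. The changed line is also indented with a tab while the continuation lines below it still use spaces.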
@@ -45,11 +42,11 @@ listen on all port submission tls-require pki {{ domai
 
 ## Actions
 action "mda_with_aliases" mda \
-	"/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \
+	"/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" \
 	alias <aliases> user vmail
 
 action "mda_with_virtuals" mda \
-	"/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \
+	"/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" \
 	virtual <virtuals> user vmail
 
 action "mda_without_rspamd" mda \
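Review bot: With `rspamc --mime -e` removed from `mda_with_aliases` and `mda_with_virtuals`, scanning happens only where a listener carries `filter rspamd`, so mail that enters the queue by another path (local enqueue, for instance) would now reach dovecot-lda unscanned unless a rule outside this hunk covers it. A comment above the actions, such as `## scanning is done by filter-rspamd on the listeners; delivery goes straight to dovecot-lda`, would record that dependency. The action `mda_without_rspamd` starts on the last line of the hunk and its body is not visible, but after this change the other two actions no longer call rspamc either, so the name distinction looks obsolete and the rules that select between them should be checked.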