commit - 60d751bbada07b8a02ff42e4828aabd10e4333ad
commit + de0346c2bbcd9bfda04399ba4d1fd4bdbf6839c1
blob - e185779d7e53deb6c81332606c8307bddacd802e
blob + 3579d216ac99b50ee6495c4ad6e7559c51bcb854
--- README.md
+++ README.md
Ansible role for a Mailserver
=============================
-Ansible role to create a Mailserver on OpenBSD (>=6.4 & -current) with OpenSMTPD, Dovecot, DKIMProxy and Rspamd.
+Ansible role to create a Mailserver on OpenBSD (>=6.6 & -current) with OpenSMTPD, Dovecot and Rspamd.
Requirements
------------
domain: 'foobar.com'
mail_dir: '/var/vmail'
mail_user: 'gonzalo'
- release: '6.5'
+ release: '6.6'
arch: 'amd64'
installurl_mirror: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/'
pkg_path: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
packages_list:
- dovecot
- dovecot-pigeonhole
- - dkimproxy
- - rspamd
- opensmtpd-extras
+ - opensmtpd-filter-rspamd
+ - opensmtpd-filter-senderscore
+ - rspamd
$ ansible-playbook -i hosts mailserver.yml
...MAGIC...
$
packages_list:
- dovecot
- dovecot-pigeonhole
- - dkimproxy
- - rspamd
- opensmtpd-extras
+ - opensmtpd-filter-rspamd
+ - opensmtpd-filter-senderscore
+ - rspamd
```
Enable Spam Learning with Dovecot Antispam
blob - 0892de2a7eb7e40568a3a38f8687d423c7500aa4
blob + bfa5b5b8071275e102a7479c097124aa16e4ccb0
--- templates/smtpd.conf.j2
+++ templates/smtpd.conf.j2
pki {{ domain }} cert "/etc/ssl/{{ domain }}_fullchain.pem"
pki {{ domain }} key "/etc/ssl/private/{{ domain }}_private.pem"
+## Filters
+filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+ disconnect "550 no residential connections"
+
+filter check_rdns phase connect match !rdns \
+ disconnect "550 no rDNS"
+
+filter check_fcrdns phase connect match !fcrdns \
+ disconnect "550 no FCrDNS"
+
+#filter senderscore \
+# proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
+
+filter rspamd proc-exec "filter-rspamd"
+
## Tables
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
smtp max-message-size 50M
## Ports
-listen on lo0
-listen on lo0 port 10028 tag DKIM
-listen on egress tls pki {{ domain }} hostname \
- {{ domain }}
-listen on egress smtps pki {{ domain }} hostname \
- {{ domain }}
-## If you use neomutt as a client
-## on the same server as me you need
-## this rule
-listen on lo0 port submission tls-require pki {{ domain }} \
- hostname {{ domain }} auth <passwd>
-##
-listen on egress port submission tls-require pki {{ domain }} \
- hostname {{ domain }} auth <passwd>
+listen on all tls pki {{ domain }} hostname {{ domain }} \
+ filter { check_dyndns, check_rdns, check_fcrdns, rspamd }
+listen on all smtps pki {{ domain }} hostname {{ domain }} \
+ auth <passwd> filter rspamd
+listen on all port submission tls-require pki {{ domain }} \
+ hostname {{ domain }} auth <passwd> mask-src filter rspamd
+## Actions
action "mda_with_aliases" mda \
"/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \
alias <aliases> user vmail
"/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \
virtual <virtuals> user vmail
+action "mda_without_rspamd" mda \
+ "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" \
+ virtual <virtuals> user vmail
+
action "relay" relay
-action "dkim_relay" relay host smtp://127.0.0.1:10027
-
match from any mail-from <blacklist-recipients> for domain <domains> reject
-#match for local action "mda_with_aliases"
match for local action "mda_with_virtuals"
+match auth from any for domain <domains> action "mda_without_rspamd"
match from any for domain <domains> action "mda_with_virtuals"
-match tag DKIM for any action "relay"
-match from local for any action "dkim_relay"
-match auth from any for any action "dkim_relay"
+match from local for any action "relay"
+match auth from any for any action "relay"
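Review bot: The smtps listener (`listen on all smtps ... auth <passwd> filter rspamd`) accepts authenticated submission but omits `mask-src`, while the submission-port listener two lines below has it, so clients that submit over 465 will have their source address written into Received headers whereas the same user on 587 will not. Unless that difference is intended, the second line of that listener should read `auth <passwd> mask-src filter rspamd`. Separately, the port-25 listener moved from `egress` to `all`, so it now also answers on lo0 with the `check_rdns`/`check_fcrdns` disconnect filters attached; anything on the host that still connects to 127.0.0.1:25 (the removed lo0 listeners suggest there was such a client) presumably depends on localhost having forward-confirmed rDNS, which is worth confirming or documenting with a comment such as `# lo0 connections are subject to the rDNS/FCrDNS filters too`. The `mda_without_rspamd` action would also benefit from a one-line comment stating that authenticated senders to local domains deliberately skip `rspamc` classification, since that exemption is only visible by reading the match rules.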