commit b6d0d169b540a5b73fe88fe777d5355faaa2da4d
from: gonzalo
date: Wed Aug 23 21:43:16 2023 UTC
Move dkim to rspamd and adjust a bit for next release, also kill the redundant rspam usage in the mda setup of smtpd.conf
commit - abb1813a45a07d82716954a5fc4142c7815145e2
commit + b6d0d169b540a5b73fe88fe777d5355faaa2da4d
blob - c8ebab3524d1b2c6f6692ad80c7e0335c8b871fa
blob + 3bdac2712a56d6ff6493f360b3384e5e67677f47
--- README.md
+++ README.md
@@ -1,7 +1,7 @@
 Ansible role for a Mailserver
 =============================
-Ansible role to create a Mailserver on OpenBSD (>=7.2 & -current) with OpenSMTPD, Dovecot and Rspamd.
+Ansible role to create a Mailserver on OpenBSD (>=7.4 & -current) with OpenSMTPD, Dovecot and Rspamd.
 Requirements
 ------------
@@ -11,8 +11,8 @@ OpenBSD, Python 3 (on client machine) and 10 minutes.
 Notes
 -----
-This is still a WIP, so far, you need to create DKIM keys, new users and DNS entrys. Also, you need
-to enable dovecot, smtpd, rspamd and dkimproxy_{in,out} at boot.
+This is still a WIP, so far, you need to create DKIM keys with rspamd (https://rspamd.com/doc/modules/dkim_signing.html),
+new users and DNS entries. Also, you need to enable dovecot, smtpd and rspamd at boot.
 You need to adjust your pf.conf (example bellow).
@@ -79,7 +79,7 @@ $ cat mailserver.yml
 domain: 'foobar.com'
 mail_dir: '/var/vmail'
 mail_user: 'gonzalo'
- release: '7.2'
+ release: '7.4'
 arch: 'amd64'
 installurl_mirror: 'https://cdn.openbsd.org/pub/OpenBSD/'
 pkg_path: 'https://cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
@@ -109,7 +109,7 @@ Example Playbook
 domain: 'foobar.com'
 mail_dir: '/var/vmail'
 mail_user: 'gonzalo'
- release: '7.2'
+ release: '7.4'
 arch: 'amd64'
 installurl_mirror: 'https://cdn.openbsd.org/pub/OpenBSD/'
 pkg_path: 'https://cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
@@ -145,4 +145,4 @@ and then restart dovecot with: ```rcctl restart doveco
 Author Information
 ------------------
-https://x61.sh/
+https://x61.ar/
blob - f514e2edf843eceefd81e8dcc1b4d490bf1da171 (mode 644)
blob + /dev/null
--- templates/dkimproxy_in.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# specify what address/port DKIMproxy should listen on
-listen 127.0.0.1:10025
-
-# specify what address/port DKIMproxy forwards mail to
-relay 127.0.0.1:10026
blob - /dev/null
blob + 5d1829f18a9539ef13fffdf21114fc4eed2f2b67 (mode 644)
--- /dev/null
+++ templates/dkim_signing.conf.j2
@@ -0,0 +1,9 @@
+allow_username_mismatch = true;
+
+domain {
+ ## https://rspamd.com/doc/modules/dkim_signing.html
+ {{ domain }} {
+ path = "/etc/mail/dkim/{{ domain }}.key";
+ selector = "dkim";
+ }
+}
blob - 7c567e61b52f5a003df3157e5cd918f3694f4475 (mode 644)
blob + /dev/null
--- templates/dkimproxy_out.conf.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-# specify what address/port DKIMproxy should listen on
-listen 127.0.0.1:10027
-
-# specify what address/port DKIMproxy forwards mail to
-relay 127.0.0.1:10028
-
-# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
-domain {{ domain }}
-
-# specify what signatures to add
-signature dkim(c=relaxed)
-signature domainkeys(c=nofws)
-
-# specify location of the private key
-# mkdir /etc/ssl/dkim && cd /etc/ssl/dkim
-# openssl genrsa -out {{ domain }}.key 1024
-# openssl rsa -in {{ domain }}.key -pubout -out {{ domain }}-public.key
-#
-keyfile /etc/ssl/dkim/{{ domain }}.key
-
-# specify the selector (i.e. the name of the key record put in DNS)
-selector dkim
-
-# control how many processes DKIMproxy uses
-# - more information on these options (and others) can be found by
-# running `perldoc Net::Server::PreFork'.
-#min_servers 5
-#min_spare_servers 2
blob - 674bca47a977ad6fad06d03a0827d200ac1cab38
blob + 13bd70b0dba6a347af95eeed6ab4f064b1babcec
--- templates/smtpd.conf.j2
+++ templates/smtpd.conf.j2
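Review bot: `allow_username_mismatch = true;` at the top of the new dkim_signing.conf.j2 is set without any comment; in rspamd's dkim_signing module it relaxes the check that the authenticated username matches the sender's domain, so every account that can authenticate gets its mail signed for {{ domain }} regardless of the From address. If the vmail logins in this role are bare usernames rather than user@{{ domain }} that is presumably why the option is needed, and a comment saying so, e.g. `## logins are bare usernames, not user@domain, so rspamd must not require a match`, would keep the next reader from reverting it; if they are full addresses the line can be dropped and the default kept. The private key also moves from the /etc/ssl/dkim location the deleted dkimproxy template documented to /etc/mail/dkim/{{ domain }}.key, and the README hunk only links the rspamd docs, so it should state the new path and that the key must be readable by the user rspamd runs as and by nobody else. I do not see a task in this diff that installs this template into rspamd's local.d, so confirm that part of the move is covered elsewhere in the commit.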
@@ -16,11 +16,8 @@ filter check_rdns phase connect match !rdns \
 filter check_fcrdns phase connect match !fcrdns \
 disconnect "550 no FCrDNS"
-## You can use this, but I suggest to have a close eye
-## to it for a couple busy days, could give a lot of
-## false positive cases
-#filter senderscore \
-# proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
+filter senderscore \
+ proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
 filter rspamd proc-exec "filter-rspamd"
@@ -37,7 +34,7 @@ smtp max-message-size 90M
 ## Ports
 listen on all tls pki {{ domain }} hostname {{ domain }} \
- filter { check_dyndns, check_rdns, check_fcrdns, rspamd }
+ filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
 listen on all smtps pki {{ domain }} hostname {{ domain }} \
 auth filter rspamd
 listen on all port submission tls-require pki {{ domain }} \
@@ -45,11 +42,11 @@ listen on all port submission tls-require pki {{ domai
 ## Actions
 action "mda_with_aliases" mda \
- "/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \
+ "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" \
 alias user vmail
 action "mda_with_virtuals" mda \
- "/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \
+ "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" \
 virtual user vmail
 action "mda_without_rspamd" mda \
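Review bot: The senderscore filter in the first hunk is now enabled unconditionally, and the second hunk puts it in the port-25 filter chain, while the removed comment warning about false positives gets no replacement; with `-blockBelow 10` every inbound connection's fate depends, as far as I know, on a DNS lookup against an external reputation service, and `-slowFactor 5000` adds delay for low-scoring senders. I would keep a short comment above the filter definition so operators know what to tune, e.g. `## senderscore queries an external reputation service per connection; watch the logs for a few busy days and adjust -blockBelow/-junkBelow if legitimate senders are rejected`. The new `proc-exec "filter-senderscore ..."` line also assumes the filter-senderscore package is installed, and the package list is not in this diff, so confirm it was added. Leaving senderscore off the smtps and submission listeners in the second hunk looks right, since those are authenticated.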