commit de0346c2bbcd9bfda04399ba4d1fd4bdbf6839c1 from: gonzalo date: Tue Nov 19 14:20:14 2019 UTC Update playbook to the current smtpd changes commit - 60d751bbada07b8a02ff42e4828aabd10e4333ad commit + de0346c2bbcd9bfda04399ba4d1fd4bdbf6839c1 blob - e185779d7e53deb6c81332606c8307bddacd802e blob + 3579d216ac99b50ee6495c4ad6e7559c51bcb854 --- README.md +++ README.md @@ -1,7 +1,7 @@ Ansible role for a Mailserver ============================= -Ansible role to create a Mailserver on OpenBSD (>=6.4 & -current) with OpenSMTPD, Dovecot, DKIMProxy and Rspamd. +Ansible role to create a Mailserver on OpenBSD (>=6.6 & -current) with OpenSMTPD, Dovecot and Rspamd. Requirements ------------ @@ -83,16 +83,17 @@ $ cat mailserver.yml domain: 'foobar.com' mail_dir: '/var/vmail' mail_user: 'gonzalo' - release: '6.5' + release: '6.6' arch: 'amd64' installurl_mirror: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/' pkg_path: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/' packages_list: - dovecot - dovecot-pigeonhole - - dkimproxy - - rspamd - opensmtpd-extras + - opensmtpd-filter-rspamd + - opensmtpd-filter-senderscore + - rspamd $ ansible-playbook -i hosts mailserver.yml ...MAGIC... $ @@ -119,9 +120,10 @@ Example Playbook packages_list: - dovecot - dovecot-pigeonhole - - dkimproxy - - rspamd - opensmtpd-extras + - opensmtpd-filter-rspamd + - opensmtpd-filter-senderscore + - rspamd ``` Enable Spam Learning with Dovecot Antispam blob - 0892de2a7eb7e40568a3a38f8687d423c7500aa4 blob + bfa5b5b8071275e102a7479c097124aa16e4ccb0 --- templates/smtpd.conf.j2 +++ templates/smtpd.conf.j2 
@@ -2,6 +2,21 @@ pki {{ domain }} cert "/etc/ssl/{{ domain }}_fullchain.pem" pki {{ domain }} key "/etc/ssl/private/{{ domain }}_private.pem" +## Filters +filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \ + disconnect "550 no residential connections" + +filter check_rdns phase connect match !rdns \ + disconnect "550 no rDNS" + +filter check_fcrdns phase connect match !fcrdns \ + disconnect "550 no FCrDNS" + +#filter senderscore \ +# proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000" + +filter rspamd proc-exec "filter-rspamd" + ## Tables table aliases file:/etc/mail/aliases table domains file:/etc/mail/domains @@ -13,21 +28,14 @@ table blacklist-recipients file:/etc/mail/blacklist-re smtp max-message-size 50M ## Ports -listen on lo0 -listen on lo0 port 10028 tag DKIM -listen on egress tls pki {{ domain }} hostname \ - {{ domain }} -listen on egress smtps pki {{ domain }} hostname \ - {{ domain }} -## If you use neomutt as a client -## on the same server as me you need -## this rule -listen on lo0 port submission tls-require pki {{ domain }} \ - hostname {{ domain }} auth -## -listen on egress port submission tls-require pki {{ domain }} \ - hostname {{ domain }} auth +listen on all tls pki {{ domain }} hostname {{ domain }} \ + filter { check_dyndns, check_rdns, check_fcrdns, rspamd } +listen on all smtps pki {{ domain }} hostname {{ domain }} \ + auth filter rspamd +listen on all port submission tls-require pki {{ domain }} \ + hostname {{ domain }} auth mask-src filter rspamd +## Actions action "mda_with_aliases" mda \ "/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \ alias user vmail 
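Review bot: The three new `disconnect` filters (check_dyndns, check_rdns, check_fcrdns) reply with a 550 at the connect phase, but for a refusal in the greeting RFC 5321 §3.1 expects 554, and some MTAs treat a non-554 banner as transient and keep retrying; `disconnect "554 no FCrDNS"` (and likewise for the other two) follows the spec. The senderscore filter is added commented out while the README in this same commit adds `opensmtpd-filter-senderscore` to `packages_list`, so an operator will find the package installed but inactive with no explanation. A one-line comment above the commented block, such as `# opt-in: uncomment to reject/junk connections by SenderScore reputation (needs outbound DNS)`, would document why it ships disabled. The unanchored regexes `.*\.dyn\..*` and `.*\.dsl\..*` also match any hostname containing those labels anywhere, which is presumably intended but worth a comment.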
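Review bot: The smtps listener `listen on all smtps pki {{ domain }} hostname {{ domain }} auth filter rspamd` accepts authenticated submissions but omits `mask-src`, whereas the submission listener two lines below has it, so a user's client IP and hostname are written into the Received header when they send on 465 but not on 587. Adding it — `listen on all smtps pki {{ domain }} hostname {{ domain }} auth mask-src filter rspamd` — makes both submission ports behave the same. Replacing `listen on lo0` with `listen on all` also means connections to 127.0.0.1:25 now pass through the rDNS/FCrDNS connect filters that the old loopback listener did not have; whether the loopback address passes `fcrdns` depends on the host's resolver and /etc/hosts setup, so a local client on port 25 should be tested after deploy. A short comment on the first listener, e.g. `# MX: opportunistic STARTTLS, no auth, anti-spam connect filters`, would make the intent of the three listeners explicit.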
@@ -36,14 +44,15 @@ action "mda_with_virtuals" mda \ "/usr/local/bin/rspamc --mime -e '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}'" \ virtual user vmail +action "mda_without_rspamd" mda \ + "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" \ + virtual user vmail + action "relay" relay -action "dkim_relay" relay host smtp://127.0.0.1:10027 - match from any mail-from for domain reject -#match for local action "mda_with_aliases" match for local action "mda_with_virtuals" +match auth from any for domain action "mda_without_rspamd" match from any for domain action "mda_with_virtuals" -match tag DKIM for any action "relay" -match from local for any action "dkim_relay" -match auth from any for any action "dkim_relay" +match from local for any action "relay" +match auth from any for any action "relay"
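Review bot: With `dkim_relay` removed, `match from local for any action "relay"` and `match auth from any for any action "relay"` hand outbound mail straight to the plain relay, and the only rspamd hook left in this file is the per-listener `filter rspamd`; mail enqueued through the local socket (sendmail(8), cron) never passes a listener filter, so if rspamd's DKIM signing is what is meant to replace dkimproxy here, that locally enqueued mail would presumably go out unsigned — worth confirming, and worth a comment on the `from local` rule stating where outbound signing now happens. The new `match auth from any for domain action "mda_without_rspamd"` only takes effect because it sits above the `match from any for domain` catch-all; a comment such as `# authenticated senders to local domains skip the rspamc MDA wrapper; must stay before the generic for-domain rule` would keep a later edit from reordering it. The mda_with_virtuals action that this hunk's context begins with starts outside the hunk.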