Verified Commit d65e9739 authored by shirenn's avatar shirenn 🌊 Committed by ynerant
Browse files

WIP:

parent 67aa7744
......@@ -63,7 +63,6 @@ postfix:
tls:
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
key: /etc/letsencrypt/live/crans.org/privkey.pem
sasl: true
smtp:
sender_login_maps:
- {entry: "@crans.org", owner: root}
......@@ -78,7 +77,7 @@ postfix:
- regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/'
action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
# - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/'
action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
# action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
milter: true
postscreen:
- comment: "Nice peoples"
......@@ -134,3 +133,7 @@ postfix:
- {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
- {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans}
client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64, 185.230.79.0/26, [2a0c:700:2::]/64"
sender_login_maps:
- {sender: "@crans.org", owner: root}
- {sender: "@crans.fr", owner: root}
- {sender: "@crans.eu", owner: root}
---
debian_mirror: http://deb.debian.org/debian
postfix:
primary: false
secondary: true
public: true
dkim: true
titanic: false
#postfix:
# primary: false
# secondary: true
# public: true
# dkim: true
# titanic: false
loc_wireguard:
tunnels:
......@@ -111,3 +111,95 @@ loc_reverseproxy:
redirect_sites: []
static_sites: []
postfix:
hostname: sputnik.crans.org
shortname: sputnik
domain: crans.org
origin: crans.org
append_dot: true
my_networks: "172.16.10.0/24, [fd00:0:0:10::]/64"
relay: "$mydestination, lists.$mydomain, $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu"
transport:
- method: smtp
comment: "Les mailing-listes sont délivrées localement"
params: "[172.16.10.110]"
targets: [lists.crans.org]
- method: smtp
comment: "Les mails sont délivrés par le serveur des adhérents"
params: "[172.16.10.31]"
targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr]
aliases: /var/local/services/mail/generated/aliases
virtual: /var/local/services/mail/generated/virtual
tls:
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
key: /etc/letsencrypt/live/crans.org/privkey.pem
smtp:
sender_login_maps:
- {entry: "@crans.org", owner: root}
- {entry: "@crans.fr", owner: root}
- {entry: "@crans.eu", owner: root}
mime_header_checks:
- regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/'
action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
# - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/'
# action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
milter: true
postscreen:
- comment: "Nice peoples"
verdict: permit
targets: ["127.0.0.1","185.230.76.0/22","185.230.79.40","172.16.10.0/24","82.225.39.54","91.121.179.40","46.105.102.188","fd00:0:0:10::/64","fd00:0:0:11::/64","2a0c:700:0:2::/64","2a0c:700:0:3::/64","2a0c:700:0:12::/64","2a0c:700:0:13::/64","2a0c:700:0:21::/64","2a0c:700:0:22::/64","2a0c:700:0:23::/64","2a0c:700:0:24::/64","2a0c:700:2::ff:fe01:1002"]
- comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015"
verdict: reject
targets: ["149.202.29.192/28","37.187.141.230","2001:41d0:a:4ce6::/64"]
- comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?"
verdict: reject
targets: ["37.187.132.105","92.222.109.0/27"]
- comment: "mail.alkar.net spam le 26/06/2016"
verdict: reject
targets: ["195.248.191.95"]
- comment: "mail.testfast.eu spam en juin 2016"
verdict: reject
targets: ["176.20.27.0/24"]
- comment: "Spam depuis des adresses en .ua"
verdict: reject
targets: ["91.194.84.10","213.186.200.70","185.117.89.15","62.141.42.44"]
- comment: "installio.co.ua"
verdict: reject
targets: ["217.79.181.5"]
- comment: Scam
verdict: reject
targets: ["180.137.106.59","169.255.7.5","110.159.122.90","37.104.198.10","46.62.146.206"]
- comment: "Spam alcoolisme 16/09/2018"
verdict: reject
targets: ["46.249.59.89"]
- comment: 'Spam "Pastoral shit"'
verdict: reject
targets: ["198.84.107.98","198.84.74.66","104.168.178.132","104.168.178.156","158.69.253.33"]
- comment: "Spam overdue payment"
verdict: reject
targets: ["193.56.28.114"]
- comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient."
verdict: reject
targets: ["94.242.206.15","91.188.222.33"]
- comment: "Et les russes ils dégagent aussi"
verdict: reject
targets: ["185.50.149.0/24"]
- comment: "2021/11/13: vague de spam"
verdict: reject
targets: ["139.162.150.93","130.255.78.23","85.171.248.149","37.59.38.218"]
recipient_access:
- {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."}
- {entry: "crans.org", action: OK}
- {entry: "crans.fr", action: OK}
- {entry: "crans.eu", action: OK}
client_checks:
- {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!}
- {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!}
- {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
- {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans}
client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64"
sender_login_maps:
- {sender: "@crans.org", owner: root}
- {sender: "@crans.fr", owner: root}
- {sender: "@crans.eu", owner: root}
......@@ -23,6 +23,7 @@
- recipient_access
- postscreen_access.cidr
- client_checks
- sender_login_maps
notify:
- generate postmaps
......
......@@ -30,13 +30,6 @@ biff = {% if postfix.biff is defined and postfix.biff %}yes{% else %}no{% endif
mail_spool_directory = {{ postfix.deliver.spool }}
{% endif %}
# Pour pouvoir tester sans tout casser, on active les soft bounces.
# Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais
# a la place, de renvoyer une erreur non permanente. En production
# il faut enlever ca.
soft_bounce = no
# smtpd_reject_unlisted_sender = yes
# +--------+
# | Divers |
# +--------+
......@@ -103,11 +96,10 @@ smtpd_sasl_auth_enable=yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
{% if postfix.submission %}
{% if postfix.submission is defined %}
permit_sasl_authenticated
{% endif %}
reject_invalid_helo_hostname
# reject_non_fqdn_helo_hostname
{% if postfix.client_checks is defined %}
# Vérifie que le client n'est pas dans un / d'ips blacklistées
check_client_access cidr:/etc/postfix/client_checks
......@@ -171,7 +163,7 @@ submission_sender_restrictions = permit_mynetworks
smtpd_policy_service_request_limit = 1
## Filtrage au RCPT TO
smtpd_recipient_restrictions =
{% if postfix.policy %}
{% if postfix.policy is defined and postfix.policy %}
# Test avec policyd-rate-limit pour limiter le nombre de mails par utilisateur SASL
check_policy_service { unix:ratelimit/policy, default_action=DUNNO }
{% endif %}
......@@ -179,7 +171,7 @@ smtpd_recipient_restrictions =
permit_mynetworks
# rejette les recipients sans nom de domaine totalement qualifie
reject_non_fqdn_recipient
{% if postfix.submission %}
{% if postfix.submission is defined %}
# permet si le client est authentifie
permit_sasl_authenticated
{% endif %}
......@@ -189,15 +181,13 @@ smtpd_recipient_restrictions =
# accepte si on est sur un destinaire en @crans
check_recipient_access hash:/etc/postfix/recipient_access
{% endif %}
# pour les @lists.crans.org, accepte si la greylist est d'accord
# check_policy_service inet:127.0.0.1:2501
# jette le reste
#smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
message_size_limit = 20971520
mailbox_size_limit = 78643000
{% if postfix.append_dot is defined and postfix.append_dot %}
# Obligation de specifier le nom de domaine complet
append_dot_mydomain = yes
{% else %}
# Obligation de specifier le nom de domaine complet
......
......@@ -83,7 +83,7 @@ smtp inet n - - - - smtpd
{% if postfix.postscreen %}
dnsblog unix - - - - 0 dnsblog
{% endif %}
{% if postfix.sasl %}
{% if postfix.submission is defined %}
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
......
{{ ansible_header | comment }}
@crans.org root
@crans.fr root
@crans.eu root
{% for entry in postfix.sender_login_maps %}
{{ '{:<16}{}'.format(entry.sender,entry.owner) }}
{% endfor %}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment