From 954a746947b7395fe3252e9df371da30546ee762 Mon Sep 17 00:00:00 2001
From: Micah
Date: Thu, 2 Jun 2016 12:42:10 -0400
Subject: Fix opendkim milter location (#8163).
The unix socket method for connecting to the milter was incorrectly reverted, this puts it back to how it should be.
Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2
---
puppet/modules/site_postfix/manifests/mx.pp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index c269946b..e743118e 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -69,10 +69,10 @@ class site_postfix::mx {
 value => '$alias_maps';
 # setup clamav and opendkim on smtpd
 'smtpd_milters':
- value => 'unix:/run/clamav/milter.ctl,inet:localhost:8891';
+ value => 'unix:/run/clamav/milter.ctl,unix:/run/opendkim/opendkim.sock';
 # setup opendkim for smtp (non-smtpd) outgoing mail
 'non_smtpd_milters':
- value => 'inet:localhost:8891';
+ value => 'unix:/run/opendkim/opendkim.sock';
 'milter_default_action':
 value => 'accept';
 # Make sure that the right values are set, these could be set to different
-- 
cgit v1.2.3
From 12b00fbf578d88281d3a00f268ffeda460d383d8 Mon Sep 17 00:00:00 2001
From: Micah
Date: Thu, 16 Jun 2016 11:39:11 -0400
Subject: Fix matching for cleanup check.
The onlyif check was incorrectly specified in the original implementation in commit id: 15b83d88dcedab496a19cef57f11c5c8e091dd4a this inverts it so it is properly detected.
Change-Id: I531e206fff1ca61780adcd195e1f917011e50fb4
---
puppet/modules/site_postfix/manifests/mx.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index e743118e..0b760eb4 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
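Review bot: The socket path `/run/opendkim/opendkim.sock` now appears twice in this hunk, in `smtpd_milters` and again in `non_smtpd_milters`, and the commit message says the setting has already been reverted by mistake once; a single `$opendkim_milter = 'unix:/run/opendkim/opendkim.sock'` declared in `site_postfix::mx` and interpolated into both values would keep the two from drifting apart. A `unix:` milter path is resolved inside the chroot for any Postfix service that runs chrooted, so whether smtpd (and cleanup, which applies `non_smtpd_milters`) can actually reach the socket depends on master.cf settings this hunk does not show; the next commit on this page un-chroots cleanup for exactly that reason. A short comment next to `smtpd_milters`, such as `# unix: milter paths are relative to the chroot of the service that uses them; see unset_cleanup_chroot below`, would record that dependency where the path is set. The enclosing config resource continues outside the hunk.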
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -96,7 +96,7 @@ class site_postfix::mx {
 # access the opendkim milter socket (#8020)
 exec { 'unset_cleanup_chroot':
 command => '/usr/sbin/postconf -F "cleanup/unix/chroot=n"',
- onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -q ^n',
+ onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -qv ^n',
 notify => Service['postfix'],
 require => File['/etc/postfix/master.cf']
 }
-- 
cgit v1.2.3
From f294ddcca7fbe20de788053bfba1cc9c8417ddd8 Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 5 Jul 2016 11:50:41 -0400
Subject: Use DANE/TLSA validation in postfix (#8141).
Configure DNSSEC validation for client verification, giving us a stronger form of opportunistic TLS
Change-Id: Iab92d4f593c4a5a44e3b694295096b0d7f687a37
---
puppet/modules/site_postfix/manifests/mx.pp | 33 +++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 0b760eb4..2dac85f5 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -57,10 +57,6 @@ class site_postfix::mx {
 value => 'sha1';
 'relay_clientcerts':
 value => 'tcp:localhost:2424';
- # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
- # because the satellites need to have a different value
- 'smtp_tls_security_level':
- value => 'may';
 # reject inbound mail to system users
 # see https://leap.se/code/issues/6829
 # this blocks *only* mails to system users, that don't appear in the
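Review bot: The corrected `onlyif` still matches the chroot field by prefix (`^n`) rather than exactly, and `egrep` is a deprecated spelling of `grep -E`; `onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | grep -Evq "^n$"'` says the same thing more precisely and without the alias. The inversion means the `-` (use-master.cf-default) value is treated as chrooted and rewritten to an explicit `n`, which is the behaviour the comment above the exec asks for, but it is not obvious from the one-character pattern; a comment such as `# anything other than an explicit 'n' (including the '-' default) is rewritten` would make the intent survive the next edit. If this exec uses Puppet's default posix provider, the pipe only works because the command string ends up in a shell, so `provider => 'shell'` would make that dependency explicit.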
@@ -90,6 +86,35 @@ class site_postfix::mx {
 value => 'permit_mynetworks';
 'postscreen_greet_action':
 value => 'enforce';
+ # Level of DNS support in the Postfix SMTP client. Enable DNS lookups
+ # (default: empty). When empty, then the legacy "disable_dns_lookups"
+ # (default: no) parameter is used. Setting 'smtp_dns_support_level' to
+ # enabled sets the previous behavior with the new parameter. When set to
+ # 'dnssec" this enables DNSSEC lookups.
+ 'smtp_dns_support_level':
+ value => 'dnssec';
+
+ # http://www.postfix.org/TLS_README.html#client_tls_dane The "dane" level is
+ # a stronger form of opportunistic TLS that is resistant to man in the
+ # middle and downgrade attacks when the destination domain uses DNSSEC to
+ # publish DANE TLSA records for its MX hosts. If a remote SMTP server has
+ # "usable" (see RFC 6698) DANE TLSA records, the server connection will be
+ # authenticated. When DANE authentication fails, there is no fallback to
+ # unauthenticated or plaintext delivery.
+ #
+ # If TLSA records are published for a given remote SMTP server (implying TLS
+ # support), but are all "unusable" due to unsupported parameters or
+ # malformed data, the Postfix SMTP client will use mandatory unauthenticated
+ # TLS. Otherwise, when no TLSA records are published, the Postfix SMTP
+ # client behavior is the same as with may.
+ #
+ # This requires postfix to be able to send its DNS queries to a recursive
+ # DNS nameserver that is able to validate the signed records
+ #
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the satellites need to have a different value
+ 'smtp_tls_security_level':
+ value => 'dane';
 }
 # Make sure that the cleanup serivce is not chrooted, otherwise it cannot
-- 
cgit v1.2.3
From 68544ba2ffdfa988c060b3b4c5bd075f7304a022 Mon Sep 17 00:00:00 2001
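Review bot: The comment block on the new `smtp_dns_support_level` entry has mismatched quotes in its last line, `'dnssec"`; it should read `# 'dnssec' this enables DNSSEC lookups.`. The larger gap is that the comment itself says `dane` only delivers its guarantee when Postfix can reach a validating recursive resolver, yet nothing in this hunk expresses that as a Puppet relationship; if the resolver is configured by another class, a `require` on it (or at least a comment naming that class) would stop the two from being changed independently and silently leaving `dane` with only `may`-level protection. As the added text already notes, destinations without usable TLSA records fall back to the `may` behaviour, so the hardening is bounded by the resolver path and the remote domain's DNSSEC deployment; that is worth one line in the comment so operators do not assume all outbound mail is now authenticated. The enclosing config resource starts outside the hunk.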
From: Micah
Date: Tue, 12 Jul 2016 11:11:56 -0400
Subject: Block MTAs that claim they are 'localhost'.
Nobody should be claiming that they are localhost when they are connecting over smtpd
Change-Id: Ifb7df855b4e12021c58b89b2053e31fb10806096
---
puppet/modules/site_postfix/templates/checks/helo_access.erb | 2 ++
1 file changed, 2 insertions(+)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb
index bac2c45a..e0708605 100644
--- a/puppet/modules/site_postfix/templates/checks/helo_access.erb
+++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb
@@ -19,3 +19,5 @@
 # Reject anybody that HELO's as being in our own domain(s)
 # anyone who identifies themselves as us is a virus/spammer
 <%= @domain %> 554 You are not in domain <%= @domain %>
+localhost 554 You are not localhost
+
-- 
cgit v1.2.3
From bbdc193f05cb2f1624d6c7bbffd27f8060de35c8 Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 12 Jul 2016 11:20:58 -0400
Subject: Block ip-based helo at MTA (#8139).
Numeric helo is a very strong indicator of spam. When this is blocked, a very significant amount of spam stops.
Change-Id: Ieb340190faf37638950d1aa60b52268659e0b7f6
---
puppet/modules/site_postfix/files/checks/helo_access.pcre | 2 ++
puppet/modules/site_postfix/manifests/mx/checks.pp | 7 +++++++
puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +-
3 files changed, 10 insertions(+), 1 deletion(-)
create mode 100644 puppet/modules/site_postfix/files/checks/helo_access.pcre
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/files/checks/helo_access.pcre b/puppet/modules/site_postfix/files/checks/helo_access.pcre
new file mode 100644
index 00000000..4ebd42e6
--- /dev/null
+++ b/puppet/modules/site_postfix/files/checks/helo_access.pcre
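Review bot: The new `localhost` entry in the hash table matches a HELO of exactly `localhost` (and its subdomains, if `parent_domain_matches_subdomains` still contains `smtpd_access_maps`, which is the Postfix default); the common `localhost.localdomain` variant is not covered, and the bracketed address-literal form is left to the numeric-HELO pcre rule added by the next commit on this page. If the goal is to refuse anything claiming to be the local host, adding `localhost.localdomain 554 You are not localhost` beside it, with a comment stating which forms are deliberately left to the pcre table, would make the policy complete and self-describing. Because `permit_mynetworks` precedes `check_helo_access` in the restriction list shown later on this page, hosts in `$mynetworks` are not affected by this entry. The table's earlier entries start outside the hunk.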
@@ -0,0 +1,2 @@
+!/[[:alpha:]]/ REJECT Numeric HELO is a sign of spam, please contact us if this is in error
+
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp
index f406ad34..9678c205 100644
--- a/puppet/modules/site_postfix/manifests/mx/checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/checks.pp
@@ -1,3 +1,4 @@
+# management of specific MTA checks
 class site_postfix::mx::checks {
 file {
@@ -13,6 +14,12 @@ class site_postfix::mx::checks {
 mode => '0644',
 owner => root,
 group => root;
+
+ '/etc/postfix/checks/helo_checks.pcre':
+ source => 'puppet:///modules/site_postfix/checks/helo_access.pcre',
+ mode => '0644',
+ owner => root,
+ group => root;
 }
 exec {
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 291d7ee4..162e6d86 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -28,7 +28,7 @@ class site_postfix::mx::smtpd_checks {
 'smtps_relay_restrictions':
 value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';
 'smtps_helo_restrictions':
- value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
+ value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, check_helo_access pcre:$checks_dir/helo_checks.pcre, permit';
 'smtpd_sender_restrictions':
 value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
 }
-- 
cgit v1.2.3
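Review bot: `!/[[:alpha:]]/` rejects any HELO argument that contains no letter, which covers bare IPv4 addresses and the bracketed IPv4 address-literal form that RFC 5321 permits, but an IPv6 address literal (`[IPv6:...]`) contains letters and passes untouched; the rule is therefore a policy decision about IPv4 literals rather than a general numeric-HELO check. A comment line above the rule, `# reject HELO arguments with no alphabetic character: bare IPv4 addresses and [IPv4] literals; IPv6 literals are not matched`, would make that scope visible to whoever tunes it later, since the pcre table format accepts `#` comments. Internal clients are exempt because `permit_mynetworks` is listed first in the restriction that consumes this table, as the last hunk of this commit shows.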
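Review bot: The new file resource installs the module's `helo_access.pcre` as `/etc/postfix/checks/helo_checks.pcre`, so the source name and the installed name disagree while the neighbouring hash table is `helo_checks` throughout; renaming the module file to `helo_checks.pcre` (or a comment explaining the deliberate mismatch) avoids a dead end for anyone grepping for the table. A `pcre:` lookup table also needs Postfix's PCRE dictionary support, which Debian ships in the separate `postfix-pcre` package; nothing in this commit declares that package, and if it is not managed elsewhere smtpd is likely to log the lookup as unsupported and answer with a temporary configuration error on this restriction instead of applying it. A `require => Package['postfix-pcre']` on the file resource, or a comment naming where that package is ensured, would close the gap. The first hunk of this file only adds a header comment and needs nothing further.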
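Review bot: The pcre table is wired into `smtps_helo_restrictions` only; the commit message motivates the change with spam arriving at the MTA, and if the port-25 smtpd service is driven by a separate `smtpd_helo_restrictions` parameter that this hunk does not touch, the inbound path would not receive the new rule — worth confirming which service this custom parameter actually feeds. Independently of that, `check_helo_access` can only act on a HELO the client sends, so unless `smtpd_helo_required` is set (not visible here) a client that skips HELO bypasses both the hash and the pcre table. A one-line comment on the changed value, `# pcre table rejects numeric-only HELO; hosts in mynetworks are exempted by permit_mynetworks`, would document the intended ordering for the next person editing the list.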