agrego postscreen
parent
1d221ef908
commit
1c086ec057
128
tasks/postscreen.yml
Normal file
128
tasks/postscreen.yml
Normal file
@ -0,0 +1,128 @@
|
||||
---
|
||||
# configurar postscreen en master.cf
|
||||
# habilito smtpd pass ... smtpd para postscreen (paso 2)
|
||||
- name: "postscreen: enable smtpd/pass service"
|
||||
postconf:
|
||||
service: smtpd
|
||||
type: pass
|
||||
chroot: 'y'
|
||||
command: smtpd
|
||||
notify: reload postfix
|
||||
|
||||
# habilito smtp inet ... postscreen para postscreen (pasos 1,3)
|
||||
- name: "postscreen: configure smtp/inet service"
|
||||
postconf:
|
||||
service: smtp
|
||||
type: inet
|
||||
private: 'n'
|
||||
chroot: 'y'
|
||||
process_limit: 1
|
||||
command: postscreen
|
||||
notify: reload postfix
|
||||
|
||||
# habilito tlsproxy para soporte TLS en postscreen (paso 4)
|
||||
- name: "postscreen: enable tlsproxy/unix service"
|
||||
postconf:
|
||||
service: tlsproxy
|
||||
type: unix
|
||||
chroot: 'y'
|
||||
process_limit: 0
|
||||
command: tlsproxy
|
||||
notify: reload postfix
|
||||
|
||||
# habilito dnsblog para que loguee bloqueos DNSBL en postscreen (paso 5)
|
||||
- name: "postscreen: enable dnsblog/unix service"
|
||||
postconf:
|
||||
service: dnsblog
|
||||
type: unix
|
||||
chroot: 'y'
|
||||
process_limit: 0
|
||||
command: dnsblog
|
||||
notify: reload postfix
|
||||
|
||||
# compilar tabla CIDR con las listas blancas
|
||||
- name: "postscreen: template access list"
|
||||
copy:
|
||||
content: |
|
||||
# Ansible-generated postscreen CIDR access table. You can change this
|
||||
# file by setting the host variable `postfix_postscreen_access_list`
|
||||
{% for entry in postfix_postscreen_access_list -%}
|
||||
{{ entry.address }} {{ entry.action }}
|
||||
{% endfor %}
|
||||
dest: "/etc/postfix/rules/postscreen_access_list.cidr"
|
||||
|
||||
- name: "postscreen: set postscreen_access_list parameter"
|
||||
postconf:
|
||||
parameter: postscreen_access_list
|
||||
value: "cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen: enable/disable after-220 SMTP greeting tests"
|
||||
postconf:
|
||||
parameter:
|
||||
postscreen_bare_newline_enable:
|
||||
"{{ 'yes' if postfix_postscreen_bare_newline_enable else 'no' }}"
|
||||
postscreen_non_smtp_command_enable:
|
||||
"{{ 'yes' if postfix_postscreen_non_smtp_command_enable else 'no' }}"
|
||||
postscreen_pipelining_enable:
|
||||
"{{ 'yes' if postfix_postscreen_pipelining_enable else 'no' }}"
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen: configure dnsbl sites"
|
||||
postconf:
|
||||
parameter: postscreen_dnsbl_sites
|
||||
value: "\
|
||||
{% for entry in postfix_postscreen_dnsbl_sites|belist -%}\
|
||||
{% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
|
||||
{{ entry.site }}{{ '*' if entry.score is defined else '' }}\
|
||||
{{ entry.score | default('') }}{% endif %}\
|
||||
{{ '' if loop.last else ', ' }}{% endfor %}"
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen: template masking table for dnsbl sites"
|
||||
copy:
|
||||
content: |
|
||||
# postscreen reply map, matching entries will be replaced
|
||||
# with the resulting text when telling the source of DNS
|
||||
# blacklisting to the remote client.
|
||||
# used to mask passwords contained in dnsbl names
|
||||
# edit this file by setting the "mask" option for items
|
||||
# in the host variable postfix_postscreen_dnsbl_sites
|
||||
{% for entry in postfix_postscreen_dnsbl_sites -%}
|
||||
{% if entry is mapping -%}{% if entry.mask is defined -%}
|
||||
{% if entry.mask is string and entry.mask != "" -%}
|
||||
/^{{ entry.site }}$/ {{ entry.mask }}
|
||||
{% else %}
|
||||
/^{{ entry.site }}$/ dnsbl blacklist
|
||||
{% endif %}{% endif %}{% endif %}{% endfor %}
|
||||
dest: /etc/postfix/rules/postscreen_dnsbl_mask.pcre
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen: configure masking table parameter"
|
||||
postconf:
|
||||
parameter: postscreen_dnsbl_reply_map
|
||||
value: "pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen: set misc. parameters"
|
||||
postconf:
|
||||
parameter:
|
||||
postscreen_blacklist_action:
|
||||
"{{ postfix_postscreen_blacklist_action }}"
|
||||
postscreen_bare_newline_action:
|
||||
"{{ postfix_postscreen_bare_newline_action }}"
|
||||
postscreen_dnsbl_action:
|
||||
"{{ postfix_postscreen_dnsbl_action }}"
|
||||
postscreen_dnsbl_threshold:
|
||||
"{{ postfix_postscreen_dnsbl_threshold }}"
|
||||
postscreen_dnsbl_whitelist_threshold:
|
||||
"{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
|
||||
postscreen_greet_action:
|
||||
"{{ postfix_postscreen_greet_action }}"
|
||||
postscreen_greet_wait:
|
||||
"{{ postfix_postscreen_greet_wait }}"
|
||||
postscreen_non_smtp_command_action:
|
||||
"{{ postfix_postscreen_non_smtp_command_action }}"
|
||||
postscreen_pipelining_action:
|
||||
"{{ postfix_postscreen_pipelining_action }}"
|
||||
notify: reload postfix
|
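Review bot: The mask table template at L287 and L293 interpolates `entry.site` into a PCRE pattern unescaped (`/^{{ entry.site }}$/`), so each `.` matches any character and a `/` or other metacharacter in a site name would break the pattern; any entry that fails to match means postscreen's rejection reply to the remote client carries the unmasked DNSBL name, which is exactly the secret this map exists to hide. Use `/^{{ entry.site | regex_escape }}$/` on both lines and verify after deploy with `postmap -q <site> pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre`, since I cannot tell from here whether postscreen looks the reply map up by the bare domain or by the full `site*weight` spec. The masking only protects the SMTP reply: the raw site list, password included, is still written into main.cf by the task at L219 and echoed in Ansible's change output, so consider `no_log: true` on that task (and on the mask task) when any entry carries a mask. Separately, the access-list task at L141–L165 is the only file-writing task in this file without `notify: reload postfix`; as far as I know a cidr table is loaded when postscreen starts, so a newly added `reject` entry will not take effect until some unrelated change triggers a reload.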
24
tasks/postscreen_disable.yml
Normal file
24
tasks/postscreen_disable.yml
Normal file
@ -0,0 +1,24 @@
|
||||
---
|
||||
- name: "postscreen_disable: disable smtpd/pass service"
|
||||
postconf:
|
||||
service: smtpd
|
||||
type: pass
|
||||
state: absent
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen_disable: configure smtp/inet service"
|
||||
postconf:
|
||||
service: smtp
|
||||
type: inet
|
||||
private: 'n'
|
||||
chroot: '-'
|
||||
process_limit: '-'
|
||||
command: smtpd
|
||||
notify: reload postfix
|
||||
|
||||
- name: "postscreen_disable: disable dnsblog/unix service"
|
||||
postconf:
|
||||
service: dnsblog
|
||||
type: unix
|
||||
state: absent
|
||||
notify: reload postfix
|
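Review bot: The smtp/inet task at L421–L445 resets `chroot` to `'-'`, the master.cf default, while the enable path at L25–L43 runs smtpd with `chroot: 'y'`; on Postfix 3.0 and later the master.cf default chroot is `n` (master(5)), so toggling postscreen off silently takes smtpd out of its chroot. Set `chroot: 'y'` here to match, or drive both tasks from one shared variable so the sandboxing does not depend on which task list ran last. Note also that this file removes smtpd/pass and dnsblog but has no counterpart for the tlsproxy/unix service added at L83–L104, and leaves the `postscreen_*` main.cf parameters in place; that is probably harmless since postscreen is no longer in the listener path, but a comment stating the asymmetry is intentional would save the next reader the check.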