Initial commit

2023-03-20 20:01:04 +01:00 · 2023-03-20 20:01:04 +01:00 · 11b84aa872
commit 11b84aa872
40 changed files with 995 additions and 0 deletions
--- a/files/fail2ban/postfix-sasl.conf
+++ b/files/fail2ban/postfix-sasl.conf
@ -0,0 +1,7 @@
+[sasl]
+enabled  = true
+findtime = 3600
+bantime  = 3600
+port     = submission
+filter   = postfix-sasl
+logpath  = /var/log/mail-sasl.log
--- a/files/fail2ban/postfix-sasl.local
+++ b/files/fail2ban/postfix-sasl.local
@ -0,0 +1,21 @@
+# Fail2Ban filter for postfix authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
+
+ignoreregex = authentication failed: Connection lost to authentication server$
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+
+# Author: Yaroslav Halchenko
--- a/files/mail-tls-helper/readme.txt
+++ b/files/mail-tls-helper/readme.txt
@ -0,0 +1,4 @@
+Logrotat runs with hardening features (/lib/systemd/system/logrotate.service)
+which prevents write access to /etc.
+
+You will find the tls_domains file at /var/lib.
--- a/files/monit/mta-sts-daemon
+++ b/files/monit/mta-sts-daemon
@ -0,0 +1,9 @@
+# Managed by Ansible
+
+check process mta-sts-daemon
+  matching "/usr/bin/python3 /usr/bin/mta-sts-daemon"
+  group mailserver
+  start program = "/usr/sbin/service postfix-mta-sts-resolver start"
+  stop program = "/usr/sbin/service postfix-mta-sts-resolver stop"
+  if 2 restarts within 3 cycles then timeout
+  if failed host 127.0.0.1 port 8461 for 3 cycles then restart
--- a/files/monit/postfix
+++ b/files/monit/postfix
@ -0,0 +1,7 @@
+# Managed by Ansible
+
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+  group mailserver
+  start program = "/usr/sbin/service postfix@- start"
+  stop program = "/usr/sbin/service postfix@- stop"
+  if failed port 25 protocol smtp with timeout 15 seconds for 3 cycles then restart
--- a/files/postfix/conf.d/bogus_mx
+++ b/files/postfix/conf.d/bogus_mx
@ -0,0 +1,10 @@
+# Manages by Ansible
+
+# bogus networks
+0.0.0.0/8       550 Mail server in broadcast network
+1.0.0.0/8       550 Mail server in IANA reserved network
+#10.0.0.0/8      550 No route to your RFC 1918 network
+127.0.0.0/8     550 Mail server in loopback network
+224.0.0.0/4     550 Mail server in class D multicast network
+#172.16.0.0/12   550 No route to your RFC 1918 network
+192.168.0.0/16  550 No route to your RFC 1918 network
--- a/files/postfix/conf.d/header_checks
+++ b/files/postfix/conf.d/header_checks
@ -0,0 +1,10 @@
+# Managed by Ansible
+
+/^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
+  ade|adp|asp|bas|bat|chm|cmd|com|cpl|dll|exe|
+  hlp|ht[at]|
+  inf|ins|isp|js|jse?|lnk|md[betw]|ms[cipt]|nws|
+  \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
+  ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
+  vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
+  REJECT Attachment name "$2" may not end with ".$4"
--- a/files/postfix/conf.d/header_checks_inbound
+++ b/files/postfix/conf.d/header_checks_inbound
@ -0,0 +1,7 @@
+#  Managed by Ansible
+
+# Remove external mail processing headers
+/^X-Spam-.*: .*$/               IGNORE
+/^X-Amavis-.*: .*$/             IGNORE
+/^X-Virus-.*: .*$/              IGNORE
+/^X-Rc-(Spam|Virus)+: .*$/      IGNORE
--- a/files/smtp_tor
+++ b/files/smtp_tor
@ -0,0 +1,6 @@
+#!/bin/sh
+
+# This script will be called by Postfix master.cf.
+# It runs a service for OnionMX.
+
+exec /usr/bin/torsocks -i /usr/lib/postfix/sbin/smtp "$@"