update mail - migrate from opendkim and opendmarc to rspamd
This commit is contained in:
parent
2cd9fc4fd5
commit
814a48e3a7
@ -49,17 +49,19 @@
|
||||
- name: Deploy OpenDKIM
|
||||
import_role:
|
||||
name: opendkim
|
||||
when: opendkim_enabled | default(false)
|
||||
tags: opendkim
|
||||
|
||||
- name: Deploy OpenDMARC
|
||||
import_role:
|
||||
name: opendmarc
|
||||
when: opendmarc_enabled | default(false)
|
||||
tags: opendmarc
|
||||
|
||||
- name: Deploy Rspamd
|
||||
import_role:
|
||||
name: rspamd
|
||||
when: rspamd_enabled | default(false)
|
||||
when: rspamd_enabled | default(true)
|
||||
tags: rspamd
|
||||
|
||||
- name: Deploy Roundcube
|
||||
|
||||
@ -5,8 +5,8 @@ opendkim_default_values:
|
||||
existingClaim: mailboxes
|
||||
opendkim:
|
||||
image:
|
||||
repository: "{{ docker_registry }}/opendkim"
|
||||
tag: latest
|
||||
repository: "instrumentisto/opendkim"
|
||||
tag: alpine
|
||||
pullPolicy: Always
|
||||
configmaps:
|
||||
opendkim: |
|
||||
|
||||
@ -6,16 +6,17 @@ opendmarc_default_values:
|
||||
|
||||
opendmarc:
|
||||
image:
|
||||
repository: "{{ docker_registry }}/opendmarc"
|
||||
tag: latest
|
||||
repository: "instrumentisto/opendmarc"
|
||||
tag: alpine
|
||||
pullPolicy: Always
|
||||
configmaps:
|
||||
opendmarc: |
|
||||
AuthservID mail.{{ domain }}
|
||||
Socket inet:8893
|
||||
SoftwareHeader true
|
||||
SPFIgnoreResults true
|
||||
SPFSelfValidate true
|
||||
IgnoreAuthenticatedClients true
|
||||
SPFIgnoreResults false
|
||||
SPFSelfValidate false
|
||||
RequiredHeaders true
|
||||
Syslog true
|
||||
UserID opendmarc:mail
|
||||
|
||||
@ -82,7 +82,7 @@ postfix_default_values:
|
||||
# Filters for mail
|
||||
smtpd_helo_required = yes
|
||||
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_unauth_destination
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination, check_policy_service unix:private/policyd-spf
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination
|
||||
|
||||
# SASL auth with dovecot options
|
||||
smtpd_sasl_auth_enable = yes
|
||||
@ -93,7 +93,8 @@ postfix_default_values:
|
||||
smtpd_sasl_local_domain = $myorigin
|
||||
|
||||
milter_protocol = 6
|
||||
smtpd_milters = inet:opendkim.{{ namespace }}.svc.cluster.local:8891, inet:opendmarc.{{ namespace }}.svc.cluster.local:8893
|
||||
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
||||
smtpd_milters = inet:rspamd.{{ namespace }}.svc.cluster.local:11332
|
||||
non_smtpd_milters = $smtpd_milters
|
||||
milter_default_action = accept
|
||||
|
||||
@ -194,6 +195,7 @@ postfix_default_values:
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path=inet:dovecot.{{ namespace }}.svc.cluster.local:12345
|
||||
-o smtpd_upstream_proxy_protocol=haproxy
|
||||
@ -202,6 +204,7 @@ postfix_default_values:
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path=inet:dovecot.{{ namespace }}.svc.cluster.local:12345
|
||||
-o smtpd_upstream_proxy_protocol=haproxy
|
||||
@ -274,7 +277,7 @@ postfix_default_values:
|
||||
#dane unix - - n - - smtp
|
||||
# -o smtp_dns_support_level=dnssec
|
||||
# -o smtp_tls_security_level=dane
|
||||
policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
|
||||
#policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
|
||||
ldap-local-recipients: |
|
||||
debuglevel = 0
|
||||
version = 3
|
||||
|
||||
@ -35,6 +35,9 @@ roundcube_default_values:
|
||||
cert-manager.io/acme-challenge-type: "dns01"
|
||||
kubernetes.io/ingress.class: "{{ external_ingress_class if roundcube_publish else internal_ingress_class }}"
|
||||
kubernetes.io/tls-acme: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
|
||||
path: /
|
||||
hosts:
|
||||
- webmail.{{ domain }}
|
||||
|
||||
@ -1,15 +1,77 @@
|
||||
rspamd_enabled: true
|
||||
rspamd_default_values:
|
||||
replicaCount: 1
|
||||
persistence:
|
||||
enabled: false
|
||||
existingClaim: mailboxes
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
usePassword: false
|
||||
password: ""
|
||||
cluster:
|
||||
enabled: false
|
||||
rspamd:
|
||||
image:
|
||||
repository: "{{ docker_registry }}/rspamd"
|
||||
tag: latest
|
||||
pullPolicy: Always
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
local.d:
|
||||
redis.conf: |
|
||||
servers = "rspamd-redis-master";
|
||||
worker-proxy.inc: |
|
||||
bind_socket = "0.0.0.0:11332";
|
||||
worker-normal.inc: |
|
||||
bind_socket = "0.0.0.0:11333";
|
||||
worker-controller.inc: |
|
||||
bind_socket = "0.0.0.0:11334";
|
||||
worker-fuzzy.inc: |
|
||||
bind_socket = "0.0.0.0:11335";
|
||||
logging.inc: |
|
||||
type = "console";
|
||||
spf.conf: |
|
||||
spf_cache_size = 1k; # cache up to 1000 of the most recent SPF records
|
||||
spf_cache_expire = 1d; # default max expire for an element in this cache
|
||||
max_dns_nesting = 10; # maximum number of recursive DNS subrequests
|
||||
max_dns_requests = 30; # maximum count of DNS requests per record
|
||||
min_cache_ttl = 5m; # minimum TTL enforced for all elements in SPF records
|
||||
dkim_signing.conf: |
|
||||
enabled = true;
|
||||
# If `true` get pubkey from DNS record and check if it matches private key
|
||||
check_pubkey = true;
|
||||
# Set to `false` if you want to skip signing if public and private keys mismatch
|
||||
allow_pubkey_mismatch = true;
|
||||
# Domain specific settings
|
||||
domain {
|
||||
# Domain name is used as key
|
||||
"{{ mail_domain | default(domain) }}" {
|
||||
# Private key path
|
||||
path = "/var/lib/rspamd/dkim/default.key";
|
||||
# Selector
|
||||
selector = "default";
|
||||
}
|
||||
}
|
||||
arc.conf: |
|
||||
domain {
|
||||
# Domain name is used as key
|
||||
"{{ mail_domain | default(domain) }}" {
|
||||
# Private key path
|
||||
path = "/var/lib/rspamd/dkim/default.key";
|
||||
# Selector
|
||||
selector = "default";
|
||||
}
|
||||
}
|
||||
dmarc.conf: |
|
||||
# Enables storing reporting information to redis
|
||||
reporting = true;
|
||||
# If Redis server is not configured below, settings from redis {} will be used
|
||||
#servers = "127.0.0.1:6379"; # Servers to use for reads and writes (can be a list)
|
||||
servers = "rspamd-redis-master";
|
||||
# Alternatively set read_servers / write_servers to split reads and writes
|
||||
# To set custom prefix for redis keys:
|
||||
#key_prefix = "dmarc_";
|
||||
# Actions to enforce based on DMARC disposition (empty by default)
|
||||
actions = {
|
||||
quarantine = "add_header";
|
||||
reject = "reject";
|
||||
}
|
||||
# Ignore "pct" setting for some domains
|
||||
# no_sampling_domains = "/etc/rspamd/dmarc_no_sampling.domains";
|
||||
dkim-keys:
|
||||
default: |
|
||||
{{ dkim_private_key_base64 | b64decode }}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user