update mail - migrate from opendkim and opendmarc to rspamd

roles/mail/tasks/main.yaml

@@ -49,17 +49,19 @@
 - name: Deploy OpenDKIM
   import_role: 
     name: opendkim
+  when: opendkim_enabled | default(false)
   tags: opendkim
 
 - name: Deploy OpenDMARC
   import_role: 
     name: opendmarc
+  when: opendmarc_enabled | default(false)
   tags: opendmarc
 
 - name: Deploy Rspamd
   import_role: 
     name: rspamd
-  when: rspamd_enabled | default(false)
+  when: rspamd_enabled | default(true)
   tags: rspamd
 
 - name: Deploy Roundcube

roles/opendkim/defaults/main.yaml

@@ -5,8 +5,8 @@ opendkim_default_values:
     existingClaim: mailboxes
   opendkim:
     image:
-      repository: "{{ docker_registry }}/opendkim"
+      repository: "instrumentisto/opendkim"
-      tag: latest
+      tag: alpine
       pullPolicy: Always
     configmaps:
       opendkim: |

roles/opendmarc/defaults/main.yaml

@@ -6,16 +6,17 @@ opendmarc_default_values:
   
   opendmarc:
     image:
-      repository: "{{ docker_registry }}/opendmarc"
+      repository: "instrumentisto/opendmarc"
-      tag: latest
+      tag: alpine
       pullPolicy: Always
     configmaps:
       opendmarc: |
         AuthservID mail.{{ domain }}
         Socket inet:8893
         SoftwareHeader true
-        SPFIgnoreResults true
+        IgnoreAuthenticatedClients true
-        SPFSelfValidate true
+        SPFIgnoreResults false
+        SPFSelfValidate false
         RequiredHeaders true
         Syslog true
         UserID opendmarc:mail

roles/postfix/defaults/main.yaml

@@ -82,7 +82,7 @@ postfix_default_values:
         # Filters for mail
         smtpd_helo_required = yes
         #smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_unauth_destination
-        smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination, check_policy_service unix:private/policyd-spf
+        smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination
         
         # SASL auth with dovecot options
         smtpd_sasl_auth_enable = yes
@@ -93,7 +93,8 @@ postfix_default_values:
         smtpd_sasl_local_domain = $myorigin
         
         milter_protocol = 6
-        smtpd_milters = inet:opendkim.{{ namespace }}.svc.cluster.local:8891, inet:opendmarc.{{ namespace }}.svc.cluster.local:8893
+        milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+        smtpd_milters = inet:rspamd.{{ namespace }}.svc.cluster.local:11332
         non_smtpd_milters = $smtpd_milters
         milter_default_action = accept
         
@@ -194,6 +195,7 @@ postfix_default_values:
           -o smtpd_sasl_auth_enable=yes
           -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
           -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+          -o milter_macro_daemon_name=ORIGINATING
           -o smtpd_sasl_type=dovecot
           -o smtpd_sasl_path=inet:dovecot.{{ namespace }}.svc.cluster.local:12345
           -o smtpd_upstream_proxy_protocol=haproxy
@@ -202,6 +204,7 @@ postfix_default_values:
           -o smtpd_tls_wrappermode=yes
           -o smtpd_sasl_auth_enable=yes
           -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+          -o milter_macro_daemon_name=ORIGINATING
           -o smtpd_sasl_type=dovecot
           -o smtpd_sasl_path=inet:dovecot.{{ namespace }}.svc.cluster.local:12345
           -o smtpd_upstream_proxy_protocol=haproxy
@@ -274,7 +277,7 @@ postfix_default_values:
         #dane       unix  -       -       n       -       -       smtp
         #  -o smtp_dns_support_level=dnssec
         #  -o smtp_tls_security_level=dane
-        policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
+        #policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
       ldap-local-recipients: |
         debuglevel = 0
         version = 3

roles/roundcube/defaults/main.yaml

@@ -35,6 +35,9 @@ roundcube_default_values:
       cert-manager.io/acme-challenge-type: "dns01"
       kubernetes.io/ingress.class: "{{ external_ingress_class if roundcube_publish else internal_ingress_class }}" 
       kubernetes.io/tls-acme: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
     path: /
     hosts:
       - webmail.{{ domain }}

roles/rspamd/defaults/main.yaml

@@ -1,15 +1,77 @@
+rspamd_enabled: true
 rspamd_default_values:
   replicaCount: 1
   persistence:
     enabled: false
     existingClaim: mailboxes
-  
+  redis:
+    enabled: true
+    usePassword: false
+    password: ""
+    cluster:
+      enabled: false
   rspamd:
-    image:
+    local.d:
-      repository: "{{ docker_registry }}/rspamd"
+      redis.conf: |
-      tag: latest
+        servers = "rspamd-redis-master";
-      pullPolicy: Always
+      worker-proxy.inc: |
-  
+        bind_socket = "0.0.0.0:11332";
-  service:
+      worker-normal.inc: |
-    type: ClusterIP
+        bind_socket = "0.0.0.0:11333";
-
+      worker-controller.inc: |
+        bind_socket = "0.0.0.0:11334";
+      worker-fuzzy.inc: |
+        bind_socket = "0.0.0.0:11335";
+      logging.inc: |
+        type = "console";
+      spf.conf: |
+        spf_cache_size = 1k; # cache up to 1000 of the most recent SPF records
+        spf_cache_expire = 1d; # default max expire for an element in this cache
+        max_dns_nesting = 10; # maximum number of recursive DNS subrequests
+        max_dns_requests = 30; # maximum count of DNS requests per record
+        min_cache_ttl = 5m; # minimum TTL enforced for all elements in SPF records
+      dkim_signing.conf: |
+        enabled = true;
+        # If `true` get pubkey from DNS record and check if it matches private key
+        check_pubkey = true;
+        # Set to `false` if you want to skip signing if public and private keys mismatch
+        allow_pubkey_mismatch = true;
+        # Domain specific settings
+        domain {
+          # Domain name is used as key
+          "{{ mail_domain | default(domain) }}" {
+            # Private key path
+            path = "/var/lib/rspamd/dkim/default.key";
+            # Selector
+            selector = "default";
+          }
+        }
+      arc.conf: |
+        domain {
+          # Domain name is used as key
+          "{{ mail_domain | default(domain) }}" {
+            # Private key path
+            path = "/var/lib/rspamd/dkim/default.key";
+            # Selector
+            selector = "default";
+          }
+        }
+      dmarc.conf: |
+        # Enables storing reporting information to redis
+        reporting = true;
+        # If Redis server is not configured below, settings from redis {} will be used
+        #servers = "127.0.0.1:6379"; # Servers to use for reads and writes (can be a list)
+        servers = "rspamd-redis-master";
+        # Alternatively set read_servers / write_servers to split reads and writes
+        # To set custom prefix for redis keys:
+        #key_prefix = "dmarc_";
+        # Actions to enforce based on DMARC disposition (empty by default)
+        actions = {
+          quarantine = "add_header";
+          reject = "reject";
+        }
+        # Ignore "pct" setting for some domains
+        # no_sampling_domains = "/etc/rspamd/dmarc_no_sampling.domains";
+    dkim-keys:
+      default: |
+        {{ dkim_private_key_base64 | b64decode }}