From ce4c85dd6f99506128bb125e26728a7416660397 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Sun, 7 Jan 2024 02:38:42 -0500
Subject: [PATCH] make dmarc more aggressive, fix unresolved mail addresses

---
 roles/mail/files/postmaster-main.cf | 3 +++
 roles/mail/tasks/main.yml | 14 ++++++++++++++
 roles/nameservers/templates/db.simponic.xyz.j2 | 2 +-
 roles/private/tasks/main.yml | 3 ++-
 4 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 roles/mail/files/postmaster-main.cf

diff --git a/roles/mail/files/postmaster-main.cf b/roles/mail/files/postmaster-main.cf
new file mode 100644
index 0000000..1bfb761
--- /dev/null
+++ b/roles/mail/files/postmaster-main.cf
@@ -0,0 +1,3 @@
+virtual_mailbox_domains = /etc/postfix/vhost
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
+virtual_alias_maps =
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 4233f68..cef06f5 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -42,6 +42,20 @@
     group: root
     mode: 0700
 
+- name: ensure mail docker/compose volume exist
+  file:
+    path: /etc/docker/compose/mail/docker-data/dms/config
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+# https://github.com/docker-mailserver/docker-mailserver/issues/1562
+- name: ensure mail docker/compose ldap overrides exist
+  copy:
+    src: ../files/postmaster-main.cf
+    dest: /etc/docker/compose/mail/docker-data/dms/config/postfix-main.cf
+
 - name: build mail docker-compose.yml.j2
   template:
     src: ../templates/docker-compose.yml.j2
diff --git a/roles/nameservers/templates/db.simponic.xyz.j2 b/roles/nameservers/templates/db.simponic.xyz.j2
index 72ff58f..e154765 100644
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
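Review bot: Blanking `virtual_alias_maps =` on the last line of postmaster-main.cf turns off every alias lookup for the virtual domains, so any recipient that is not a real mailbox in `ldap:/etc/postfix/ldap-users.cf` — postmaster@ and abuse@ included, and the `dmarc.report@simponic.xyz` address this same commit points DMARC reports at — will presumably now be rejected as an unknown user rather than aliased. Whether those addresses exist as LDAP accounts can't be seen from the diff, so please confirm before this is deployed. The override also carries no explanation of why the alias map is emptied; a header comment such as `# docker-mailserver LDAP override (issue #1562): aliasing disabled, every recipient must be an LDAP mailbox` would spare the next maintainer a trip to the issue tracker.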
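Review bot: The new `copy` task sets no `owner`, `group` or `mode`, so the override file lands with whatever the remote umask yields, unlike the neighbouring `file` tasks that pin `root:root` and `0700`; add `owner: root`, `group: root`, `mode: 0644` under `copy:` so the Postfix override is root-owned and not writable by other local users. The task also has no `notify`, so a changed override presumably won't reach the running container until something else restarts the mail stack — if a handler for the compose service exists, wire it in. Minor wording in the directory task's name: `ensure mail docker/compose volume exist` → `exists`.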
@@ -38,5 +38,5 @@ simponic.xyz. 1 IN MX 10 mail.simponic.xyz.
 mail._domainkey.simponic.xyz. 1 IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ktysbZaewsAo1Uk+FfLvVeL9ii6ejTDxxYE1RoGTxFDulFYXdpvO+MErDq62IvaQ6E4TYTc0RULoqp3BjuVVG6IG85SmhWME9XYSrxLm1pq7yRN1s1b6pBqNC6+yiyxwSjThS7RzH3sxwBL7R8AHRuEV+2UKsvT2wOCyRXAth+lrB7t9S9niWNOB3lvDqe0/oPf9JDrKjpuO6" "lKZ3nglGzPfdJEpfLyXBP4l5UlxqWYUIrCzqHY9bNmyPepb1CJT97AD5jGGngCrnMCmllAdyOKa1ds5uoPjjGaLO8bOoBWXQuacn++hDsdyQ78Y673T2935CN/uGgrLBs9UiA0BQIDAQAB" ) ; ----- DKIM key mail for simponic.xyz
-_dmarc.simponic.xyz. IN TXT "v=DMARC1; p=none; sp=none; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@simponic.xyz; ruf=mailto:dmarc.report@simponic.xyz"
+_dmarc.simponic.xyz. 1 IN TXT "v=DMARC1; p=quarantine; sp=quarantine; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@simponic.xyz; ruf=mailto:dmarc.report@simponic.xyz"
 simponic.xyz. 1 IN TXT "v=spf1 mx ip4:192.3.248.205 ~all"
diff --git a/roles/private/tasks/main.yml b/roles/private/tasks/main.yml
index 65f544b..dabebeb 100644
--- a/roles/private/tasks/main.yml
+++ b/roles/private/tasks/main.yml
@@ -87,7 +87,8 @@
 - name: add daily letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
   cron:
     name: "letsencrypt_renewal_{{ item.stdout }}"
-    special_time: "daily"
+    minute: "0"
+    hour: "5,17"
     job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload"
   loop: "{{ extracted_domains.results }}"
   when: item.stdout != ""
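Review bot: The new `_dmarc` record jumps from `p=none` straight to `p=quarantine; sp=quarantine` at `pct=100` while keeping `fo=0`, so from the moment the zone publishes every unaligned message from any sender not yet seen in the aggregate reports is quarantined, and failure reports arrive only when SPF and DKIM both fail. A staged rollout is safer: publish with `pct=25` (and `fo=1` so partial failures surface in `ruf`), then raise `pct` once the `rua` data shows only the MX and `ip4:192.3.248.205` originating mail; whether other legitimate senders exist can't be told from the zone alone. Both `rua` and `ruf` also point at `dmarc.report@simponic.xyz`, which the Postfix override added in this same commit (`virtual_alias_maps =`) leaves deliverable only if that address is a real LDAP mailbox, so the reports themselves may bounce.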
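Review bot: Replacing `special_time: "daily"` with `minute: "0"` and `hour: "5,17"` makes every domain's renewal job fire at exactly the same two instants, which contradicts the task name's stated intent of staggering renewals by a hash of the domain name to avoid rate limits. Deriving the minute from the domain keeps the twice-daily cadence while spreading the load, for instance `minute: "{{ (item.stdout | hash('md5'))[:2] | int(base=16) % 60 }}"`, and a one-line comment above the task explaining why 05:00 and 17:00 were chosen would help. The `job:` also renews against the internal step-ca ACME directory rather than Let's Encrypt, so the "LE rate limits" wording in the task name looks stale and could mislead whoever tunes this next. The surrounding task list continues outside the hunk.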