make dmarc more aggressive, fix unresolved mail addresses

2024-01-07 02:38:42 -05:00 · 2024-01-07 02:38:42 -05:00 · ce4c85dd6f
commit ce4c85dd6f
parent ae64628958
4 changed files with 20 additions and 2 deletions
--- a/roles/mail/files/postmaster-main.cf
+++ b/roles/mail/files/postmaster-main.cf
@ -0,0 +1,3 @@
+virtual_mailbox_domains = /etc/postfix/vhost
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
+virtual_alias_maps =
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@ -42,6 +42,20 @@
    group: root
    mode: 0700

+- name: ensure mail docker/compose volume exist
+  file:
+    path: /etc/docker/compose/mail/docker-data/dms/config
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+# https://github.com/docker-mailserver/docker-mailserver/issues/1562
+- name: ensure mail docker/compose ldap overrides exist
+  copy:
+    src: ../files/postmaster-main.cf
+    dest: /etc/docker/compose/mail/docker-data/dms/config/postfix-main.cf
+
 - name: build mail docker-compose.yml.j2
  template:
    src: ../templates/docker-compose.yml.j2
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
@ -38,5 +38,5 @@ simponic.xyz.	1	IN	MX	10 mail.simponic.xyz.
 mail._domainkey.simponic.xyz. 1 IN      TXT    ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ktysbZaewsAo1Uk+FfLvVeL9ii6ejTDxxYE1RoGTxFDulFYXdpvO+MErDq62IvaQ6E4TYTc0RULoqp3BjuVVG6IG85SmhWME9XYSrxLm1pq7yRN1s1b6pBqNC6+yiyxwSjThS7RzH3sxwBL7R8AHRuEV+2UKsvT2wOCyRXAth+lrB7t9S9niWNOB3lvDqe0/oPf9JDrKjpuO6"
          "lKZ3nglGzPfdJEpfLyXBP4l5UlxqWYUIrCzqHY9bNmyPepb1CJT97AD5jGGngCrnMCmllAdyOKa1ds5uoPjjGaLO8bOoBWXQuacn++hDsdyQ78Y673T2935CN/uGgrLBs9UiA0BQIDAQAB" )  ; ----- DKIM key mail for simponic.xyz 
-_dmarc.simponic.xyz. IN TXT "v=DMARC1; p=none; sp=none; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@simponic.xyz; ruf=mailto:dmarc.report@simponic.xyz"
+_dmarc.simponic.xyz.  1 IN TXT "v=DMARC1; p=quarantine; sp=quarantine; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@simponic.xyz; ruf=mailto:dmarc.report@simponic.xyz"
 simponic.xyz.	1	IN	TXT	"v=spf1 mx ip4:192.3.248.205 ~all"
--- a/roles/private/tasks/main.yml
+++ b/roles/private/tasks/main.yml
@ -87,7 +87,8 @@
 - name: add daily letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
  cron:
    name: "letsencrypt_renewal_{{ item.stdout }}"
-    special_time: "daily"
+    minute: "0"
+    hour: "5,17"
    job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload"
  loop: "{{ extracted_domains.results }}"
  when: item.stdout != ""