From: Ralf Jung
Date: Sat, 7 Apr 2018 17:01:29 +0000 (+0200)
Subject: add postfix and journalwatch roles
X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/d281db9defd2e0c0e6b9761736ff38a9df7391b0
add postfix and journalwatch roles
---
diff --git a/email.yml b/email.yml
new file mode 100644
index 0000000..a4bb8e8
--- /dev/null
+++ b/email.yml
@@ -0,0 +1,4 @@
+- hosts: all
+ roles:
+ - postfix
+ - journalwatch
diff --git a/roles/journalwatch/tasks/main.yml b/roles/journalwatch/tasks/main.yml
new file mode 100644
index 0000000..773a2b2
--- /dev/null
+++ b/roles/journalwatch/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: install journalwatch dependencies
+ apt: name=python3-systemd state=latest
+- name: install journalwatch
+ git:
+ repo: 'https://github.com/The-Compiler/journalwatch.git'
+ version: b62f223bc36eabc193cfcf0d309d284da4f66463
+ dest: /root/journalwatch
+- name: create journalwatch config dir
+ file: path=/root/.config/journalwatch state=directory
+- name: install journalwatch config files
+ template:
+ src: templates/{{item}}
+ dest: /root/.config/journalwatch/{{item}}
+ with_items:
+ - config
+ - patterns
+- name: delete old journalwatch crontab entry
+ file: path=/etc/cron.d/journalwatch state=absent
+- name: create journalwatch crontab entry
+ cron:
+ name: "journalwatch"
+ minute: "*/10"
+ job: "/root/journalwatch/journalwatch.py mail"
diff --git a/roles/journalwatch/templates/config b/roles/journalwatch/templates/config
new file mode 100644
index 0000000..8da85b8
--- /dev/null
+++ b/roles/journalwatch/templates/config
@@ -0,0 +1,15 @@
+# vim: ft=dosini
+#
+# This is the config for journalwatch. All options are defined in the [DEFAULT]
+# section.
+#
+# You can add any commandline argument to the config, without the '--'.
+# See journalwatch --help for all arguments and their description.
+
+[DEFAULT]
+# priority 5: notice
+priority=5
+mail_from=root
+mail_to=root
+mail_subject={hostname}: {count} system events
+mail_binary=/usr/sbin/sendmail 
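Review bot: Root's crontab runs `/root/journalwatch/journalwatch.py mail` every ten minutes straight out of a third-party checkout, so the commit pin `version: b62f223bc36eabc193cfcf0d309d284da4f66463` is the only thing that keeps upstream changes from being executed as root unreviewed; the pin is right, but nothing in the task says why it must stay a fixed commit. Put `# pinned on purpose: root executes this from cron, bump only after reviewing the upstream diff` above the `git:` task so it is not later relaxed to a branch name. `apt: name=python3-systemd state=latest` also upgrades the package on every play run rather than just ensuring it is installed; `state=present` is the usual choice unless this role is meant to drive upgrades. The config files land in `/root/.config/journalwatch` with default permissions, which is fine while `/root` itself stays 0700 — worth a one-line comment if that is the assumption.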
diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
new file mode 100644
index 0000000..8b5d7d2
--- /dev/null
+++ b/roles/journalwatch/templates/patterns 
@@ -0,0 +1,67 @@
+# In this file, patterns for journalwatch are defined to blacklist all journal
+# messages which are not errors.
+#
+# Lines starting with '#' are comments. Inline-comments are not permitted.
+#
+# The patterns are separated into blocks delimited by empty lines. Each block
+# matches on a log entry field, and the patterns in that block then are matched
+# against all messages with a matching log entry field.
+#
+# The syntax of a block looks like this:
+#
+# =
+#
+# []
+# [...]
+#
+# If starts and ends with a slash, it is interpreted as a regular
+# expression, if not, it's an exact match. Patterns are always regular
+# expressions.
+#
+# Below are some useful examples. If you have a small set of users, you might
+# want to adjust things like "user \w" to something like "user (root|foo|bar)".
+#
+# The regular expressions are extended Python regular expressions, for details
+# see:
+#
+# https://docs.python.org/3.4/library/re.html#regular-expression-syntax
+# https://docs.python.org/3.4/howto/regex.html
+# http://doc.pyschools.com/html/regex.html
+#
+# The journal fields are explained in systemd.journal-fields(7).
+
+_SYSTEMD_UNIT = systemd-logind.service
+New session [a-z]?\d+ of user \w+\.
+Removed session [a-z]?\d+\.
+
+SYSLOG_IDENTIFIER = /(CROND|crond)/
+pam_unix\(crond:session\): session (opened|closed) for user \w+
+\(\w+\) CMD .*
+
+SYSLOG_IDENTIFIER = systemd
+(Stopped|Stopping|Starting|Started) .*
+(Created slice|Removed slice) user-\d+\.slice\.
+Received SIGRTMIN\+24 from PID .*
+(Reached target|Stopped target) .*
+Startup finished in \d+ms\.
+
+_SYSTEMD_UNIT = init.scope
+user@\d+\.service: Killing process \d+ \(kill\) with signal SIGKILL\.
+
+SYSLOG_IDENTIFIER = sudo
+\s*[_\w.-]+ : TTY=(unknown|console|(pts/|ttyp?|vc/)\d+) ; PWD=[^;]+ ; USER=[._\w-]+ ; COMMAND=.*
+
+_SYSTEMD_UNIT = postfix@-.service
+warning: hostname [^\s]+ does not resolve to address [\da-fA-F.:]+(: Name or service not known)? 
+warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL LOGIN authentication failed: [._\w-]+
+warning: non-SMTP command from \w+\[[\da-fA-F.:]+\]: .*
+
+SYSLOG_IDENTIFIER = sshd
+error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .*
+error: maximum authentication attempts exceeded for invalid user \w+ from [\da-fA-F.:]+ port \d+ ssh2( \[preauth\])?
+
+_SYSTEMD_UNIT = bind9.service
+client [\da-fA-F.:]+#\d+ \([\w.-]+\): (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type))
+
+_SYSTEMD_UNIT = opendkim.service
+[A-Z0-9]+: bad signature data
diff --git a/roles/postfix/files/check-for-local-mail b/roles/postfix/files/check-for-local-mail
new file mode 100644
index 0000000..4f70a66
--- /dev/null
+++ b/roles/postfix/files/check-for-local-mail
@@ -0,0 +1,8 @@
+#!/bin/bash
+exists() {
+ [ -e "$1" ]
+}
+
+if exists /var/mail/*; then
+ echo "There is mail for some users in /var/mail!"
+fi
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..69f8317
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: install postfix
+ apt: name=postfix,bsd-mailx state=latest
+- name: install postfix main.cf
+ register: config_main
+ template:
+ src: templates/main.cf
+ dest: /etc/postfix/main.cf
+- name: reload postfix
+ service: name=postfix state=restarted enabled=yes
+ when: config_main.changed
+- name: delete old local-mail cronjob
+ file: path=/etc/cron.daily/local-mail state=absent
+- name: install check-for-local-mail cronjob
+ copy:
+ src: files/check-for-local-mail
+ dest: /etc/cron.daily/check-for-local-mail
+ mode: u=rwx,g=rx,o=rx
diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf
new file mode 100644
index 0000000..ac40750
--- /dev/null
+++ b/roles/postfix/templates/main.cf 
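Review bot: The `SYSLOG_IDENTIFIER = sudo` block hides every sudo invocation (`USER=[._\w-]+ ; COMMAND=.*`), and the postfix and sshd blocks drop `SASL LOGIN authentication failed` and `maximum authentication attempts exceeded` lines, so privilege escalation and credential guessing are exactly the events this report will never show. Presumably another control (fail2ban or similar) is expected to watch those lines, but the file does not say so, and the header's own advice applies: narrow `USER=[._\w-]+` and `for user \w+` to the accounts that are supposed to appear, e.g. `USER=root` and `user (root|foo|bar)`, rather than any name. At minimum add `# auth failures and sudo use are filtered out here on purpose; brute-force and escalation visibility must come from elsewhere` above those blocks so the gap is a documented decision rather than an accident.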
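Review bot: `exists` only ever tests `$1`, which is enough for a pure existence check because the glob expands only to existing paths, but existence is the wrong test: a mailbox that has been read and emptied is still a file (bsd-mailx appears to truncate rather than unlink `/var/mail/<user>` — TODO confirm on the target hosts), so once anyone reads local mail this warning fires every day and trains people to ignore it. A per-file size test keeps the intent and also says who the mail is for: `for f in /var/mail/*; do if [ -s "$f" ]; then echo "There is mail for $(basename "$f") in /var/mail!"; fi; done`. A comment on what this cronjob guards against would help too, since main.cf in this commit delivers locally only via aliases: `# local mail means a delivery that was not forwarded off-host via /etc/aliases`.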
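Review bot: The task named `reload postfix` actually does `state=restarted`, which drops active SMTP sessions and the queue manager on every main.cf change, while `state=reloaded` is all a main.cf edit needs and matches the name. Because `enabled=yes` sits on the same conditional task, a host whose unit was disabled by hand is only re-enabled the next time main.cf happens to change; an unconditional `service: name=postfix state=started enabled=yes` plus a `reloaded` task gated on `config_main.changed` keeps both guarantees. The template written here references `/etc/ssl/mycerts/letsencrypt/live.crt+chain`, `/etc/ssl/private/letsencrypt/live.key` and `/etc/ssl/dh2048.pem`, none of which this role provisions; if another role does, record the ordering in a comment on the `install postfix main.cf` task (`# expects the TLS cert/key and DH params to exist already; run the role that provisions them first`), since smtpd will presumably otherwise log TLS setup failures and fall back to plaintext.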
@@ -0,0 +1,61 @@
+# local delivery: aliases only
+alias_maps = hash:/etc/aliases
+local_recipient_maps = $alias_maps
+# explicitly UNSET relay domains to prevent implicit domains
+relay_domains =
+# only consider ourselves local
+mynetworks_style = host
+{% if postfix.mynetworks is defined %}
+mynetworks = {{ postfix.mynetworks }}
+{% endif %}
+
+# TLS server parameters
+smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain
+smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtpd_tls_ciphers = low
+smtpd_tls_mandatory_ciphers = high
+# TLS client parameters
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtp_tls_ciphers = low
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = dane
+smtp_dns_support_level = dnssec
+smtp_tls_loglevel = 1
+
+# postscreen config
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_whitelist_threshold = -2
+postscreen_dnsbl_sites =
+ ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
+ bl.spamcop.net dnsbl.sorbs.net bl.mailspike.net
+ swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
+postscreen_greet_action = enforce
+postscreen_dnsbl_action = enforce
+postscreen_pipelining_enable = yes
+postscreen_non_smtp_command_enable = yes
+postscreen_bare_newline_enable = yes
+# control relay access
+smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
+ # allow nobody else
+ defer_unauth_destination
+# spam-protection restrictions
+smtpd_helo_required = yes
+smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
+ # check everybody else
+ reject_unauth_pipelining,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_recipient,
+ reject_non_fqdn_sender,
+
+# misc
+smtpd_delay_reject = yes
+disable_vrfy_command = yes 
+recipient_delimiter = +
+delay_warning_time = 4h
+message_size_limit = 21384000
+append_dot_mydomain = no
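Review bot: `smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3` only applies to mandatory TLS, but `smtpd_tls_security_level = may` makes inbound TLS opportunistic, so the handshake most clients get is governed by `smtpd_tls_protocols`, which is left at the build default (older Postfix releases still admit SSLv3 there); the client side has the same gap, since `dane` falls back to opportunistic TLS for destinations without usable TLSA records and then honours `smtp_tls_protocols`. Add `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtp_tls_protocols = !SSLv2, !SSLv3` beside the mandatory lines so the exclusion holds on both paths. `smtp_tls_security_level = dane` with `smtp_dns_support_level = dnssec` only yields DANE when the resolver in /etc/resolv.conf validates DNSSEC and is reached over a trusted path such as loopback; nothing in this commit installs such a resolver, so a comment like `# DANE requires a local validating resolver (e.g. unbound on 127.0.0.1); without one this degrades to opportunistic TLS` records the assumption. `permit_tls_clientcerts` in both restriction lists never matches without `smtpd_tls_ask_ccert = yes` and a `relay_clientcerts` map, neither of which is set here — harmless as written, but either add them or drop the entry so the relay policy reads as what it enforces.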