From dfba6fbd2d5b1a9117b26ee7097f824f54009de6 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sat, 1 Oct 2022 08:22:58 +0200
Subject: [PATCH 01/16] more bounce spammers
---
roles/email/templates/postscreen_access.cidr | 2 ++
1 file changed, 2 insertions(+)
diff --git a/roles/email/templates/postscreen_access.cidr b/roles/email/templates/postscreen_access.cidr
index 613d7ad..07f4d9a 100644
--- a/roles/email/templates/postscreen_access.cidr
+++ b/roles/email/templates/postscreen_access.cidr
@@ -13,3 +13,5 @@
188.166.20.128 reject please check mail server config, your server is sending bounce spam
159.203.188.91 reject please check mail server config, your server is sending bounce spam
159.203.190.197 reject please check mail server config, your server is sending bounce spam
+159.65.138.221 reject please check mail server config, your server is sending bounce spam
+128.199.206.172 reject please check mail server config, your server is sending bounce spam
--
2.30.2
From 55ed8162a42d0b5dba661bc95b809d398c61a9c1 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sat, 1 Oct 2022 14:38:43 +0200
Subject: [PATCH 02/16] tighter spam control needed
---
roles/email/templates/main.cf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf
index e693641..e8538ce 100644
--- a/roles/email/templates/main.cf
+++ b/roles/email/templates/main.cf
@@ -36,10 +36,10 @@ smtp_tls_security_level = dane
{% if postfix.postscreen | default(False) %}
# postscreen config
-postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
- ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
+ ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2 truncate.gbudb.net*2
bl.spamcop.net bl.mailspike.net swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
postscreen_greet_action = enforce
--
2.30.2
From 54bc99178b93f4dea0a41bb2e12ec0ad07ae0801 Mon Sep 17 00:00:00 2001
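Review bot: The two new `reject` entries, like the ones added in patches 06 and 10, are single-address rules with no date or evidence recorded, so nothing tells a later maintainer when a reassigned address can safely be dropped or why it was blocked in the first place. Per-host rejects for backscatter tend to outlive the misbehaving server, and a stale entry here silently refuses legitimate mail from whoever inherits the address. A dated comment above each batch, e.g. `# 2022-10-01: backscatter sources, re-check in a few months`, would make the list auditable without changing behaviour.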
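Review bot: Lowering `postscreen_dnsbl_threshold` to 2 while the three primary lists keep weight 2 means a single listing on any one of them is now sufficient to reject, and the `*-2` offsets from swl.spamhaus.org and list.dnswl.org cancel exactly one such listing; nothing in the file records that this one-list-is-enough policy is intentional. Because the weights and the threshold only make sense together, a comment beside the threshold such as `# 2 with *2 weights: any single listing on manitu/sbl-xbl/gbudb rejects` would keep later tuning of either value honest. The postscreen `DNSBL rank` log lines are where the false-positive rate of a setting like this can be checked before it is left on.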
From: Ralf Jung
Date: Fri, 7 Oct 2022 14:42:35 +0200
Subject: [PATCH 03/16] crank down spam protection a bit, it is affecting regular mail
---
roles/email/templates/main.cf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf
index e8538ce..1cb7e27 100644
--- a/roles/email/templates/main.cf
+++ b/roles/email/templates/main.cf
@@ -36,7 +36,7 @@ smtp_tls_security_level = dane
{% if postfix.postscreen | default(False) %}
# postscreen config
-postscreen_dnsbl_threshold = 2
+postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2 truncate.gbudb.net*2
--
2.30.2
From b0a3d55a55872fe9f0a79d2cef263ca89f2698af Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sat, 8 Oct 2022 15:41:43 +0200
Subject: [PATCH 04/16] update openvpn pattern
---
roles/journalwatch/templates/patterns | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
index 5d37896..4a3ccc5 100644
--- a/roles/journalwatch/templates/patterns
+++ b/roles/journalwatch/templates/patterns
@@ -91,4 +91,4 @@ _SYSTEMD_UNIT = opendkim.service
[A-Z0-9]+: key retrieval failed \(s=[\w._-]+, d=[\w._-]+\)(: '[\w._-]+' record not found)?
_SYSTEMD_SLICE=system-openvpn.slice
-(client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*)
+(client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*|WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu \d+', remote='tun-mtu \d+')
--
2.30.2
From dcd9ca756d6d00fb87a5879293c03b64e49d78ac Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Wed, 26 Oct 2022 16:28:02 +0200
Subject: [PATCH 05/16] ignore some more common warnings
---
roles/journalwatch/templates/patterns | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
index 4a3ccc5..c14886e 100644
--- a/roles/journalwatch/templates/patterns
+++ b/roles/journalwatch/templates/patterns
@@ -66,6 +66,8 @@ warning: hostname [\w._-]+ does not resolve to address [\da-fA-F.:]+(: .*)?
warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL (LOGIN|PLAIN) authentication failed:.*
warning: non-SMTP command from [._\w-]+\[[\da-fA-F.:]+\]: .*
warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+:
+warning: dnsblog reply timeout \d+s for .*
+warning: dnsblog_query: lookup error for DNS query .*: Host or domain name not found. Name service error .*
{% if journalwatch is defined and journalwatch.postfix_slow | default(False) %}
warning: psc_cache_update: btree:/var/lib/postfix/[a-z_]+ (update|lookup) average delay is \d\d\d ms
{% endif %}
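Review bot: The two added patterns suppress every `dnsblog reply timeout` and `dnsblog_query: lookup error` warning unconditionally, which is exactly the signal that postscreen's DNSBL scoring has degraded: when lookups fail there are no hits, so rejections quietly stop while everything else looks healthy. Since journalwatch patterns appear to be all-or-nothing, this trades a noisy journal for losing the only indication that the resolver or a DNSBL is down. If the noise has to go, a comment next to these patterns (in whatever form the pattern file or the role's README allows), e.g. `# occasional dnsblog errors are expected; if they become constant postscreen is running without DNSBLs`, preserves the operational knowledge, and checking the postscreen `DNSBL rank` log lines periodically covers the gap.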
@@ -84,11 +86,11 @@ error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from
fatal: ssh_packet_get_string: string is too large \[preauth\]
_SYSTEMD_UNIT = bind9.service
-client [\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input))
+client (@0x[a-f0-9]+ )?[\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input))
_SYSTEMD_UNIT = opendkim.service
[A-Z0-9]+: (bad signature data|failed to parse [Aa]uthentication-[Rr]esults: header field)
[A-Z0-9]+: key retrieval failed \(s=[\w._-]+, d=[\w._-]+\)(: '[\w._-]+' record not found)?
_SYSTEMD_SLICE=system-openvpn.slice
-(client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*|WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu \d+', remote='tun-mtu \d+')
+(client/)?[0-9a-f.:]+ (peer info: .*|VERIFY OK: .*|Outgoing Data Channel: .*|Incoming Data Channel: .*|Control Channel: .*|TLS: .*|\[client\] .*|MULTI(_sva)?: .*|SIGUSR1.*|PUSH: .*|SENT CONTROL \[client\]: .*|WARNING: '(tun|link)-mtu' is used inconsistently, local='(tun|link)-mtu \d+', remote='(tun|link)-mtu \d+')
--
2.30.2
From 56ca0272407682a13f27dfce7d73b668984e0b6b Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Wed, 2 Nov 2022 08:50:28 +0100
Subject: [PATCH 06/16] more bounce spammers
---
roles/email/templates/postscreen_access.cidr | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/email/templates/postscreen_access.cidr b/roles/email/templates/postscreen_access.cidr
index 07f4d9a..94bdaee 100644
--- a/roles/email/templates/postscreen_access.cidr
+++ b/roles/email/templates/postscreen_access.cidr
@@ -15,3 +15,4 @@
159.203.190.197 reject please check mail server config, your server is sending bounce spam
159.65.138.221 reject please check mail server config, your server is sending bounce spam
128.199.206.172 reject please check mail server config, your server is sending bounce spam
+142.93.223.22 reject please check mail server config, your server is sending bounce spam
--
2.30.2
From 39f6252efaaf80f7db3807a37ab4ce3d61b41cbe Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Wed, 16 Nov 2022 14:41:56 +0100
Subject: [PATCH 07/16] whitelist sparkpost
---
roles/email/templates/postscreen_access.cidr | 3 +++
1 file changed, 3 insertions(+)
diff --git a/roles/email/templates/postscreen_access.cidr b/roles/email/templates/postscreen_access.cidr
index 94bdaee..34915e7 100644
--- a/roles/email/templates/postscreen_access.cidr
+++ b/roles/email/templates/postscreen_access.cidr
@@ -5,6 +5,9 @@
40.104.0.0/15 permit
52.96.0.0/14 permit
2603:1000::/24 permit
+# And Sparkpost.
+156.70.4.0/23 permit
+156.70.2.0/23 permit
# Some hosts that send bounces to the wrong guy (i.e., me)
192.241.146.138 reject please check mail server config, your server is sending bounce spam
--
2.30.2
From ac2e20667e4b818abf702f8436b464ac7c1e6019 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Wed, 16 Nov 2022 14:42:17 +0100
Subject: [PATCH 08/16] make spamhaus enough to block (getting so much NDR spam again)
---
roles/email/templates/main.cf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf
index 1cb7e27..45c77d3 100644
--- a/roles/email/templates/main.cf
+++ b/roles/email/templates/main.cf
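Review bot: A `permit` in postscreen_access.cidr exempts the client from every postscreen test, not only the pregreet/hangup checks that behave like greylisting, so all of 156.70.4.0/23 and 156.70.2.0/23 (and 147.253.208.0/20 in patch 11) now bypass the DNSBL scoring as well; for a shared ESP that covers every customer sending through those ranges, including any abused or compromised account. That is presumably acceptable because smtpd-level restrictions and content filtering still run afterwards, but the file should record where the ranges came from and when, e.g. `# Sparkpost outbound ranges per their published list, checked 2022-11-16`, so they can be re-verified before they drift. Keeping those later checks intact is what makes a broad exemption like this safe.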
@@ -39,7 +39,7 @@ smtp_tls_security_level = dane
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
- ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2 truncate.gbudb.net*2
+ ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*3 truncate.gbudb.net*2
bl.spamcop.net bl.mailspike.net swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
postscreen_greet_action = enforce
--
2.30.2
From 187c60cec533f1fb2a3f8b2339be2e9a4e199e00 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sun, 20 Nov 2022 13:19:20 +0100
Subject: [PATCH 09/16] apache: configure cache-control header
---
roles/apache/tasks/main.yml | 2 ++
roles/apache/templates/caching.conf | 7 +++++++
2 files changed, 9 insertions(+)
create mode 100644 roles/apache/templates/caching.conf
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index fee26ef..6878845 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -35,6 +35,7 @@
- php5.conf
- security.conf
- defaults.conf
+ - caching.conf
notify: apache
- name: enable config files
command: a2enconf {{ item }}
@@ -44,6 +45,7 @@
- ssl
- security
- defaults
+ - caching
notify: apache
- name: disable config files
command: a2disconf {{ item }}
diff --git a/roles/apache/templates/caching.conf b/roles/apache/templates/caching.conf
new file mode 100644
index 0000000..7880aec
--- /dev/null
+++ b/roles/apache/templates/caching.conf
@@ -0,0 +1,7 @@
+
+ Header set Cache-Control "max-age=86400, public"
+
+
+
+ Header set Cache-Control "no-cache"
+
--
2.30.2
From b27fc4d59ed5db0b480b1e1a1b915908d1bf10d8 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Tue, 22 Nov 2022 18:58:55 +0100
Subject: [PATCH 10/16] more bounce spam
---
roles/email/templates/postscreen_access.cidr | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/email/templates/postscreen_access.cidr b/roles/email/templates/postscreen_access.cidr
index 34915e7..38ab26d 100644
--- a/roles/email/templates/postscreen_access.cidr
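Review bot: `sbl-xbl.spamhaus.org*3` now reaches the threshold on its own, yet the site has no return-code filter, so any A record in the reply counts as a listing. Spamhaus answers queries it refuses (public or open resolvers, excessive query volume) with special 127.255.255.x codes rather than NXDOMAIN, and at weight 3 such an answer would make postscreen reject every client until someone notices. The Postfix postscreen documentation's own example restricts a Spamhaus site to real listings, e.g. `sbl-xbl.spamhaus.org=127.0.0.[2..11]*3`. This is mitigated as long as lookups go through the local unbound this repository configures (patch 16), but the filter is a one-line safeguard against a future resolver change.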
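Review bot: The container directives wrapping the two `Header set Cache-Control` lines are not visible in this patch (they appear to have been stripped as markup), so it cannot be confirmed which responses receive `max-age=86400, public`, and that scope is the whole security question here. `Header set` replaces whatever Cache-Control the application already sent, so a match broader than static assets would turn a response the backend marked `private` or `no-store` into one a shared cache may store for a day. Please keep the first block limited to static file extensions, or use `Header setifempty Cache-Control "max-age=86400, public"` so an explicit application header wins. If the second block is meant to keep dynamic pages out of shared caches, note that `no-cache` only forces revalidation; `private` or `no-store` is what prevents storage.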
+++ b/roles/email/templates/postscreen_access.cidr
@@ -19,3 +19,4 @@
159.65.138.221 reject please check mail server config, your server is sending bounce spam
128.199.206.172 reject please check mail server config, your server is sending bounce spam
142.93.223.22 reject please check mail server config, your server is sending bounce spam
+59.106.209.178 reject please check mail server config, your server is sending bounce spam
--
2.30.2
From 659716f4e84b7801eb8ace8bfcffa96d75d30d22 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Wed, 7 Dec 2022 14:35:42 +0100
Subject: [PATCH 11/16] sparkpost has tons of IPs and none of them can handle greylisting... bad service for their customers
---
roles/email/templates/postscreen_access.cidr | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/email/templates/postscreen_access.cidr b/roles/email/templates/postscreen_access.cidr
index 38ab26d..91acb4c 100644
--- a/roles/email/templates/postscreen_access.cidr
+++ b/roles/email/templates/postscreen_access.cidr
@@ -8,6 +8,7 @@
# And Sparkpost.
156.70.4.0/23 permit
156.70.2.0/23 permit
+147.253.208.0/20 permit
# Some hosts that send bounces to the wrong guy (i.e., me)
192.241.146.138 reject please check mail server config, your server is sending bounce spam
--
2.30.2
From de2bcefecfadd77f4bf53758b88c7fa688665b62 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Mon, 2 Jan 2023 17:07:49 +0100
Subject: [PATCH 12/16] ignore more postfix TLS warnings
---
roles/journalwatch/templates/patterns | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
index c14886e..2dc428d 100644
--- a/roles/journalwatch/templates/patterns
+++ b/roles/journalwatch/templates/patterns
@@ -68,6 +68,7 @@ warning: non-SMTP command from [._\w-]+\[[\da-fA-F.:]+\]: .*
warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+:
warning: dnsblog reply timeout \d+s for .*
warning: dnsblog_query: lookup error for DNS query .*: Host or domain name not found. Name service error .*
+warning: ciphertext read/write timeout for \[[\da-fA-F.:]+\]
{% if journalwatch is defined and journalwatch.postfix_slow | default(False) %}
warning: psc_cache_update: btree:/var/lib/postfix/[a-z_]+ (update|lookup) average delay is \d\d\d ms
{% endif %}
--
2.30.2
From df4112b71d363f6a4d5834966d08f939ce0aa70f Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Mon, 2 Jan 2023 22:53:18 +0100
Subject: [PATCH 13/16] fix pattern
---
roles/journalwatch/templates/patterns | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
index 2dc428d..f81f6f7 100644
--- a/roles/journalwatch/templates/patterns
+++ b/roles/journalwatch/templates/patterns
@@ -68,7 +68,7 @@ warning: non-SMTP command from [._\w-]+\[[\da-fA-F.:]+\]: .*
warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+:
warning: dnsblog reply timeout \d+s for .*
warning: dnsblog_query: lookup error for DNS query .*: Host or domain name not found. Name service error .*
-warning: ciphertext read/write timeout for \[[\da-fA-F.:]+\]
+warning: ciphertext read/write timeout for \[[\da-fA-F.:]+\]:\d+
{% if journalwatch is defined and journalwatch.postfix_slow | default(False) %}
warning: psc_cache_update: btree:/var/lib/postfix/[a-z_]+ (update|lookup) average delay is \d\d\d ms
{% endif %}
--
2.30.2
From c25c1262b872581c73ee985a11cf3a1b877761d4 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Tue, 3 Jan 2023 12:55:40 +0100
Subject: [PATCH 14/16] comment regarding opendkim config, and fix ansible error
---
roles/email/tasks/opendkim.yml | 1 -
roles/email/templates/opendkim.conf | 5 +++++
roles/email/templates/opendkim.env | 3 +++
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/roles/email/tasks/opendkim.yml b/roles/email/tasks/opendkim.yml
index 8da35b3..5b76b02 100644
--- a/roles/email/tasks/opendkim.yml
+++ b/roles/email/tasks/opendkim.yml
@@ -20,7 +20,6 @@
become_user: opendkim
args:
creates: /etc/opendkim/{{ item }}/mail.private
- warn: False
loop: "{{ postfix.opendkim.private_keys }}"
- name: generate opendkim tables
template:
diff --git a/roles/email/templates/opendkim.conf b/roles/email/templates/opendkim.conf
index 6fccfc2..b603f87 100644
--- a/roles/email/templates/opendkim.conf
+++ b/roles/email/templates/opendkim.conf
@@ -36,3 +36,8 @@ OversignHeaders From
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
+
+
+# Path must match postfix main.cf
+Socket local:/var/spool/postfix/opendkim/sock
+PidFile /var/spool/postfix/opendkim/opendkim.pid
diff --git a/roles/email/templates/opendkim.env b/roles/email/templates/opendkim.env
index 02fadef..f56a2b9 100644
--- a/roles/email/templates/opendkim.env
+++ b/roles/email/templates/opendkim.env
@@ -1,5 +1,8 @@
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+# RJ: This might seem redundant with the opendkim.conf settings,
+# but the script in /lib/opendkim/opendkim.service.generate also helps by
+# generating tmpfiles.d/opendkim.conf so replacing it seems like a hassle.
#DAEMON_OPTS=""
RUNDIR=/var/spool/postfix/opendkim
--
2.30.2
From f95ae12f32d451750876153716f75f553c86d603 Mon Sep 17 00:00:00 2001
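Review bot: `# Path must match postfix main.cf` understates the coupling: if smtpd runs chrooted (the Debian default), main.cf has to name the socket relative to the Postfix queue directory, i.e. `smtpd_milters = unix:/opendkim/sock`, not the absolute path written here, while the `local:` path in this file is what the unchrooted opendkim daemon itself uses. Suggest rewording the comment to spell that out, e.g. `# Postfix (chrooted) reaches this as unix:/opendkim/sock in main.cf`, so the two files are not "matched" by copying the same string. Whether the postfix user can actually open the socket depends on OpenDKIM's UMask and group settings, which are outside this hunk and cannot be checked from here.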
From: Ralf Jung
Date: Tue, 3 Jan 2023 13:11:45 +0100
Subject: [PATCH 15/16] dovecot: small adjustments for debian update
---
roles/email/templates/dovecot/conf.d/10-auth.conf | 1 -
1 file changed, 1 deletion(-)
diff --git a/roles/email/templates/dovecot/conf.d/10-auth.conf b/roles/email/templates/dovecot/conf.d/10-auth.conf
index 7c814e0..a6634cf 100644
--- a/roles/email/templates/dovecot/conf.d/10-auth.conf
+++ b/roles/email/templates/dovecot/conf.d/10-auth.conf
@@ -124,5 +124,4 @@ auth_mechanisms = plain login
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
-#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
--
2.30.2
From 2f2bd6804c18cdddc86cb3883ff8482c7cc7612f Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Tue, 3 Jan 2023 13:11:55 +0100
Subject: [PATCH 16/16] unbound: small adjustments for debian update
---
roles/unbound/tasks/main.yml | 7 +++++--
roles/unbound/templates/fix-dns | 4 ++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index d8d03e3..f3aacac 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -32,8 +32,11 @@
src: files/dhclient.conf
- name: configure system DNS
copy:
- dest: /etc/resolv.conf
- content: "nameserver 127.0.0.2\n"
+ dest: "{{ item }}"
+ content: "nameserver 127.0.0.2\noptions trust-ad\noptions edns0\n"
+ loop:
+ - /etc/resolv.conf.unbound
+ - /etc/resolv.conf
# some providers need extra hacks to make our DNS persistent
- name: install DNS-fix cronjob
template:
diff --git a/roles/unbound/templates/fix-dns b/roles/unbound/templates/fix-dns
index ca7f860..f7b4bf2 100644
--- a/roles/unbound/templates/fix-dns
+++ b/roles/unbound/templates/fix-dns
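Review bot: `options trust-ad` makes the stub resolver pass the AD bit through to applications, which is only safe when the nameserver in the same file is a trusted validating resolver on the local host; that holds here because 127.0.0.2 is the unbound instance this role installs, but the task does not record the dependency, and the same `content:` copied into a role pointing at a remote nameserver would assert DNSSEC validation that never happened. A comment on the task, e.g. `# trust-ad is only safe because 127.0.0.2 is our own validating unbound`, would capture that. The fix-dns script below also relies on `/etc/resolv.conf.unbound` being the first file this loop writes, so the task name or a comment should mention that it is the reference copy.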
@@ -2,9 +2,9 @@
set -e
# Fix for some providers messing with DNS settings
-if ! diff /etc/resolv.conf <(echo "nameserver 127.0.0.2") > /dev/null; then
+if ! diff /etc/resolv.conf /etc/resolv.conf.unbound > /dev/null; then
echo "Someone messed up our DNS! Fixing it..."
- echo "nameserver 127.0.0.2" > /etc/resolv.conf
+ cp /etc/resolv.conf.unbound /etc/resolv.conf
{% if 'email' in group_names %}
# Just to make sure postfix uses the new settings
systemctl restart postfix
--
2.30.2
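Review bot: The test now has a hard dependency on `/etc/resolv.conf.unbound`: if that file is missing, `diff` exits 2, the negated condition is true, and the following `cp` fails under `set -e`, so the job aborts without restoring DNS and with only the cron error mail as a hint. Checking the reference file first, `[ -r /etc/resolv.conf.unbound ] || { echo "reference resolv.conf missing"; exit 1; }`, makes that failure explicit rather than incidental. `cmp -s /etc/resolv.conf /etc/resolv.conf.unbound` is also the more conventional form of the comparison than `diff ... > /dev/null`. The rest of the script continues outside the hunk.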