bundles/rspamd: do not try to resolve faults in items.py

dns: add comment about why kunbox.net does not use DMARC
bundles/rspamd: add alias for dmarc reports
2021-09-06 09:28:30 +02:00 · 2021-09-06 09:24:40 +02:00 · 2021-09-06 09:14:18 +02:00 · 2021-09-06 09:13:11 +02:00 · 2021-09-06 09:12:15 +02:00 · 2021-09-06 09:11:36 +02:00
8 changed files with 69 additions and 5 deletions
--- a/bundles/rspamd/files/local.d/dmarc.conf
+++ b/bundles/rspamd/files/local.d/dmarc.conf
@ -0,0 +1,10 @@
+reporting {
+    # Required attributes
+    enabled = true; # Enable reports in general
+    email = 'dmarc@${node.metadata.get('hostname')}'; # Source of DMARC reports
+    domain = '${node.metadata.get('hostname')}'; # Domain to serve
+    org_name = 'kunbox.net'; # Organisation
+    smtp = '127.0.0.1'; # SMTP server IP
+    smtp_port = 25; # SMTP server port
+    from_name = 'rspamd @ ${node.metadata.get('hostname')}'; # SMTP FROM
+}
--- a/bundles/rspamd/files/local.d/options.inc
+++ b/bundles/rspamd/files/local.d/options.inc
@ -0,0 +1,7 @@
+dmarc {
+    reporting = true;
+    actions = {
+        quarantine = "add_header";
+        reject = "reject";
+    }
+}
--- a/bundles/rspamd/files/rspamd-dmarc-report.service
+++ b/bundles/rspamd/files/rspamd-dmarc-report.service
@ -0,0 +1,9 @@
+[Unit]
+Description=Send rspamd dmarc reports
+After=network.target
+Requires=rspamd.service
+
+[Service]
+User=_rspamd
+Group=_rspamd
+ExecStart=/usr/bin/rspamadm dmarc_report
--- a/bundles/rspamd/files/rspamd-dmarc-report.timer
+++ b/bundles/rspamd/files/rspamd-dmarc-report.timer
@ -0,0 +1,9 @@
+[Unit]
+Description=Trigger sending dmarc reports
+
+[Timer]
+OnCalendar=*-*-* ${hour}:${minute}:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/bundles/rspamd/items.py
+++ b/bundles/rspamd/items.py
@ -49,6 +49,12 @@ svc_systemd = {
            'pkg_apt:clamav-freshclam',
        },
    },
+    'rspamd-dmarc-report.timer': {
+        'needs': {
+            'file:/etc/systemd/system/rspamd-dmarc-report.service',
+            'file:/etc/systemd/system/rspamd-dmarc-report.timer',
+        },
+    },
 }

 files = {
@ -58,6 +64,22 @@ files = {
    '/usr/local/bin/telegraf-rspamd-plugin': {
        'mode': '0755',
    },
+    '/etc/systemd/system/rspamd-dmarc-report.timer': {
+        'content_type': 'mako',
+        'context': {
+            'hour': node.magic_number%24,
+            'minute': node.magic_number%60,
+        },
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:rspamd-dmarc-report.timer:restart',
+        },
+    },
+    '/etc/systemd/system/rspamd-dmarc-report.service': {
+        'triggers': {
+            'action:systemd-reload',
+        },
+    },
 }


@ -95,7 +117,7 @@ if 'dkim' in node.metadata.get('rspamd', {}):
        },
    }

-if node.metadata.get('rspamd/password', None):
+if 'password' in node.metadata.get('rspamd', {}):
    files['/etc/rspamd/local.d/worker-controller.inc'] = {
        'content_type': 'mako',
        'triggers': {
@ -107,6 +129,7 @@ local_config_path = join(repo.path, 'bundles', 'rspamd', 'files', 'local.d')
 for f in listdir(local_config_path):
    files[f'/etc/rspamd/local.d/{f}'] = {
        'source': f'local.d/{f}',
+        'content_type': 'mako',
        'triggers': {
            'svc_systemd:rspamd:restart',
        },
--- a/bundles/rspamd/metadata.py
+++ b/bundles/rspamd/metadata.py
@ -52,6 +52,9 @@ defaults = {
            'clamav': {
                'root',
            },
+            'dmarc': {
+                'root',
+            },
        },
    },
    'rspamd': {
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@ -29,7 +29,10 @@ ns-3                IN  A       35.228.143.71
 ${record}
 % endfor

-;_dmarc              IN  TXT     "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
+; Please note there's no _dmarc record in here. We use this domain to
+; send out dmarc reports to other domains, so there shouldn't be a
+; record here to avoid creating loops.
+; We're still publishing DKIM keys and have enabled TLSRPT, though.
 _mta-sts            IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls          IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl       IN  TXT     "6akc10htbgmg56e072w0w2n0wql4oezu"
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@ -131,8 +131,8 @@ nodes['rx300'] = {
            },
        },
        'gitea': {
-            'version': '1.15.0',
-            'sha256': '4789c7b9f0610102129ced87a4977386e493a67383eebad80cfce66b42a6f2cc',
+            'version': '1.15.2',
+            'sha256': '9a7fae605dc182e0c7b1d380647518aaa8736ad5a42f7e9299099317f1e614c9',
            'domain': 'git.franzi.business',
            'email_domain_blocklist': {
                'gmail.com',
@ -485,7 +485,7 @@ nodes['rx300'] = {
            },
        },
        'travelynx': {
-            'version': '1.21.0',
+            'version': '1.21.1',
            'mail_from': 'travelynx@franzi.business',
            'domain': 'travelynx.franzi.business',
        },
Author	SHA1	Message	Date
Franzi	78fda4f9e9	bundles/rspamd: do not try to resolve faults in items.py kunsi/bundlewrap/pipeline/head This commit looks good Details	2021-09-06 09:28:30 +02:00
Franzi	e743de5404	dns: add comment about why kunbox.net does not use DMARC	2021-09-06 09:24:40 +02:00
Franzi	3039a0900e	bundles/rspamd: add alias for dmarc reports	2021-09-06 09:14:18 +02:00
Franzi	e78c4ed056	update gitea to 1.15.2	2021-09-06 09:13:11 +02:00
Franzi	97ae55427d	update travelynx to 1.21.1	2021-09-06 09:12:15 +02:00
Franzi	4ca0926546	bundles/rspamd: send dmarc reports	2021-09-06 09:11:36 +02:00