From 5df4457b0e4e6786bd59060f8eda7b5bca577375 Mon Sep 17 00:00:00 2001
From: Kishi85
Date: Tue, 23 Jul 2019 15:53:52 +0200
Subject: [PATCH] mail: add postsrsd to stop breaking forwards for SPF domains

---
 group_vars/all/vault.yml | 51 +++++++++++++-----------
 roles/mail/defaults/main.yml | 3 ++
 roles/mail/handlers/main.yml | 3 ++
 roles/mail/tasks/main.yml | 11 +++++
 roles/mail/templates/default/postsrsd.j2 | 45 +++++++++++++++++++++
 roles/mail/templates/postfix/main.cf.j2 | 8 +++-
 roles/mail/templates/postsrsd.secret.j2 | 1 +
 7 files changed, 97 insertions(+), 25 deletions(-)
 create mode 100644 roles/mail/defaults/main.yml
 create mode 100644 roles/mail/templates/default/postsrsd.j2
 create mode 100644 roles/mail/templates/postsrsd.secret.j2

diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index c4bdb34..ab93468 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,25 +1,28 @@
 $ANSIBLE_VAULT;1.1;AES256
-37623461646334336463353434343836326161626164393862386461646664383165646661626266
-3732623932366265396465376633613563386535663732630a393336623331306434326438383636
-61313032623264376131366162303831663066616236653439323737663938366462323039613162
-3535356231333131610a613466633666323762646630663461353135303934303231363938653338
-33653466333738373461396432303765313935396439366566303338313938616632363266343738
-33346538333531326636653236663062326435343164333839656663383466646364333637313565
-30393561383236353833316563336435363835363661616561353734623464333365393639633935
-31356339313133393634383938306536643932616131363834653461616635323330366534356530
-66373636373662616239376566396164323863383134613135623263326431353463616337363561
-39376431623330373036653534356339663665373766306433366164613430313032336636653331
-31353165353131616634303138363064333066393566663039393165363866363262386136646661
-64653332623436303666613063346534323037646462373663613436666362366266303463373931
-38306664643338623566626339666433636638383032353161383431623963336263363431363333
-35353166353630323534336162333432326639623961323364396666393431393435643937303434
-36343534626230396130303735343061343661666161663434383862613637636138346630386238
-34656666383363333139333539363535633637333764343866643061346434313265343466656238
-32626665343065376635633266333835386661343333616535376162623734623863323633623939
-31383830306163373565326531623838656266316663393863633738383961646466396631343933
-36316437316463326633326338366365663564646663306431303530313939336630653539363833
-37373232306338636634383062616231306261383939316132366533663334353038333539663330
-30303764383138616633313662393661316332646135666566633939623233373737303964363636
-36306230656362383763666562396666313933643339656665656266653861386435313231623331
-61373433313237303764643362363336623635316364653139383261616366376430643330656131
-66616661613866613064
+33346463653863326630313739393238353131306365373534303661383738313662323237363835
+6531663763306562396639663162376162316163646465620a646261663530393337373465323036
+61366539333364616533666331356334343436383731636564656462643962336631653732656233
+6339373936343963380a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
diff --git a/roles/mail/defaults/main.yml b/roles/mail/defaults/main.yml
new file mode 100644
index 0000000..f063434
--- /dev/null
+++ b/roles/mail/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
+mail_srs_domain: "srs.{{ mail_domain }}"
diff --git a/roles/mail/handlers/main.yml b/roles/mail/handlers/main.yml
index ab3d510..939d219 100644
--- a/roles/mail/handlers/main.yml
+++ b/roles/mail/handlers/main.yml
@@ -8,6 +8,9 @@
 - name: Restart postfix
 service: name=postfix state=restarted
+- name: Restart postsrsd
+ service: name=postsrsd state=restarted
+
 - name: Restart redis
 service: name=redis state=restarted
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 6105189..1798733 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -22,6 +22,7 @@
 - redis-server
 - redis-tools
 - rspamd
+ - postsrsd
 - name: Create vmail group
 group: name=vmail gid=500 state=present
@@ -131,6 +132,13 @@
 - postfix/master.cf
 notify: Restart postfix
+- name: Configure postsrsd
+ template: src={{ item }}.j2 dest=/etc/{{ item }}
+ with_items:
+ - default/postsrsd
+ - postsrsd.secret
+ notify: Restart postsrsd
+
 - name: Configure postfix maps
 template: src={{ item }}.j2 dest=/etc/{{ item }}
 with_items:
@@ -167,6 +175,9 @@
 - name: Start postfix
 service: name=postfix state=started enabled=yes
+- name: Start postsrsd
+ service: name=postfix state=started enabled=yes
+
 - name: Start redis
 service: name=rspamd state=started enabled=yes
diff --git a/roles/mail/templates/default/postsrsd.j2 b/roles/mail/templates/default/postsrsd.j2
new file mode 100644
index 0000000..af41681
--- /dev/null
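Review bot: The `Configure postsrsd` task writes /etc/postsrsd.secret through the same `template: src={{ item }}.j2 dest=/etc/{{ item }}` call as the defaults file, with no `owner`, `group` or `mode`, so the SRS signing secret gets whatever permissions the template module applies by default (umask-derived, typically 0644, i.e. readable by every local account). That secret is what makes SRS0/SRS1 return addresses verifiable, so it deserves the same care as the vault value it is rendered from. I would give it its own task, `- name: Install postsrsd secret` / `template: src=postsrsd.secret.j2 dest=/etc/postsrsd.secret owner=root group=root mode=0600` / `notify: Restart postsrsd`, and drop `postsrsd.secret` from this loop. Whether root:0600 is sufficient depends on whether postsrsd reads the file before it drops to `RUN_AS=postsrsd`, which this diff does not show; check on the target and use `owner=postsrsd mode=0400` if it reads it afterwards.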
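Review bot: The new `Start postsrsd` task targets the wrong unit: `service: name=postfix state=started enabled=yes` is copied from the task above, so postsrsd is neither started nor enabled at boot by this task; it should read `service: name=postsrsd state=started enabled=yes`. On the first run the `Restart postsrsd` handler will probably bring the daemon up once the templates change, but after a reboot nothing ensures it is running while postfix's new `sender_canonical_maps = tcp:localhost:10001` lookup depends on it; as far as I know postfix treats an unreachable tcp: table as a temporary lookup failure and defers the message, so forwards would stall rather than go out unrewritten. The neighbouring `Start redis` task starting `rspamd` has the same shape but is pre-existing context, not part of this change.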
+++ b/roles/mail/templates/default/postsrsd.j2
@@ -0,0 +1,45 @@
+# Default settings for postsrsd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={{ mail_srs_domain }}
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
+{%- for domain in mail_domains %}
+ .{{ domain }} {{ domain }}
+{%- endfor %}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Jail daemon in chroot environment
+CHROOT=/var/lib/postsrsd
+
diff --git a/roles/mail/templates/postfix/main.cf.j2 b/roles/mail/templates/postfix/main.cf.j2
index 5898f48..ca692c4 100644
--- a/roles/mail/templates/postfix/main.cf.j2
+++ b/roles/mail/templates/postfix/main.cf.j2
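Review bot: `SRS_EXCLUDE_DOMAINS` is rendered as an unquoted, space-separated value in a file that /etc/default conventions treat as shell syntax; once Jinja's block trimming folds the loop, the result is of the form `SRS_EXCLUDE_DOMAINS=.example.test example.test .second.test second.test` (constructed example), and a shell that sources the file reads that as the assignment `SRS_EXCLUDE_DOMAINS=.example.test` followed by a command named `example.test`, so only the first entry survives and the script errors. The file's own comment allows commas, which need no quoting: `SRS_EXCLUDE_DOMAINS=.{{ mail_domain }},{{ mail_domain }}{% for domain in mail_domains %},.{{ domain }},{{ domain }}{% endfor %}`. Whether the installed init script sources the file or hands it to systemd as an EnvironmentFile is not visible here, so confirm on the target, but the comma form is safe under either reading.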
@@ -26,7 +26,7 @@ postscreen_greet_action = enforce
 mydomain = {{ mail_domain }}
 myhostname = {{ ansible_fqdn }}
 myorigin = $myhostname
-mydestination = localhost.$mydomain, localhost
+mydestination = localhost.$mydomain, localhost, {{ mail_srs_domain }}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104
@@ -119,3 +119,9 @@ relay_domains = {{ mailman_domain }}
 relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
 transport_maps = hash:/etc/postfix/transport
 mailman_destination_recipient_limit = 1
+
+# postsrsd
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:localhost:10002
+recipient_canonical_classes = envelope_recipient
diff --git a/roles/mail/templates/postsrsd.secret.j2 b/roles/mail/templates/postsrsd.secret.j2
new file mode 100644
index 0000000..b67dc7b
--- /dev/null
+++ b/roles/mail/templates/postsrsd.secret.j2
@@ -0,0 +1 @@
+{{ mail_postsrsd_secret }}
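Review bot: The map ports `tcp:localhost:10001` and `tcp:localhost:10002` are literals here and again as `SRS_FORWARD_PORT`/`SRS_REVERSE_PORT` in templates/default/postsrsd.j2; the postsrsd comment in that file warns that changing one side requires changing the other, which the role should encode rather than rely on a reader remembering. I would add `mail_postsrsd_forward_port: 10001` and `mail_postsrsd_reverse_port: 10002` to roles/mail/defaults/main.yml and reference them from both templates, e.g. `sender_canonical_maps = tcp:localhost:{{ mail_postsrsd_forward_port }}`. The `# postsrsd` comment could also say what the four settings do together, e.g. `# postsrsd: SRS-rewrite the envelope sender on outgoing forwards (forward port), reverse it on incoming bounces (reverse port)`, since the block otherwise reads as unrelated knobs.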
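Review bot: The template replaces /etc/postsrsd.secret wholesale with a single vaulted value, so the first run discards the secret the package generated and any later rotation of `vault_mail_postsrsd_secret` invalidates every SRS address still in circulation — bounces for mail forwarded before the change can no longer be reversed. If I recall postsrsd's secret-file format correctly, additional lines are accepted as older keys that are still validated while only the first line signs, so the template could render `{{ mail_postsrsd_secret }}` followed by one line per entry of an optional `mail_postsrsd_old_secrets` list (defaulting to empty), making rotation a prepend-then-remove procedure instead of a hard cut; confirm that format against the installed version before relying on it. Keeping a trailing newline on the rendered file is also cheap insurance for a daemon that reads it line by line.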