mail: add postsrsd to stop breaking forwards for SPF domains

This commit is contained in:
Kishi85 2019-07-23 15:53:52 +02:00
parent 43f1633a22
commit 5df4457b0e
7 changed files with 97 additions and 25 deletions

View File

@ -1,25 +1,28 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
37623461646334336463353434343836326161626164393862386461646664383165646661626266 33346463653863326630313739393238353131306365373534303661383738313662323237363835
3732623932366265396465376633613563386535663732630a393336623331306434326438383636 6531663763306562396639663162376162316163646465620a646261663530393337373465323036
61313032623264376131366162303831663066616236653439323737663938366462323039613162 61366539333364616533666331356334343436383731636564656462643962336631653732656233
3535356231333131610a613466633666323762646630663461353135303934303231363938653338 6339373936343963380a386532306663336234623563336661653830653362653661326166343765
33653466333738373461396432303765313935396439366566303338313938616632363266343738 66313334373532636430353064373237353162326539393234636165313136396162633337306266
33346538333531326636653236663062326435343164333839656663383466646364333637313565 32303835323763343131333364313863623531333338633133376233613561393761373763343964
30393561383236353833316563336435363835363661616561353734623464333365393639633935 31396134623236393639373236393833663336376132623731663463386661303532643539356565
31356339313133393634383938306536643932616131363834653461616635323330366534356530 64366366333533623763653162666164383766386635373866626638656362663330383164633533
66373636373662616239376566396164323863383134613135623263326431353463616337363561 38646233356464316639353161623839623035343862393866393762336234613035363561363831
39376431623330373036653534356339663665373766306433366164613430313032336636653331 35653666373836323464363636346264666537656363386431666530363031303935373331326232
31353165353131616634303138363064333066393566663039393165363866363262386136646661 38613831383033623537656638303262396634373531373839306238613438376637616565633666
64653332623436303666613063346534323037646462373663613436666362366266303463373931 65666430663639666230656135316430626534313939363338643064613338336363653939303166
38306664643338623566626339666433636638383032353161383431623963336263363431363333 37333364363633316638353739643634623762633966666134646439376237323861313361393030
35353166353630323534336162333432326639623961323364396666393431393435643937303434 62303666623935663530626632393830656437666530613030363131376264326334323137386161
36343534626230396130303735343061343661666161663434383862613637636138346630386238 31636636313033326131313962396534336238303962656631653961396130303132306433363165
34656666383363333139333539363535633637333764343866643061346434313265343466656238 65613232646365306262383263376165323462653636656535383039353133333765393036633530
32626665343065376635633266333835386661343333616535376162623734623863323633623939 65376239633437643563636136333238306133313732373139633532663232336331326439396234
31383830306163373565326531623838656266316663393863633738383961646466396631343933 36383362313739663631393266313363356434323461626137643039383661353532336237303966
36316437316463326633326338366365663564646663306431303530313939336630653539363833 65393237613463626561643739363737313131393639383661303931343435383165663835633937
37373232306338636634383062616231306261383939316132366533663334353038333539663330 63623066326536316134366461643737316263353235353961663364643634666661376564363531
30303764383138616633313662393661316332646135666566633939623233373737303964363636 38323863613465613733653331623139663138616639626339373436666630306436386139663431
36306230656362383763666562396666313933643339656665656266653861386435313231623331 38353036336435313238643664376633326665306433346265366636663635363031383939656539
61373433313237303764643362363336623635316364653139383261616366376430643330656131 38393962356363646134346431663930346139326361613431613765363463353661313034616131
66616661613866613064 64643831353639313030363763626133343736643433663732393730663466323535333939346233
35396664336661613961393533346264623633643430633766346364366361356633336461366361
63663735323630656238643962373036306466646330666334336664613834306362633562386334
653164613435363436666361376364623461

View File

@ -0,0 +1,3 @@
---
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_srs_domain: "srs.{{ mail_domain }}"

View File

@ -8,6 +8,9 @@
- name: Restart postfix - name: Restart postfix
service: name=postfix state=restarted service: name=postfix state=restarted
- name: Restart postsrsd
service: name=postsrsd state=restarted
- name: Restart redis - name: Restart redis
service: name=redis state=restarted service: name=redis state=restarted

View File

@ -22,6 +22,7 @@
- redis-server - redis-server
- redis-tools - redis-tools
- rspamd - rspamd
- postsrsd
- name: Create vmail group - name: Create vmail group
group: name=vmail gid=500 state=present group: name=vmail gid=500 state=present
@ -131,6 +132,13 @@
- postfix/master.cf - postfix/master.cf
notify: Restart postfix notify: Restart postfix
- name: Configure postsrsd
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/postsrsd
- postsrsd.secret
notify: Restart postsrsd
- name: Configure postfix maps - name: Configure postfix maps
template: src={{ item }}.j2 dest=/etc/{{ item }} template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items: with_items:
@ -167,6 +175,9 @@
- name: Start postfix - name: Start postfix
service: name=postfix state=started enabled=yes service: name=postfix state=started enabled=yes
- name: Start postsrsd
service: name=postfix state=started enabled=yes
- name: Start redis - name: Start redis
service: name=rspamd state=started enabled=yes service: name=rspamd state=started enabled=yes

View File

@ -0,0 +1,45 @@
# Default settings for postsrsd
# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.
#
SRS_DOMAIN={{ mail_srs_domain }}
# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
#
SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
{%- for domain in mail_domains %}
.{{ domain }} {{ domain }}
{%- endfor %}
# First separator character after SRS0 or SRS1.
# Can be one of: -+=
SRS_SEPARATOR==
# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
#
SRS_SECRET=/etc/postsrsd.secret
# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.
#
SRS_FORWARD_PORT=10001
SRS_REVERSE_PORT=10002
# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.
#
RUN_AS=postsrsd
# Jail daemon in chroot environment
CHROOT=/var/lib/postsrsd

View File

@ -26,7 +26,7 @@ postscreen_greet_action = enforce
mydomain = {{ mail_domain }} mydomain = {{ mail_domain }}
myhostname = {{ ansible_fqdn }} myhostname = {{ ansible_fqdn }}
myorigin = $myhostname myorigin = $myhostname
mydestination = localhost.$mydomain, localhost mydestination = localhost.$mydomain, localhost, {{ mail_srs_domain }}
mynetworks = mynetworks =
127.0.0.0/8 127.0.0.0/8
[::ffff:127.0.0.0]/104 [::ffff:127.0.0.0]/104
@ -119,3 +119,9 @@ relay_domains = {{ mailman_domain }}
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
transport_maps = hash:/etc/postfix/transport transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1 mailman_destination_recipient_limit = 1
# postsrsd
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient

View File

@ -0,0 +1 @@
{{ mail_postsrsd_secret }}