infra / ansible-shared / communication
Commit ad67b8b4 authored Feb 04, 2020 by Lars Beckers
postfix: implement SRS rewriting
parent bf8cf986
Pipeline #1805 failed with stage in 1 minute and 28 seconds
Changes 5, Pipelines 1
postfix/defaults/main.yml
@@ -45,6 +45,7 @@ postfix_transport_maps: []
postfix_verify_spf
:
false
postfix_verify_spf_testmode
:
true
postfix_enable_srs
:
false
# Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts
:
false
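Review bot: the new `postfix_enable_srs: false` default lands directly above the `# Note: This requires at least buster-backports or newer.` comment, which in the surrounding context documents `postfix_enable_mta_sts`, so the comment now reads as if the backports requirement applied to SRS. Move the new line below the MTA-STS block, or separate it with a blank line and a short comment of its own stating that the flag installs and wires up postsrsd, so each default keeps its own documentation.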
postfix/tasks/main.yml
@@ -80,6 +80,7 @@
-
import_tasks
:
mta-sts.yml
-
import_tasks
:
spf.yml
-
import_tasks
:
srs.yml
-
name
:
install rt-mailgate if needed
apt
:
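Review bot: check where this `import_tasks: srs.yml` sits relative to the task that templates main.cf and reloads Postfix. With `postfix_enable_srs` set, main.cf.j2 points `sender_canonical_maps` and `recipient_canonical_maps` at tcp:127.0.0.1:10001 and 10002, and Postfix treats a tcp: table it cannot reach as a temporary lookup failure and defers mail, so postsrsd must be installed and started before Postfix picks up the new configuration. The ordering relative to that task is not visible in this hunk; a short comment here saying it is guaranteed would help the next reader.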
postfix/tasks/srs.yml
0 → 100644
---
-
name
:
ensure we got the SRS daemon installed
apt
:
state
:
"
{{
'present'
if
postfix_enable_srs
else
'absent'
}}"
name
:
postsrsd
-
name
:
ensure there is an (Debian-generated) secrets file
file
:
path
:
/etc/postsrsd.secret
state
:
file
owner
:
root
group
:
root
mode
:
'
0600'
when
:
postfix_enable_srs
-
name
:
ensure the SRS daemon is configured
template
:
src
:
postsrsd.j2
dest
:
/etc/default/postsrsd
owner
:
root
group
:
root
mode
:
'
0644'
when
:
postfix_enable_srs
notify
:
-
restart postsrsd
-
name
:
ensure the SRS daemon is up and running
service
:
name
:
postsrsd
enabled
:
"
{{
postfix_enable_srs|string
}}"
state
:
"
{{
'started'
if
postfix_enable_srs
else
'stopped'
}}"
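Review bot: the last task (`service: name: postsrsd` with `state: stopped` and `enabled: false`) runs unconditionally, but with `postfix_enable_srs: false` the first task sets the package to `absent`, so on a host that never had postsrsd there is no unit to stop or disable and the service module fails with a missing-service error. Either give the service task `when: postfix_enable_srs` and let the package removal stop the daemon, or stop and disable the service before the apt task and only when the package is currently present. Also, `notify: - restart postsrsd` relies on a handler that is not part of this change; confirm the role's handlers already define it, otherwise the template task errors out the first time it reports a change.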
postfix/templates/main.cf.j2
@@ -52,6 +52,12 @@ smtpd_recipient_restrictions=
reject_unauth_destination
check_policy_service unix:private/policy-spf
{% endif %}
{% if postfix_enable_srs %}
sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes= envelope_recipient,header_recipient
{% endif %}
smtpd_use_tls = yes
smtp_tls_security_level = may
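Review bot: the ports 10001 and 10002 are hard-coded here and again as `SRS_FORWARD_PORT` and `SRS_REVERSE_PORT` in postsrsd.j2; the postsrsd template's own comment warns that changing one side requires changing the other, so factor both into one role variable used by both templates to keep them from drifting. Style: `recipient_canonical_classes= envelope_recipient,header_recipient` is missing the space before `=` that the three lines above it use. Also worth confirming that no earlier part of main.cf.j2 already sets `sender_canonical_maps` or `recipient_canonical_maps`: Postfix uses the last definition and only warns about the duplicate, so an existing map would be silently replaced rather than combined.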
postfix/templates/postsrsd.j2
0 → 100644
# Default settings for postsrsd
# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.
#
SRS_DOMAIN={{ ansible_fqdn.split(".")[1:]|join(".") }}
# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
#
#SRS_EXCLUDE_DOMAINS=.example.com,example.org
# First separator character after SRS0 or SRS1.
# Can be one of: -+=
SRS_SEPARATOR==
# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
#
SRS_SECRET=/etc/postsrsd.secret
# Length of hash to be used in rewritten addresses
SRS_HASHLENGTH=4
# Minimum length of hash to accept when validating return addresses.
# When increasing SRS_HASHLENGTH, set this to its previous value and
# wait for the duration of SRS return address validity (21 days) before
# increading this value as well.
SRS_HASHMIN=4
# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.
#
SRS_FORWARD_PORT=10001
SRS_REVERSE_PORT=10002
# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.
#
RUN_AS=postsrsd
# Bind to this address
#
SRS_LISTEN_ADDR=127.0.0.1
# Jail daemon in chroot environment
CHROOT=/var/lib/postsrsd
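Review bot: `SRS_DOMAIN={{ ansible_fqdn.split(".")[1:]|join(".") }}` strips the first label of the host's FQDN to derive the SRS domain, which only gives the mail domain when the host sits one level below it (mail.example.org becomes example.org); a host at host.sub.example.org yields sub.example.org, and a single-label FQDN yields an empty value. Since bounces to the rewritten SRS0= and SRS1= addresses must be accepted by this host for that domain, take the value from an explicit role variable rather than deriving it from the hostname. Minor: the upstream comment typo `increading` (should be `increasing`) could be fixed while the template is being imported.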