postfix: implement SRS rewriting

postfix/defaults/main.yml

@@ -45,6 +45,7 @@ postfix_transport_maps: []
 
 postfix_verify_spf: false
 postfix_verify_spf_testmode: true
+postfix_enable_srs: false
 # Note: This requires at least buster-backports or newer.
 postfix_enable_mta_sts: false
 

postfix/tasks/main.yml

@@ -80,6 +80,7 @@
 
 - import_tasks: mta-sts.yml
 - import_tasks: spf.yml
+- import_tasks: srs.yml
 
 - name: install rt-mailgate if needed
   apt:

postfix/tasks/srs.yml

+---
+
+- name: ensure we got the SRS daemon installed
+  apt:
+    state: "{{ 'present' if postfix_enable_srs else 'absent' }}"
+    name: postsrsd
+
+- name: ensure there is an (Debian-generated) secrets file
+  file:
+    path: /etc/postsrsd.secret
+    state: file
+    owner: root
+    group: root
+    mode: '0600'
+  when: postfix_enable_srs
+
+- name: ensure the SRS daemon is configured
+  template:
+    src: postsrsd.j2
+    dest: /etc/default/postsrsd
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_srs
+  notify:
+    - restart postsrsd
+
+- name: ensure the SRS daemon is up and running
+  service:
+    name: postsrsd
+    enabled: "{{ postfix_enable_srs|string }}"
+    state: "{{ 'started' if postfix_enable_srs else 'stopped' }}"

postfix/templates/main.cf.j2

@@ -52,6 +52,12 @@ smtpd_recipient_restrictions=
      reject_unauth_destination
      check_policy_service unix:private/policy-spf
 {% endif %}
+{% if postfix_enable_srs %}
+sender_canonical_maps = tcp:127.0.0.1:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:127.0.0.1:10002
+recipient_canonical_classes= envelope_recipient,header_recipient
+{% endif %}
 
 smtpd_use_tls = yes
 smtp_tls_security_level = may

postfix/templates/postsrsd.j2

+# Default settings for postsrsd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={{ ansible_fqdn.split(".")[1:]|join(".") }}
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+#SRS_EXCLUDE_DOMAINS=.example.com,example.org
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR=127.0.0.1
+
+# Jail daemon in chroot environment
+CHROOT=/var/lib/postsrsd
+