Commit ad67b8b4 authored by Lars Beckers's avatar Lars Beckers
Browse files

postfix: implement SRS rewriting

parent bf8cf986
Pipeline #1805 failed with stage
in 1 minute and 28 seconds
...@@ -45,6 +45,7 @@ postfix_transport_maps: [] ...@@ -45,6 +45,7 @@ postfix_transport_maps: []
postfix_verify_spf: false postfix_verify_spf: false
postfix_verify_spf_testmode: true postfix_verify_spf_testmode: true
postfix_enable_srs: false
# Note: This requires at least buster-backports or newer. # Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts: false postfix_enable_mta_sts: false
...@@ -80,6 +80,7 @@ ...@@ -80,6 +80,7 @@
- import_tasks: mta-sts.yml - import_tasks: mta-sts.yml
- import_tasks: spf.yml - import_tasks: spf.yml
- import_tasks: srs.yml
- name: install rt-mailgate if needed - name: install rt-mailgate if needed
apt: apt:
- name: ensure we got the SRS daemon installed
state: "{{ 'present' if postfix_enable_srs else 'absent' }}"
name: postsrsd
- name: ensure there is an (Debian-generated) secrets file
path: /etc/postsrsd.secret
state: file
owner: root
group: root
mode: '0600'
when: postfix_enable_srs
- name: ensure the SRS daemon is configured
src: postsrsd.j2
dest: /etc/default/postsrsd
owner: root
group: root
mode: '0644'
when: postfix_enable_srs
- restart postsrsd
- name: ensure the SRS daemon is up and running
name: postsrsd
enabled: "{{ postfix_enable_srs|string }}"
state: "{{ 'started' if postfix_enable_srs else 'stopped' }}"
...@@ -52,6 +52,12 @@ smtpd_recipient_restrictions= ...@@ -52,6 +52,12 @@ smtpd_recipient_restrictions=
reject_unauth_destination reject_unauth_destination
check_policy_service unix:private/policy-spf check_policy_service unix:private/policy-spf
{% endif %} {% endif %}
{% if postfix_enable_srs %}
sender_canonical_maps = tcp:
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:
recipient_canonical_classes= envelope_recipient,header_recipient
{% endif %}
smtpd_use_tls = yes smtpd_use_tls = yes
smtp_tls_security_level = may smtp_tls_security_level = may
# Default settings for postsrsd
# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.
SRS_DOMAIN={{ ansible_fqdn.split(".")[1:]|join(".") }}
# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
# First separator character after SRS0 or SRS1.
# Can be one of: -+=
# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
# Length of hash to be used in rewritten addresses
# Minimum length of hash to accept when validating return addresses.
# When increasing SRS_HASHLENGTH, set this to its previous value and
# wait for the duration of SRS return address validity (21 days) before
# increading this value as well.
# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.
# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.
# Bind to this address
# Jail daemon in chroot environment
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment