author | Guilhem Moulin <guilhem@fripost.org> | 2016-09-20 16:55:58 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-09-20 16:55:58 +0200 |
commit | 43f39850ffd9e658b4d783106ea32d9f5430e633 (patch) | |
tree | 5fdac9bbd29db220a406213f622469d82b366959 | |
parent | c40a1be176ca1e2ea3e211249a0ea6601a00b5db (diff) |
Postscreen: Give temporary whitelist status to primary MX addresses only.
-rw-r--r-- | group_vars/all.yml | 2 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 11 |
2 files changed, 10 insertions, 3 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml index 77abc85..089c75f 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -12,31 +12,31 @@ ipsec: elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6 postfix_instance: # The keys are the group names associated with a Postfix role, and the # values are the name and group (optional) of the instance dedicated # to that role. # For internal services, we also specify its (non-routable) IP address # and port. # XXX it's unfortunate that we can only specify a single address, and # therefore have to limit the number of outgoing SMTP proxy and # IMAP server to one. Since hosts(5) files cannot map and IP # address to multiple hostnames, a workaround would be to use # round-robin DNS, but we can't rely on DNS as long as our zone is # unsigned. IMAP: { name: mda , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2526 } - MX: { name: mx, group: mta } + MX: { name: mx, group: mta, backup: mx3.fripost.org } out: { name: out, group: mta , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2525 } MSA: { name: msa , port: 587 } lists: { name: lists , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2527 } imapsvr_addr: "{{ postfix_instance.IMAP.addr | ipaddr }}" diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 718be00..86c20cd 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 
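Review bot: The new `backup` key in the MX entry is not described by the comment block right above it, which documents only `name`, `group`, `addr` and `port`; add a line such as `# For MX, 'backup' is the hostname of the secondary MX; the MX template resolves it at deploy time to exclude its addresses from postscreen's temporary whitelist.` That same comment block says the zone is unsigned and DNS cannot be relied on, so a reader will ask why a hostname is stored here rather than the addresses themselves — the comment should state that trade-off, or the entry should carry the addresses directly as the removed static values in main.cf.j2 did.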
@@ -98,42 +98,49 @@ unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unknown_local_recipient_reject_code = 554 unknown_relay_recipient_reject_code = 554 unknown_virtual_alias_reject_code = 554 unknown_virtual_mailbox_reject_code = 554 postscreen_blacklist_action = drop postscreen_dnsbl_threshold = 3 postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = zen.spamhaus.org*3 swl.spamhaus.org*-4 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 -postscreen_greet_action = enforce -postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all +postscreen_greet_action = enforce +postscreen_whitelist_interfaces = +{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %} + !{{ ip }} +{%- endfor %} +{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %} + ![{{ ip }}] +{%- endfor %} + static:all smtpd_client_restrictions = permit_mynetworks smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination reject_unlisted_recipient smtpd_data_restrictions = |
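Review bot: The new `postscreen_whitelist_interfaces` value depends on a deploy-time `dig +short` run on the Ansible controller, and when resolution yields nothing (resolver unreachable, no network) both loops emit nothing, so the setting silently degrades to `static:all` and the backup MX addresses regain temporary-whitelist status — the exact regression the commit is meant to prevent. In the other direction, `dig +short` can emit non-address lines on stdout (a CNAME target, or a `;; connection timed out` message), which would be rendered as `!<that text>` and presumably be rejected by Postfix as a bad net/mask pattern. Narrowing each list with the ipaddr filters the repository already uses avoids that: `{%- for ip in lookup('pipe', 'dig +short '+ (postfix_instance.MX.backup | quote) +' A').splitlines() | ipv4 %}` and likewise `... AAAA').splitlines() | ipv6 %}`, with `| quote` guarding the shell interpolation. Given the inventory comment that DNS cannot be relied on while the zone is unsigned, asserting the resolved list is non-empty (or keeping the addresses as static data) would be the more robust design; the main.cf.j2 content continues past the end of this hunk.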