Outgoing SMTP proxy.

14 files changed, 146 insertions, 29 deletions

diff --git a/all.yml b/all.yml
index 6a62511..4f820bd 100644
--- a/all.yml
+++ b/all.yml
@@ -6,5 +6,6 @@
 - include: IMAP.yml
 - include: MX.yml
 - include: MSA.yml
+- include: out.yml
 - include: webmail.yml
 - include: lists.yml
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 351aa09..ef9fc82 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,9 +3,9 @@ postfix_instance:
   # The keys are the group names associated with a Postfix role, and the
   # values are the name and group (optional) of the instance dedicated
   # to that role.
-  IMAP:    { name: mda,                port: 2526 }
-  MX:      { name: mx,     group: mta             }
-  MTA-out: { name: mta-out,group: mta, port: 2525 }
-  MSA:     { name: msa                            }
-  webmail: { name: webmail                        }
-  lists:   { name: lists,              port: 2527 }
+  IMAP:    { name: mda,             port: 2526 }
+  MX:      { name: mx,  group: mta             }
+  out:     { name: out, group: mta, port: 2525 }
+  MSA:     { name: msa                         }
+  webmail: { name: webmail                     }
+  lists:   { name: lists,           port: 2527 }
diff --git a/out.yml b/out.yml
new file mode 100644
index 0000000..5b1206c
--- /dev/null
+++ b/out.yml
@@ -0,0 +1,8 @@
+---
+- name: Configure the outgoing SMTP proxy
+  hosts: out
+  roles:
+    - { role: out, inst: out }
+  tags:
+    - mail
+    - postfix
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
index 503907e..b3ae7a9 100644
--- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -110,10 +110,10 @@ $inet_socket_port = 10041;
 
 $interface_policy{'10041'} = 'INBOUND';
 
-{% if 'MTA-out' in group_names %}
-$notify_method  = 'smtp:[127.0.0.1]:{{ postfix_instance["MTA-out"].port }}';
+{% if 'out' in group_names %}
+$notify_method  = 'smtp:[127.0.0.1]:{{ postfix_instance.out.port }}';
 {% else %}
-$notify_method  = 'smtp:[outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}';
+$notify_method  = 'smtp:[outgoing.fripost.org]:{{ postfix_instance.out.port }}';
 {% endif %}
 $forward_method = 'lmtp:/var/run/dovecot/lmtp';
 $requeue_method = $forward_method;
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index e363d70..e3014aa 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -41,10 +41,10 @@ message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
@@ -61,7 +61,7 @@ header_checks  = pcre:$config_directory/anonymize_sender.pcre
 
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address       = 127.0.0.1
 {% else %}
 smtp_bind_address       = 172.16.0.1
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 4dbbbcb..34e38a0 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -42,10 +42,10 @@ message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
@@ -79,7 +79,7 @@ smtp_data_done_timeout           = 1200s
 
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address       = 127.0.0.1
 {% else %}
 smtp_bind_address       = 172.16.0.1
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 4fdbff3..e845371 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -39,6 +39,7 @@ lmtp      unix  -       -       -       -       -       lmtp
 anvil     unix  -       -       -       -       1       anvil
 scache    unix  -       -       -       -       1       scache
 127.0.0.1:16132 inet n  -       -       -       -       smtpd
+2525      inet  n       -       -       -       -       smtpd
 2526      inet  n       -       -       -       -       smtpd
 2527      inet  n       -       -       -       -       smtpd
   -o mynetworks=0.0.0.0/0
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 4e21dfc..923aa35 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -19,6 +19,9 @@ in      tcp     {{ ansible_ssh_port|default('22') }}    # SSH
 {% if 'MX' in group_names %}
 in      tcp     25                                      # SMTP
 {% endif %}
+{% if 'out' in group_names %}
+#out     tcp     25                                     # SMTP
+{% endif %}
 {% if 'IMAP' in group_names %}
 in      tcp     993                                     # IMAPS
 in      tcp     4190                                    # ManageSieve
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index e594c1e..70d4b98 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -31,16 +31,16 @@ virtual_alias_maps    = cdb:/etc/aliases
 alias_database        = $virtual_alias_maps
 
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
 # Tunnel everything through IPSec
 smtp_tls_security_level  = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address        = 127.0.0.1
 {% else %}
 smtp_bind_address        = 172.16.0.1
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 45e66aa..083fa2b 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -47,10 +47,10 @@ message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
@@ -68,7 +68,7 @@ smtpd_timeout                = 1200s
 
 # Tunnel everything through IPSec
 smtp_tls_security_level  = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address        = 127.0.0.1
 {% else %}
 smtp_bind_address        = 172.16.0.1
diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
new file mode 100644
index 0000000..21c736a
--- /dev/null
+++ b/roles/out/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart Postgrey
+  service: name=postgrey state=restarted
+
+- name: Restart Postfix
+  service: name=postfix state=restarted
+
+- name: Reload Postfix
+  service: name=postfix state=reloaded
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
new file mode 100644
index 0000000..4bf4363
--- /dev/null
+++ b/roles/out/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Install Postfix
+  apt: pkg=postfix
+
+- name: Configure Postfix
+  template: src=etc/postfix/main.cf.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+            owner=root group=root
+            mode=0644
+  register: r
+  notify:
+    - Restart Postfix
+
+- name: Start Postfix
+  service: name=postfix state=started
+  when: not r.changed
+
+- meta: flush_handlers
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..1a7985f
--- /dev/null
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,78 @@
+########################################################################
+# Outgoing MTA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
+biff             = no
+readme_directory = no
+mail_owner       = postfix
+
+delay_warning_time     = 1d
+maximal_queue_lifetime = 5d
+
+myorigin            = /etc/mailname
+myhostname          = outgoing{{ outgoingno | default('') }}.$mydomain
+mydomain            = fripost.org
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the
+# outgoing SMTP proxy.
+master_service_disable = !2525.inet inet
+
+queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# Accept everything coming through IPSec.
+# TODO: this should our virtual private subnetwork
+mynetworks      = 0.0.0.0/0
+inet_interfaces = 172.16.0.1, 127.0.0.1
+
+# No local delivery
+mydestination        =
+local_transport      = error:5.1.1 Mailbox unavailable
+alias_maps           =
+alias_database       =
+local_recipient_maps =
+
+message_size_limit  = 67108864
+recipient_delimiter = +
+
+relay_domains           =
+relay_transport         = error:5.3.2 Relay Transport unavailable
+
+# All header rewriting happens upstream
+local_header_rewrite_clients =
+
+
+smtp_tls_security_level         = may
+smtp_tls_note_starttls_offer    = yes
+smtp_tls_cert_file              = /etc/postfix-out/ssl/smtp.fripost.org.pem
+smtp_tls_key_file               = /etc/postfix-out/ssl/smtp.fripost.org.key
+smtp_tls_CApath                 = /etc/ssl/certs/
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_fingerprint_digest     = sha1
+tls_random_source               = dev:/dev/urandom
+
+
+smtpd_helo_required     = yes
+smtpd_helo_restrictions =
+    reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+    reject_non_fqdn_sender
+    reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+    # RFC requirements
+    reject_non_fqdn_recipient
+    reject_unknown_recipient_domain
+    permit_mynetworks
+    reject_unauth_destination
+
+smtpd_data_restrictions =
+    reject_unauth_pipelining
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 76efb59..b070881 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -41,10 +41,10 @@ message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
@@ -60,7 +60,7 @@ smtp_data_done_timeout           = 1200s
 
 # Tunnel everything through IPSec
 smtp_tls_security_level  = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address        = 127.0.0.1
 {% else %}
 smtp_bind_address        = 172.16.0.1