authorGuilhem Moulin <guilhem@fripost.org>2014-07-01 14:38:52 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:13 +0200
commit170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (patch)
tree6049724b1bb2d527a337c2f07e14275b9bc40818
parent909e291291414721b7f7bb4aae471a5c187b02c4 (diff)
Outgoing SMTP proxy.
-rw-r--r--all.yml1
-rw-r--r--group_vars/all.yml12
-rw-r--r--out.yml8
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/50-user.j26
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j28
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j28
-rw-r--r--roles/common/files/etc/postfix/master.cf1
-rw-r--r--roles/common/templates/etc/iptables/services.j23
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j28
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j28
-rw-r--r--roles/out/handlers/main.yml9
-rw-r--r--roles/out/tasks/main.yml17
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j278
-rw-r--r--roles/webmail/templates/etc/postfix/main.cf.j28
14 files changed, 146 insertions, 29 deletions
diff --git a/all.yml b/all.yml
index 6a62511..4f820bd 100644
--- a/all.yml
+++ b/all.yml
@@ -6,5 +6,6 @@
- include: IMAP.yml
- include: MX.yml
- include: MSA.yml
+- include: out.yml
- include: webmail.yml
- include: lists.yml
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 351aa09..ef9fc82 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,9 +3,9 @@ postfix_instance:
# The keys are the group names associated with a Postfix role, and the
# values are the name and group (optional) of the instance dedicated
# to that role.
- IMAP: { name: mda, port: 2526 }
- MX: { name: mx, group: mta }
- MTA-out: { name: mta-out,group: mta, port: 2525 }
- MSA: { name: msa }
- webmail: { name: webmail }
- lists: { name: lists, port: 2527 }
+ IMAP: { name: mda, port: 2526 }
+ MX: { name: mx, group: mta }
+ out: { name: out, group: mta, port: 2525 }
+ MSA: { name: msa }
+ webmail: { name: webmail }
+ lists: { name: lists, port: 2527 }
diff --git a/out.yml b/out.yml
new file mode 100644
index 0000000..5b1206c
--- /dev/null
+++ b/out.yml
@@ -0,0 +1,8 @@
+---
+- name: Configure the outgoing SMTP proxy
+ hosts: out
+ roles:
+ - { role: out, inst: out }
+ tags:
+ - mail
+ - postfix
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
index 503907e..b3ae7a9 100644
--- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -110,10 +110,10 @@ $inet_socket_port = 10041;
$interface_policy{'10041'} = 'INBOUND';
-{% if 'MTA-out' in group_names %}
-$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance["MTA-out"].port }}';
+{% if 'out' in group_names %}
+$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance.out.port }}';
{% else %}
-$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}';
+$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance.out.port }}';
{% endif %}
$forward_method = 'lmtp:/var/run/dovecot/lmtp';
$requeue_method = $forward_method;
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index e363d70..e3014aa 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -41,10 +41,10 @@ message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
@@ -61,7 +61,7 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre
# Tunnel everything through IPSec
smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 4dbbbcb..34e38a0 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -42,10 +42,10 @@ message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
@@ -79,7 +79,7 @@ smtp_data_done_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 4fdbff3..e845371 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -39,6 +39,7 @@ lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
127.0.0.1:16132 inet n - - - - smtpd
+2525 inet n - - - - smtpd
2526 inet n - - - - smtpd
2527 inet n - - - - smtpd
-o mynetworks=0.0.0.0/0
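Review bot: The new `2525 inet n - - - - smtpd` entry lands in the master.cf shared by every Postfix instance on the host, so each instance that must not serve it has to exclude it via `master_service_disable`; the out instance's main.cf keeps only 2525, but the other instances' settings are outside this diff and worth checking. The trailing context line `-o mynetworks=0.0.0.0/0` belongs to a neighbouring service entry, not the new one; since an `-o` line silently attaches to the preceding service, confirm in the full file which listener it widens. A comment on the new line, `# 2525: outgoing SMTP proxy (role 'out'); reachable over loopback/IPsec only`, would tie the port to the instance that owns it.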
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 4e21dfc..923aa35 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -19,6 +19,9 @@ in tcp {{ ansible_ssh_port|default('22') }} # SSH
{% if 'MX' in group_names %}
in tcp 25 # SMTP
{% endif %}
+{% if 'out' in group_names %}
+#out tcp 25 # SMTP
+{% endif %}
{% if 'IMAP' in group_names %}
in tcp 993 # IMAPS
in tcp 4190 # ManageSieve
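Review bot: The new `{% if 'out' in group_names %}` block emits only the commented-out line `#out tcp 25 # SMTP`, so for hosts in the out group the template renders a dead comment and nothing else. If the rule syntax here supports only inbound (`in`) entries, replace the conditional with a plain comment such as `# Egress to TCP 25 for the outgoing proxy is not restricted by this file`, so the next reader does not assume an egress rule exists; if an egress rule is intended, it belongs in a follow-up rather than a commented line that is easy to forget.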
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index e594c1e..70d4b98 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -31,16 +31,16 @@ virtual_alias_maps = cdb:/etc/aliases
alias_database = $virtual_alias_maps
# Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
# Tunnel everything through IPSec
smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 45e66aa..083fa2b 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -47,10 +47,10 @@ message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
@@ -68,7 +68,7 @@ smtpd_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
new file mode 100644
index 0000000..21c736a
--- /dev/null
+++ b/roles/out/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart Postgrey
+ service: name=postgrey state=restarted
+
+- name: Restart Postfix
+ service: name=postfix state=restarted
+
+- name: Reload Postfix
+ service: name=postfix state=reloaded
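Review bot: `Restart Postgrey` is declared but nothing in roles/out/tasks/main.yml installs or configures Postgrey, so the handler cannot be notified from this role. Either drop it or add a comment above it, `# Postgrey is not managed by this role yet; handler kept for parity with the MX role`, so it is not read as a sign that greylisting is active on the outgoing proxy.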
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
new file mode 100644
index 0000000..4bf4363
--- /dev/null
+++ b/roles/out/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Install Postfix
+ apt: pkg=postfix
+
+- name: Configure Postfix
+ template: src=etc/postfix/main.cf.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - Restart Postfix
+
+- name: Start Postfix
+ service: name=postfix state=started
+ when: not r.changed
+
+- meta: flush_handlers
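Review bot: The task list does not provision the TLS material the new template references (`smtp_tls_cert_file` and `smtp_tls_key_file` under `/etc/postfix-out/ssl/`), nor does it create the instance directory `/etc/postfix-{{ postfix_instance[inst].name }}` that the `template` task writes into; if the directory is absent Configure Postfix fails, and if the key is absent Postfix will log TLS errors on every outbound session. Add a task that asserts the key exists with `owner=root group=root mode=0600` before the restart handler fires, or a comment naming which role deploys those files. Minor: `register: r` is opaque; `register: postfix_main_cf` makes the `when: not r.changed` guard self-explanatory.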
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..1a7985f
--- /dev/null
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,78 @@
+########################################################################
+# Outgoing MTA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+
+delay_warning_time = 1d
+maximal_queue_lifetime = 5d
+
+myorigin = /etc/mailname
+myhostname = outgoing{{ outgoingno | default('') }}.$mydomain
+mydomain = fripost.org
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the
+# outgoing SMTP proxy.
+master_service_disable = !2525.inet inet
+
+queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# Accept everything coming through IPSec.
+# TODO: this should our virtual private subnetwork
+mynetworks = 0.0.0.0/0
+inet_interfaces = 172.16.0.1, 127.0.0.1
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+alias_database =
+local_recipient_maps =
+
+message_size_limit = 67108864
+recipient_delimiter = +
+
+relay_domains =
+relay_transport = error:5.3.2 Relay Transport unavailable
+
+# All header rewriting happens upstream
+local_header_rewrite_clients =
+
+
+smtp_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtp_tls_cert_file = /etc/postfix-out/ssl/smtp.fripost.org.pem
+smtp_tls_key_file = /etc/postfix-out/ssl/smtp.fripost.org.key
+smtp_tls_CApath = /etc/ssl/certs/
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_fingerprint_digest = sha1
+tls_random_source = dev:/dev/urandom
+
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ reject_unauth_destination
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining
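Review bot: `mynetworks = 0.0.0.0/0` combined with `permit_mynetworks` placed before `reject_unauth_destination` in `smtpd_recipient_restrictions` makes every host that can reach the 2525 listener a relay client, so the only things standing between this instance and an open relay are `inet_interfaces = 172.16.0.1, 127.0.0.1` and the firewall. The TODO on the preceding line already flags it; the fix is to list the trusted ranges explicitly, `mynetworks = 127.0.0.0/8 <IPSEC_SUBNET>/NN` (placeholder — fill in from the VPN configuration), which costs nothing now and keeps the relay boundary correct if the interface list or firewall rules ever change. Minor: `smtp_tls_fingerprint_digest = sha1` has no effect at `smtp_tls_security_level = may`; remove it, or if fingerprint pinning is planned, set it to `sha256`.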
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 76efb59..b070881 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -41,10 +41,10 @@ message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
@@ -60,7 +60,7 @@ smtp_data_done_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1