authorGuilhem Moulin <guilhem@fripost.org>2016-09-20 16:55:58 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-09-20 16:55:58 +0200
commit43f39850ffd9e658b4d783106ea32d9f5430e633 (patch)
tree5fdac9bbd29db220a406213f622469d82b366959
parentc40a1be176ca1e2ea3e211249a0ea6601a00b5db (diff)
Postscreen: Give temporary whitelist status to primary MX addresses only.
-rw-r--r--group_vars/all.yml2
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j211
2 files changed, 10 insertions, 3 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 77abc85..089c75f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -29,7 +29,7 @@ postfix_instance:
IMAP: { name: mda
, addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
, port: 2526 }
- MX: { name: mx, group: mta }
+ MX: { name: mx, group: mta, backup: mx3.fripost.org }
out: { name: out, group: mta
, addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
, port: 2525 }
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 718be00..86c20cd 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -115,8 +115,15 @@ postscreen_dnsbl_sites =
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
-postscreen_greet_action = enforce
-postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all
+postscreen_greet_action = enforce
+postscreen_whitelist_interfaces =
+{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %}
+ !{{ ip }}
+{%- endfor %}
+{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %}
+ ![{{ ip }}]
+{%- endfor %}
+ static:all
smtpd_client_restrictions =
permit_mynetworks
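Review bot: The exclusions in `postscreen_whitelist_interfaces` fail open: if the `dig +short` lookup for `postfix_instance.MX.backup` prints nothing (NXDOMAIN, for example, normally gives empty output and exit status 0), the parameter renders as just `static:all` and the backup MX address gets temporary whitelist status again without any error. `dig +short` can also print non-address lines such as a CNAME target, which the loops would emit verbatim as `!name.`; consider keeping only lines that look like addresses and aborting the render when both result lists are empty. The hostname is concatenated into a shell command, so pass it through the quote filter, `'dig +short ' + (postfix_instance.MX.backup | quote) + ' A'`. A short comment above the loops would also help auditors, noting that the addresses come from the resolver on the machine running the playbook and are unauthenticated unless that resolver validates DNSSEC.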