Postscreen: Give temporary whitelist status to primary MX addresses only.

author: Guilhem Moulin <guilhem@fripost.org> 2016-09-20 16:55:58 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-09-20 16:55:58 +0200
commit: 43f39850ffd9e658b4d783106ea32d9f5430e633 (patch)
tree: 5fdac9bbd29db220a406213f622469d82b366959 /roles/MX
parent: c40a1be176ca1e2ea3e211249a0ea6601a00b5db (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 718be00..86c20cd 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -115,8 +115,15 @@ postscreen_dnsbl_sites      =
     list.dnswl.org=127.[0..255].[0..255].1*-3
     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
 
-postscreen_greet_action          = enforce
-postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all
+postscreen_greet_action         = enforce
+postscreen_whitelist_interfaces =
+{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %}
+    !{{ ip }}
+{%- endfor %}
+{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %}
+    ![{{ ip }}]
+{%- endfor %}
+    static:all
 
 smtpd_client_restrictions =
     permit_mynetworks
author	Guilhem Moulin <guilhem@fripost.org>	2016-09-20 16:55:58 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2016-09-20 16:55:58 +0200
commit	43f39850ffd9e658b4d783106ea32d9f5430e633 (patch)
tree	5fdac9bbd29db220a406213f622469d82b366959 /roles/MX
parent	c40a1be176ca1e2ea3e211249a0ea6601a00b5db (diff)