authorGuilhem Moulin <guilhem@fripost.org>2013-12-01 23:51:28 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:03 +0200
commitd363522c15b1d1ce61b2780a539dd09e2e679d34 (patch)
tree6dcabada360ac52e05ec02eb2ff595626e0dc62f /roles/common
parent0c99d9d1600c0fe2c494f9c59ba8ea7966dcd65f (diff)
Configure the MX:es.
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/files/etc/postfix/master.cf2
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j214
-rw-r--r--roles/common/templates/etc/iptables/services.j28
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j24
4 files changed, 26 insertions, 2 deletions
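diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index d9722ef..b8bc458 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -17,20 +17,22 @@ rewrite unix - - - - - trivial-rewrite
 bounce unix - - - - 0 bounce
 defer unix - - - - 0 bounce
 trace unix - - - - 0 bounce
 verify unix - - - - 1 verify
 flush unix n - - 1000? 0 flush
 proxymap unix - - n - - proxymap
 proxywrite unix - - n - 1 proxymap
 smtp unix - - - - - smtp
 relay unix - - - - - smtp
 # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq unix n - - - - showq
 error unix - - - - - error
 retry unix - - - - - error
 discard unix - - - - - discard
 local unix - n n - - local
 virtual unix - n n - - virtual
 lmtp unix - - - - - lmtp
 anvil unix - - - - 1 anvil
 scache unix - - - - 1 scache
 16132 inet n - - - - smtpd
+reserved-alias unix - n n - - pipe
+ flags=Rhu user=mail argv=/usr/local/sbin/reserved-alias.pl ${original_recipient} @fripost.org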
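Review bot: The new `reserved-alias` pipe transport is added to the static `files/etc/postfix/master.cf`, so unlike the other hunks in this commit (jail.local.j2 and services.j2 are gated on `'MX' in group_names`) it is installed on every host that receives the common role and references `/usr/local/sbin/reserved-alias.pl` whether or not that script is deployed there. The `${original_recipient}` argument is untrusted data taken from the envelope of whatever message is routed to this transport; pipe(8) executes argv directly without a shell, so this is only as safe as the script's own handling of its first argument. A comment above the entry should record that contract, e.g. `# Reserved-alias delivery agent: ${original_recipient} is untrusted input, the script must never hand it to a shell.`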
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 0dcab8d..b92cb7a 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -1,49 +1,63 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
[DEFAULT]
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = admin@fripost.org
# Specify chain where jumps would need to be added in iptables-* actions
chain = fail2ban
# Choose default action.
action = %(action_)s
#
# JAILS
#
+# There is no risk to lock ourself out, since traffic between our machines goes
+# through IPSec, and these packets are accepted before having a chance to enter
+# fail2ban's chain.
+#
[ssh]
enabled = true
port = {{ ansible_ssh_port|default('22') }}
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[ssh-ddos]
enabled = true
port = {{ ansible_ssh_port|default('22') }}
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
+
+{% if 'MX' in group_names %}
+[postfix]
+
+enabled = true
+port = smtp
+filter = postfix
+logpath = /var/log/mail.log
+maxretry = 10
+{% endif %}
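Review bot: The new `[postfix]` jail has a stray blank line between the `[postfix]` header and `enabled = true`, which none of the other jails in this file have; drop it so the section reads like `[ssh]` and `[ssh-ddos]`. `maxretry = 10` is twice the `[ssh]` threshold and the only per-jail value in this file without a comment explaining it, so a one-line rationale above it (e.g. why a legitimate client may trip the postfix filter several times before it is banned) would help the next maintainer. `port = smtp` limits the ban to port 25; if submission (587) or smtps (465) are opened on the MX hosts later this jail will not cover them, which is worth stating in that comment too.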
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index b1b7f0f..8a9409d 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -1,13 +1,17 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# direction protocol destination port source port
# (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port)
inout udp 500 500 # ISAKMP
-
-in tcp {{ ansible_ssh_port|default('22') }} # SSH
+#inout udp 4500 4500 # IPSec NAT Traversal
out tcp 80,443 # HTTP/HTTPS
out udp 53 # DNS
out udp 67 # DHCP
+
+in tcp {{ ansible_ssh_port|default('22') }} # SSH
+{% if 'MX' in group_names %}
+in tcp 25 # SMTP
+{% endif %}
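Review bot: `#inout udp 4500 4500 # IPSec NAT Traversal` is added already commented out with no indication of why it is disabled, so a later reader cannot tell whether NAT-T is unsupported, unneeded, or deliberately not opened. Either drop the line or document the decision, e.g. `# IPSec NAT-T (UDP 4500) is not opened: none of our machines sits behind NAT` — adjusted to the actual reason. The new `in tcp 25 # SMTP` rule is gated on `'MX' in group_names`, consistent with the fail2ban jail added in the same commit.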
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 59bf0ba..a856843 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -1,26 +1,30 @@
########################################################################
# Nullmailer configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
+mail_owner = postfix
myorigin = /etc/mailname
myhostname = {{ ansible_fqdn }}
mydomain = {{ ansible_domain }}
append_dot_mydomain = no
# This server is for internal use only
mynetworks_style = host
inet_interfaces = loopback-only
inet_protocols = ipv4
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
local_recipient_maps =
# All aliases are virtual
default_database_type = cdb
virtual_alias_maps = cdb:/etc/aliases