summaryrefslogtreecommitdiffstats
path: root/roles/out
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-11 21:15:24 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-12 13:46:44 +0100
commit7beb915bb8dddac847ca3aca85c187e314a6c0fa (patch)
tree58007bea6929c6cdfb8d7b5abf483eb33fd3b609 /roles/out
parent68d56db92b95f570a8e7236dbff3fc7fd0fcd2c3 (diff)
Outgoing SMTP: masquerade internal hostnames.
Use admin@fripost.org instead. We were sending out (to the admin team) system messages with non-existing or invalid envelope sender addresses, such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>.
Diffstat (limited to 'roles/out')
-rw-r--r--roles/out/tasks/main.yml12
-rw-r--r--roles/out/templates/etc/postfix/canonical.j210
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j24
3 files changed, 26 insertions, 0 deletions
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 96a557d..0e64443 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -12,6 +12,18 @@
notify:
- Reload Postfix
+- name: Copy the canonical maps
+ template: src=etc/postfix/canonical.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/canonical
+ owner=root group=root
+ mode=0644
+
+- name: Compile the canonical maps
+ # no need to reload upon change, as cleanup(8) is short-running
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/canonical db=lmdb
+ owner=root group=root
+ mode=0644
+
- meta: flush_handlers
- name: Start Postfix
diff --git a/roles/out/templates/etc/postfix/canonical.j2 b/roles/out/templates/etc/postfix/canonical.j2
new file mode 100644
index 0000000..ed8bb4d
--- /dev/null
+++ b/roles/out/templates/etc/postfix/canonical.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Addresses under $myhostname are typically not valid as envelope
+# recipients (eg, logcheck@, root@, etc.). This breaks the sender
+# address verification, so we use the admin team's address in the
+# envelope.
+{% for host in groups.all | sort %}
+@{{ hostvars[host].inventory_hostname }} admin@fripost.org
+{% endfor %}
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 6d83710..c05d9a5 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -42,6 +42,10 @@ recipient_delimiter = +
relay_domains =
relay_transport = error:5.3.2 Relay Transport unavailable
+# Replace internal system addresses under $myhostname with a valid address
+canonical_maps = lmdb:$config_directory/canonical
+canonical_classes = envelope_sender, envelope_recipient
+
# All header rewriting happens upstream
local_header_rewrite_clients =