Don't use IPSec to relay messages to localhost.

author: Guilhem Moulin <guilhem@fripost.org> 2014-01-14 06:51:03 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:51:35 +0200
commit: 650db94b3b8dc6665c3883ac29f78adfe23e03f0 (patch)
tree: 8fc334329381952850dda59f16a558d0159305d9 /roles
parent: f8a46672a40b29f04a1a6417042759e2c25d4671 (diff)
4 files changed, 16 insertions, 0 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 685287a..337acd1 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -47,41 +47,45 @@ relayhost     = [127.0.0.1]:{{ MTA_out.port }}
 {% else %}
 relayhost     = [{{ MTA_out.host }}]:{{ MTA_out.port }}
 {% endif %}
 relay_domains =
 
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Pass the client information along to the content filter
 smtp_send_xforward_command       = yes
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks  = pcre:$config_directory/anonymize_sender.pcre
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
+{% if 'MTA-out' in group_names %}
+smtp_bind_address       = 127.0.0.1
+{% else %}
 smtp_bind_address       = 172.16.0.1
+{% endif %}
 
 # TLS
 smtpd_tls_security_level        = encrypt
 smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_CApath                = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 smtpd_tls_fingerprint_digest    = sha1
 smtpd_tls_eecdh_grade           = strong
 tls_random_source               = dev:/dev/urandom
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 570a797..9f88eef 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -64,41 +64,45 @@ transport_maps = pcre:$config_directory/virtual/transport_reserved_maps.pcre
                  ldap:$config_directory/virtual/transport_mailbox_maps.cf
                  ldap:$config_directory/virtual/transport_lists_maps.cf
                  ldap:$config_directory/virtual/transport_catchall_maps.cf
 
 virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
 virtual_alias_maps      = cdb:$config_directory/virtual/reserved_alias_maps
                           ldap:$config_directory/virtual/alias_maps.cf
 virtual_mailbox_maps    = $transport_maps
 
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Pass the client information along to the content filter
 smtp_send_xforward_command       = yes
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
+{% if 'MTA-out' in group_names %}
+smtp_bind_address       = 127.0.0.1
+{% else %}
 smtp_bind_address       = 172.16.0.1
+{% endif %}
 
 # TLS
 smtpd_tls_security_level        = may
 smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_CApath                = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 smtpd_tls_fingerprint_digest    = sha1
 smtpd_tls_eecdh_grade           = strong
 tls_random_source               = dev:/dev/urandom
 
 
 # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
 # http://www.howtoforge.com/block_spam_at_mta_level_postfix
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 4c56cea..83f97b4 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -26,39 +26,43 @@ alias_maps           =
 local_recipient_maps =
 
 # All aliases are virtual
 default_database_type = cdb
 virtual_alias_maps    = cdb:/etc/aliases
 alias_database        = $virtual_alias_maps
 
 # Transform local FQDN addresses to addresses routable on the internet
 smtp_generic_maps = pcre:$config_directory/generic.pcre
 
 # Forward everything to our internal mailhub
 {% if 'MTA-out' in group_names %}
 relayhost     = [127.0.0.1]:{{ MTA_out.port }}
 {% else %}
 relayhost     = [{{ MTA_out.host }}]:{{ MTA_out.port }}
 {% endif %}
 relay_domains =
 
 # Tunnel everything through IPSec
 smtp_tls_security_level  = none
+{% if 'MTA-out' in group_names %}
+smtp_bind_address        = 127.0.0.1
+{% else %}
 smtp_bind_address        = 172.16.0.1
+{% endif %}
 smtpd_tls_security_level = none
 
 # Turn off all TCP/IP listener ports except that dedicated to
 # samhain(8), which sadly cannot use pickup through the sendmail binary.
 master_service_disable = !127.0.0.1:16132.inet inet
 
 {% set multi_instance = False %}
 {%- for g in postfix_instance.keys() | sort -%}
   {%- if g in group_names -%}
     {%- if not multi_instance -%}
       {%- set multi_instance = True -%}
 ## Other postfix instances
 multi_instance_wrapper     = $command_directory/postmulti -p --
 multi_instance_enable      = yes
 multi_instance_directories =
     {%- endif %} /etc/postfix-{{ postfix_instance[g].name }}
   {%- endif %}
 {% endfor %}
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index cb57b23..cd026d1 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -46,41 +46,45 @@ recipient_delimiter = +
 relayhost     = [127.0.0.1]:{{ MTA_out.port }}
 {% else %}
 relayhost     = [{{ MTA_out.host }}]:{{ MTA_out.port }}
 {% endif %}
 relay_domains =
 
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Pass the client information along to the content filter
 smtp_send_xforward_command       = yes
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
 # Pass the mail to the antivirus
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 
 # Tunnel everything through IPSec
 smtp_tls_security_level  = none
+{% if 'MTA-out' in group_names %}
+smtp_bind_address        = 127.0.0.1
+{% else %}
 smtp_bind_address        = 172.16.0.1
+{% endif %}
 smtpd_tls_security_level = none
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
 unknown_client_reject_code = 554
 
 smtpd_client_restrictions =
     permit_mynetworks
     reject
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     permit_mynetworks
     reject_non_fqdn_helo_hostname
     reject_invalid_helo_hostname
author	Guilhem Moulin <guilhem@fripost.org>	2014-01-14 06:51:03 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:51:35 +0200
commit	650db94b3b8dc6665c3883ac29f78adfe23e03f0 (patch)
tree	8fc334329381952850dda59f16a558d0159305d9 /roles
parent	f8a46672a40b29f04a1a6417042759e2c25d4671 (diff)