Outgoing SMTP: masquerade internal hostnames.

Use admin@fripost.org instead.  We were sending out (to the admin team)
system messages with non-existing or invalid envelope sender addresses,
such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>.

3 files changed, 26 insertions, 0 deletions

diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 96a557d..0e64443 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -1,34 +1,46 @@
 - name: Install Postfix
   apt: pkg=postfix
 
 - name: Configure Postfix
   template: src=etc/postfix/{{ item }}.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
             owner=root group=root
             mode=0644
   with_items:
     - main.cf
     - master.cf
   notify:
     - Reload Postfix
 
+- name: Copy the canonical maps
+  template: src=etc/postfix/canonical.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/canonical
+            owner=root group=root
+            mode=0644
+
+- name: Compile the canonical maps
+  # no need to reload upon change, as cleanup(8) is short-running
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/canonical db=lmdb
+           owner=root group=root
+           mode=0644
+
 - meta: flush_handlers
 
 - name: Start Postfix
   service: name=postfix state=started
 
 
 - name: Install 'postfix_mailqueue_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
         dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
         owner=root group=root
         state=link force=yes
   tags:
     - munin
     - munin-node
   notify:
     - Restart munin-node
 
 - name: Install 'postfix_stats_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_stats_
         dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
diff --git a/roles/out/templates/etc/postfix/canonical.j2 b/roles/out/templates/etc/postfix/canonical.j2
new file mode 100644
index 0000000..ed8bb4d
--- /dev/null
+++ b/roles/out/templates/etc/postfix/canonical.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Addresses under $myhostname are typically not valid as envelope
+# recipients (eg, logcheck@, root@, etc.).  This breaks the sender
+# address verification, so we use the admin team's address in the
+# envelope.
+{% for host in groups.all | sort %}
+@{{ hostvars[host].inventory_hostname }}    admin@fripost.org
+{% endfor %}
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 6d83710..c05d9a5 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -25,40 +25,44 @@ mynetworks = 127.0.0.0/8, [::1]/128
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
 multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
 # No local delivery
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
 message_size_limit  = 0
 recipient_delimiter = +
 
 relay_domains       =
 relay_transport     = error:5.3.2 Relay Transport unavailable
 
+# Replace internal system addresses under $myhostname with a valid address
+canonical_maps    = lmdb:$config_directory/canonical
+canonical_classes = envelope_sender, envelope_recipient
+
 # All header rewriting happens upstream
 local_header_rewrite_clients =
 
 
 smtp_tls_security_level         = may
 smtp_tls_ciphers                = medium
 smtp_tls_protocols              = !SSLv2, !SSLv3
 smtp_tls_note_starttls_offer    = yes
 smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache
 
 smtpd_tls_security_level        = none
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 smtpd_client_restrictions =
     permit_mynetworks
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why