diff options
| -rw-r--r-- | group_vars/all.yml | 2 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 11 |
2 files changed, 10 insertions, 3 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml index 77abc85..089c75f 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -12,31 +12,31 @@ ipsec: elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6 postfix_instance: # The keys are the group names associated with a Postfix role, and the # values are the name and group (optional) of the instance dedicated # to that role. # For internal services, we also specify its (non-routable) IP address # and port. # XXX it's unfortunate that we can only specify a single address, and # therefore have to limit the number of outgoing SMTP proxy and # IMAP server to one. Since hosts(5) files cannot map and IP # address to multiple hostnames, a workaround would be to use # round-robin DNS, but we can't rely on DNS as long as our zone is # unsigned. IMAP: { name: mda , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2526 } - MX: { name: mx, group: mta } + MX: { name: mx, group: mta, backup: mx3.fripost.org } out: { name: out, group: mta , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2525 } MSA: { name: msa , port: 587 } lists: { name: lists , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2527 } imapsvr_addr: "{{ postfix_instance.IMAP.addr | ipaddr }}" diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 718be00..86c20cd 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -98,42 +98,49 @@ unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unknown_local_recipient_reject_code = 554 unknown_relay_recipient_reject_code = 554 unknown_virtual_alias_reject_code = 554 unknown_virtual_mailbox_reject_code = 554 postscreen_blacklist_action = drop postscreen_dnsbl_threshold = 3 postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = zen.spamhaus.org*3 swl.spamhaus.org*-4 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 -postscreen_greet_action = enforce -postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all +postscreen_greet_action = enforce +postscreen_whitelist_interfaces = +{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %} + !{{ ip }} +{%- endfor %} +{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %} + ![{{ ip }}] +{%- endfor %} + static:all smtpd_client_restrictions = permit_mynetworks smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination reject_unlisted_recipient smtpd_data_restrictions = |