-rw-r--r--roles/IMAP/files/etc/postfix/recipient_canonical.pcre4
-rw-r--r--roles/IMAP/tasks/mda.yml6
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j25
-rw-r--r--roles/MX/tasks/main.yml5
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j226
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j24
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j24
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport.j213
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport_list.cf.j213
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j21
10 files changed, 48 insertions, 33 deletions
diff --git a/roles/IMAP/files/etc/postfix/recipient_canonical.pcre b/roles/IMAP/files/etc/postfix/recipient_canonical.pcre
new file mode 100644
index 0000000..07c5859
--- /dev/null
+++ b/roles/IMAP/files/etc/postfix/recipient_canonical.pcre
@@ -0,0 +1,4 @@
+# Restore the original envelope recipient (drop our internal domain).
+# Extensions are preserved as they are included in $2.
+
+/^([^\/]+)\/(.+)@[^@]+$/ $2@$1
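Review bot: The pattern on the last line rewrites any envelope recipient whose local part contains a `/`, whatever the domain, because the domain part is only `[^@]+`; a recipient such as `a/b@example.org` reaching cleanup(8) on this host would become `b@a`. Anchoring on the internal domain the MX actually generates for this purpose (`mda.guilhem.org` in this commit's mailbox.cf.j2) keeps the rewrite to the intended traffic, e.g. `/^([^\/]+)\/(.+)@mda\.guilhem\.org$/ $2@$1`. If that domain is $myhostname on the IMAP host, turning the file into a template would let it be derived rather than duplicated.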
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 1aac519..0358f12 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -12,25 +12,31 @@
register: r
notify:
- Restart Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
state=directory
owner=root group=root
mode=0755
- name: Copy lookup tables
copy: src=etc/postfix/virtual/{{ item }}
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- mailbox_domains.cf
- mailbox.cf
- transport_content_filter.cf
+- name: Copy recipient canonical
+ copy: src=etc/postfix/recipient_canonical.pcre
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/recipient_canonical.pcre
+ owner=root group=root
+ mode=0644
+
- name: Start Postfix
service: name=postfix state=started
when: not r.changed
- meta: flush_handlers
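Review bot: The new Copy recipient canonical task does not notify the Postfix handler, unlike the task that registers `r` at the top of the hunk. A pcre: table is read when a cleanup(8) process starts, so an edit to recipient_canonical.pcre on an already-running instance only takes effect as processes are recycled; if that delay is not intended, add `notify:` / `- Restart Postfix` (or a reload handler, if the role has one) to the task. The existing Copy lookup tables task has the same property, so this may be a deliberate choice worth a one-line comment either way.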
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index e4c01bd..d0421ce 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -38,24 +38,29 @@ inet_protocols = ipv4
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# No relay: this server is inbound-only
relay_transport = error:5.1.1 Relay unavailable
default_transport = error:5.1.1 Transport unavailable
# Virtual transport (the alias resolution is already done by the MX:es)
virtual_transport = lmtp:unix:private/dovecot-lmtpd
lmtp_bind_address = 127.0.0.1
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox.cf
transport_maps = ldap:$config_directory/virtual/transport_content_filter.cf
+# Restore the original envelope recipient
+relay_domains = $myhostname
+recipient_canonical_classes = envelope_recipient
+recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
+
# Don't rewrite remote headers
local_header_rewrite_clients =
# Tolerate occasional high latency
smtpd_timeout = 1200s
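Review bot: `relay_domains = $myhostname` makes smtpd accept any recipient at $myhostname, and with no `relay_recipient_maps` set a recipient that does not match the recipient_canonical.pcre pattern (for instance one without a `/` in the local part) is accepted and then bounced by `relay_transport = error:5.1.1 Relay unavailable`, which is a backscatter source if anything other than the MX can reach this smtpd. Consider a `relay_recipient_maps` pcre table that accepts only the `<domain>/<user>@$myhostname` form the MX generates, or at least a comment stating that the port is reachable only over the internal tunnel. It would also help to note above `relay_domains` that the canonical rewrite happens in cleanup(8), after smtpd has accepted the recipient, so `virtual_mailbox_maps` cannot validate it at SMTP time.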
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index e8dadb1..2670703 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -36,40 +36,39 @@
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
state=directory
owner=root group=root
mode=0755
- name: Copy lookup tables
template: src=etc/postfix/virtual/{{ item }}.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- mailbox_domains.cf
- reserved_alias.pcre
- alias.cf
- mailbox.cf
- list.cf
- alias_domains.cf
- catchall.cf
- - transport_reserved_alias
- - transport_list.cf
+ - transport
- name: Compile the Reserved Transport Maps
postmap: instance={{ postfix_instance[inst].name }}
- src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport_reserved_alias db=cdb
+ src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
owner=root group=root
mode=0644
- name: Copy reserved-alias.pl
copy: src=usr/local/sbin/reserved-alias.pl
dest=/usr/local/sbin/reserved-alias.pl
owner=root group=root
mode=0755
- name: Start Postfix
service: name=postfix state=started
when: not r.changed
- meta: flush_handlers
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 6c2004a..8bed701 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -34,66 +34,64 @@ inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost = [127.0.0.1]:{{ MTA_out.port }}
{% else %}
relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
{% endif %}
relay_domains =
# Virtual transport
-{% if 'LDA' in group_names %}
-virtual_transport = smtpl:[127.0.0.1]:{{ LDA.port }}
-{% else %}
-virtual_transport = smtps:[{{ LDA.host }}]:{{ LDA.port }}
-{% endif %}
-
+# We use a dedicated "virtual" domain to decongestion potential
+# bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
+# tranport_maps.
+virtual_transport = error:5.1.1 Virtual transport unavailable
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
+ # first we do the alias resolution...
ldap:$config_directory/virtual/alias.cf
- # stop the alias resolution (by making finding
- # an A -> A alias) before searching for
- # catch-alls and domain aliases
- $virtual_mailbox_maps
+ # ...and unless there is matching mailbox/list...
+ ldap:$config_directory/virtual/mailbox.cf
+ ldap:$config_directory/virtual/list.cf
+ # ...we resolve alias domains and catch alls
ldap:$config_directory/virtual/alias_domains.cf
ldap:$config_directory/virtual/catchall.cf
-virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox.cf
- ldap:$config_directory/virtual/list.cf
-transport_maps = cdb:$config_directory/virtual/transport_reserved_alias
- ldap:$config_directory/virtual/transport_list.cf
+virtual_mailbox_maps =
+transport_maps = cdb:$config_directory/virtual/transport
# Don't rewrite remote headers
local_header_rewrite_clients =
# Pass the client information along to the content filter
smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
+reserved-alias_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
{% endif %}
# TLS
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha1
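Review bot: The added comment at the top of the virtual transport stanza has two typos, `decongestion` (should be `decongest`) and `tranport_maps` (should be `transport_maps`); the same sentence is duplicated in the list.cf.j2 and mailbox.cf.j2 hunks of this commit, so fixing it once and pointing to it from the two LDAP tables would avoid drift. The internal routing domains `mda.guilhem.org` and `lists.guilhem.org` are now hard-coded in three templates (mailbox.cf.j2, list.cf.j2, transport.j2) and implicitly relied upon by the IMAP role's recipient_canonical.pcre; a role variable would make that coupling explicit. Because mailbox.cf and list.cf now return `%D/%U@mda.guilhem.org` from virtual_alias_maps, Postfix presumably runs the whole alias chain once more on the rewritten address before finding no match, costing a few extra LDAP misses per recipient — likely acceptable, but worth stating in the comment given the stanza's stated goal.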
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 8bcd5df..6100c01 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,9 +1,11 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
result_attribute = fvl
-result_format = %S
+# Use a dedicated "virtual" domain to decongestion potential bottlenecks
+# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
+result_format = %D/%U@lists.guilhem.org
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index b421e9a..fe27124 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,9 +1,11 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
result_attribute = fvl
-result_format = %S
+# Use a dedicated "virtual" domain to decongestion potential bottlenecks
+# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
+result_format = %D/%U@mda.guilhem.org
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
new file mode 100644
index 0000000..6d244dc
--- /dev/null
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -0,0 +1,13 @@
+reserved.locahost.localdomain reserved-alias:
+
+{% if 'LDA' in group_names %}
+mda.guilhem.org smtpl:[127.0.0.1]:{{ LDA.port }}
+{% else %}
+mda.guilhem.org smtps:[{{ LDA.host }}]:{{ LDA.port }}
+{% endif %}
+
+{% if 'lists' in group_names %}
+lists.guilhem.org smtpl:[127.0.0.1]:{{ lists.port }}
+{% else %}
+lists.guilhem.org smtps:[{{ lists.host }}]:{{ lists.port }}
+{% endif %}
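Review bot: `reserved.locahost.localdomain` on the first line looks like a misspelling of `localhost`; it is carried over verbatim from the deleted transport_reserved_alias.j2, so it presumably matches what reserved_alias.pcre rewrites to, but if both are under this role's control fixing the spelling in both places would remove the surprise for the next reader. The two domain keys must stay in step with the result_format lines of mailbox.cf.j2 and list.cf.j2; a comment such as `# Keys must match the result_format domains in virtual/mailbox.cf.j2 and virtual/list.cf.j2` at the top of the file would make the dependency visible.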
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2
deleted file mode 100644
index eb696db..0000000
--- a/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
-version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
-domain = static:all
-scope = base
-bind = none
-query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
-result_attribute = fvl
-{% if 'lists' in group_names %}
-result_format = smtpl:[127.0.0.1]:{{ lists.port }}
-{% else %}
-result_format = smtps:[{{ lists.host }}]:{{ lists.port }}
-{% endif %}
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2 b/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2
deleted file mode 100644
index 4af5318..0000000
--- a/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2
+++ /dev/null
@@ -1 +0,0 @@
-reserved.locahost.localdomain reserved-alias: