From 170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 1 Jul 2014 14:38:52 +0200
Subject: Outgoing SMTP proxy.
---
all.yml | 1 +
group_vars/all.yml | 12 ++--
out.yml | 8 +++
roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 | 6 +-
roles/MSA/templates/etc/postfix/main.cf.j2 | 8 +--
roles/MX/templates/etc/postfix/main.cf.j2 | 8 +--
roles/common/files/etc/postfix/master.cf | 1 +
roles/common/templates/etc/iptables/services.j2 | 3 +
roles/common/templates/etc/postfix/main.cf.j2 | 8 +--
roles/lists/templates/etc/postfix/main.cf.j2 | 8 +--
roles/out/handlers/main.yml | 9 +++
roles/out/tasks/main.yml | 17 +++++
roles/out/templates/etc/postfix/main.cf.j2 | 78 +++++++++++++++++++++++
roles/webmail/templates/etc/postfix/main.cf.j2 | 8 +--
14 files changed, 146 insertions(+), 29 deletions(-)
create mode 100644 out.yml
create mode 100644 roles/out/handlers/main.yml
create mode 100644 roles/out/tasks/main.yml
create mode 100644 roles/out/templates/etc/postfix/main.cf.j2
diff --git a/all.yml b/all.yml
index 6a62511..4f820bd 100644
--- a/all.yml
+++ b/all.yml
@@ -6,5 +6,6 @@
 - include: IMAP.yml
 - include: MX.yml
 - include: MSA.yml
+- include: out.yml
 - include: webmail.yml
 - include: lists.yml
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 351aa09..ef9fc82 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,9 +3,9 @@ postfix_instance:
 # The keys are the group names associated with a Postfix role, and the
 # values are the name and group (optional) of the instance dedicated
 # to that role.
- IMAP: { name: mda, port: 2526 }
- MX: { name: mx, group: mta }
- MTA-out: { name: mta-out,group: mta, port: 2525 }
- MSA: { name: msa }
- webmail: { name: webmail }
- lists: { name: lists, port: 2527 }
+ IMAP: { name: mda, port: 2526 }
+ MX: { name: mx, group: mta }
+ out: { name: out, group: mta, port: 2525 }
+ MSA: { name: msa }
+ webmail: { name: webmail }
+ lists: { name: lists, port: 2527 }
diff --git a/out.yml b/out.yml
new file mode 100644
index 0000000..5b1206c
--- /dev/null
+++ b/out.yml
@@ -0,0 +1,8 @@
+---
+- name: Configure the outgoing SMTP proxy
+ hosts: out
+ roles:
+ - { role: out, inst: out }
+ tags:
+ - mail
+ - postfix
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
index 503907e..b3ae7a9 100644
--- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -110,10 +110,10 @@ $inet_socket_port = 10041;
 $interface_policy{'10041'} = 'INBOUND';
-{% if 'MTA-out' in group_names %}
-$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance["MTA-out"].port }}';
+{% if 'out' in group_names %}
+$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance.out.port }}';
 {% else %}
-$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}';
+$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance.out.port }}';
 {% endif %}
 $forward_method = 'lmtp:/var/run/dovecot/lmtp';
 $requeue_method = $forward_method;
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index e363d70..e3014aa 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -41,10 +41,10 @@ message_size_limit = 67108864
 recipient_delimiter = +
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
@@ -61,7 +61,7 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address = 127.0.0.1
 {% else %}
 smtp_bind_address = 172.16.0.1
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 4dbbbcb..34e38a0 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -42,10 +42,10 @@ message_size_limit = 67108864
 recipient_delimiter = +
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
@@ -79,7 +79,7 @@ smtp_data_done_timeout = 1200s
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address = 127.0.0.1
 {% else %}
 smtp_bind_address = 172.16.0.1
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 4fdbff3..e845371 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -39,6 +39,7 @@ lmtp unix - - - - - lmtp
 anvil unix - - - - 1 anvil
 scache unix - - - - 1 scache
 127.0.0.1:16132 inet n - - - - smtpd
+2525 inet n - - - - smtpd
 2526 inet n - - - - smtpd
 2527 inet n - - - - smtpd
 -o mynetworks=0.0.0.0/0
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 4e21dfc..923aa35 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
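Review bot: The new `2525 inet n - - - - smtpd` entry lands in the master.cf shared by every Postfix instance, so each instance that is not the proxy has to exclude it explicitly; the out template does the inverse with `master_service_disable = !2525.inet inet`, but the other instances' main.cf files are not in this diff, so whether they list `2525.inet` in their own master_service_disable is unverified here. Unlike the `2527` entry just below it, which carries a per-service `-o mynetworks=0.0.0.0/0`, the 2525 service has no `-o` overrides, so who may relay through it is decided entirely by the out instance's global main.cf. A one-line comment on the entry naming its consumer, e.g. `# 2525: outgoing SMTP proxy, served by the postfix-out instance only`, would make that coupling visible to whoever edits this shared file next.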
@@ -19,6 +19,9 @@ in tcp {{ ansible_ssh_port|default('22') }} # SSH
 {% if 'MX' in group_names %}
 in tcp 25 # SMTP
 {% endif %}
+{% if 'out' in group_names %}
+#out tcp 25 # SMTP
+{% endif %}
 {% if 'IMAP' in group_names %}
 in tcp 993 # IMAPS
 in tcp 4190 # ManageSieve
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index e594c1e..70d4b98 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -31,16 +31,16 @@ virtual_alias_maps = cdb:/etc/aliases
 alias_database = $virtual_alias_maps
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address = 127.0.0.1
 {% else %}
 smtp_bind_address = 172.16.0.1
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 45e66aa..083fa2b 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -47,10 +47,10 @@ message_size_limit = 67108864
 recipient_delimiter = +
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
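Review bot: Inside the new `{% if 'out' in group_names %}` block in services.j2 the only rendered line is the comment `#out tcp 25 # SMTP`, so the block produces no rule at all. If this file is what builds the host's egress whitelist, the proxy cannot deliver on port 25 until that line is uncommented; if egress is open by default, the block is dead text. Either enable it as `out tcp 25 # SMTP` or replace the block with a comment stating why no rule is needed, so the next reader does not have to guess whether outbound delivery is firewalled. The rest of services.j2 and the consumer of `out` lines are not in this diff, so which of the two cases applies is inferred.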
@@ -68,7 +68,7 @@ smtpd_timeout = 1200s
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address = 127.0.0.1
 {% else %}
 smtp_bind_address = 172.16.0.1
diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
new file mode 100644
index 0000000..21c736a
--- /dev/null
+++ b/roles/out/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart Postgrey
+ service: name=postgrey state=restarted
+
+- name: Restart Postfix
+ service: name=postfix state=restarted
+
+- name: Reload Postfix
+ service: name=postfix state=reloaded
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
new file mode 100644
index 0000000..4bf4363
--- /dev/null
+++ b/roles/out/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Install Postfix
+ apt: pkg=postfix
+
+- name: Configure Postfix
+ template: src=etc/postfix/main.cf.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - Restart Postfix
+
+- name: Start Postfix
+ service: name=postfix state=started
+ when: not r.changed
+
+- meta: flush_handlers
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..1a7985f
--- /dev/null
+++ b/roles/out/templates/etc/postfix/main.cf.j2
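Review bot: roles/out/tasks/main.yml installs the package and renders main.cf, but the template it renders points `smtp_tls_cert_file`/`smtp_tls_key_file` at `/etc/postfix-out/ssl/`, and no task in this role creates that directory, deploys the key, or asserts its mode; unless another role does so, the first run starts an instance whose client certificate is absent and whose private key permissions are never checked. A `file:` task for the ssl directory plus a deploy or check task for the key with `owner=root group=root mode=0600` would close that gap and make the expectation explicit. Separately, the `Restart Postgrey` handler in roles/out/handlers/main.yml is never notified by this task list and nothing here installs postgrey, so it reads as a leftover from a copied role; either drop it or add the tasks that need it.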
@@ -0,0 +1,78 @@
+########################################################################
+# Outgoing MTA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+
+delay_warning_time = 1d
+maximal_queue_lifetime = 5d
+
+myorigin = /etc/mailname
+myhostname = outgoing{{ outgoingno | default('') }}.$mydomain
+mydomain = fripost.org
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the
+# outgoing SMTP proxy.
+master_service_disable = !2525.inet inet
+
+queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# Accept everything coming through IPSec.
+# TODO: this should our virtual private subnetwork
+mynetworks = 0.0.0.0/0
+inet_interfaces = 172.16.0.1, 127.0.0.1
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+alias_database =
+local_recipient_maps =
+
+message_size_limit = 67108864
+recipient_delimiter = +
+
+relay_domains =
+relay_transport = error:5.3.2 Relay Transport unavailable
+
+# All header rewriting happens upstream
+local_header_rewrite_clients =
+
+
+smtp_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtp_tls_cert_file = /etc/postfix-out/ssl/smtp.fripost.org.pem
+smtp_tls_key_file = /etc/postfix-out/ssl/smtp.fripost.org.key
+smtp_tls_CApath = /etc/ssl/certs/
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_fingerprint_digest = sha1
+tls_random_source = dev:/dev/urandom
+
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ 
reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ reject_unauth_destination
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 76efb59..b070881 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -41,10 +41,10 @@ message_size_limit = 67108864
 recipient_delimiter = +
 # Forward everything to our internal mailhub
-{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
+{% if 'out' in group_names %}
+relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
@@ -60,7 +60,7 @@ smtp_data_done_timeout = 1200s
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
-{% if 'MTA-out' in group_names %}
+{% if 'out' in group_names %}
 smtp_bind_address = 127.0.0.1
 {% else %}
 smtp_bind_address = 172.16.0.1
-- 
cgit v1.2.3
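Review bot: `mynetworks = 0.0.0.0/0` together with `permit_mynetworks` placed ahead of `reject_unauth_destination` in smtpd_recipient_restrictions lets any client that reaches the 2525 listener relay to arbitrary destinations, so the only things keeping this instance from being an open relay are `inet_interfaces = 172.16.0.1, 127.0.0.1` and the host's IPsec policy being enforced. The TODO just above it already says the value should be the private subnet; narrowing it now, e.g. `mynetworks = 127.0.0.0/8, <IPSEC-SUBNET>/<PREFIX>` with the real tunnel range substituted, keeps the restriction order as it is and removes the dependence on a separate layer. The certificate and key paths are hard-coded to `/etc/postfix-out/ssl/` while queue_directory, data_directory and multi_instance_name all derive the instance name from `postfix_instance[inst].name`; `/etc/postfix-{{ postfix_instance[inst].name }}/ssl/smtp.fripost.org.pem` (and likewise for the .key) would keep those settings consistent. The instance also sets no smtpd-side TLS parameters, which is acceptable only as long as every client really does arrive over IPsec, so a comment stating that assumption next to `inet_interfaces` would help the next reader.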