From 43f39850ffd9e658b4d783106ea32d9f5430e633 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 20 Sep 2016 16:55:58 +0200
Subject: Postscreen: Give temporary whitelist status to primary MX addresses only.

---
 group_vars/all.yml | 2 +-
 roles/MX/templates/etc/postfix/main.cf.j2 | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/group_vars/all.yml b/group_vars/all.yml
index 77abc85..089c75f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -29,7 +29,7 @@ postfix_instance:
   IMAP: { name: mda
         , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
         , port: 2526 }
-  MX: { name: mx, group: mta }
+  MX: { name: mx, group: mta, backup: mx3.fripost.org }
   out: { name: out, group: mta
         , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
         , port: 2525 }
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 718be00..86c20cd 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -115,8 +115,15 @@ postscreen_dnsbl_sites =
     list.dnswl.org=127.[0..255].[0..255].1*-3
     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
 
-postscreen_greet_action = enforce
-postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all
+postscreen_greet_action = enforce
+postscreen_whitelist_interfaces =
+{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A').splitlines() %}
+    !{{ ip }}
+{%- endfor %}
+{%- for ip in lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' AAAA').splitlines() %}
+    ![{{ ip }}]
+{%- endfor %}
+    static:all
 
 smtpd_client_restrictions = permit_mynetworks
-- 
cgit v1.2.3
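Review bot: The new `postscreen_whitelist_interfaces` value in main.cf.j2 fails open: if `lookup('pipe', 'dig +short '+ postfix_instance.MX.backup +' A')` (or the AAAA lookup) returns nothing at render time — as far as I recall `dig +short` prints nothing and still exits 0 when the name has no such record — both loops emit no `!` entries and the directive collapses to `static:all`, which grants the backup MX addresses exactly the temporary whitelist status this commit means to withhold, with no error from the play. A related rendering hazard is that `dig +short` on a name that is a CNAME prints the canonical name before the addresses, so an entry like `!<cname-target>.` would be written where Postfix expects an address or network. Resolving the backup MX once in a task, asserting the result is non-empty and address-shaped, and passing that list into the template would catch both cases before a bad main.cf is deployed; it would also make the looked-up addresses visible in the play output, since the previously hard-coded `!88.80.11.28 ![2a00:16b0:242:13::de30]` entries were reviewable in the diff and the computed ones are not. Note also that the rendered config freezes the backup MX's addresses at the time the play runs, as the old hard-coded line did, so a change of `mx3.fripost.org` records requires a re-run of the role.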