From 55e9b2a0ebc87a353f9c9496a77b313e41e47bd4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Jul 2014 01:23:01 +0200
Subject: Perform the alias resolution and address validation solely on the
 MX:es.

We can therefore spare some lookups on the MDA, and use static:all
instead.
---
 roles/MX/tasks/main.yml                                       | 5 ++++-
 roles/MX/templates/etc/postfix/main.cf.j2                     | 2 +-
 roles/MX/templates/etc/postfix/virtual/alias.cf.j2            | 2 +-
 roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2    | 1 +
 roles/MX/templates/etc/postfix/virtual/catchall.cf.j2         | 1 +
 roles/MX/templates/etc/postfix/virtual/list.cf.j2             | 2 +-
 roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2          | 2 +-
 roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2  | 2 +-
 roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2 | 2 +-
 roles/MX/templates/etc/postfix/virtual/transport.j2           | 2 +-
 10 files changed, 13 insertions(+), 8 deletions(-)

(limited to 'roles/MX')

diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index a372cf4..a6c68f6 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -55,11 +55,14 @@
     - catchall.cf
     - transport
 
-- name: Compile the Reserved Transport Maps
+- name: Compile the Postfix transport maps
+  # trivial-rewrite(8) is a long-running process, so it's safer to reload
   postmap: instance={{ postfix_instance[inst].name }}
            src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
            owner=root group=root
            mode=0644
+  notify:
+    - Reload Postfix
 
 - name: Copy reserved-alias.pl
   copy: src=usr/local/sbin/reserved-alias.pl
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 8785c5a..b0da1bc 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -54,7 +54,7 @@ relay_domains =
 # We use a dedicated "virtual" domain to decongestion potential
 # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
 # tranport_maps.
-virtual_transport = error:5.1.1 Virtual transport unavailable
+virtual_transport       = error:5.1.1 Virtual transport unavailable
 virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
 virtual_alias_maps      = pcre:$config_directory/virtual/reserved_alias.pcre
                           # first we do the alias resolution...
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index 31a23ce..c0ab405 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -6,5 +6,5 @@ scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
-query_filter     = (&(objectClass=FripostVirtualAlias)(fvl=%u))
+query_filter     = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fripostMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index b338c8c..7679a9c 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -6,6 +6,7 @@ scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
+# The domain has already been validated (it's active and not pending)
 query_filter     = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
 result_attribute = fripostMaildrop
 result_format    = %U@%s
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 3d86ecf..818ad02 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -6,5 +6,6 @@ scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
+# The domain has already been validated (it's active and not pending)
 query_filter     = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
 result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index a39343b..a2ff325 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -6,7 +6,7 @@ scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
-query_filter     = (&(objectClass=FripostVirtualList)(fvl=%u))
+query_filter     = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 083b638..9b584c9 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -6,7 +6,7 @@ scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
-query_filter     = (&(objectClass=FripostVirtualUser)(fvl=%u))
+query_filter     = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
index fde355e..1cb8add 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
@@ -5,6 +5,6 @@ scope            = one
 bind             = yes
 bind_dn          = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw          = FIXME
-query_filter     = (&(objectClass=FripostVirtualDomain)(fvd=%s))
+query_filter     = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
 result_attribute = fvd
 result_format    = OK
diff --git a/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2 b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
index 6f62a01..f1c79c7 100644
--- a/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
+++ b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
@@ -2,4 +2,4 @@
 # For other domains, RFC 822 section 6.3 and RFC 2142 section 4
 # mandatory aliases are forwarded to OUR admin team and to the domain
 # owner or postmaster, if there are any.
-/^((?:postmaster|abuse)(?:\+.*)?@.*)/   $1@reserved.locahost.localdomain
+/^(postmaster|abuse)(?:\+.*)?@(.*)/   $2/$1@reserved.fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
index a34dcad..85715a0 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -1,4 +1,4 @@
-reserved.locahost.localdomain   reserved-alias:
+reserved.fripost.org    reserved-alias:
 
 {% if 'LDA' in group_names %}
 mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }}
-- 
cgit v1.2.3