Commit 2304dc5c authored by Kristian Klausen's avatar Kristian Klausen 🎉

Split the postfix role into a role for mail.a.o and the clients

The role for the clients is named postfix_null (per [1]) and it's much
simpler and cleaner than the postfix role. I hope to clean up the
postfix role at a later date.

[1] http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client
parent 526ae415
......@@ -31,14 +31,14 @@ to the server. This gives us several benefits:
When a new host is provisioned:
- The *postfix* role has a task delegated to 'mail.archlinux.org' to create a local user
- The *postfix_null* role has a task delegated to 'mail.archlinux.org' to create a local user
on 'mail.archlinux.org' that is used for the new server to authenticate against. The user
name is the shortname of the new servers hostname (ie, "foobar.archlinux.org"
will authenticate with the username "foobar")
- You will need to run the *postfwd* role against mail.archlinux.org to update the
rate-limiting it performs (servers are given higher rate-limits than normal
users - see `/etc/postfwd/postfwd.cf` for exact limits). This *should*
happen automatically as the *postfwd* role is a dependency of the *postfix*
happen automatically as the *postfwd* role is a dependency of the *postfix_null*
role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target
host that the postfix role is being run on)
......
......@@ -27,7 +27,7 @@
- { role: borg_client, tags: ["borg"] }
- { role: certbot }
- { role: nginx }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- role: postgres
postgres_listen_addresses: "*"
postgres_ssl: 'on'
......
......@@ -16,7 +16,7 @@
- { role: memcached }
- { role: uwsgi }
- { role: borg_client, tags: ["borg"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: fail2ban }
- { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' }
- { role: prometheus_exporters }
......
......@@ -18,7 +18,7 @@
- { role: memcached }
- { role: uwsgi }
- { role: borg_client, tags: ["borg"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: fail2ban }
- { role: aurweb }
- { role: wireguard }
......@@ -15,7 +15,7 @@
- { role: php_fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'] }
- { role: fluxbb }
- { role: borg_client, tags: ["borg"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
......
......@@ -15,7 +15,7 @@
- { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
- { role: flyspray }
- { role: borg_client, tags: ["borg"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
......
......@@ -24,7 +24,7 @@
- { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
- { role: archive }
- { role: archive_web }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
......@@ -10,7 +10,7 @@
- { role: certbot }
- { role: nginx }
- { role: mta_sts }
- { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
- { role: postfix, tags: ['mail'] }
- { role: dovecot }
- { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
- { role: unbound, unbound_port: 5353, tags: ["mail"] }
......
......@@ -19,8 +19,7 @@
postgres_maintenance_work_mem: 256MB
postgres_effective_cache_size: 4GB
postgres_jit: 'off'
- role: postfix
postfix_relayhost: "mail.archlinux.org"
- { role: postfix_null }
- { role: matrix }
- { role: fail2ban }
- { role: prometheus_exporters }
......
......@@ -11,7 +11,7 @@
- { role: borg_client, tags: ["borg"] }
- { role: certbot }
- { role: nginx }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: sudo }
- { role: uwsgi }
- role: security_tracker
......
......@@ -13,7 +13,7 @@
- { role: borg_client, tags: ["borg"] }
- { role: certbot }
- { role: nginx }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: postfix_null }
- { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true }
- { role: sudo }
- { role: php7_fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'sockets', 'zip'], zend_extensions: ['opcache'] }
......
---
postfix_smtpd_public: false
postfix_server: false
postfix_patchwork_enabled: false
postfix_patchwork_user: "patchwork"
postfix_patchwork_mail_handler: "/usr/local/bin/patchwork-parsemail-wrapper.sh"
mail_domain: "mail.archlinux.org"
postfix_relayhost: ""
postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl"
postfix_wiki_bounce_user: "wiki_bouncehandler"
postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf"
......@@ -23,6 +23,3 @@
- name: update aliases db
command: postalias /etc/postfix/aliases
- name: postmap relay_passwords
command: postmap /etc/postfix/relay_passwords
......@@ -43,26 +43,21 @@
name: certificate
vars:
domains: ["{{ mail_domain }}"]
when: postfix_smtpd_public
- name: install postfix cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postfix owner=root group=root mode=0755
when: postfix_smtpd_public
- name: install bouncehandler config
template: src=wiki-bouncehandler.conf.j2 dest={{ postfix_wiki_bounce_config }} owner={{ postfix_wiki_bounce_user }} group=root mode=0600
when: postfix_server
- name: install packages for bounce handler
pacman: name=perl-mediawiki-api,perl-config-simple state=present
when: postfix_server
- name: install bouncehandler script
copy: src=bouncehandler.pl dest={{ postfix_wiki_bounce_mail_handler }} owner=root group=root mode=0755
when: postfix_server
- name: make bouncehandler user
user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state={{ "present" if postfix_server else "absent" }}
user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state=present
- name: start and enable postfix
service: name=postfix enabled=yes state=started
......@@ -73,41 +68,11 @@
- compat_maps
- compat_maps.db
- name: install extra packages for relaying via smarthost
when: postfix_relayhost | length > 0
package:
name: cyrus-sasl
state: present
- name: install relay_passwords file
when: postfix_relayhost | length > 0
template:
src: relay_passwords.j2
dest: /etc/postfix/relay_passwords
mode: 0640
owner: root
group: postfix
notify:
- postmap relay_passwords
- name: create user account on mail to relay with
delegate_to: mail.archlinux.org
when: postfix_relayhost | length > 0
user:
name: "{{ inventory_hostname_short }}"
comment: "SMTP Relay Account for {{ inventory_hostname }}"
group: nobody
password: "{{ postfix_relay_password | password_hash('sha512') }}"
shell: /sbin/nologin
update_password: always
home: /home/"{{ inventory_hostname }}" # Set home directory so shadow.service does not fail
create_home: true
- name: open firewall holes
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
with_items:
- smtp
- smtps
when: postfix_smtpd_public and configure_firewall
when: configure_firewall
tags:
- firewall
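Review bot: The rewritten `make bouncehandler user` task in the first hunk of this file keeps the free-form `key=value` module-argument string even though the line is being touched anyway; since this role is now server-only and the `state` expression is gone, it would read more safely as native YAML args, `user:` with `name: "{{ postfix_wiki_bounce_user }}"`, `shell: /bin/false`, `skeleton: /var/empty`, `state: present`, matching the `vars:` block at the top of that hunk and avoiding the quoting pitfalls of the string form. The same applies to `ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes` in this hunk, whose `when:` was simplified to `configure_firewall`. The dropped `absent` branch means the bouncehandler user is never removed by this role any more, which looks intended now that the role only targets the mail host.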
......@@ -11,13 +11,8 @@ smtputf8_enable = no
append_dot_mydomain = no
{% if postfix_smtpd_public %}
smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
{% else %}
smtpd_tls_cert_file = /etc/letsencrypt/live/{{inventory_hostname}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{inventory_hostname}}/privkey.pem
{% endif %}
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = ultra
......@@ -34,11 +29,7 @@ smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHAA
smtp_tls_loglevel = 1
{% if postfix_relayhost %}
smtp_tls_security_level = encrypt
{% else %}
smtp_tls_security_level = may
{% endif %}
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
......@@ -51,11 +42,7 @@ daemon_directory = /usr/lib/postfix/bin
mydomain = {{inventory_hostname}}
myhostname = {{inventory_hostname}}
myorigin = archlinux.org
{% if postfix_server %}
mydestination = archlinux.org
{% else %}
mydestination =
{% endif %}
default_database_type=btree
indexed = ${default_database_type}:${config_directory}
......@@ -82,7 +69,6 @@ smtp_connection_cache_on_demand = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
{% if postfix_smtpd_public %}
# custom restriction classes
policy_check =
# postfwd (rate-limiting)
......@@ -121,7 +107,6 @@ smtpd_recipient_restrictions =
# some rate limiting rules only work after data so check it again
smtpd_end_of_data_restrictions =
$policy_check
{% endif %}
address_verify_map = ${default_database_type}:/var/lib/postfix/verify_cache
......@@ -132,19 +117,6 @@ unknown_address_reject_code = 550
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
{% if postfix_relayhost %}
# relay all outbound mail via {{postfix_relayhost}}
# the square brackets prevents postfix from trying to lookup mx records
relayhost = [{{postfix_relayhost}}]:465
smtp_tls_wrappermode = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = ${indexed}/relay_passwords
# allow plaintext authentication only over tls secured connections
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
{% endif %}
{% if postfix_server %}
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
......@@ -168,13 +140,10 @@ non_smtpd_milters=inet:localhost:11332
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
internal_mail_filter_classes = bounce
{% endif %}
{% if postfix_server %}
smtpd_sender_login_maps =
${indexed}/smtp_sender_map,
${indexed}/users
{% endif %}
smtpd_helo_required = yes
smtpd_client_connection_rate_limit = 400
......@@ -185,7 +154,6 @@ alias_maps = ${indexed}/aliases
alias_database = ${indexed}/aliases
{% if postfix_server %}
virtual_alias_maps =
${indexed}/users
pcre:${config_directory}/users.pcre
......@@ -197,7 +165,6 @@ local_recipient_maps =
$alias_maps
pcre:${config_directory}/transport.pcre
relocated_maps = ${indexed}/relocated
{% endif %}
relay_domains =
{%if postfix_patchwork_enabled %}
......@@ -212,9 +179,7 @@ transport_maps =
patchwork_destination_recipient_limit = 1
{% endif %}
{% if postfix_server %}
wiki_bouncehandler_destination_recipient_limit = 1
{% endif %}
authorized_mailq_users = root
......
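Review bot: With the `encrypt` branch removed, `smtp_tls_security_level = may` is the server's only outbound TLS setting, so every delivery from mail.archlinux.org to remote domains is opportunistic and unauthenticated. If Postfix on this host resolves through a DNSSEC-validating resolver (the mail host playbook on this page lists an unbound role, but on port 5353 and its validation setup is not visible), `smtp_tls_security_level = dane` with `smtp_dns_support_level = dnssec` would authenticate delivery to domains publishing TLSA records and behave like `may` elsewhere; worth confirming the resolver before switching. Separately, the `tls_high_cipherlist` context line ends in `AES128-SHAA`, which reads as a typo for `AES128-SHA`; OpenSSL ignores unknown names in a cipher string, so the entry is silently a no-op rather than an error. The `{% if postfix_server %}` removals in the later hunks of this file are consistent with the defaults change and need nothing further.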
......@@ -12,16 +12,10 @@
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
{% if postfix_smtpd_public %}
smtp inet n - n - - smtpd
-o smtpd_client_connection_count_limit=20
-o smtpd_proxy_options=speed_adjust
{% else %}
localhost:smtp inet n - n - - smtpd
-o smtpd_tls_security_level=none
{% endif %}
{% if postfix_server %}
msa_cleanup unix n - n - 0 cleanup
-o header_checks=pcre:/etc/postfix/msa_header_checks
submissions inet n - n - - smtpd
......@@ -32,7 +26,6 @@ submissions inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o smtpd_client_connection_count_limit=10
{% endif %}
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
......@@ -94,7 +87,5 @@ patchwork unix - n n - - pipe
flags=DFRX user={{postfix_patchwork_user}} argv={{postfix_patchwork_mail_handler}}
{% endif %}
{% if postfix_server %}
wiki_bouncehandler unix - n n - - pipe
flags=DFRX user={{postfix_wiki_bounce_user}} argv=/usr/bin/systemd-cat {{postfix_wiki_bounce_mail_handler}} {{postfix_wiki_bounce_config}}
{% endif %}
......@@ -3,9 +3,7 @@
#
#lists.archlinux.org mailman:
{% if not postfix_relayhost %}
gmail.com smtp-ipv4:
{% endif %}
{% if postfix_patchwork_enabled %}
patchwork@archlinux.org patchwork:
{% endif %}
#
# {{ansible_managed}}
#
{% if postfix_server %}
/wikibounce-[\w.]+-\w+-\w+-\w...............@archlinux.org/ wiki_bouncehandler:
{% endif %}
---
postfix_relayhost: "mail.archlinux.org"
---
- name: reload postfix
service: name=postfix state=reloaded
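Review bot: The new role's handlers file defines only `reload postfix`, while the `postmap relay_passwords` handler removed from the postfix role's handlers above is not recreated here; if the relay_passwords template task moved into postfix_null with its `notify: postmap relay_passwords` intact, Ansible errors out when that task notifies a handler that does not exist. The postfix_null tasks file is not on this page, so this should be checked there and a `- name: postmap relay_passwords` / `command: postmap /etc/postfix/relay_passwords` handler added if needed. Since the file is new, the handler could also use native module arguments, `service:` with `name: postfix` and `state: reloaded`, rather than the `key=value` string.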