Add SRS support

2022-06-06 12:56:18 +02:00 · 2022-06-06 12:56:18 +02:00 · d65295f798
parent 62777745f1
commit d65295f798
4 changed files with 138 additions and 0 deletions
--- a/tasks/postsrsd.yml
+++ b/tasks/postsrsd.yml
@ -0,0 +1,61 @@
+---
+- name: Manage the POSTSRSD packages in EL systems
+  block:
+    - name: Install the COPR repo that publishes postsrsd
+      template:
+        src: copr-postsrsd.repo.j2
+        dest: /etc/yum.repos.d/copr-postsrsd.repo
+        owner: root
+        group: root
+        mode: 0644
+
+    - name: Install the POSTSRSD packages on EL
+      yum:
+        pkg: '{{ postfix_srs_pkg }}'
+        state: present
+
+  when: ansible_distribution_file_variety == "RedHat"
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
+
+- name: Manage the POSTSRSD packages in DEB systems
+  block:
+    - name: Install the POSTSRSD packages on DEB
+      apt:
+        pkg: '{{ postfix_srs_pkg }}'
+        state: present
+        cache_valid_time: 1800
+
+  when: ansible_distribution_file_variety == "Debian"
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
+
+- name: POSTSRSD configuration
+  block:
+    - name: Install the postsrsd secret
+      template:
+        src: postsrsd.secret.j2
+        dest: '{{ postfix_srs_conf_file }}'
+        mode: 0440
+        owner: '{{ postfix_srs_user }}'
+        group: 'root'
+      notify: restart postsrsd
+
+    - name: Install the postsrsd configuration file
+      template:
+        src: 'postsrsd.default.j2'
+        dest: '{{ postfix_srs_conf_file }}'
+        owner: root
+        group: root
+        mode: 0644
+      notify: restart postsrsd
+
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd', 'postfix_conf', 'postsrsd_conf']
+
+- name: Manage the POSTSRSD service
+  block:
+    - name: Ensure that the postsrsd service is started and enabled
+      service:
+        name: postsrsd
+        state: started
+        enabled: true
+
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
--- a/templates/copr-postsrsd.repo.j2
+++ b/templates/copr-postsrsd.repo.j2
@ -0,0 +1,10 @@
+[copr:copr.fedorainfracloud.org:jered:postsrsd]
+name=Copr repo for postsrsd owned by jered
+baseurl=https://download.copr.fedorainfracloud.org/results/jered/postsrsd/epel-{{ ansible_distribution_major_version }}-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/jered/postsrsd/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
--- a/templates/postsrsd.default.j2
+++ b/templates/postsrsd.default.j2
@ -0,0 +1,64 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={% if domain_name is defined %}{{ domain_name }}{% else %}{{ ansible_fqdn }}{% endif %}
+
+{% if postfix_srs_list_exclude_domains %}
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={% for dom in postfix_srs_exclude_domains %}"{{ dom }}"{% if not loop.last %}, {% endif %}{% endfor %}
+{% endif %}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that is just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT={{ postfix_srs_sender_port }}
+SRS_REVERSE_PORT={{ postfix_srs_receiver_port }}
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS={{ postfix_srs_user }}
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR={{ postfix_srs_listen }}
+
+# Jail daemon in chroot environment
+#
+CHROOT=/run/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A     always rewrite email addresses, even from SRS_DOMAIN
+# -t<n>  set connection timeout to <n> seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A
--- a/templates/postsrsd.secret.j2
+++ b/templates/postsrsd.secret.j2
@ -0,0 +1,3 @@
+{% for sec in postfix_srs_secrets %}
+{{ sec }}
+{% endfor %}