Add support for SRS

2022-06-06 13:00:51 +02:00 · 2022-06-06 13:00:51 +02:00 · 0771c7b9aa
parent df93903d84
commit 0771c7b9aa
9 changed files with 177 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -128,6 +128,21 @@ postfix_dkim_v_sendreports: 'no'
 postfix_dkim_reportaddress: ''
 postfix_dkim_canonicalization: 'relaxed/relaxed'
 postfix_dkim_minkeybits: 1024
+# SRS
+# Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64'
+# postfix_srs_secret: 'use a vault'
+postfix_srs_secrets:
+  - '{{ postfix_srs_secret }}'
+postfix_srs_list_exclude_domains: false
+postfix_srs_exclude_domains: []
+postfix_srs_user: 'nobody'
+postfix_srs_sender_enabled: false
+postfix_srs_receiver_enabled: false
+postfix_srs_listen: '127.0.0.1'
+postfix_srs_sender_port: 10001
+postfix_srs_receiver_port: 10002
+postfix_sender_canonical_maps: 'tcp:{{ postfix_srs_listen }}:{{ postfix_srs_sender_port }}'
+postfix_recipient_canonical_maps: 'tcp:{{ postfix_srs_listen }}:{{ postfix_srs_receiver_port }}'

 #############################################################################
 # SMTP server that not accept authenticated clients.
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -25,3 +25,8 @@
  service:
    name: opendkim
    state: restarted
+
+- name: restart postsrsd
+  service:
+    name: postsrsd
+    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,6 +2,8 @@
 - import_tasks: smtp-common-packages.yml
 - import_tasks: dkim.yml
  when: postfix_dkim_enabled
+- import_tasks: postsrsd.yml
+  when: postfix_srs_sender_enabled or postfix_srs_receiver_enabled
 - import_tasks: postfix_spf_policy.yml
  when: postfix_spf_policy_install
 - import_tasks: smtp-configuration.yml
--- a/tasks/postsrsd.yml
+++ b/tasks/postsrsd.yml
@ -0,0 +1,61 @@
+---
+- name: Manage the POSTSRSD packages in EL systems
+  block:
+    - name: Install the COPR repo that publishes postsrsd
+      template:
+        src: copr-postsrsd.repo.j2
+        dest: /etc/yum.repos.d/copr-postsrsd.repo
+        owner: root
+        group: root
+        mode: 0644
+
+    - name: Install the POSTSRSD packages on EL
+      yum:
+        pkg: '{{ postfix_srs_pkg }}'
+        state: present
+
+  when: ansible_distribution_file_variety == "RedHat"
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
+
+- name: Manage the POSTSRSD packages in DEB systems
+  block:
+    - name: Install the POSTSRSD packages on DEB
+      apt:
+        pkg: '{{ postfix_srs_pkg }}'
+        state: present
+        cache_valid_time: 1800
+
+  when: ansible_distribution_file_variety == "Debian"
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
+
+- name: POSTSRSD configuration
+  block:
+    - name: Install the postsrsd secret
+      template:
+        src: postsrsd.secret.j2
+        dest: '{{ postfix_srs_conf_file }}'
+        mode: 0440
+        owner: '{{ postfix_srs_user }}'
+        group: 'root'
+      notify: restart postsrsd
+
+    - name: Install the postsrsd configuration file
+      template:
+        src: 'postsrsd.default.j2'
+        dest: '{{ postfix_srs_conf_file }}'
+        owner: root
+        group: root
+        mode: 0644
+      notify: restart postsrsd
+
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd', 'postfix_conf', 'postsrsd_conf']
+
+- name: Manage the POSTSRSD service
+  block:
+    - name: Ensure that the postsrsd service is started and enabled
+      service:
+        name: postsrsd
+        state: started
+        enabled: true
+
+  tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
--- a/templates/copr-postsrsd.repo.j2
+++ b/templates/copr-postsrsd.repo.j2
@ -0,0 +1,10 @@
+[copr:copr.fedorainfracloud.org:jered:postsrsd]
+name=Copr repo for postsrsd owned by jered
+baseurl=https://download.copr.fedorainfracloud.org/results/jered/postsrsd/epel-{{ ansible_distribution_major_version }}-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/jered/postsrsd/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@ -385,6 +385,17 @@ alias_database = {% for dbalias in postfix_alias_databases %}{{ dbalias }}{% if
 # trying user and .forward.
 #
 recipient_delimiter = {{ postfix_recipient_delimiter }}
+#
+{% if postfix_srs_sender_enabled %}
+# SRS sender
+sender_canonical_maps = {{ postfix_sender_canonical_maps }}
+sender_canonical_classes = envelope_sender
+{% endif %}
+{% if postfix_srs_receiver_enabled %}
+# SRS recipient
+recipient_canonical_maps = {{ postfix_recipient_canonical_maps }}
+recipient_canonical_classes= envelope_recipient,header_recipient
+{% endif %}

 # DELIVERY TO MAILBOX
 #
--- a/templates/postsrsd.default.j2
+++ b/templates/postsrsd.default.j2
@ -0,0 +1,64 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={% if domain_name is defined %}{{ domain_name }}{% else %}{{ ansible_fqdn }}{% endif %}
+
+{% if postfix_srs_list_exclude_domains %}
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={% for dom in postfix_srs_exclude_domains %}"{{ dom }}"{% if not loop.last %}, {% endif %}{% endfor %}
+{% endif %}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that is just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT={{ postfix_srs_sender_port }}
+SRS_REVERSE_PORT={{ postfix_srs_receiver_port }}
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS={{ postfix_srs_user }}
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR={{ postfix_srs_listen }}
+
+# Jail daemon in chroot environment
+#
+CHROOT=/run/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A     always rewrite email addresses, even from SRS_DOMAIN
+# -t<n>  set connection timeout to <n> seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A
--- a/templates/postsrsd.secret.j2
+++ b/templates/postsrsd.secret.j2
@ -0,0 +1,3 @@
+{% for sec in postfix_srs_secrets %}
+{{ sec }}
+{% endfor %}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -10,3 +10,9 @@ postfix_dkim_base_dir: /etc/opendkim
 postfix_dkim_user: opendkim
 postfix_dkim_group: opendkim
 postfix_dkim_conf: /etc/opendkim.conf
+
+# Conf files and data files
+postfix_srs_secret_file: '/etc/postsrsd.secret'
+postfix_srs_conf_file: '/etc/default/postsrsd'
+postfix_srs_pkg: postsrsd
+postfix_srs_el_repo: copr-postsrsd.repo