diff --git a/defaults/main.yml b/defaults/main.yml
index 6a3dbbb..d508821 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -128,6 +128,21 @@ postfix_dkim_v_sendreports: 'no'
 postfix_dkim_reportaddress: ''
 postfix_dkim_canonicalization: 'relaxed/relaxed'
 postfix_dkim_minkeybits: 1024
+# SRS
+# Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64'
+# postfix_srs_secret: 'use a vault'
+postfix_srs_secrets:
+ - '{{ postfix_srs_secret }}'
+postfix_srs_list_exclude_domains: false
+postfix_srs_exclude_domains: []
+postfix_srs_user: 'nobody'
+postfix_srs_sender_enabled: false
+postfix_srs_receiver_enabled: false
+postfix_srs_listen: '127.0.0.1'
+postfix_srs_sender_port: 10001
+postfix_srs_receiver_port: 10002
+postfix_sender_canonical_maps: 'tcp:{{ postfix_srs_listen }}:{{ postfix_srs_sender_port }}'
+postfix_recipient_canonical_maps: 'tcp:{{ postfix_srs_listen }}:{{ postfix_srs_receiver_port }}'
 #############################################################################
 # SMTP server that not accept authenticated clients.
diff --git a/handlers/main.yml b/handlers/main.yml
index 8960c74..b5c5d23 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -25,3 +25,8 @@
 service:
 name: opendkim
 state: restarted
+
+- name: restart postsrsd
+ service:
+ name: postsrsd
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index 0ffd8d6..272a76e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,6 +2,8 @@
 - import_tasks: smtp-common-packages.yml
 - import_tasks: dkim.yml
 when: postfix_dkim_enabled
+- import_tasks: postsrsd.yml
+ when: postfix_srs_sender_enabled or postfix_srs_receiver_enabled
 - import_tasks: postfix_spf_policy.yml
 when: postfix_spf_policy_install
 - import_tasks: smtp-configuration.yml
diff --git a/tasks/postsrsd.yml b/tasks/postsrsd.yml
new file mode 100644
index 0000000..505babd
--- /dev/null
+++ b/tasks/postsrsd.yml
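Review bot: `postfix_srs_secrets` defaults to a list whose only entry is `{{ postfix_srs_secret }}`, yet `postfix_srs_secret` itself exists only as the commented-out line above it, so turning on `postfix_srs_sender_enabled` or `postfix_srs_receiver_enabled` without defining it (or overriding the list) stops at the secret template with an undefined-variable error. That is the safe way to fail, but nothing in the hunk tells the operator about the contract. I would replace `# postfix_srs_secret: 'use a vault'` with a comment such as `# Required when SRS is enabled: define postfix_srs_secret (keep it in a vault) or override postfix_srs_secrets; put the current secret first and keep retired ones after it so addresses signed with them still validate.` The first-entry-signs / later-entries-validate ordering is how postsrsd documents multi-line secret files, but confirm it against the packaged version before stating it.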
@@ -0,0 +1,61 @@
+---
+- name: Manage the POSTSRSD packages in EL systems
+ block:
+ - name: Install the COPR repo that publishes postsrsd
+ template:
+ src: copr-postsrsd.repo.j2
+ dest: /etc/yum.repos.d/copr-postsrsd.repo
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Install the POSTSRSD packages on EL
+ yum:
+ pkg: '{{ postfix_srs_pkg }}'
+ state: present
+
+ when: ansible_distribution_file_variety == "RedHat"
+ tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
+
+- name: Manage the POSTSRSD packages in DEB systems
+ block:
+ - name: Install the POSTSRSD packages on DEB
+ apt:
+ pkg: '{{ postfix_srs_pkg }}'
+ state: present
+ cache_valid_time: 1800
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
+
+- name: POSTSRSD configuration
+ block:
+ - name: Install the postsrsd secret
+ template:
+ src: postsrsd.secret.j2
+ dest: '{{ postfix_srs_conf_file }}'
+ mode: 0440
+ owner: '{{ postfix_srs_user }}'
+ group: 'root'
+ notify: restart postsrsd
+
+ - name: Install the postsrsd configuration file
+ template:
+ src: 'postsrsd.default.j2'
+ dest: '{{ postfix_srs_conf_file }}'
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart postsrsd
+
+ tags: ['postfix', 'postfix_postsrsd', 'postsrsd', 'postfix_conf', 'postsrsd_conf']
+
+- name: Manage the POSTSRSD service
+ block:
+ - name: Ensure that the postsrsd service is started and enabled
+ service:
+ name: postsrsd
+ state: started
+ enabled: true
+
+ tags: ['postfix', 'postfix_postsrsd', 'postsrsd']
diff --git a/templates/copr-postsrsd.repo.j2 b/templates/copr-postsrsd.repo.j2
new file mode 100644
index 0000000..05ca94c
--- /dev/null
+++ b/templates/copr-postsrsd.repo.j2
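Review bot: The "Install the postsrsd secret" task writes to `dest: '{{ postfix_srs_conf_file }}'`, which is the same `/etc/default/postsrsd` path the very next task overwrites with the rendered `postsrsd.default.j2` at `mode: 0644`, so the secret never reaches the file that `SRS_SECRET` points to and the daemon keeps using whatever the package generated; the line should be `dest: '{{ postfix_srs_secret_file }}'`, the variable vars/main.yml adds for exactly this, and `postsrsd.default.j2` should then read `SRS_SECRET={{ postfix_srs_secret_file }}` so both sides follow one variable. The secret task should also carry `no_log: true` and `diff: false`, otherwise the key material is printed by verbose runs and by `--diff`. Ownership by `postfix_srs_user` (default `nobody`, a shared account) is wider than needed if postsrsd reads the secret before `RUN_AS` drops privileges, as its chroot/privilege-drop ordering suggests; `owner: root` with `mode: '0400'` would be tighter, but confirm against the packaged version. The octal modes here (`0644`, `0440`) are safer as quoted strings, per the Ansible file-module documentation.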
@@ -0,0 +1,10 @@
+[copr:copr.fedorainfracloud.org:jered:postsrsd]
+name=Copr repo for postsrsd owned by jered
+baseurl=https://download.copr.fedorainfracloud.org/results/jered/postsrsd/epel-{{ ansible_distribution_major_version }}-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/jered/postsrsd/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index 0af570f..6ad36b4 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -385,6 +385,17 @@ alias_database = {% for dbalias in postfix_alias_databases %}{{ dbalias }}{% if
 # trying user and .forward.
 # recipient_delimiter = {{ postfix_recipient_delimiter }}
+#
+{% if postfix_srs_sender_enabled %}
+# SRS sender
+sender_canonical_maps = {{ postfix_sender_canonical_maps }}
+sender_canonical_classes = envelope_sender
+{% endif %}
+{% if postfix_srs_receiver_enabled %}
+# SRS recipient
+recipient_canonical_maps = {{ postfix_recipient_canonical_maps }}
+recipient_canonical_classes= envelope_recipient,header_recipient
+{% endif %}
 # DELIVERY TO MAILBOX #
diff --git a/templates/postsrsd.default.j2 b/templates/postsrsd.default.j2
new file mode 100644
index 0000000..a0bd731
--- /dev/null
+++ b/templates/postsrsd.default.j2
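Review bot: `gpgkey` is downloaded from the same `download.copr.fedorainfracloud.org` origin as the packages it is meant to verify, and with `repo_gpgcheck=0` the metadata is unsigned, so the effective trust anchor is that host's TLS certificate rather than a key the role's maintainers reviewed; shipping the public key inside the role and pointing `gpgkey=file:///etc/pki/rpm-gpg/<KEY-FILE-PLACEHOLDER>` at a copy installed by a preceding task pins trust to a vetted artifact. The repo is also left `enabled=1` for every later package transaction on the host, which lets a personal COPR shadow distribution packages on any name collision; adding `includepkgs=postsrsd` confines it to the one package this role installs. `skip_if_unavailable=True` turns a COPR outage into a later "no package available" failure instead of a clear repository error, which is fine if intended but deserves a comment line saying so.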
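Review bot: `recipient_canonical_classes= envelope_recipient,header_recipient` drops the space before `=` that every other setting in this hunk uses; Postfix accepts it, but for consistency write `recipient_canonical_classes = envelope_recipient,header_recipient`. The two `# SRS ...` comments would help operators more if they recorded the runtime dependency these `tcp:` maps create: as far as I can tell from Postfix's tcp_table semantics, a lookup failure when postsrsd is down is treated as a temporary error and mail is deferred, so something like `# Lookups go to the local postsrsd daemon; if it is unreachable Postfix defers mail until it is back` above each block states the consequence of the `postfix_srs_listen`/port variables being wrong. The enclosing template continues outside the hunk.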
@@ -0,0 +1,64 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={% if domain_name is defined %}{{ domain_name }}{% else %}{{ ansible_fqdn }}{% endif %}
+
+{% if postfix_srs_list_exclude_domains %}
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={% for dom in postfix_srs_exclude_domains %}"{{ dom }}"{% if not loop.last %}, {% endif %}{% endfor %}
+{% endif %}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that is just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT={{ postfix_srs_sender_port }}
+SRS_REVERSE_PORT={{ postfix_srs_receiver_port }}
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS={{ postfix_srs_user }}
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR={{ postfix_srs_listen }}
+
+# Jail daemon in chroot environment
+#
+CHROOT=/run/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A always rewrite email addresses, even from SRS_DOMAIN
+# -t set connection timeout to seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A
diff --git a/templates/postsrsd.secret.j2 b/templates/postsrsd.secret.j2
new file mode 100644
index 0000000..675b40d
--- /dev/null
+++ b/templates/postsrsd.secret.j2
@@ -0,0 +1,3 @@
+{% for sec in postfix_srs_secrets %}
+{{ sec }}
+{% endfor %}
diff --git a/vars/main.yml b/vars/main.yml
index 175c924..4861881 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -10,3 +10,9 @@ postfix_dkim_base_dir: /etc/opendkim
 postfix_dkim_user: opendkim
 postfix_dkim_group: opendkim
 postfix_dkim_conf: /etc/opendkim.conf
+
+# Conf files and data files
+postfix_srs_secret_file: '/etc/postsrsd.secret'
+postfix_srs_conf_file: '/etc/default/postsrsd'
+postfix_srs_pkg: postsrsd
+postfix_srs_el_repo: copr-postsrsd.repo
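Review bot: Several comments in this template were carried over from the package default and no longer describe what the role renders. The block above `SRS_SECRET` says a random secret "is generated and stored in /etc/postsrsd.secret ... that is just fine", but this role installs its own secret from `postfix_srs_secrets`; I would reword it to `# Secret file managed by this role from postfix_srs_secrets; rotate by prepending a new entry there.` The block above `SRS_FORWARD_PORT` says the ports "are bound to the loopback interface", while the bind address is really `SRS_LISTEN_ADDR={{ postfix_srs_listen }}` and so follows whatever the operator sets; it should say the ports bind to `postfix_srs_listen` (loopback by default) and must never be reachable from other hosts, because the tcp_table protocol postsrsd speaks carries no authentication. The `SRS_DOMAIN` comment about `postconf -h mydomain` is likewise stale, since the value is templated from `domain_name` or `ansible_fqdn`, and a note that `ansible_fqdn` yields a host-specific SRS domain (presumably not what a multi-host mail setup wants — confirm) would help.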
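Review bot: `postfix_srs_el_repo: copr-postsrsd.repo` is defined here but never read; tasks/postsrsd.yml hard-codes `dest: /etc/yum.repos.d/copr-postsrsd.repo`, so the two will drift silently if either is renamed. Either wire it in with `dest: '/etc/yum.repos.d/{{ postfix_srs_el_repo }}'` or drop the variable so the file name lives in one place. A short comment above the block, e.g. `# Internal paths; vars/ takes precedence over inventory, so these are not meant to be overridden`, would also make the choice of vars/ over defaults/ deliberate rather than accidental, given that the DKIM entries above follow the same pattern.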