
mailserver: add VERP marking of outgoing an unmarking of incoming mails

master
iburadempa 11 months ago
parent
commit
b0bc240ee5
6 changed files with 73 additions and 0 deletions
  1. +3
    -0
      mail_system.yml
  2. +27
    -0
      mail_system/tasks/database.yml
  3. +2
    -0
      mail_system/tasks/postfix.yml
  4. +10
    -0
      mail_system/templates/postfix/main.cf
  5. +10
    -0
      mail_system/templates/postfix/recipient_canonical_maps.cf
  6. +21
    -0
      mail_system/templates/postfix/sender_canonical_maps.cf

+ 3
- 0
mail_system.yml

@@ -27,9 +27,12 @@
# overwrite_config: no
# reject_sender_login_mismatch: yes
# mynetworks: "10.0.0.0/24 [2a01:XXXX:XXXX:XXXX::]/64"
# verp_marker: rstxyz
# dovecot:
# auth_default_realm: mymaindomain.org
#
# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
#
# (Use ansible-vault encrypt_string zo encrypt the password.)
#
# TODOs after running this playbook:
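Review bot: The `verp_marker` value shown in the example config is interpolated verbatim into regular expressions and SQL string literals in the two new pgsql map templates of this commit, but nothing in the playbook enforces the `[a-z0-9]+` restriction the new comment asks for; a marker containing `'`, `\` or regex metacharacters would silently change those queries. Add an `assert` task before the Postfix templates are rendered, e.g. `- assert: { that: mailserver.postfix.verp_marker is match('^[a-z0-9]+$') }`, so a bad value fails the run instead of reaching Postfix. The comment also has a typo (`thate` for `that`).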


+ 27
- 0
mail_system/tasks/database.yml

@@ -131,3 +131,30 @@
table: shared_folders_anyone
columns: from_user
idxname: shared_folders__from

- name: database table mail_from
postgresql_table:
login_host: "{{ mailserver.postgresql.host }}"
port: "{{ mailserver.postgresql.port }}"
login_user: "{{ mailserver.postgresql.username }}"
login_password: "{{ mailserver.postgresql.password }}"
db: "{{ mailserver.postgresql.dbname }}"
ssl_mode: disable
name: mail_from
columns:
- id bigserial primary key
- t timestamp default now()
- original varchar(250) not null
- rewritten varchar(250) not null

- name: database index mail_from__rewritten
postgresql_idx:
login_host: "{{ mailserver.postgresql.host }}"
port: "{{ mailserver.postgresql.port }}"
login_user: "{{ mailserver.postgresql.username }}"
login_password: "{{ mailserver.postgresql.password }}"
db: "{{ mailserver.postgresql.dbname }}"
ssl_mode: disable
table: mail_from
columns: rewritten
idxname: mail_from__rewritten
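Review bot: The `mail_from__rewritten` index is created without `unique: yes`, yet the sender_canonical_maps query in this same commit ends with `on conflict (rewritten) do nothing`, which PostgreSQL only accepts when a unique index or constraint exists on `rewritten`; unless that constraint is created somewhere outside this hunk, every sender lookup will error out and Postfix will treat the map lookup as a failure. Add `unique: yes` to the `postgresql_idx` task (or declare `- rewritten varchar(250) not null unique` in the `mail_from` columns above). Note that this also makes `rewritten` the deduplication key for unmarked, non-local sender rows, which appears to be what the `do nothing` clause intends.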

+ 2
- 0
mail_system/tasks/postfix.yml

@@ -72,6 +72,8 @@
- relay_domains.cf
- relay_recipient_maps.cf
- transport_maps.cf
- sender_canonical_maps.cf
- recipient_canonical_maps.cf

- name: restart postfix
systemd:
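Review bot: The two map files added to this list embed the PostgreSQL password (`password = {{ mailserver.postgresql.password }}` in both templates), so their on-disk permissions matter; the task that renders this list starts above the hunk and its `owner`/`group`/`mode` are not visible here. Confirm the templates are written `root:postfix` with `mode: "0640"` (the other pgsql maps in the list are presumably handled the same way), since the cleanup daemon that performs the canonical lookups runs unprivileged as the postfix user and a world-readable file would expose the database credential to every local account.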


+ 10
- 0
mail_system/templates/postfix/main.cf

@@ -95,6 +95,16 @@ smtpd_relay_restrictions =
# rspamd


# VERP marking
# Envelope sender addresses matching mydomains are marked.
# The marker is removed from envelope recipient addresses.
canonical_classes = envelope_sender, envelope_recipient
sender_canonical_classes = envelope_sender
sender_canonical_maps = pgsql:/etc/postfix/sender_canonical_maps.cf
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = pgsql:/etc/postfix/recipient_canonical_maps.cf


# useful for log analysis
enable_long_queue_ids = yes
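Review bot: `canonical_classes = envelope_sender, envelope_recipient` only governs `canonical_maps`, which this hunk does not set, so the line is inert unless `canonical_maps` is configured elsewhere in the template; the settings that actually take effect are the `sender_canonical_classes` and `recipient_canonical_classes` lines below it. Either drop the line or annotate it, e.g. `# canonical_classes applies to canonical_maps only; the envelope-only scope is set via the *_canonical_classes lines below`. It is also worth stating in the VERP comment that the sender map writes a row to mail_from on every lookup, since that side effect is not visible from main.cf.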



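--- a/mail_system/templates/postfix/recipient_canonical_maps.cf
+++ b/mail_system/templates/postfix/recipient_canonical_maps.cf
@@ -0,0 +1,10 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+# man pgsql_table
+
+user = {{ mailserver.postgresql.username }}
+password = {{ mailserver.postgresql.password }}
+dbname = {{ mailserver.postgresql.dbname }}
+hosts = {{ mailserver.postgresql.host }}
+query = select regexp_replace('%s', '\+(.*){{ mailserver.postfix.verp_marker }}-\d+@', '+\1@')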
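Review bot: The unmarking regex in `query` turns an address that was marked from a plain local part (e.g. `user@example.org` → `user+rstxyz-42@example.org`, following the sender map's `'+{{ marker }}-'` branch; the id is a constructed example) back into `user+@example.org`, not `user@example.org`, because the `+` is re-emitted unconditionally while `\1` is empty. Whether `user+@` still delivers depends on `recipient_delimiter`, which is not part of this change, so strip the empty extension explicitly: `query = select regexp_replace(regexp_replace('%s', '\+(.*){{ mailserver.postfix.verp_marker }}-\d+@', '+\1@'), '\+@', '@')`. Since this query returns a row for every key it is given, consider also a pgsql_table `domain =` setting so that only recipients in local domains reach the database at all.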

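--- a/mail_system/templates/postfix/sender_canonical_maps.cf
+++ b/mail_system/templates/postfix/sender_canonical_maps.cf
@@ -0,0 +1,21 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+# man pgsql_table
+
+user = {{ mailserver.postgresql.username }}
+password = {{ mailserver.postgresql.password }}
+dbname = {{ mailserver.postgresql.dbname }}
+hosts = {{ mailserver.postgresql.host }}
+query = insert into mail_from (id, original, rewritten)
+values (nextval('mail_from_id_seq'), '%s',
+case
+when regexp_replace('%s', '.*@([^@]+)$', '\1') in (select name from domains)
+then case
+when '%s'~*'{{ mailserver.postfix.verp_marker }}-\d+@'
+then '%s'
+else regexp_replace('%s', '^(.*)@[^@]+$', '\1') || case when '%s'~'\+' then '{{ mailserver.postfix.verp_marker }}-' else '+{{ mailserver.postfix.verp_marker }}-' end || lastval()::text || '@' || regexp_replace('%s', '.*@([^@]+)$', '\1')
+end
+else '%s'
+end
+) on conflict (rewritten) do nothing returning rewritten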
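Review bot: The `insert` in `query` runs on every lookup Postfix makes, not only for senders in a local domain: the `case` merely selects the `rewritten` value, while the `else '%s'` branch still writes a row (and consumes a `mail_from_id_seq` value) for every distinct remote sender address passing through cleanup, so any client that can submit mail grows `mail_from` without bound, and if cleanup also issues the `user` and `@domain` key lookups a bare `@domain` key in a local domain would even be rewritten to `+marker-N@domain`. Restrict the map with a pgsql_table `domain =` setting listing the local domains (a `hash:` file or a small `pgsql:` map over the `domains` table, path to be chosen) so non-local keys never reach the database, or move the domain test into the `where` clause of an `insert ... select` so that only local senders create rows. The `lastval()` call additionally relies on the `nextval()` in the first column being evaluated first; that holds in practice but deserves a comment, or the value can be captured once in a CTE and referenced in both columns.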
