base / postfix / bastion/gateway: fix up email flow to @redhat.com

Recently, redhat.com changed internal MX servers. The new servers
have rate limits on incoming emails from one IP and admins there don't
want to add a bunch of exceptions, so we need to adjust our end to not
flood connections to them. Currently, connections burst up to 100 (the
smtp Postfix default) which goes over their limits and causes the
internal MX to reject emails from us for a while.

So, this change:

* Adds some domains to fast_flush. This allows us to use postqueue -s
  domain to flush emails to a particular domain.

* Changes the smtp limit to 40. This is under the redhat.com limit.

* Has Ansible actually install the master.cf.gateway on bastion servers.
  Currently they are using the stock/default one.

* Enables the tlsproxy service, which is actually needed to get that tls
  reuse working.

After these changes, we keep a few connections to the redhat.com MX open,
but we reuse them and send more emails over existing connections. No
'too many connections' emails have happened since the changes.
The queue slowly seems to be processing down.

Since this was causing an outage of email, I have already applied these
things to bastion01, but I'd like to make sure we match up to what's in
ansible.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2022-04-22 11:51:44 -07:00 committed by kevin
parent 120acfb3e7
commit 6d3114e3bd
3 changed files with 5 additions and 3 deletions


@ -594,7 +594,7 @@ recipient_delimiter = +
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
fast_flush_domains = $relay_domains,redhat.com,gmail.com,google.com
# SHOW SOFTWARE VERSION OR NOT
#
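Review bot: gmail.com and google.com are added to fast_flush_domains here without any reason given in the commit message, which only talks about redhat.com; either say why they are included or drop them. Also, listing a domain in fast_flush_domains means any client permitted by smtpd_etrn_restrictions can trigger a queue flush for it with `ETRN redhat.com`, so it is worth confirming that smtpd_etrn_restrictions on the gateway is limited to trusted clients, or keeping the ETRN path closed and relying on `postqueue -s` only.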


@ -6,7 +6,8 @@
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
smtp inet n - n - 40 smtpd
tlsproxy unix - - n - - tlsproxy
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
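Review bot: the 40 in this hunk is the maxproc column of the `smtp inet ... smtpd` entry, which caps concurrent inbound SMTP server processes on port 25; it does not limit the outbound `smtp` client processes that open the connections to the redhat.com MX described in the commit message. Outbound fan-out is governed by the `smtp unix ... smtp` entry's maxproc and by smtp_destination_concurrency_limit / default_destination_concurrency_limit in main.cf, so if the goal is to stay under redhat.com's per-IP limit the cap belongs on that entry or those parameters. The tlsproxy entry only matters for outbound TLS connection reuse when smtp_tls_connection_reuse = yes is set, which is not in this diff; if it is set elsewhere, the commit message should say so.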
@ -38,6 +39,7 @@ virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
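Review bot: the postlog entry added in this hunk is not mentioned in the commit message. It is the upstream Postfix 3.4+ default line for postlogd and is harmless when maillog_file is unset, but the unix-dgram service type is not understood by Postfix older than 3.4, so this template must only be shipped to hosts on a new enough Postfix (the same version floor applies to tlsproxy-based connection reuse). Worth stating that assumption in the message or guarding the template on the Postfix version.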


@ -22,7 +22,7 @@
- "postfix/master.cf/master.cf.{{ host_group }}"
- "postfix/master.cf/master.cf.{{ postfix_group }}"
- "postfix/master.cf/master.cf"
when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02'))
when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02', 'bastion'))
notify:
- restart postfix
tags:
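Review bot: adding 'bastion' to this `when:` only makes the task run; which file gets installed depends on the lookup order above (`master.cf.{{ host_group }}`, then `master.cf.{{ postfix_group }}`, then plain `master.cf`). For bastion hosts to receive master.cf.gateway as the commit message states, postfix_group or host_group must resolve to gateway for them, and that variable is not in this diff; if it is missing, the stock master.cf is installed, which is exactly the situation the message says it is fixing. Worth confirming the group vars, and since bastion01 was already patched by hand, running the play against it with --check --diff first would show whether the managed file matches what is deployed.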