From 6d3114e3bd8e7c691fa079e8e2c3a63e8d669f90 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 22 Apr 2022 11:51:44 -0700
Subject: [PATCH] base / postfix / bastion/gateway: fix up email flow to @redhat.com

Recently, redhat.com changed internal MX servers. The new servers have rate limits on incoming emails from one IP, and admins there don't want to add a bunch of exceptions, so we need to adjust our end to not flood connections to them.

Currently, connections burst up to 100 (the smtp postfix default), which goes over their limits and causes the internal MX to reject emails from us for a while.

So, this change:

* Adds some domains to fast_flush. This allows us to use postqueue -s domain to flush emails to a particular domain.
* Changes the smtp limit to 40. This is under the redhat.com limit.
* Has ansible actually install the master.cf.gateway on bastion servers. Currently they were using the stock/default one.
* Enables the tlsproxy service, which is actually needed to get that tls reuse working.

After these changes, we keep few connections to the redhat.com mx open, but we reuse them and send more emails over existing connections. No 'too many connection emails' have happened since the changes. The queue slowly seems to be processing down.

Since this was causing an outage of email, I have already applied these things to bastion01, but I'd like to make sure we match up to what's in ansible.

Signed-off-by: Kevin Fenzi
---
 roles/base/files/postfix/main.cf/main.cf.gateway     | 2 +-
 roles/base/files/postfix/master.cf/master.cf.gateway | 4 +++-
 roles/base/tasks/postfix.yml                         | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index cbb82ba021..7a941373e3 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -594,7 +594,7 @@ recipient_delimiter = + # eligible for this service. By default, they are all domains that # this server is willing to relay mail to. # -#fast_flush_domains = $relay_domains +fast_flush_domains = $relay_domains,redhat.com,gmail.com,google.com # SHOW SOFTWARE VERSION OR NOT # diff --git a/roles/base/files/postfix/master.cf/master.cf.gateway b/roles/base/files/postfix/master.cf/master.cf.gateway index 32d395cbb3..55c4ccc125 100644 --- a/roles/base/files/postfix/master.cf/master.cf.gateway +++ b/roles/base/files/postfix/master.cf/master.cf.gateway @@ -6,7 +6,8 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - n - - smtpd +smtp inet n - n - 40 smtpd +tlsproxy unix - - n - - tlsproxy #submission inet n - n - - smtpd # -o smtpd_enforce_tls=yes # -o smtpd_sasl_auth_enable=yes @@ -38,6 +39,7 @@ virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache +postlog unix-dgram n - n - 1 postlogd # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml index a5f7524baf..63708ba49a 100644 --- a/roles/base/tasks/postfix.yml +++ b/roles/base/tasks/postfix.yml @@ -22,7 +22,7 @@ - "postfix/master.cf/master.cf.{{ host_group }}" - "postfix/master.cf/master.cf.{{ postfix_group }}" - "postfix/master.cf/master.cf" - when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02')) + when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02', 'bastion')) notify: - restart postfix tags:
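Review bot: in the main.cf.gateway hunk, `fast_flush_domains = $relay_domains,redhat.com,gmail.com,google.com` adds gmail.com and google.com, but the commit message only motivates redhat.com; either add a sentence explaining why the Google domains need per-destination flush logfiles (each queued message to a listed domain gets a logfile record) or drop them so the change stays minimal. For redhat.com the line does what the message says: a destination must be in fast_flush_domains for `postqueue -s redhat.com` to be accepted by the flush service.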
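Review bot: in the first master.cf.gateway hunk, the maxproc change lands on `smtp inet n - n - 40 smtpd`, whose command column is `smtpd`, i.e. the inbound SMTP listener; 40 therefore caps concurrent incoming smtpd processes (new inbound connections wait in the listen backlog once it is reached), not the number of outbound connections to the redhat.com MX. Outbound concurrency is set by the `smtp unix ... smtp` client entry and by the per-destination limits in main.cf (`smtp_destination_concurrency_limit`, which inherits `default_destination_concurrency_limit`, or the equivalent for whatever transport delivers to redhat.com). Please confirm which side was intended; if the goal is to stay under the remote limit, a per-destination concurrency parameter in main.cf expresses that directly and the inbound cap can stay at its default. On the new `tlsproxy unix - - n - - tlsproxy` line: the client-side reuse the message refers to also needs `smtp_tls_connection_reuse = yes` (Postfix 3.4+) in main.cf, which is not part of this diff, so it is worth stating in the commit message whether that is already set on the gateway.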
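Review bot: in the second master.cf.gateway hunk, `postlog unix-dgram n - n - 1 postlogd` is not mentioned anywhere in the commit message; it enables the Postfix 3.4+ postlogd service (used when `maillog_file` is set), so either add a sentence on why the gateway needs it or move it to its own commit. Also check that every host receiving master.cf.gateway runs Postfix >= 3.4, because an older `master` does not know the `unix-dgram` service type and will refuse to start with this file.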
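Review bot: in the postfix.yml hunk, adding `'bastion'` to the `when:` tuple makes the master.cf task run on bastion hosts, but the commit message states the outcome is master.cf.gateway; from the visible `with_first_found` candidates that only holds if bastion hosts resolve `host_group` or `postfix_group` to `gateway`, otherwise they silently fall back to the stock `postfix/master.cf/master.cf`. Please name the variable that selects the gateway file in the commit message (or in a comment at the task) so the claim is checkable, and since this hunk only touches the master.cf task, confirm that the main.cf task already covers bastion, as the fast_flush_domains change in this patch depends on main.cf.gateway being deployed there too.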