postfix / gateway: add bysender map

This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla that's
a lot of email.

Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.

With this:

bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.

This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2022-07-26 15:58:43 -07:00
parent 7cf2d7b56a
commit 9ddd3e2e6d
4 changed files with 20 additions and 0 deletions

@ -97,6 +97,9 @@
- name: rebuild postfix transport
command: /usr/sbin/postmap /etc/postfix/transport
- name: rebuild postfix bysender
command: /usr/sbin/postmap /etc/postfix/bysender
- name: rebuild postfix tls_policy
command: /usr/sbin/postmap /etc/postfix/tls_policy
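
Review bot: the new "rebuild postfix bysender" handler only helps if it runs before postfix is restarted, and Ansible runs handlers in the order they are defined in this file, not in the order a task lists them under notify. Please confirm "restart postfix" is defined below this handler; otherwise postfix can come up with hash:/etc/postfix/bysender configured while bysender.db has not been built yet.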

@ -0,0 +1 @@
@redhat.com [mx2.redhat.com]
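
Review bot: this one-line map carries no comment, and its key is the only thing deciding what gets handed to mx2.redhat.com. The `@redhat.com` pattern matches the envelope sender, which is whatever the submitting client put in MAIL FROM, so a message with a forged redhat.com sender that gets past our inbound checks is relayed to Red Hat's MX as well. Suggest a `#` comment in the file pointing at the main.cf setting and the relay arrangement it relies on, and a check that /etc/postfix/tls_policy has an entry for the [mx2.redhat.com] next hop if TLS should be enforced on this path.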

@ -773,3 +773,8 @@ message_size_limit = 20971520
# At least one is required to receive email
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
#
# here we send emails _from_ redhat.com addresses back out the redhat.com mx
# This avoids us sending them and causing SPF failures.
# It depends on them allowing us to relay email out.
sender_dependent_relayhost_maps = hash:/etc/postfix/bysender
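
Review bot: the comment above sender_dependent_relayhost_maps should state the scope and the precedence of the setting. It applies to every message with a redhat.com envelope sender that leaves through the relayhost path, not only to expanded fedoraproject.org aliases, and entries in /etc/postfix/transport still override it for the destinations they list. A line on what to expect if mx2.redhat.com stops accepting relay from us (mail deferred in the queue on a 4xx reply, bounced on a 5xx) would help whoever has to debug this later.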

@ -71,6 +71,17 @@
- base
- config
- name: install /etc/postfix/bysender file
copy: src="postfix/bysender" dest=/etc/postfix/bysender
when: inventory_hostname.startswith(('bastion')) and env != 'staging'
notify:
- rebuild postfix bysender
- restart postfix
tags:
- postfix
- base
- config
- name: create /etc/postfix/tls_policy
copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy
when: inventory_hostname.startswith(('bastion','smtp-mm','pagure')) and env != 'staging'
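
Review bot: the `when:` on the "install /etc/postfix/bysender file" task limits the map to bastion hosts outside staging, but nothing visible in this patch limits the main.cf line `sender_dependent_relayhost_maps = hash:/etc/postfix/bysender` in the same way. If that main.cf is also deployed to other hosts or to staging, postfix there will reference a map that was never installed or built; either gate the setting with the same condition or install the map wherever that main.cf goes. Separately, `startswith(('bastion'))` passes a plain string rather than a one-element tuple; it works, but `startswith('bastion')` says what is meant.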