From 9ddd3e2e6db817c8534b6c3ad3731755fec998e6 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 26 Jul 2022 15:58:43 -0700
Subject: [PATCH] postfix / gateway: add bysender map
This is a hack to work around SPF screwing us for @fedoraproject.org aliases. It only fixes email from @redhat.com, but due to bugzilla thats a lot of email. Without this: bugzilla@redhat.com -> user@fedoraproject.org (expands) -> user@gmail.com sent out directly to gmail and gets rejected because we aren't in the redhat.com SPF record. With this: bugzilla@redhat.com -> user@fedoraproject.org (expands) -> user@gmail.com but sent to mx2.redhat.com to deliver. Since mx2.redhat.com definitely is in the redhat.com SPF record the email is delivered fine and SPF checks pass. This won't help for other domains with -all SPF records, but at least it helps for all the redhat.com emails, of which there are a lot going to fedoraproject.org aliases. :)
Signed-off-by: Kevin Fenzi
---
 handlers/restart_services.yml | 3 +++
 roles/base/files/postfix/bysender | 1 +
 roles/base/files/postfix/main.cf/main.cf.gateway | 5 +++++
 roles/base/tasks/postfix.yml | 11 +++++++++++
 4 files changed, 20 insertions(+)
 create mode 100644 roles/base/files/postfix/bysender
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index b0d6457355..46f8ba29a7 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -97,6 +97,9 @@
 - name: rebuild postfix transport
 command: /usr/sbin/postmap /etc/postfix/transport
+- name: rebuild postfix bysender
+ command: /usr/sbin/postmap /etc/postfix/bysender
+
 - name: rebuild postfix tls_policy
 command: /usr/sbin/postmap /etc/postfix/tls_policy
diff --git a/roles/base/files/postfix/bysender b/roles/base/files/postfix/bysender
new file mode 100644
index 0000000000..19fedeffab
--- /dev/null
+++ b/roles/base/files/postfix/bysender
@@ -0,0 +1 @@
+@redhat.com [mx2.redhat.com]
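Review bot: The new map file `roles/base/files/postfix/bysender` has no comment explaining its key and value, and the single entry `@redhat.com [mx2.redhat.com]` encodes two things a later editor could easily break. The `@redhat.com` key is matched against the envelope sender's domain exactly, so subdomains of redhat.com are not covered, and the square brackets make Postfix connect to that host directly instead of doing an MX lookup on the name. I would add a header line such as `# envelope sender domain -> relayhost; [] = no MX lookup; run postmap after editing`. Since this hop now carries all mail for that sender domain, it is also worth confirming whether `/etc/postfix/tls_policy` needs an entry for `[mx2.redhat.com]`; that file's contents are not part of this patch.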
diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index d5a30bb840..90f6a3a17a 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -773,3 +773,8 @@ message_size_limit = 20971520
 # At least one is required to receive email
 smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
+#
+# here we send emails _from_ redhat.com addresses back out the redhat.com mx
+# This avoids us sending them and causing SPF failures.
+# It depends on them allowing us to relay email out.
+sender_dependent_relayhost_maps = hash:/etc/postfix/bysender
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index 3272cb4c06..7e419c5097 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@@ -71,6 +71,17 @@
 - base
 - config
+- name: install /etc/postfix/bysender file
+ copy: src="postfix/bysender" dest=/etc/postfix/bysender
+ when: inventory_hostname.startswith(('bastion')) and env != 'staging'
+ notify:
+ - rebuild postfix bysender
+ - restart postfix
+ tags:
+ - postfix
+ - base
+ - config
+
 - name: create /etc/postfix/tls_policy
 copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy
 when: inventory_hostname.startswith(('bastion','smtp-mm','pagure')) and env != 'staging'
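Review bot: `sender_dependent_relayhost_maps` picks the relay from the envelope sender, which is whatever the connecting client supplied in MAIL FROM, and the added comment in `main.cf.gateway` does not say so. If the gateway accepts a message claiming an @redhat.com sender without validating it, that message is handed to the redhat.com MX like any genuine one, so the workaround is only as trustworthy as the inbound sender checks; whether this file enforces any for redhat.com is outside the hunk. I would extend the comment with `# Lookup key is the envelope sender (client-supplied); keep inbound sender validation for redhat.com in place.` The comment could also spell out the dependency it already hints at: as far as Postfix relayhost behaviour goes, if that relay refuses us, mail from these senders is deferred or bounced rather than falling back to direct delivery.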
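Review bot: The new task in `roles/base/tasks/postfix.yml` installs `/etc/postfix/bysender` only where the hostname starts with `bastion` and `env != 'staging'`, while the `main.cf.gateway` hunk references `hash:/etc/postfix/bysender` unconditionally. Any host that receives `main.cf.gateway` but fails this `when` would have no map file, and Postfix treats an unreadable lookup table as an error and defers mail; which hosts get that main.cf is not visible in this patch, so this needs checking against the condition on the main.cf task. If staging gateways do use it, either drop the `env` test here or ship an empty map there. Separately, the `copy` sets no `owner`, `group` or `mode`; `copy: src="postfix/bysender" dest=/etc/postfix/bysender owner=root group=root mode=0644` would pin the permissions on a file that controls mail routing.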