Don't apply SRS to locally bound mail #534
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
group: ansible
jchristgit
reviewed
Sep 3, 2024
Comment on lines
51
to
57
| # Handle SRS | ||
| default_transport = smtp:127.0.0.1:10027 |
There was a problem hiding this comment.
This comment could do with some improvement. How does it handle SRS?
ansible/roles/postfix/tasks/main.yml
Outdated
| -o sender_canonical_maps=pcre:/etc/postfix/sender-canonical-maps,tcp:127.0.0.1:10001 | ||
| -o sender_canonical_classes=envelope_sender | ||
|
|
||
| 127.0.0.1:10027 inet n - - - - smtpd |
There was a problem hiding this comment.
Can we use a regular service name (e.g. smtpd-optional-srs) and a unix socket for this, please?
ansible/roles/postfix/tasks/main.yml
Outdated
| -o sender_canonical_classes=envelope_sender | ||
|
|
||
| 127.0.0.1:10027 inet n - - - - smtpd | ||
| -o syslog_name=postfix/srs |
There was a problem hiding this comment.
Suggested change
| -o syslog_name=postfix/srs | |
| -o syslog_name=postfix/smtpd/optional-srs |
ansible/roles/postfix/tasks/main.yml
Outdated
| @@ -187,6 +197,19 @@ | |||
| -o smtpd_sasl_type=dovecot | |||
| -o smtpd_sasl_path=private/auth | |||
|
|
|||
| cleanup-srs unix n - - - 0 cleanup | |||
| -o syslog_name=postfix/srs | |||
There was a problem hiding this comment.
Suggested change
| -o syslog_name=postfix/srs | |
| -o syslog_name=postfix/cleanup/optional-srs |
|
Pretty smart implementation. I have to admit the intermingling of Postfix daemons is a bit hard to see through at first but it's pretty genius. Turns out that that configuration file format is very, very flexible. |
|
Btw, we should probably contribute docs for this upstream. It seems useful. |
|
Nevermind, I see, you've copied this from upstream yourself. roehling/postsrsd#76 |
This template returns the address verbatim if it's a local domain else it returns nothing. Based on this, we can use these addresses for SRS, it will either use the verbatim address or pass onto SRSd for a rewrite.
jb3
force-pushed
the
jb3/mail/conditional-srs
branch
from
c344621
to
eb79092
Compare
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In #528 changes were made to prevent mail from internal domains being rewritten
with the Sender Rewrite Scheme since we can correctly authenticate any mail sent
from our domains.
Similarly, if we are the last stop on an envelopes journey (i.e. the mail will
arrive to a local mailbox) there is no need for us to apply sender rewriting as
we have no further mailservers to pass the message onto (and so the message is
fully received and validated at this point).
This PR introduces a new SMTP daemon which we set as the
default_transportwhich conditionally rewrites with SRS only when the expanded destination address
is not a locally handled inbox.
This allows for mail heading for an external server such as Google or Outlook to
be rewritten and remain valid under SPF but mail that lands in our inboxes not
be rewritten (you can validate this by checking that the
Return-Pathdoesn'thave SRS in it for local mail).