Merge pull request #331 from YunoHost/fix-srs

[fix] Attempt to fix Sender Rewriting Scheme with postsrsd
2024-09-03 20:06:10 +02:00 · 2018-08-23 21:22:22 +02:00 · 2018-08-23 21:22:22 +02:00 · 4ffbf6bfff
commit 4ffbf6bfff
parent 6f2de77f54 226ee1abcb
5 changed files with 61 additions and 5 deletions
--- a/data/hooks/conf_regen/19-postfix
+++ b/data/hooks/conf_regen/19-postfix
@ -10,15 +10,25 @@ do_pre_regen() {
  postfix_dir="${pending_dir}/etc/postfix"
  mkdir -p "$postfix_dir"

+  default_dir="${pending_dir}/etc/default/"
+  mkdir -p "$default_dir"
+
  # install plain conf files
  cp plain/* "$postfix_dir"

  # prepare main.cf conf file
  main_domain=$(cat /etc/yunohost/current_host)
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet | tr '\n' ' ')
+
  cat main.cf \
    | sed "s/{{ main_domain }}/${main_domain}/g" \
    > "${postfix_dir}/main.cf"

+  cat postsrsd \
+    | sed "s/{{ main_domain }}/${main_domain}/g" \
+    | sed "s/{{ domain_list }}/${domain_list}/g" \
+    > "${default_dir}/postsrsd"
+
  # adapt it for IPv4-only hosts
  if [ ! -f /proc/net/if_inet6 ]; then
    sed -i \
@ -34,7 +44,8 @@ do_post_regen() {
  regen_conf_files=$1

  [[ -z "$regen_conf_files" ]] \
-    || sudo service postfix restart
+    || { sudo service postfix restart && sudo service postsrsd restart; }
+
 }

 FORCE=${2:-0}
--- a/data/templates/postfix/main.cf
+++ b/data/templates/postfix/main.cf
@ -137,8 +137,10 @@ smtpd_recipient_restrictions =
    permit

 # SRS
-sender_canonical_maps = regexp:/etc/postfix/sender_canonical
+sender_canonical_maps = tcp:localhost:10001
 sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:localhost:10002
+recipient_canonical_classes= envelope_recipient,header_recipient

 # Ignore some headers
 smtp_header_checks = regexp:/etc/postfix/header_checks
--- a/data/templates/postfix/postsrsd
+++ b/data/templates/postfix/postsrsd
@ -0,0 +1,43 @@
+# Default settings for postsrsd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={{ main_domain }}
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+# We have to put some "dummy" stuff at start and end... see this comment :
+# https://github.com/roehling/postsrsd/issues/64#issuecomment-284003762
+SRS_EXCLUDE_DOMAINS=dummy {{ domain_list }} dummy
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Jail daemon in chroot environment
+CHROOT=/var/lib/postsrsd
+
--- a/debian/control
+++ b/debian/control
@ -18,7 +18,7 @@ Depends: ${python:Depends}, ${misc:Depends}
 , ca-certificates, netcat-openbsd, iproute
 , mariadb-server, php-mysql | php-mysqlnd
 , slapd, ldap-utils, sudo-ldap, libnss-ldapd, unscd
- , postfix-ldap, postfix-policyd-spf-perl, postfix-pcre, procmail, mailutils
+ , postfix-ldap, postfix-policyd-spf-perl, postfix-pcre, procmail, mailutils, postsrsd
 , dovecot-ldap, dovecot-lmtpd, dovecot-managesieved
 , dovecot-antispam, fail2ban
 , nginx-extras (>=1.6.2), php-fpm, php-ldap, php-intl
--- a/src/yunohost/domain.py
+++ b/src/yunohost/domain.py
@ -114,7 +114,7 @@ def domain_add(operation_logger, auth, domain, dyndns=False):

        # Don't regen these conf if we're still in postinstall
        if os.path.exists('/etc/yunohost/installed'):
-            service_regen_conf(names=['nginx', 'metronome', 'dnsmasq'])
+            service_regen_conf(names=['nginx', 'metronome', 'dnsmasq', 'postfix'])
            app_ssowatconf(auth)

    except Exception, e:
@ -171,7 +171,7 @@ def domain_remove(operation_logger, auth, domain, force=False):
    else:
        raise MoulinetteError(errno.EIO, m18n.n('domain_deletion_failed'))

-    service_regen_conf(names=['nginx', 'metronome', 'dnsmasq'])
+    service_regen_conf(names=['nginx', 'metronome', 'dnsmasq', 'postfix'])
    app_ssowatconf(auth)

    hook_callback('post_domain_remove', args=[domain])