# HG changeset patch
# User IBBoard
# Date 1583591374 0
# Node ID 63e0b5149cfb03fdc152bb5495f65fd982800421
# Parent 49b7689da25b55872da0109d4957b64a378c4de2
Add fallback relays to Postfix

This allows us to reliably send to IPv4 servers via Mythic-Beasts' mailserver rather than getting random IPs from the NAT64 servers. The firewall rules should ensure Postfix doesn't try to send email out via NAT64 and falls back to the relay. IPv6 will still go directly.

diff -r 49b7689da25b -r 63e0b5149cfb manifests/nodes.pp
--- a/manifests/nodes.pp Tue Mar 03 20:26:15 2020 +0000
+++ b/manifests/nodes.pp Sat Mar 07 14:29:34 2020 +0000
@@ -20,8 +20,10 @@
 primary_ip => '2a00:1098:82:52::1',
 proxy_4to6_ip_prefix => '2a00:1098:82:52::01d4', # ::old4 for IPv4!
 proxy_upstream => ['2a00:1098::82:1000:3b:1:1', '2a00:1098::80:1000:3b:1:1'],
+ nat64_ranges => ['2a00:1098:0:80:1000:3a::/96', '2a00:1098:0:82:1000:3a::/96'],
 mailserver => 'mail.ibboard.co.uk',
 imapserver => 'imap.ibboard.co.uk',
+ mailrelays => ['mx.mythic-beasts.com'],
 firewall_cmd => 'iptables',
 }
 # If the console fails to start, you may need to run "restorecon /etc/systemd/system/getty.target.wants/*"
diff -r 49b7689da25b -r 63e0b5149cfb manifests/templates.pp
--- a/manifests/templates.pp Tue Mar 03 20:26:15 2020 +0000
+++ b/manifests/templates.pp Sat Mar 07 14:29:34 2020 +0000
@@ -30,8 +30,10 @@
 $primary_ip,
 $proxy_4to6_ip_prefix = undef,
 $proxy_upstream = undef,
+ $nat64_ranges = [],
 $mailserver,
 $imapserver,
+ $mailrelays = [],
 $firewall_cmd = 'iptables',
 ) {
 
@@ -89,6 +91,8 @@
 mailserver_ip => $primary_ip,
 proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef },
 proxy_upstream => $proxy_upstream,
+ nat64_ranges => $nat64_ranges,
+ mailrelays => $mailrelays,
 }
 }
 
@@ -470,16 +474,20 @@
 $primary_ip,
 $proxy_4to6_ip_prefix = undef,
 $proxy_upstream = undef,
+ $nat64_ranges = [],
 $mailserver,
 $imapserver,
+ $mailrelays = [],
 $firewall_cmd = 'iptables',
 ){
 class { 'basevpsnode':
 primary_ip => $primary_ip,
 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
 proxy_upstream => $proxy_upstream,
+ nat64_ranges => $nat64_ranges,
 mailserver => $mailserver,
 imapserver => $imapserver,
+ mailrelays => $mailrelays,
 firewall_cmd => $firewall_cmd,
 }
 
@@ -713,12 +721,16 @@
 $mailserver_ip,
 $proxy_ip = undef,
 $proxy_upstream = [],
+ $nat64_ranges = [],
+ $mailrelays = [],
 ){
 class { 'postfix':
 mailserver => $mailserver,
 mailserver_ip => $mailserver_ip,
 mailserver_proxy => $proxy_ip,
 proxy_upstream => $proxy_upstream,
+ mailrelays => $mailrelays,
+ nat64_ranges => $nat64_ranges,
 protocols => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'all', default => 'ipv4' },
 }
 class { 'dovecot':
diff -r 49b7689da25b -r 63e0b5149cfb modules/postfix/manifests/init.pp
--- a/modules/postfix/manifests/init.pp Tue Mar 03 20:26:15 2020 +0000
+++ b/modules/postfix/manifests/init.pp Sat Mar 07 14:29:34 2020 +0000
@@ -3,9 +3,10 @@
 Stdlib::IP::Address $mailserver_ip,
 Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef,
 Array[Stdlib::IP::Address::V6] $proxy_upstream = [],
+ Optional[Array[Stdlib::Host]] $mailrelays = [],
+ Optional[Array[Stdlib::IP::Address::V6]] $nat64_ranges = [],
 Enum['all', 'ipv4', 'ipv6'] $protocols='all'
 ){
-
 if $mailserver_ip =~ Stdlib::IP::Address::V4 {
 $lo_ip = '127.0.0.1'
 $lo_networks = '127.0.0.0/8'
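Review bot: The two new parameters are typed `Optional[Array[...]]` yet default to `[]`, so the `Optional` only adds `undef` as an accepted value, and an explicit `undef` would then reach `$nat64_ranges.each` later in this class and `size($fallback_relays)` in master.cf.epp, neither of which is written to handle undef. Declaring them like `$proxy_upstream` on the line above is tighter: `Array[Stdlib::Host] $mailrelays = [],` and `Array[Stdlib::IP::Address::V6] $nat64_ranges = [],`. The same `Optional[...] = []` pattern is used for `$fallback_relays` in the master.cf.epp parameter hunk. The class body continues outside the hunk.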
@@ -45,6 +46,18 @@
 }
 }
 
+ $nat64_ranges.each |Stdlib::IP::Address::V6 $nat64_range| {
+ # Block SMTP to the NAT64 range so that we don't fail SPF checks
+ # The server *should* attempt it then fall back to the relay
+ firewall { "200 Prevent SMTP over NAT64 to $nat64_range":
+ destination => $nat64_range,
+ dport => [25, 265, 587],
+ proto => tcp,
+ action => 'reject',
+ chain => 'OUTPUT',
+ }
+ }
+
 exec { 'postmap-files':
 command => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox transport; do postmap $file; done',
 cwd => '/etc/postfix/',
@@ -74,6 +87,7 @@
 'mailserver_proxy' => $mailserver_proxy,
 'lo_ip' => $lo_ip,
 'lo_networks' => $lo_networks,
+ 'fallback_relays' => $mailrelays,
 }
 ),
 }
diff -r 49b7689da25b -r 63e0b5149cfb modules/postfix/templates/master.cf.epp
--- a/modules/postfix/templates/master.cf.epp Tue Mar 03 20:26:15 2020 +0000
+++ b/modules/postfix/templates/master.cf.epp Sat Mar 07 14:29:34 2020 +0000
@@ -3,6 +3,7 @@
 Optional[Stdlib::IP::Address] $mailserver_proxy = undef,
 Stdlib::IP::Address $lo_ip,
 Stdlib::IP::Address $lo_networks,
+ Optional[Array[Stdlib::Host]] $fallback_relays = []
 | -%>
 #
 
@@ -77,6 +78,9 @@
 <%- } else { -%>
 -o smtp_bind_address=<%= $mailserver_ip %>
 <%- } -%>
+ <%- if size($fallback_relays) > 0 { -%>
+ -o smtp_fallback_relays=<%= join($fallback_relays.map |$relay| { "[$relay]" }, ", ") %>
+ <%- } -%>
 # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 relay unix - - n - - smtp
 -o smtp_fallback_relay=
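Review bot: `dport => [25, 265, 587]` in the new firewall rule lists 265, which is not an SMTP port; presumably 465 (SMTPS/submissions) was intended, since otherwise outbound SMTPS towards the NAT64 ranges is not rejected and the fall-back to the relay that the comment describes would never be triggered for it. `proto => tcp` is a bareword while the other values are quoted, so `proto => 'tcp',` keeps the resource consistent. Suggested: `dport => [25, 465, 587],`. The enclosing class body starts and ends outside the hunk.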
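Review bot: The added override sets `smtp_fallback_relays`, which is not a Postfix parameter name — the `relay` service three lines below uses the real, singular `smtp_fallback_relay` — so the new line would only produce an "unused parameter" warning and IPv4 deliveries rejected by the NAT64 firewall rule would stay deferred instead of being retried via the relay. The `", "` separator also puts whitespace into an `-o` value, which master.cf parses as an argument break unless the value is wrapped in `{ }` (Postfix 3.0+), so a plain comma is safer. Suggested line: `-o smtp_fallback_relay=<%= join($fallback_relays.map |$relay| { "[$relay]" }, ",") %>`. The service entry these `-o` lines belong to begins outside the hunk.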