Make other pools into relay domains

mit-scripts · dehnert · May 23, 2019 · May 23, 2019 · May 23, 2019 · May 23, 2019
commit 17af44294194c5ad74257dce8b1206afb7687ad1
diff --git a/ansible/roles/real-postfix/templates/main.cf.j2 b/ansible/roles/real-postfix/templates/main.cf.j2
@@ -34,7 +34,8 @@ queue_directory = /var/spool/postfix
 mail_owner = postfix
 virtual_alias_domains = {% for vip in vips | rejectattr('type', 'defined') %}{% if (vip.codename|default(ansible_lsb.codename) == ansible_lsb.codename) %}!{{ vip.host }}, !{{ vip.host | replace('.mit.edu', '') }}, {% endif %}{% endfor %}!$myhostname, !localhost, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
 virtual_alias_maps = ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
-transport_maps = ldap:/etc/postfix/transport-maps-ldap.cf
+relay_domains = ldap:/etc/postfix/transport-maps-ldap.cf
+transport_maps = $relay_domains
 data_directory = /var/lib/postfix
 authorized_flush_users = fail
 authorized_mailq_users = /etc/postfix/mailq_users

diff --git a/ansible/roles/real-postfix/templates/postfix/transport-maps-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/transport-maps-ldap.cf.j2
@@ -1,21 +1,11 @@
-# Find any vhost with a name or alias matching the domain of the
-# e-mail address.  We're queried with an entire e-mail address, but
-# are only interested in checking whether the domain portion
-# corresponds to a vhost; we'll simply deliver any mail for the vhost
-# to its owner, appending the original lefthand side of the address as
-# an extension.  %d extracts only the domain.  We don't match the
-# scripts.mit.edu vhost here because we don't want to first resolve an
-# arbitrary address to a scripts account, and then end up sending
-# their mail to the owners of the scripts.mit.edu vhost.  The uid
-# attribute, generated by the CoS template
-# cn=vhostOwnerCoS,ou=VirtualHosts,dc=scripts,dc=mit,dc=edu, is the
-# name of the locker that owns the vhost.  Protocol version 3 is
-# necessary to use ldapi.
+# Check if the vhost is served from another pool; if so, we relay to
+# that pool's IP. This is also used as a relay_domains map to tell
+# Postfix it's a relay domain.
 
 server_host = {{ ldap_server }}
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
 query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu))(!(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %})))
 result_attribute = scriptsVhostPoolIPv4
-result_format = smtp:%s
+result_format = relay:%s
 bind = no
 version = 3
diff --git a/ansible/roles/real-postfix/templates/postfix/virtual-alias-domains-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/virtual-alias-domains-ldap.cf.j2
@@ -13,7 +13,7 @@
 
 server_host = {{ ldap_server }}
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
-query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu)))
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu))(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %}))
 result_attribute = scriptsVhostName
 result_format = %S
 bind = no

diff --git a/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap.cf.j2
@@ -14,7 +14,7 @@
 
 server_host = {{ ldap_server }}
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
-query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu))(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %}))
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu)))
 result_attribute = uid
 result_format = %s+%U
 bind = no