diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index 1cfa02cfcfdb7baeba3bc2de4384cad4bc55cf00..9dfdb55c448892b728389655eff11c1e7144a6c5 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -56,6 +56,12 @@ New features/improvements:
 * Tests have been updated to work with latest Molecule/Testinfra as part of the Ansible upgrade process.
+* ``mail_forwader`` role
+
+ * The role now supports specifying the maximum mail message size limit for the SMTP server to accept via ``mail_message_size_limit`` role parameter.
+
 * ``mail_server`` role
 * The role now supports specifying the maximum mail message size
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 20f2be3a761b9902019f4e22dbf798ee4d5ebddb..61dcb33d7e33b8d442cda2692f792be02b311acc 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1286,6 +1286,16 @@ Parameters
 recipients/aliases, while the value provided should be a space-separated list of mail addresses (or local users) where the mails should be forwarded.
+**mail_message_size_limit** (integer, optional, ``10240000``)
+ Maximum size of message in bytes that the SMTP server should accept for incoming mails. If the mail message size exceeds the listed value, it will be rejected by the server. The size is also advertised as part of SMTP server capabilities (in response to the ``ehlo`` SMTP command). Changing the value is primarily useful when SMTP from relay is allowed (via the ``smtp_from_relay_allowed`` parameter), since incoming SMTP communication is otherwise not allowed at all.
+
 **smtp_from_relay_allowed** (boolean, optional, ``True``)
 Specify if SMTP traffic from SMTP relay should be allowed or not (for bounced messages, for example). This parameter should be set to ``False`` on systems
diff --git a/roles/mail_forwarder/defaults/main.yml b/roles/mail_forwarder/defaults/main.yml
index e7dcda4ed297d54c66f03a91194cc5814bfdbc15..9c75026da95130464a22ecd45debea346b2ad525 100644
--- a/roles/mail_forwarder/defaults/main.yml
+++ b/roles/mail_forwarder/defaults/main.yml
@@ -5,3 +5,4 @@ smtp_from_relay_allowed: true
 smtp_relay_host: ""
 smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
 smtp_relay_host_port: null
+mail_message_size_limit: 10240000
diff --git a/roles/mail_forwarder/molecule/default/group_vars/parameters-optional.yml b/roles/mail_forwarder/molecule/default/group_vars/parameters-optional.yml
index cc643b03c25e1630886fd286648f466ba9ac4260..f09e3c2d8eedd1a7693bbe3b3707c95c22094a40 100644
--- a/roles/mail_forwarder/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/mail_forwarder/molecule/default/group_vars/parameters-optional.yml
@@ -2,6 +2,7 @@ local_mail_aliases:
 root: "root testuser"
+mail_message_size_limit: 20480001
 smtp_from_relay_allowed: true
 smtp_relay_host: mail-server
 smtp_relay_host_port: 27
diff --git a/roles/mail_forwarder/molecule/default/tests/test_default.py b/roles/mail_forwarder/molecule/default/tests/test_default.py
index 71028f2eed4e2dfb55ec8597b37e3dc2c99b1be1..2c9c90d342a4f07e134d35456654127207d1b5be 100644
--- a/roles/mail_forwarder/molecule/default/tests/test_default.py
+++ b/roles/mail_forwarder/molecule/default/tests/test_default.py
@@ -117,7 +117,8 @@ def test_smtp_server_uses_correct_dh_parameters(host):
 with host.sudo():
 expected_dhparam = host.file('/etc/ssl/private/%s_smtp.dh.pem' % hostname).content_string.rstrip()
- connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=smtp --port 25 --priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
+ connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=smtp --port 25 "
+ "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
 output = connection.stdout
 begin_marker = "-----BEGIN DH PARAMETERS-----"
diff --git a/roles/mail_forwarder/molecule/default/tests/test_mandatory.py b/roles/mail_forwarder/molecule/default/tests/test_mandatory.py
index 622504e2b7fafbfb388ebefd7861da3f09241d50..77987ffa153ca7271cb361eb612a59ed71c5e39f 100644
--- a/roles/mail_forwarder/molecule/default/tests/test_mandatory.py
+++ b/roles/mail_forwarder/molecule/default/tests/test_mandatory.py
@@ -68,3 +68,17 @@ def test_direct_mail_sending(host):
 pattern = r"%s: to=, relay=domain1\[[^]]*\]:25.*status=sent" % message_id
 assert re.search(pattern, mail_log.content_string) is not None
+
+
+def test_mail_message_size_limit(host):
+ """
+ Tests if the mail message size limit advertised by the SMTP server
+ is correct.
+ """
+
+ capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
+ begin = capabilities.stdout.find("250-SIZE")
+ end = capabilities.stdout.find("\n", begin)
+ mail_message_size_limit = capabilities.stdout[begin:end]
+
+ assert mail_message_size_limit == "250-SIZE 10240000"
diff --git a/roles/mail_forwarder/molecule/default/tests/test_optional.py b/roles/mail_forwarder/molecule/default/tests/test_optional.py
index d0375369d89ca382de7f772b4fd57381708d061b..ea1441c69781911a5a1cfa627dd1aba3629d4f20 100644
--- a/roles/mail_forwarder/molecule/default/tests/test_optional.py
+++ b/roles/mail_forwarder/molecule/default/tests/test_optional.py
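Review bot: `begin = capabilities.stdout.find("250-SIZE")` in the new test_mail_message_size_limit returns -1 when the capability is not present (telnet missing, connection refused, no EHLO reply within the 2 s sleep), and the subsequent `find("\n", begin)` and slice then yield an unrelated fragment, so the failing assertion reports noise rather than the real cause. SMTP replies are CRLF-terminated, so depending on whether the telnet client translates line endings the sliced value may also carry a trailing `\r` and never equal the expected string. Since `re` is already used in this file, match the line instead: `match = re.search(r"^250-SIZE (\d+)\r?$", capabilities.stdout, re.MULTILINE)`, `assert match is not None, capabilities.stdout`, `assert match.group(1) == "10240000"`. The identical code is added to test_optional.py with the value 20480001 and has the same issue; a shared helper in conftest would avoid the duplication. This only verifies the advertised SIZE, not that an oversized message is actually rejected, so a DATA-phase rejection check would confirm the limit is enforced rather than merely announced.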
@@ -126,3 +126,17 @@ def test_tls_enforced_towards_relay_mail_server(host):
 pattern = r"%s: to=, relay=domain1.*status=deferred \(Server certificate not verified\)" % message_id
 assert re.search(pattern, mail_log.content_string) is not None
+
+
+def test_mail_message_size_limit(host):
+ """
+ Tests if the mail message size limit advertised by the SMTP server
+ is correct.
+ """
+
+ capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
+ begin = capabilities.stdout.find("250-SIZE")
+ end = capabilities.stdout.find("\n", begin)
+ mail_message_size_limit = capabilities.stdout[begin:end]
+
+ assert mail_message_size_limit == "250-SIZE 20480001"
diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2
index 35f1f0a704341ed634f26121c5bb78c1aa626a96..6322eb1b18acb175035d1228c3d24d6865fc3b8f 100644
--- a/roles/mail_forwarder/templates/main.cf.j2
+++ b/roles/mail_forwarder/templates/main.cf.j2
@@ -47,3 +47,6 @@ recipient_delimiter = +
 # Fall-back to using native lookups (/etc/hosts etc) if DNS lookup fails. Useful
 # for local overrides of mail servers.
 smtp_host_lookup = dns, native
+
+# Explicitly set maximum allowed mail size that should be accepted.
+message_size_limit = {{ mail_message_size_limit }}
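Review bot: `message_size_limit = {{ mail_message_size_limit }}` renders the variable unfiltered, so a non-numeric or quoted value from group_vars lands verbatim in main.cf and the Postfix daemons that read it fail with a bad numerical configuration error at runtime instead of the play failing early; rendering it as `message_size_limit = {{ mail_message_size_limit | int }}` (or asserting the type in the role's tasks) catches that in Ansible. Postfix also requires this value to stay at or below `mailbox_size_limit` (compiled-in default 51200000), otherwise local delivery of accepted messages can fail even though the SMTP side advertised and accepted the larger size; neither the template nor the role reference text in this commit mentions that, so a comment such as `# Must not exceed mailbox_size_limit (Postfix default 51200000), or local delivery fails.` next to the new line would help operators. The default of 10240000 appears to match Postfix's built-in default, so existing deployments should see no behaviour change. Since this is the only bound on how much data an unauthenticated relay peer can push per message, the comment could also state that the value should be kept as low as the relayed traffic allows.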