diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 3feb770c857178951e2ecdc5bde4a7b74c301f0e..53f26db315944fdae628b5eb4fe898cde4ab3c93 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1230,6 +1230,13 @@ Parameters
 recipients/aliases, while the value provided should be a space-separated list of mail addresses (or local users) where the mails should be forwarded.
 
+**smtp_from_relay_allowed** (boolean, optional, ``True``)
+ Specify if SMTP traffic from SMTP relay should be allowed or not (for bounced
+ messages, for example). This parameter should be set to ``False`` on systems
+ behind NAT or on systems that may not have constant network connectivity (such
+ as laptops) to avoid firewall failures since SMTP relay name needs to be
+ resolvable.
+
 **smtp_relay_host** (string, optional, ``None``)
 SMTP server via which the mails are sent out for non-local recipients.
 
@@ -1264,6 +1271,8 @@ Here is an example configuration for setting-up the mail forwarder:
 smtp_relay_host: mail.example.com
+ smtp_from_relay_allowed: False
+
 smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
diff --git a/docs/usage.rst b/docs/usage.rst
index 585ff930cc1b593b080dc097b739f4c6a2fd8dd0..fc973b77ce3d0e69c00c13fe4f77644e9769b5a5 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -635,6 +635,10 @@ setting-up a mail server host (with authenticated IMAP, SMTP, mail storage etc),
 and one for setting-up a local SMTP mail forwarder (for having the rest of your servers relay their mails to the mail server host).
 
+.. note::
+ Should you ever need to deploy the forwarder role on a laptop or machine
+ behind NAT, make sure to look at ``smtp_from_relay_allowed`` parameter.
+
 The mail server role looks-up available mail domains, users, and aliases in the LDAP directory. This has already been set-up on the server ``comms.example.com``, but some changes will be required.
diff --git a/roles/mail_forwarder/defaults/main.yml b/roles/mail_forwarder/defaults/main.yml
index 1f33be08495e45b08fd6c5e8a8d4b49d4231d397..50426184d36507fb14078c1d1360e93c1425cdbf 100644
--- a/roles/mail_forwarder/defaults/main.yml
+++ b/roles/mail_forwarder/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 local_mail_aliases: {}
+smtp_from_relay_allowed: True
 smtp_relay_host: ""
-smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
\ No newline at end of file
+smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
diff --git a/roles/mail_forwarder/molecule.yml b/roles/mail_forwarder/molecule.yml
index f95379690441e0f942ce69a4fea940e459a69959..0acdf4c75f37a643af6133687caff1c371d59bbc 100644
--- a/roles/mail_forwarder/molecule.yml
+++ b/roles/mail_forwarder/molecule.yml
@@ -49,5 +49,12 @@ vagrant:
 ip: 10.31.127.31
 auto_config: yes
 
+ - name: parameters-no-incoming
+ interfaces:
+ - network_name: private_network
+ type: static
+ ip: 10.31.127.32
+ auto_config: yes
+
 verifier:
 name: testinfra
diff --git a/roles/mail_forwarder/playbook.yml b/roles/mail_forwarder/playbook.yml
index 33f4bd3acf57f37ff87a41a961bfbdafe9e022b0..3d0a337a35a9dcd0998d7aa48cc6eeede28170e5 100644
--- a/roles/mail_forwarder/playbook.yml
+++ b/roles/mail_forwarder/playbook.yml
@@ -19,6 +19,7 @@
 10.31.127.20: "client1"
 10.31.127.30: "parameters-mandatory"
 10.31.127.31: "parameters-optional"
+ 10.31.127.32: "parameters-no-incoming"
 
 - hosts: client1
 tasks:
@@ -120,6 +121,7 @@
 - role: mail_forwarder
 local_mail_aliases:
 root: "root testuser"
+ smtp_from_relay_allowed: True
 smtp_relay_host: mail-server
 smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 
@@ -127,6 +129,17 @@
 ca_certificates:
 testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 
+- hosts: parameters-no-incoming
+ roles:
+ - role: mail_forwarder
+ smtp_relay_host: mail-server
+ smtp_from_relay_allowed: False
+ smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
+
+ # common
+ ca_certificates:
+ testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
+
 - hosts: parameters-optional
 tasks:
diff --git a/roles/mail_forwarder/templates/ferm_mail.conf.j2 b/roles/mail_forwarder/templates/ferm_mail.conf.j2
index ac4309290439f2915bbdaf674681cbe03fcfc5b4..c779a9264d395297898804a359134e9e903c890d 100644
--- a/roles/mail_forwarder/templates/ferm_mail.conf.j2
+++ b/roles/mail_forwarder/templates/ferm_mail.conf.j2
@@ -1,4 +1,4 @@
-{% if smtp_relay_host %}
+{% if smtp_relay_host and smtp_from_relay_allowed %}
 domain ip {
 # Accept incoming connections on port 25 from SMTP relay host.
 table filter {
diff --git a/roles/mail_forwarder/tests/test_connectivity_from_client.py b/roles/mail_forwarder/tests/test_connectivity_from_client.py
index 1bdccffe8044535fd9700a7d30a82286f4327764..759fa385d657df15a48fd471921155562b0241d8 100644
--- a/roles/mail_forwarder/tests/test_connectivity_from_client.py
+++ b/roles/mail_forwarder/tests/test_connectivity_from_client.py
@@ -15,6 +15,12 @@ def test_connectivity_from_client(Command, Sudo):
 ping = Command('hping3 -S -p 25 -c 1 parameters-mandatory')
 assert ping.rc != 0
+ assert "100% packet loss" in ping.stderr
 
 ping = Command('hping3 -S -p 25 -c 1 parameters-optional')
 assert ping.rc != 0
+ assert "100% packet loss" in ping.stderr
+
+ ping = Command('hping3 -S -p 25 -c 1 parameters-no-incoming')
+ assert "100% packet loss" in ping.stderr
+ assert ping.rc != 0
 
diff --git a/roles/mail_forwarder/tests/test_connectivity_from_relay.py b/roles/mail_forwarder/tests/test_connectivity_from_relay.py
index 8deb5b4d284f1e1ba326d1cf8c18a61c3350a231..dfeddd3886d867b1ba3e9f0d7ae6de026e60d97e 100644
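Review bot: The new condition tests `smtp_from_relay_allowed` for plain Jinja truthiness, so a value that arrives as a string (for example `false` passed through `--extra-vars` or an INI inventory) is non-empty, still evaluates true, and the accept rule for the relay is rendered anyway; `{% if smtp_relay_host and smtp_from_relay_allowed | bool %}` evaluates the flag as the boolean the defaults and docs describe. The `domain ip {` block this condition guards continues past the hunk, so it is worth confirming there is no second path in the unseen part that admits port 25 from the relay when the flag is off, since the intent documented in the commit is that the port stays closed to everyone in that case.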
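Review bot: The new parameters-no-incoming block asserts on `ping.stderr` before `ping.rc`, whereas the two earlier checks in this function (and the same block added in test_connectivity_from_relay.py) check `rc` first; keeping `assert ping.rc != 0` followed by `assert "100% packet loss" in ping.stderr` in all three places makes the failure output line up across hosts. Judging by the template change, the client side appears to have been refused regardless of the relay rule, so this check only guards against regressions rather than exercising the new flag, which a short comment such as `# refused from a plain client whatever smtp_from_relay_allowed says` would make explicit. The signature and docstring of test_connectivity_from_client are outside the hunk.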
--- a/roles/mail_forwarder/tests/test_connectivity_from_relay.py
+++ b/roles/mail_forwarder/tests/test_connectivity_from_relay.py
@@ -15,10 +15,15 @@ def test_connectivity_from_relay(Command, Sudo):
 ping = Command('hping3 -S -p 25 -c 1 parameters-mandatory')
 assert ping.rc != 0
+ assert "100% packet loss" in ping.stderr
 
 ping = Command('hping3 -S -p 25 -c 1 parameters-optional')
 assert ping.rc == 0
 
+ ping = Command('hping3 -S -p 25 -c 1 parameters-no-incoming')
+ assert "100% packet loss" in ping.stderr
+ assert ping.rc != 0
+
 
 def test_mail_reception_from_relay(Command, Sudo):
 """
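Review bot: The parameters-no-incoming block is the one check that actually demonstrates `smtp_from_relay_allowed: False`, because from the relay the parameters-optional host answers (`assert ping.rc == 0`) while this host, configured with the same relay, must give no reply; a one-line comment above it such as `# smtp_from_relay_allowed: False must refuse even the relay itself` records why the expectation flips between the two hosts. The parameters-optional check still asserts only `rc == 0` with no look at the hping3 output, so a positive-side assertion on its stdout would be the natural counterpart of the new `stderr` checks, though that is pre-existing. The body of test_connectivity_from_relay starts outside the hunk.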