From 441a70c073b95d3703ae79703b31d37fcc8e8e0e 2024-03-07 22:41:28 From: Branko Majic Date: 2024-03-07 22:41:28 Subject: [PATCH] MAR-232: Switch to using IP addreses in firewall rules for mail_forwarder role: - Perform lookups on managed machine for the passed-in SMTP relay host, and use those values when populating the firewall rules. --- diff --git a/docs/about.rst b/docs/about.rst index 0834526b09bc910e288446674e365b1e3d293e14..515f83e9cce7cc226164c1176279c90302c59833 100644 --- a/docs/about.rst +++ b/docs/about.rst @@ -17,10 +17,9 @@ supported releases, see :ref:`rolereference`. At the moment, the roles have been written for and tested against **Ansible 2.9.x**. -The roles also utilise the ``dig`` and ``ipv4/ipv6`` lookup plugins -which require ``dnspython`` and ``netaddr`` packages (respectively) to -be installed. Make sure you have the packages available on controller -machine. +The roles also utilise the ``ipv4/ipv6`` lookup plugins which require +``netaddr`` package to be installed. Make sure you have the packages +available on controller machine. Why were these roles created? diff --git a/docs/index.rst b/docs/index.rst index 02b9e50eb7c6f49062d451e393c787a43da2d77b..f0d299c57e70a610661fb44203375853d00b5c2d 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -17,10 +17,9 @@ supported releases, see :ref:`rolereference`. At the moment, the roles have been written for and tested against **Ansible 2.9.x**. -The roles also utilise the ``dig`` and ``ipv4/ipv6`` lookup plugins -which require ``dnspython`` and ``netaddr`` packages (respectively) to -be installed. Make sure you have the packages available on controller -machine. +The roles also utilise the ``ipv4/ipv6`` lookup plugins which require +``netaddr`` package to be installed. Make sure you have the packages +available on controller machine. Contents diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst index c0ede1e2255362c91922d014ceb33b0ea5725e82..6712c167e2d12378510ded8bfc6043d72a23f56a 100644 
--- a/docs/releasenotes.rst +++ b/docs/releasenotes.rst @@ -15,6 +15,8 @@ Debian 12 Bookworm. Some minor improvements and fixes. * Dropped support for Debian 10 (Buster). * Added support for Debian 12 (Bookworm). * ``netaddr`` Python package is now required for using the roles. + * ``dnspython`` Python package is no longer required for using the + roles. * ``backup_client`` role @@ -43,9 +45,7 @@ Debian 12 Bookworm. Some minor improvements and fixes. * Parameter ``maintenance_allowed_hosts`` has been dropped and replaced with parameter ``maintenance_allowed_sources``. The new parameter expects a list of IPv4 and IPv6 addresses (or - subnets). Resolvable names can no longer be specified (and this - particular role no longe relies on presence of the ``dnspython`` - package). + subnets). Resolvable names can no longer be specified. * NTP server configuration is now based on use of pools instead of servers. Parameter ``ntp_servers`` has been deprecated and @@ -61,6 +61,20 @@ Debian 12 Bookworm. Some minor improvements and fixes. LDAP server logs can be read via ``journalctl -u slapd`` when necessary. +* ``mail_forwarder`` role + + * Firewall rules for incoming connections from the SMTP relay server + are now based on relay's IPv4 and IPv6 addresses as resolved on + managed machine during deployment time. + + In case the SMTP relay server's IP addresses change, the role + needs to get reapplied against managed machines for those changes + to take place. + + This change in behaviour was introduced to avoid firewall-related + errors due to inability to resolve names via DNS servers during + boot time. + * ``mail_server`` role * Parameter ``mail_server_tls_protocols`` has been dropped and diff --git a/docs/rolereference.rst b/docs/rolereference.rst index a77cdc1a8e526e3c29f82e4e36a5d6a44322db85..a2a4a9469e9a3a2e43c9f24b4c53e42c9548de61 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst 
@@ -1315,8 +1315,15 @@ The role implements the following: * Purges Exim4 configuration (just in case). * Sets-up aliases for the local recipients. * Installs SWAKS (utility for testing SMTP servers). -* Configures firewall to accept SMTP connections from SMTP relay (if one has - been configured). This allows for delivery of bounced e-mails. +* Configures firewall to accept SMTP connections from SMTP relay (if + one has been configured). This allows for delivery of bounced + e-mails. + + .. note:: + Firewall rules are based on IPv4 and IPv6 addresses resolved via + managed server at time of deployment. If the SMTP relay changes + its IP addresess, this role needs to be reapplied against the + managed machines. Postfix is configured as follows: diff --git a/docs/usage.rst b/docs/usage.rst index ee504e37cbe914abe0810c154284db027027163e..8c37423acaf5dc2930cde2af8edf7e9a3c02a1e5 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -148,12 +148,11 @@ packages, and to prepare the environment a bit on the Ansible server: mkdir ~/mysite/ mkvirtualenv -p /usr/bin/python3 -a ~/mysite/ mysite pip install -U pip setuptools - pip install 'ansible~=2.9.0' dnspython netaddr + pip install 'ansible~=2.9.0' netaddr .. warning:: - The ``dnspython`` and ``netaddr`` packages are needed since they - are used internally by some of the roles for the ``dig`` and - ``ipv4/ipv6`` lookup plugins. + The ``netaddr`` package is needed for ``ipv4/ipv6`` lookup plugins + which is used internally by some of the roles. Cloning the *Majic Ansible Roles* diff --git a/requirements.in b/requirements.in index 190917c3f2cd61b19b54f3458d6a87a03cf88846..7c588b1ba82a4cac6be32bf1b279cde2a7dbd978 100644 --- a/requirements.in +++ b/requirements.in @@ -1,6 +1,5 @@ ansible~=2.9.0 defusedxml -dnspython gimmecert~=0.5.0 molecule~=2.22.0 netaddr diff --git a/requirements.txt b/requirements.txt index 459e657d6eb7373169a1ccd7dd9e0029c67f77dc..09f2c79e8dba783a798e4924cfff811f5b6b8f32 100644 --- a/requirements.txt 
+++ b/requirements.txt @@ -68,8 +68,6 @@ defusedxml==0.7.1 # via -r requirements.in distlib==0.3.8 # via virtualenv -dnspython==2.6.1 - # via -r requirements.in docutils==0.20.1 # via # sphinx @@ -126,7 +124,7 @@ pathspec==0.12.1 # via yamllint pexpect==4.9.0 # via molecule -pip-tools==7.4.0 +pip-tools==7.4.1 # via -r requirements.in platformdirs==4.2.0 # via virtualenv diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml index b93cd6ef7c5df587a65fb765e6450885e7e98d1c..912c2641734e8b62bf721c9db44548bf6cfaa5e5 100644 --- a/roles/mail_forwarder/tasks/main.yml +++ b/roles/mail_forwarder/tasks/main.yml 
@@ -70,6 +70,38 @@ state: started enabled: true +- name: Retrieve IPv4 addresses of SMTP relay host + shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u" # noqa 306 + # [306] Shells that use pipes should set the pipefail option + # The getent ahostsv4 command has non-zero exit code if the + # supplies name cannot be resolved. However, that is a valid + # use-case for extracting this information. It effectively means + # that no IPv4 firewall rules will be deployed for allowing + # incoming connections from the SMTP relay host. + changed_when: false + register: smtp_relay_host_ipv4 + +- name: Retrieve IPv6 addresses of SMTP relay host + shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u" # noqa 306 + # [306] Shells that use pipes should set the pipefail option + # The getent ahostsv6 command has non-zero exit code if the + # supplies name cannot be resolved. However, that is a valid + # use-case for extracting this information. It effectively means + # that no IPv6 firewall rules will be deployed for allowing + # incoming connections from the SMTP relay host. + changed_when: false + register: smtp_relay_host_ipv6 + +- name: Normalise the SMTP relay host IPv4 addresses variable + set_fact: + smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}" + when: "smtp_relay_host | length != 0" + +- name: Normalise the SMTP relay host IPv6 addresses variable + set_fact: + smtp_relay_host_ipv6: "{{ smtp_relay_host_ipv6.stdout_lines | reject('equalto', '') | list }}" + when: "smtp_relay_host | length != 0" + - name: Deploy firewall configuration for mail forwader template: src: "ferm_mail.conf.j2" diff --git a/roles/mail_forwarder/templates/ferm_mail.conf.j2 b/roles/mail_forwarder/templates/ferm_mail.conf.j2 index c779a9264d395297898804a359134e9e903c890d..853de80c3c53e92f4b8551b7bf22d1232114e2fa 100644 --- a/roles/mail_forwarder/templates/ferm_mail.conf.j2 
+++ b/roles/mail_forwarder/templates/ferm_mail.conf.j2 @@ -1,24 +1,30 @@ {% if smtp_relay_host and smtp_from_relay_allowed %} +{% if smtp_relay_host_ipv4 %} domain ip { # Accept incoming connections on port 25 from SMTP relay host. table filter { chain INPUT { # SMTP for server communication. proto tcp dport 25 { - saddr {{ smtp_relay_host }} ACCEPT; +{% for address in smtp_relay_host_ipv4 %} + saddr {{ address }} ACCEPT; +{% endfor %} } } } } +{% endif %} -{% if lookup('dig', smtp_relay_host + '/AAAA') not in ['NXDOMAIN', ''] %} +{% if smtp_relay_host_ipv6 %} domain ip6 { # Accept incoming connections on port 25 from SMTP relay host. table filter { chain INPUT { # SMTP for server communication. proto tcp dport 25 { - saddr {{ smtp_relay_host }} ACCEPT; +{% for address in smtp_relay_host_ipv6 %} + saddr {{ address }} ACCEPT; +{% endfor %} } } }
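Review bot: Grammar in the rewritten paragraph of the docs/about.rst hunk (the same text is duplicated in the docs/index.rst hunk): "which require ``netaddr`` package" should read "which require the ``netaddr`` package", and "on controller machine" should be "on the controller machine". Since the two files carry an identical paragraph, apply the same wording to both.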
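Review bot: The new ``mail_forwarder`` entry in the docs/releasenotes.rst hunk documents the re-apply requirement but not the failure mode that the task comments in roles/mail_forwarder/tasks/main.yml describe: if the relay name cannot be resolved on the managed machine at deployment time, no IPv4/IPv6 rules are deployed at all, so the relay will be blocked until the role is re-run. That is worth a sentence here, since an operator hitting it will look at the release notes first. Also "needs to get reapplied" reads better as "needs to be reapplied".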
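Review bot: Typo in the added ``.. note::`` of the docs/rolereference.rst hunk: "its IP addresess" should be "its IP addresses". The phrase "resolved via managed server" would also be clearer as "resolved on the managed server".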
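Review bot: Subject/verb agreement in the rewritten warning of the docs/usage.rst hunk: "``ipv4/ipv6`` lookup plugins which is used internally" should be "the ``ipv4/ipv6`` lookup plugins, which are used internally by some of the roles".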
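Review bot: The ``pip-tools==7.4.0`` to ``pip-tools==7.4.1`` bump in the requirements.txt hunk is unrelated to the stated change (dropping ``dnspython`` and switching the firewall rules to IP addresses) and is not mentioned in the commit message. Either mention it in the message or move it to a separate commit so the lock-file change is easy to trace later.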
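Review bot: In the roles/mail_forwarder/tasks/main.yml hunk the two ``shell`` tasks interpolate ``smtp_relay_host`` straight into a shell command line; wrapping it in single quotes does not protect against a value that itself contains a single quote, so a hostile or mistyped inventory value can alter the command. Use Ansible's ``quote`` filter, e.g. ``getent ahostsv4 {{ smtp_relay_host | quote }} | awk '{ print $1 }' | sort -u``, which escapes the value correctly for the shell. Two smaller points: the ``shell`` tasks have no ``when: "smtp_relay_host | length != 0"`` guard, unlike the ``set_fact`` tasks that follow, so they run ``getent`` with an empty name whenever no relay is configured; and because the pipeline swallows the ``getent`` exit status (hence the ``noqa 306``), a transient resolver failure during deployment yields an empty list and silently deploys no rules for the relay. Consider failing the play (or at least emitting a ``debug``/``fail`` message) when ``smtp_from_relay_allowed`` is set and both lists come back empty, so the condition is visible rather than discovered through blocked bounces. Typo in both task comments: "supplies name" should be "supplied name".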
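Review bot: Style point on the roles/mail_forwarder/templates/ferm_mail.conf.j2 hunk: the ``{% for address in ... %}``/``{% endfor %}`` tags sit at column 0 inside an indented block, so the rendered file has uneven indentation (harmless to ferm, but harder to read when inspecting the deployed file). ferm accepts a parenthesised list for ``saddr``, so the loops could be replaced by a single line such as ``saddr ({{ smtp_relay_host_ipv4 | join(' ') }}) ACCEPT;`` (and the IPv6 equivalent), which keeps the original layout and produces one rule block per address family.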