Should fix:
https://pagure.io/fedora-infrastructure/issue/12361
Basically postfix default is:
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
so if the user is a local user or an alias, it's valid.
However, sssd and ipa show all users (even ones with no
access to that host). This means we were accepting and delivering
(locally) emails for anyuser@fedoraproject.org.
Setting this to just $alias_maps will just treat aliases as valid
and ignore all the local users. This should be fine as we use
aliases to send even to root or other system users.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I followed the instruction from
https://pagure.io/fedora-infrastructure/issue/8455#comment-913675, but this is
my first time I actually doing anything in postfix configuration, so I'm not
sure if everything I did is correct.
The SMTP port on the machine seems to be open according to group_vars for the
mailman_stg.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
I'm pushing this during freeze as it's required to avoid an outage of
our logs. For some reason we hit a large backlog and log01 rsyslog
stopped logging. Bumping this up seems to have fixed it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This map wasn't there, causing bastion02 to basically reject emails.
So, instead just comment it out because we aren't using it anyhow.
We are luckly bastion01's postfix hasn't been restarted and breaking it
there.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
RHEL turned off chunking in postfix for various reasons. This causes a
lot of logs from spam and other servers. Turning off logging this as
it is not supported.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
This host needs to have it's own self signed certs and needs some more
config to allow the auth and allow authenticated users to relay.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need this to try and relay in emails.
It turns out to be bordering on impossible to do this sanely with our
current setup, so make a fedora vm that lets us use saslauthdb to have a
specific (small) list of users that can authenticate and relay emails
via bastion and out. We can't do this on rhel, because they don't build
the saslauthdb backend. We can't use any of the other backends because
they either don't work or would allow any fedora user to relay, which we
do not want.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla thats
a lot of email.
Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.
With this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.
This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
