Mailman 3 Core Charm

Merge ~kotodama/mailman3-core-charm/+git/mailman3-core-charm:strict_hosts_checks into mailman3-core-charm:master

  1. Git
  2. lp:~kotodama/mailman3-core-charm/+git/mailman3-core-charm
  3. strict_hosts_checks
  4. Merge into master
Proposed by Loïc Gomez
Status: Merged
Approved by: Tom Haddon
Approved revision: 1720db2753d89c40c47fe4604d0e37454299f819
Merged at revision: b7c5c9c2fb7259e310f984e9a94c9ee3c343b388
Proposed branch: ~kotodama/mailman3-core-charm/+git/mailman3-core-charm:strict_hosts_checks
Merge into: mailman3-core-charm:master
Diff against target: 99 lines (+49/-7)
2 files modified
config.yaml (+11/-0)
reactive/mailman3_core.py (+38/-7)
Reviewer Review Type Date Requested Status
Tom Haddon Approve
Canonical IS Reviewers Pending
Review via email: mp+408097@code.launchpad.net

Commit message

Add strict_hosts_check option enabling hostname checks in smtpd_recipient_restrictions
Fix `postconf' command mistyped as `postmap'

To post a comment you must log in.
Revision history for this message
Loïc Gomez (kotodama) wrote (last edit ):

See https://pastebin.ubuntu.com/p/xKWX7hwW4b/ for juju config tests.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
Tom Haddon (mthaddon) wrote :

LGTM, thx

review: Approve
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision b7c5c9c2fb7259e310f984e9a94c9ee3c343b388

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/config.yaml b/config.yaml
2index 4dba6bf..61aefd4 100644
3--- a/config.yaml
4+++ b/config.yaml
5@@ -40,6 +40,17 @@ options:
6 type: boolean
7 description: |
8 Enable Postfix SPF extensions
9+ enable_strict_host_checks:
10+ default: ""
11+ type: string
12+ description: |
13+ Enable strict hostname checks in smtpd_recipient_restrictions.
14+
15+ Set to "true" to enable, or "test" to enable checks in test mode.
16+
17+ Test mode will prefix the restrictions with warn_if_reject, so that
18+ potential rejections will appear in the server logs but won't actually
19+ reject messages.
20 spamassassin_policy:
21 default: ""
22 type: string
23diff --git a/reactive/mailman3_core.py b/reactive/mailman3_core.py
24index 4334c05..081cdcb 100644
25--- a/reactive/mailman3_core.py
26+++ b/reactive/mailman3_core.py
27@@ -98,7 +98,7 @@ def configure_postfix():
28 subprocess.check_output(['postconf', 'relay_domains=hash:/var/lib/mailman3/data/postfix_domains'])
29 subprocess.check_output(['postmap', '/var/lib/mailman3/data/postfix_domains'])
30
31- subprocess.check_output(['postmap', 'smtpd_sender_restrictions=reject_unknown_sender_domain'])
32+ subprocess.check_output(['postconf', 'smtpd_sender_restrictions=reject_unknown_sender_domain'])
33
34 # HyperKitty expects messages will all have the 'Message-ID' header,
35 # unfortunately not all clients do so let's work around it (LP: #1776658)
36@@ -110,6 +110,8 @@ def configure_postfix():
37 if config["enable_spf"]:
38 configure_postfix_spf()
39
40+ configure_recipient_restrictions()
41+
42 host.service_reload('postfix')
43 # Open the SMTP port
44 hookenv.open_port(25)
45@@ -117,6 +119,40 @@ def configure_postfix():
46 hookenv.status_set('active', 'ready')
47
48
49+# Configure smtpd_recipient_restrictions depending on if SPF is enabled
50+# and if strict hosts checking is enabled or in test mode
51+def configure_recipient_restrictions():
52+ config = hookenv.config()
53+
54+ smtpd_rr = [
55+ "permit_sasl_authenticated",
56+ "permit_mynetworks"
57+ ]
58+
59+ rr_shc = [
60+ "reject_non_fqdn_helo_hostname",
61+ "reject_non_fqdn_recipient",
62+ "reject_non_fqdn_sender",
63+ "reject_invalid_helo_hostname",
64+ "reject_unknown_recipient_domain",
65+ "reject_unknown_sender_domain"
66+ ]
67+
68+ if config["enable_strict_host_checks"] == 'true':
69+ smtpd_rr.extend(rr_shc)
70+ elif config["enable_strict_host_checks"] == 'test':
71+ smtpd_rr.extend(["warn_if_reject " + e for e in rr_shc])
72+
73+ smtpd_rr.append("reject_unauth_destination")
74+
75+ if config["enable_spf"]:
76+ smtpd_rr.append("check_policy_service unix:private/policy-spf")
77+
78+ # postconf accepts space-separated restrictions, but we also may have
79+ # whitespace when using eg. warn_if_reject, so let's use commas.
80+ postconf(key="smtpd_recipient_restrictions", value=",".join(smtpd_rr))
81+
82+
83 def configure_spamassassin():
84 config = hookenv.config()
85 default_config = ('ENABLED=0\n'
86@@ -147,12 +183,7 @@ def configure_spamassassin():
87 def configure_postfix_spf():
88 config = hookenv.config()
89 postconf(key="policy-spf_time_limit", value="3600s")
90- postconf(key="smtpd_recipient_restrictions", value=(
91- "permit_sasl_authenticated "
92- "permit_mynetworks "
93- "reject_unauth_destination "
94- "check_policy_service unix:private/policy-spf"
95- ))
96+
97 if not postconf(key="policy-spf", args=("-F",)): # Check to see if spf is already configured.
98 spf_master_cf = os.path.join(hookenv.charm_dir(), "files/spf_master.cf")
99 with open(spf_master_cf) as f:

Subscribers

People subscribed via source and target branches