From 1e105b4da7ec6ab166b52dc42421710af6869409 Mon Sep 17 00:00:00 2001 From: Julian Rother Date: Sat, 1 Apr 2023 03:16:45 +0200 Subject: [PATCH] Add SRS support with postsrsd
---
defaults/main.yml | 4 +++ handlers/main.yml | 3 +++ tasks/main.yml | 17 ++++++++++++ templates/main.cf.j2 | 8 +++++- templates/postsrsd.j2 | 62 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 templates/postsrsd.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index a1e3a32..cecf1d4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -53,3 +53,7 @@ postfix:
 metrics_address: "127.0.0.1:9154"
 recipient_canonical_maps: ''
 local_header_rewrite_clients: ''
+ srs:
+ enable: false
+ domain: ~
+ exclude_domains: []
diff --git a/handlers/main.yml b/handlers/main.yml
index 2696fd3..d3905b6 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -6,3 +6,6 @@
 - name: restart prometheus-postfix-exporter
 service: name=prometheus-postfix-exporter state=restarted
+
+- name: restart postsrsd
+ service: name=postsrsd state=restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index 1bdc0d4..bfbafbe 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -18,6 +18,23 @@
 notify:
 - restart prometheus-postfix-exporter
+- name: install postsrsd
+ when: postfix.srs.enable
+ apt:
+ pkg:
+ - postsrsd
+
+- name: configure postsrsd
+ when: postfix.srs.enable
+ template:
+ src: postsrsd.j2
+ dest: /etc/default/postsrsd
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart postsrsd
+
 - name: Install and setup utilities for LDAP
 when: postfix.ldap.enable
 block:
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index be88708..e932eab 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
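Review bot: `domain: ~` gives `postfix.srs.domain` a null default, but templates/postsrsd.j2 in this same patch renders it unguarded as `SRS_DOMAIN={{ postfix.srs.domain }}`, so Jinja stringifies the null and the file ends up with `SRS_DOMAIN=None` rather than leaving the key unset for the `postconf -h mydomain` fallback that the template's own comment promises. Either give the default a real value or guard the template line: `{% if postfix.srs.domain %}SRS_DOMAIN={{ postfix.srs.domain }}{% endif %}`. The new keys are also undocumented; a comment above `srs:` such as `# srs.domain: domain SRS addresses are rewritten to; leave null to use postsrsd's default (mydomain)` would make the intent explicit. The `postfix:` mapping these keys extend starts outside the hunk.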
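Review bot: Nothing in the new tasks/main.yml tasks ensures the postsrsd service is enabled and running; `configure postsrsd` only notifies `restart postsrsd`, so on a host where the unit was stopped or disabled and the rendered file is unchanged, the run reports ok while Postfix's `tcp:` canonical lookups fail, and Postfix treats a failed table lookup as a temporary error that defers mail. Add a task after the template, e.g. `- name: enable postsrsd` / `when: postfix.srs.enable` / `service: name=postsrsd state=started enabled=yes`. The two tasks repeating `when: postfix.srs.enable` could also be grouped in a `block:` like the LDAP tasks that follow, which would apply the condition to the added service task as well.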
@@ -154,5 +154,11 @@ non_smtpd_milters = {{ ' '.join(postfix.non_smtpd_milters) }}
 # passwords or other confidential information
 notify_classes =
-recipient_canonical_maps = {{ postfix.recipient_canonical_maps }}
+{% if postfix.srs.enable %}
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+{% endif %}
+
+recipient_canonical_maps = {{ postfix.recipient_canonical_maps }}{% if postfix.srs.enable %} tcp:127.0.0.1:10002{% endif %}
+
 local_header_rewrite_clients = {{ postfix.local_header_rewrite_clients }}
diff --git a/templates/postsrsd.j2 b/templates/postsrsd.j2
new file mode 100644
index 0000000..87bb689
--- /dev/null
+++ b/templates/postsrsd.j2
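Review bot: `sender_canonical_maps = tcp:localhost:10001` addresses the forward table by hostname while the reverse table on the `recipient_canonical_maps` line uses `tcp:127.0.0.1:10002` and the new postsrsd template binds `SRS_LISTEN_ADDR=127.0.0.1`; resolving `localhost` depends on the resolver and on `/etc/hosts` being visible to a possibly chrooted cleanup process, and on a dual-stack host may try `::1` first where nothing is listening. Using the same literal on both lines, `sender_canonical_maps = tcp:127.0.0.1:10001`, removes that dependency. The postsrsd documentation also pairs the reverse table with `recipient_canonical_classes = envelope_recipient,header_recipient`, which this hunk does not set; worth confirming whether the role intends header rewriting too. The surrounding main.cf section starts outside the hunk.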
@@ -0,0 +1,62 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={{ postfix.srs.domain }}
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={{ postfix.srs.exclude_domains|join(',') }}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR=127.0.0.1
+
+# Jail daemon in chroot environment
+#
+CHROOT=/var/lib/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A always rewrite email addresses, even from SRS_DOMAIN
+# -t set connection timeout to seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A
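Review bot: `SRS_SECRET=/etc/postsrsd.secret` leaves the signing key to whatever the package postinst generated on each host, and nothing in this patch manages that file; if more than one host runs this role as an MX for the same domain, each signs with a different secret and an SRS bounce that arrives at a sibling cannot be reversed there (inferred from how SRS validates return addresses; confirm against the deployment). A `postfix.srs.secret` variable rendered to that path with `owner: root`, `mode: 0600` and `no_log: true` on the task would let the secret be shared through vault while keeping it out of the world-readable `/etc/default/postsrsd`. The rest of the file is the Debian default text, including the upstream typo `increading` in the SRS_HASHMIN comment, which is reasonable to keep as vendored wording.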