From 087f4bb74dd66b28be5f8020714fcbea8015e4d1 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 11 Nov 2020 13:29:22 +0100
Subject: [PATCH] groups/{gce,home}: send mail via mx0.kunbox.net

---
 PORT_MAP.md | 3 ++-
 bundles/postfix/files/main.cf | 4 ++++
 bundles/postfix/files/master.cf | 2 ++
 groups/locations.py | 12 ++++++++++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/PORT_MAP.md b/PORT_MAP.md
index b0dc0d7..058a146 100644
--- a/PORT_MAP.md
+++ b/PORT_MAP.md
@@ -21,7 +21,8 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 143 | dovecot | dovecot imap |
 | 443 | nginx | https |
 | 587 | postfix | postfix submission |
-| 993 | dovecot | dovecot imap
+| 993 | dovecot | dovecot imap |
+| 2525 | postfix | postfix postscreen |
 | 4190 | dovecot | dovecot managesieve |
 | 5232 | radicale | radicale |
 | 5432 | postgresql | postgres |
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index 3f9fe84..ddc2efa 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -13,6 +13,10 @@ inet_protocols = all
 message_size_limit = ${node.metadata.get('postfix', {}).get('message_size_limit_mb', 10)*1024*1024}
 alias_database = hash:/etc/aliases
 
+% if 'relayhost' in node.metadata.get('postfix', {}):
+relayhost = ${node.metadata['postfix']['relayhost']}
+% endif
+
 % if node.has_bundle('postfixadmin'):
 inet_interfaces = all
 % else:
diff --git a/bundles/postfix/files/master.cf b/bundles/postfix/files/master.cf
index 56c584d..c48e1b3 100644
--- a/bundles/postfix/files/master.cf
+++ b/bundles/postfix/files/master.cf
@@ -5,6 +5,8 @@
 % if node.has_bundle('postfixadmin'):
 smtp inet n - y - 1 postscreen
 -o smtpd_sasl_auth_enable=no
+2525 inet n - y - 1 postscreen
+ -o smtpd_sasl_auth_enable=no
 % else:
 smtp inet n - y - 1 smtpd
 % endif
diff --git a/groups/locations.py b/groups/locations.py
index 34c78bf..ad40492 100644
--- a/groups/locations.py
+++ b/groups/locations.py
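Review bot: Nothing in the main.cf hunk requires TLS on the hop that the new `relayhost = ${node.metadata['postfix']['relayhost']}` line introduces, and the group metadata in this commit relays without authentication. Unless main.cf already sets a TLS policy outside the lines shown, mail from the gce and home nodes can travel to the relay in cleartext, or be forced back to cleartext by anyone on the path. I would add `smtp_tls_security_level = encrypt` inside the same `% if 'relayhost' in ...` block (or `verify` with a CA file, if the relay's certificate validates), so delivery fails closed instead of falling back to plaintext.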
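Review bot: The added `2525 inet n - y - 1 postscreen` entry in master.cf runs a second postscreen service beside the one on `smtp`, and two postscreen services cannot both open the default `btree:` cache because each takes an exclusive lock on it. Unless main.cf already handles this outside the lines shown, the new listener is likely to abort at start-up with an exclusive-lock error; `postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache` in main.cf lets both services share the cache. As written the entry is configured like the port-25 one (postscreen, SASL disabled), so a one-line comment above it, such as `# alternate MX port, keep restrictions identical to smtp`, would help the next reader keep the two in step.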
@@ -17,6 +17,12 @@ groups['gce'] = {
 '8.8.8.8',
 '8.8.4.4',
 },
+ 'postfix': {
+ # It's fine to do this without authentificating to the relayhost.
+ # These Systems are not supposed to send mail anywhere else
+ # than our own domains.
+ 'relayhost': '[mx0.kunbox.net]:2525',
+ },
 },
 }
 
@@ -43,6 +49,12 @@ groups['home'] = {
 'nameservers': {
 '172.19.138.1',
 },
+ 'postfix': {
+ # It's fine to do this without authentificating to the relayhost.
+ # These Systems are not supposed to send mail anywhere else
+ # than our own domains.
+ 'relayhost': '[mx0.kunbox.net]:2525',
+ },
 },
 }
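Review bot: The comment above `'relayhost': '[mx0.kunbox.net]:2525'` in `groups['gce']` (and its verbatim copy in `groups['home']`) states an intention, not a control: nothing in these hunks stops a node from submitting mail for a foreign domain, so relaying without authentication is only safe if mx0 refuses such recipients on port 2525. I would reword it to name that dependency, for example `# No SMTP auth: mx0 must accept mail on 2525 for our own domains only.`, and correct the spelling of "authentificating" at the same time. Because the block is duplicated in both groups, a shared constant or a common parent group would keep the two copies from drifting apart; both dictionaries begin outside the hunks shown.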