mailserver: add VERP marking of outgoing an unmarking of incoming mails

mail_system.yml

@@ -27,9 +27,12 @@
 #     overwrite_config: no
 #     reject_sender_login_mismatch: yes
 #     mynetworks: "10.0.0.0/24 [2a01:XXXX:XXXX:XXXX::]/64"
+#     verp_marker: rstxyz
 #   dovecot:
 #     auth_default_realm: mymaindomain.org
 #
+# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
+#
 # (Use ansible-vault encrypt_string zo encrypt the password.)
 #
 # TODOs after running this playbook:

mail_system/tasks/database.yml

@@ -131,3 +131,30 @@
     table: shared_folders_anyone
     columns: from_user
     idxname: shared_folders__from
+
+- name: database table mail_from
+  postgresql_table:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    name: mail_from
+    columns:
+    - id bigserial primary key
+    - t timestamp default now()
+    - original varchar(250) not null
+    - rewritten varchar(250) not null
+
+- name: database index mail_from__rewritten
+  postgresql_idx:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    table: mail_from
+    columns: rewritten
+    idxname: mail_from__rewritten

mail_system/tasks/postfix.yml

@@ -72,6 +72,8 @@
     - relay_domains.cf
     - relay_recipient_maps.cf
     - transport_maps.cf
+    - sender_canonical_maps.cf
+    - recipient_canonical_maps.cf
 
 - name: restart postfix
   systemd:

mail_system/templates/postfix/main.cf

@@ -95,6 +95,16 @@ smtpd_relay_restrictions =
 # rspamd
 
 
+# VERP marking
+# Envelope sender addresses matching mydomains are marked.
+# The marker is removed from envelope recipient addresses.
+canonical_classes = envelope_sender, envelope_recipient
+sender_canonical_classes = envelope_sender
+sender_canonical_maps = pgsql:/etc/postfix/sender_canonical_maps.cf
+recipient_canonical_classes = envelope_recipient
+recipient_canonical_maps = pgsql:/etc/postfix/recipient_canonical_maps.cf
+
+
 # useful for log analysis
 enable_long_queue_ids = yes
 

mail_system/templates/postfix/recipient_canonical_maps.cf

@@ -0,0 +1,10 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+# man pgsql_table
+
+user = {{ mailserver.postgresql.username }}
+password = {{ mailserver.postgresql.password }}
+dbname = {{ mailserver.postgresql.dbname }}
+hosts = {{ mailserver.postgresql.host }}
+query = select regexp_replace('%s', '\+(.*){{ mailserver.postfix.verp_marker }}-\d+@', '+\1@')

mail_system/templates/postfix/sender_canonical_maps.cf

@@ -0,0 +1,21 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+# man pgsql_table
+
+user = {{ mailserver.postgresql.username }}
+password = {{ mailserver.postgresql.password }}
+dbname = {{ mailserver.postgresql.dbname }}
+hosts = {{ mailserver.postgresql.host }}
+query = insert into mail_from (id, original, rewritten)
+  values (nextval('mail_from_id_seq'), '%s',
+    case
+    when regexp_replace('%s', '.*@([^@]+)$', '\1') in (select name from domains)
+    then case
+         when '%s'~*'{{ mailserver.postfix.verp_marker }}-\d+@'
+         then '%s'
+         else regexp_replace('%s', '^(.*)@[^@]+$', '\1') || case when '%s'~'\+' then '{{ mailserver.postfix.verp_marker }}-' else '+{{ mailserver.postfix.verp_marker }}-' end || lastval()::text || '@' || regexp_replace('%s', '.*@([^@]+)$', '\1')
+         end
+    else '%s'
+    end
+  ) on conflict (rewritten) do nothing returning rewritten