postfix: add rate-limiting exceptions for our own nodes

2 files changed, 19 insertions, 2 deletions

diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
index 5593716..ca9c87d 100644
--- a/cluster/prod/app/email/config/postfix/main.cf
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -83,11 +83,14 @@ smtpd_forbid_unauth_pipelining = yes
 smtpd_discard_ehlo_keywords = chunking
 smtpd_forbid_bare_newline = yes
 
-smtpd_client_connection_rate_limit = 2
-
 #===
 # Rate limiting
 #===
+smtpd_client_connection_rate_limit = 2
+# do not rate-limit ourselves
+# in particular, useful for forgejo who opens a lot of SMTP connections
+smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
+
 slow_destination_recipient_limit = 20
 slow_destination_concurrency_limit = 2
 
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 10e4d50..7eea2ea 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -382,6 +382,20 @@ job "email" {
         destination = "secrets/postfix/transport"
       }
 
+      template {
+        data = <<EOH
+        {{- range ls "diplonat/autodiscovery/ipv4" }}
+          {{- with $a := .Value | parseJSON }} {{ $a.address }}
+          {{- end }}
+        {{- end }}
+        {{- range ls "diplonat/autodiscovery/ipv6" }}
+          {{- with $a := .Value | parseJSON }} [{{ $a.address }}]
+          {{- end }}
+        {{- end }}
+        EOH
+        destination = "secrets/postfix/rate-limit-exceptions"
+      }
+
       # --- secrets ---
       template {
         data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"