Postfix fix for focal #5777

Merged
merged 2 commits into from Feb 10, 2021

kushaldas
Contributor

Status

Ready for review

Description of Changes

Fixes #5775

Adds postfix configuration for Focal based on http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Testing

  • Create Focal prod VMs
  • ssh into both and do sudo apt install ubuntu-release-upgrader-core because the latest Bento box does not have that.
  • Apply the following patch on your Tails VM, and then do ./securedrop-admin install to install SecureDrop on Focal.
diff --git a/install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml b/install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml
index d186993df..6354113fa 100644
--- a/install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml
+++ b/install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml
@@ -10,7 +10,7 @@
 #
 # For testing/QA, set this URL to another apt server. You must also update
 # the associated public key for the apt repo for testing/QA.
-apt_repo_url: https://apt.freedom.press
+apt_repo_url: https://apt-test.freedom.press
 
 # By default, install packages from the apt-repo, but under
 # staging hosts we'll prefer locally-built deb packages
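Review bot: the apt_repo_url line is changed in the role's defaults/main.yml, so every install run from this checkout pulls packages from apt-test.freedom.press, not only the Focal test VMs. The comment above the line already says the public key must change with it; the test steps should also tell the tester to discard this patch once testing is done, or set the variable as an override for the test hosts instead of editing the default.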
@@ -20,7 +20,7 @@ install_local_packages: False
 # May be overridden in staging to install from a test/QA server,
 # the Release file for which will *not* be signed with the prod key.
 apt_repo_pubkey_files:
-  - fpf-signing-key.pub
+  - apt-test-signing-key.pub
 
 # Enabling support for xenial by default.
 apt_repo_target_distro: "{{ ansible_distribution_release }}"
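Review bot: the apt_repo_pubkey_files entry replaces fpf-signing-key.pub instead of adding to the list, so a host installed with this patch trusts only the test signing key for the apt repo. That suits a throwaway test VM, and the context comment says the test Release file is not signed with the prod key, but this hunk and the apt_repo_url hunk have to be applied and reverted together; applying only one leaves apt pointed at a repo whose signature it cannot verify.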
  • Log in to the mon server and check for any postfix error in the /var/log/syslog file.

Deployment

Any special considerations for deployment? Consider both:

  1. Upgrading existing production instances.
  2. New installs.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you added or removed a file deployed with the application:

  • I have updated AppArmor rules to include the change

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

If you added or updated a code dependency:

Choose one of the following:

  • I have performed a diff review and pasted the contents to the packaging wiki
  • I would like someone else to do the diff review

@emkll emkll added this to Ready for Review in SecureDrop Team Board Feb 8, 2021
@emkll emkll moved this from Ready for Review to Under Review in SecureDrop Team Board Feb 8, 2021
Contributor

@emkll emkll left a comment

Thanks @kushaldas, it appears that while the changes proposed here work in staging environments, they will not work in production context (see inline).

Furthermore, could you please elaborate on the following directive in the PR description:

sudo apt install ubuntu-release-upgrader-core

Does this warrant a follow up issue?

@@ -62,3 +62,7 @@ maximal_queue_lifetime = 14d
# Used to remap outbound from address in emails
smtp_generic_maps = hash:/etc/postfix/generic
{% endif %}
{% if securedrop_target_distribution == "focal" %}
Contributor

@emkll emkll Feb 8, 2021

In its current form, this condition will never be met in production context on a Focal install. This is because securedrop_target_distribution is mainly used for the package build logic, and defaults to xenial in

securedrop_target_distribution: xenial
In staging context, it is overridden in
securedrop_target_distribution: "focal"
This means that while CI/tests are passing (they are using staging environments), the logic as written here will not work in production VMs nor hardware; the condition tested will never be met since securedrop_target_distribution is undefined. Using ansible_distribution_release should work for all cases (staging and production) here.

@emkll emkll moved this from Under Review to In Development in SecureDrop Team Board Feb 8, 2021
@emkll emkll moved this from In Development to Ready for Review in SecureDrop Team Board Feb 9, 2021
@emkll emkll moved this from Ready for Review to Under Review in SecureDrop Team Board Feb 9, 2021
Contributor

@emkll emkll left a comment

Thanks @kushaldas. As discussed in #5777 (review), I believe the variable you are looking for is ansible_distribution_release, and not ansible_distribution, which may explain the legitimate test failures in https://app.circleci.com/pipelines/github/freedomofpress/securedrop/1828/workflows/9c782e72-1972-40e1-8517-521ed4b1a0c7/jobs/49990.

I have taken the liberty of force pushing this branch and rebasing on latest develop. Approving based on the diff, but please take a look and merge once CI is passing.

@kushaldas kushaldas merged commit 9a0a31f into develop Feb 10, 2021
SecureDrop Team Board automation moved this from Under Review to Done Feb 10, 2021
@kushaldas kushaldas deleted the postfix_fix_for_focal branch February 10, 2021 05:22
Successfully merging this pull request may close these issues.

[Focal] Emails not being sent from mon server under Focal