2 files changed, 9 insertions, 4 deletions

diff --git a/ansible/roles/postfix/tasks/main.yml b/ansible/roles/postfix/tasks/main.yml
index de775ce..57293ad 100644
--- a/ansible/roles/postfix/tasks/main.yml
+++ b/ansible/roles/postfix/tasks/main.yml
@@ -198,12 +198,12 @@
         -o smtpd_sasl_path=private/auth
 
       cleanup-srs     unix n - - - 0 cleanup
-        -o syslog_name=postfix/srs
+        -o syslog_name=postfix/cleanup/optional-srs
         -o sender_canonical_maps=pcre:/etc/postfix/sender-canonical-maps,tcp:127.0.0.1:10001
         -o sender_canonical_classes=envelope_sender
 
-      127.0.0.1:10027 inet n - - - - smtpd
-        -o syslog_name=postfix/srs
+      127.0.0.1:10027 inet n - y - - smtpd
+        -o syslog_name=postfix/cleanup/optional-srs
         -o smtpd_milters=
         -o cleanup_service_name=cleanup-srs
         -o smtpd_tls_security_level=none
diff --git a/ansible/roles/postfix/templates/main.cf.j2 b/ansible/roles/postfix/templates/main.cf.j2
index 835b8f8..496dab4 100644
--- a/ansible/roles/postfix/templates/main.cf.j2
+++ b/ansible/roles/postfix/templates/main.cf.j2
@@ -48,7 +48,12 @@ myhostname = {{ postfix_mailserver_name }}
 
 policyd-spf_time_limit = 3600
 
-# Handle SRS
+# Set the default transport to our private separate smtpd instance
+# which will conditionally apply SRS (Sender Rewrite Scheme).
+#
+# If the mail is destined for a local inbox, no SRS is needed as we
+# are the final hop. If the mail is destined for a forwarding address
+# we apply SRS so that SPF and other validations will pass.
 default_transport = smtp:127.0.0.1:10027
 recipient_canonical_maps = tcp:localhost:10002
 recipient_canonical_classes = envelope_recipient,header_recipient