GitLab

Especially DNSSEC employs big payloads.  The original EDNS buffer size
of 4096 isn't recommended anymore, modern clients advertise 1232 bytes
instead (the glibc stub resolver uses the even more conservative 1200
bytes), and servers similarly truncate their responses to avoid having
them fragmented.  This initiates TCP fallback, which, if not allowed,
leads to "DANE error: tlsa lookup DEFER" failure messages from the
Exim remote_smtp transport (after a long connect timeout).

https://labs.apnic.net/?p=1390
https://dnsflagday.net/2020/

For transparency let's try to keep all the list domain configuration
in one place, no /etc/aliases, .forward, .procmailrc and similar.  And
no accidental local delivery.

It was (rightfully) confused by the MX record pointing to ourselves.
Also hardwire the ipv6forum@ipv6forum.hu redirect to keep the
configuration in one place.  At the same time this puts it on equal
footing with the lista.edu.hu domain (mostly).

The dependency runs the mailman role with --tags apache, wasting time.

This sidesteps a DoS possibility and does not lie to our usual
firewall check (which considers kernel log freshness).

A standard STARTTLS + LOGIN authenticated submission service is
useful in mobile situations, so support it as a side project.

Now that we don't use satellite config anymore it can make a
difference.

But accept local recipients from local (not TCP/IP) and loopback SMTP
connections only.

Replace common.exim with a specialized router.  This enables meaninful
sender and recipient verification, because all addresses aren't
routable anymore.  And doesn't put mailing list load on our redirector
service.