From 5281cec4c98bc6b3ffcdc049855e708b95efe281 Mon Sep 17 00:00:00 2001
From: Mauro Torrez
Date: Mon, 30 Sep 2019 03:00:50 -0300
Subject: [PATCH] use external container

---
 files/Dockerfile | 22 ----
 tasks/main.yml | 281 +++++++++++++++++------------------------------
 2 files changed, 98 insertions(+), 205 deletions(-)
 delete mode 100644 files/Dockerfile

diff --git a/files/Dockerfile b/files/Dockerfile
deleted file mode 100644
index 97b92b8..0000000
--- a/files/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM debian:buster-slim
-LABEL maintainer "Mauro Torrez "
-ARG DEBIAN_FRONTEND=noninteractive
-ENV LC_ALL C
-RUN echo "_dev_null: /dev/null" > /etc/aliases \
- && apt-get update && apt-get install -y --no-install-recommends \
- postfix \
- postfix-pcre \
- postfix-ldap \
- postfix-sqlite \
- libsasl2-modules \
- ssl-cert \
- && rm -rf /var/lib/apt/lists/* \
- && cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf \
- && mkdir -p /ssl && chmod 700 /ssl \
- && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
- && cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem
-
-VOLUME /etc/postfix /ssl
-EXPOSE 25/tcp 587/tcp
-
-CMD postfix start-fg
diff --git a/tasks/main.yml b/tasks/main.yml
index 9ead138..791ff63 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,25 +1,4 @@
 ---
-- name: Directorio de build postfix file: path: /root/.postfix-docker-image state: directory tags: skip_me
-
-- name: Copiar archivos de build copy: src: "{{ item }}" dest: /root/.postfix-docker-image loop: - Dockerfile tags: skip_me
-
-- name: Crear imagen {{ postfix_image }} docker_image: state: present name: "{{ postfix_image }}" path: /root/.postfix-docker-image tags: skip_me
-
 - name: Activar container postfix
 docker_container:
 name: "{{ postfix_container }}"
@@ -33,97 +12,18 @@
 - name: "{{ docker_network_name }}"
 ports: "{{ postfix_publish_ports }}"
 env:
- register: container
-
-- name: Leer info de volumen {{ postfix_volume }} docker_volume_info: name: "{{ postfix_volume }}" register: res
-
-- name: Leer info de volumen {{ postfix_volume_ssl }} docker_volume_info: name: "{{ postfix_volume_ssl }}" register: ssl
-
-- name: Exportar informacion de volumen set_fact: postfix_container: "{{ lookup('vars','postfix_container') }}" postfix_volume: "{{ lookup('vars','postfix_volume') }}" postfix_mountpoint: "{{ res.volume.Mountpoint }}" postfix_volume_ssl: "{{ lookup('vars','postfix_volume_ssl') }}" postfix_mountpoint_ssl: "{{ ssl.volume.Mountpoint }}"
-
-- name: Configurar lookup tables include_tasks: lookup_tables.yml loop: "{{ postfix_mail_domains.keys()|list }}" loop_control: loop_var: domain
-
-- name: Directorio de reglas para access lists file: name: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}" state: directory
-
-- name: Template client access list blockinfile: path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/client_access_list" create: yes block: | # Edit host variable `postfix_client_access_list` to change these values {% for entry in postfix_client_access_list -%} {{ entry.regex }} {{ entry.action }} {% endfor %} notify: postmap access lists
-
-- name: Template helo access list blockinfile: path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/helo_access_list" create: yes block: | # Edit host variable `postfix_helo_access_list` to change these values {% for entry in postfix_helo_access_list -%} {{ entry.host }} {{ entry.action }} {% endfor %} notify: postmap access lists
-
-- name: Template recipient access list blockinfile: path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/recipient_access_list" create: yes block: | # Edit host variable `postfix_recipient_access_list` to change these values {% for entry in
postfix_recipient_access_list -%} {{ entry.rcpt }} {{ entry.action }} {% endfor %} notify: postmap access lists
-
-- name: Template sender access list blockinfile: path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/sender_access_list" create: yes block: | # Edit host variable `postfix_sender_access_list` to change these values {% for entry in postfix_sender_access_list -%} {{ entry.sender }} {{ entry.action }} {% endfor %} notify: postmap access lists
-
-- name: Configurar main.cf postconf: parameter: maillog_file: /dev/stdout mydestination: >-
+ MYDESTINATION: >-
 {{ postfix_unix_domains | union( [ ansible_fqdn, 'localhost.localdomain', 'localhost'] ) | difference( postfix_mail_domains ) }}
- myhostname:
+ MYHOSTNAME:
 "{{ postfix_server_name }}"
- mydomain:
+ MYDOMAIN:
 "{{ postfix_server_domain }}"
- mynetworks: >-
+ MYNETWORKS: >-
 {{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] | union( postfix_local_networks ) }}
- virtual_alias_maps: >-
+ VIRTUAL_ALIAS_MAPS: >-
 {% for d in postfix_mail_domains.keys()|list %}
 {% set p = postfix_mail_domains[d].alias_lookup.provider|default(postfix_lookup_provider) %}
 {% if p == "ldap" %}
@@ -137,7 +37,7 @@
 hash:/etc/postfix/{{ d }}_aliases {% endif %}, hash:/etc/postfix/{{ d }}_noreply {{ '' if loop.last else ',' }}{% endfor %}
- virtual_mailbox_maps: >-
+ VIRTUAL_MAILBOX_MAPS: >-
 {% for d in postfix_mail_domains.keys()|list %}
 {% set p = postfix_mail_domains[d].user_lookup.provider|default(postfix_lookup_provider) %}
 {% if p == "ldap" %}
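Review bot: `MYNETWORKS` and `MYDESTINATION` are now plain environment strings, but their values are Jinja list expressions (`| union(...)`, `| difference(...)`) that render as Python list syntax — e.g. `['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']` — rather than the comma-separated form Postfix expects; the removed `postconf` module may have coerced lists, an env var cannot. If the image copies these into `main.cf` unchanged, `mynetworks` will either fail to load or not match the intended trusted networks, and that is the relay-trust boundary behind `permit_mynetworks`. Suggest rendering explicitly, e.g. `MYNETWORKS: "{{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] | union(postfix_local_networks) | join(', ') }}"`, with the same `| join(', ')` on `MYDESTINATION`. The external image's entrypoint is not visible here, so confirm how it treats list-valued variables before relying on it.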
@@ -147,100 +47,115 @@
 {% elif p == "file" %}
 hash:/etc/postfix/{{ d }}_users
 {% endif %}{{ '' if loop.last else ',' }}{% endfor %},
- virtual_transport: "lmtp:{{ dovecot_container }}:24"
- virtual_mailbox_domains: "{{ postfix_mail_domains }}"
- smtpd_sasl_path: "inet:{{ dovecot_container }}:12345"
- smtpd_sasl_type: dovecot
- smtpd_sasl_auth_enable: "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
- smtpd_tls_cert_file: /ssl/cert.pem
- smtpd_tls_key_file: /ssl/key.pem
- smtp_tls_security_level:
+ VIRTUAL_TRANSPORT: "lmtp:{{ dovecot_container }}:24"
+ VIRTUAL_MAILBOX_DOMAINS: "{{ postfix_mail_domains }}"
+ SMTPD_SASL_PATH: "inet:{{ dovecot_container }}:12345"
+ SMTPD_SASL_TYPE: dovecot
+ SMTPD_SASL_AUTH_ENABLE: "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
+ SMTPD_TLS_CERT_FILE: /ssl/cert.pem
+ SMTPD_TLS_KEY_FILE: /ssl/key.pem
+ SMTP_TLS_SECURITY_LEVEL:
 "{{postfix_incoming_tls_security}}"
- smtpd_tls_security_level:
+ SMTPD_TLS_SECURITY_LEVEL:
 "{{postfix_outgoing_tls_security}}"
- smtpd_tls_auth_only:
+ SMTPD_TLS_AUTH_ONLY:
 "{{ 'yes' if postfix_allow_insecure_auth else 'no'}}"
- smtpd_tls_session_cache_database:
+ SMTPD_TLS_SESSION_CACHE_DATABASE:
 "{{ 'btree:${data_directory}/smtpd_scache' if postfix_tls_session_cache else '' }}"
- smtpd_client_restrictions:
+ SMTPD_CLIENT_RESTRICTIONS:
 "{{ postfix_client_restrictions }}"
- smtpd_data_restrictions:
+ SMTPD_DATA_RESTRICTIONS:
 "{{ postfix_data_restrictions }}"
- smtpd_helo_restrictions:
+ SMTPD_HELO_RESTRICTIONS:
 "{{ postfix_helo_restrictions }}"
- smtpd_relay_restrictions:
+ SMTPD_RELAY_RESTRICTIONS:
 "{{ postfix_relay_restrictions }}"
- smtpd_recipient_restrictions:
+ SMTPD_RECIPIENT_RESTRICTIONS:
 "{{ postfix_recipient_restrictions }}"
- message_size_limit:
+ MESSAGE_SIZE_LIMIT:
 "{{ postfix_message_size_limit }}"
- smtpd_helo_required:
+ SMTPD_HELO_REQUIRED:
 "{{ 'yes' if postfix_helo_required else 'no' }}"
- biff:
+ BIFF:
 "{{ 'yes' if postfix_biff else 'no' }}"
- notify: reload postfix
+
SUBMISSION_ENABLE:
+ "{{ 'yes' if postfix_submission_enable else 'no' }}"
+ POSTSCREEN_ENABLE:
+ "{{ 'yes' if postfix_postscreen_enable else 'no' }}"
+ POSTSCREEN_ACCESS_LIST:
+ "cidr:/etc/postfix/{{ postfix_rules_dir }}/postscreen_access_list.cidr, permit_mynetworks"
+ POSTSCREEN_DNSBL_SITES: "\
+ {% for entry in postfix_postscreen_dnsbl_sites -%}\
+ {% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
+ {{ entry.site }}{{ '*' if entry.score is defined else '' }}\
+ {{ entry.score | default('') }}{% endif %}\
+ {{ '' if loop.last else ', ' }}{% endfor %}"
+ POSTSCREEN_DNSBL_REPLY_MAP:
+ "pcre:/etc/postfix/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
+ POSTSCREEN_BLACKLIST_ACTION:
+ "{{ postfix_postscreen_blacklist_action }}"
+ POSTSCREEN_DNSBL_ACTION:
+ "{{ postfix_postscreen_dnsbl_action }}"
+ POSTSCREEN_DNSBL_THRESHOLD:
+ "{{ postfix_postscreen_dnsbl_threshold }}"
+ POSTSCREEN_DNSBL_WHITELIST_THRESHOLD:
+ "{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
+ POSTSCREEN_GREET_ACTION:
+ "{{ postfix_postscreen_greet_action }}"
-- name: Disable chroot for services postconf: service: "{{ item.0 }}" type: "{{ item.1 }}" chroot: "n" notify: reload postfix loop: - [smtp, inet] - [pickup, unix] - [cleanup, unix] - [qmgr, unix] - [tlsmgr, unix] - [rewrite, unix] - [bounce, unix] - [defer, unix] - [trace, unix] - [verify, unix] - [flush, unix] - [smtp, unix] - [relay, unix] - [showq, unix] - [error, unix] - [retry, unix] - [discard, unix] - [lmtp, unix] - [anvil, unix] - [scache, unix]
+ register: container
-
-- name: Enable submission service postconf: service: submission type: inet private: 'n' chroot: 'n' command: smtpd parameter: milter_macro_daemon_name: ORIGINATING smtpd_client_restrictions: - permit_sasl_authenticated - reject smtpd_sasl_auth_enable: 'yes' smtpd_tls_security_level: encrypt syslog_name: postfix/submission notify: reload postfix when:
postfix_submission_enable == True
+# FIXME: resolver access lists y tables en Docker
-- name: Disable submission service postconf: service: submission type: inet state: absent notify: reload postfix when: postfix_submission_enable == False
+# - name: Configurar lookup tables
+# include_tasks: lookup_tables.yml
+# loop: "{{ postfix_mail_domains.keys()|list }}"
+# loop_control:
+# loop_var: domain
-# - name: "Enable postscreen"
-# include_tasks: postscreen.yml
-# when: "postfix_postscreen_enable == True"
+# - name: Template client access list
+# blockinfile:
+# path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/client_access_list"
+# create: yes
+# block: |
+# # Edit host variable `postfix_client_access_list` to change these values
+# {% for entry in postfix_client_access_list -%}
+# {{ entry.regex }} {{ entry.action }}
+# {% endfor %}
+# notify: postmap access lists
-# - name: "Disable postscreen"
-# include_tasks: postscreen_disable.yml
-# when: "postfix_postscreen_enable == False"
+# - name: Template helo access list
+# blockinfile:
+# path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/helo_access_list"
+# create: yes
+# block: |
+# # Edit host variable `postfix_helo_access_list` to change these values
+# {% for entry in postfix_helo_access_list -%}
+# {{ entry.host }} {{ entry.action }}
+# {% endfor %}
+# notify: postmap access lists
+
+# - name: Template recipient access list
+# blockinfile:
+# path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/recipient_access_list"
+# create: yes
+# block: |
+# # Edit host variable `postfix_recipient_access_list` to change these values
+# {% for entry in postfix_recipient_access_list -%}
+# {{ entry.rcpt }} {{ entry.action }}
+# {% endfor %}
+# notify: postmap access lists
+
+# - name: Template sender access list
+# blockinfile:
+# path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/sender_access_list"
+# create: yes
+# block: |
+# # Edit host variable `postfix_sender_access_list` to change these
values
+# {% for entry in postfix_sender_access_list -%}
+# {{ entry.sender }} {{ entry.action }}
+# {% endfor %}
+# notify: postmap access lists
 # TODO: mensajes
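Review bot: `SMTPD_TLS_AUTH_ONLY: "{{ 'yes' if postfix_allow_insecure_auth else 'no'}}"` is inverted — `smtpd_tls_auth_only = yes` is the setting that forbids plaintext SASL, so the safe value `postfix_allow_insecure_auth: false` ends up permitting credentials over unencrypted port 25 while the permissive value enforces TLS; it should read `SMTPD_TLS_AUTH_ONLY: "{{ 'no' if postfix_allow_insecure_auth else 'yes' }}"`. The TLS level mapping two entries above looks swapped as well: in Postfix `smtp_*` governs the outbound client and `smtpd_*` the inbound server, yet `postfix_incoming_tls_security` feeds `SMTP_TLS_SECURITY_LEVEL` and `postfix_outgoing_tls_security` feeds `SMTPD_TLS_SECURITY_LEVEL`; both mappings are carried over from the removed `postconf` block rather than introduced here, but this env block is now the only place they are expressed. `VIRTUAL_MAILBOX_DOMAINS: "{{ postfix_mail_domains }}"` renders a mapping into an env string (the same variable is used with `.keys()` and `[d]` a few lines up), so it presumably wants `{{ postfix_mail_domains.keys() | list | join(', ') }}`. Finally, the explicit submission policy (`smtpd_tls_security_level: encrypt`, `permit_sasl_authenticated, reject`) is replaced by a bare `SUBMISSION_ENABLE` flag, and the `postscreen_access_list.cidr` / `postscreen_dnsbl_mask.pcre` tables referenced under `{{ postfix_rules_dir }}` have no task creating them once the access-list tasks are commented out, so confirm that the external image enforces TLS plus auth on 587 and ships those tables.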