mauro/ansible-role-postfix-docker
1
0
Fork 0
forked from mauro/ansible-role-postfix
Code Issues Pull Requests Releases Wiki Activity

use external container

Browse Source
This commit is contained in:
Mauro Torrez 2019-09-30 03:00:50 -03:00
parent 3ccf612b3f
commit 5281cec4c9
2 changed files with 98 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
files/Dockerfile
View File

@ -1,22 +0,0 @@
FROM debian:buster-slim
LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
ARG DEBIAN_FRONTEND=noninteractive
ENV LC_ALL C
RUN echo "_dev_null: /dev/null" > /etc/aliases \
&& apt-get update && apt-get install -y --no-install-recommends \
postfix \
postfix-pcre \
postfix-ldap \
postfix-sqlite \
libsasl2-modules \
ssl-cert \
&& rm -rf /var/lib/apt/lists/* \
&& cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf \
&& mkdir -p /ssl && chmod 700 /ssl \
&& cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
&& cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem
VOLUME /etc/postfix /ssl
EXPOSE 25/tcp 587/tcp
CMD postfix start-fg

281
tasks/main.yml
View File

@ -1,25 +1,4 @@
--- ---
- name: Directorio de build postfix
file:
path: /root/.postfix-docker-image
state: directory
tags: skip_me
- name: Copiar archivos de build
copy:
src: "{{ item }}"
dest: /root/.postfix-docker-image
loop:
- Dockerfile
tags: skip_me
- name: Crear imagen {{ postfix_image }}
docker_image:
state: present
name: "{{ postfix_image }}"
path: /root/.postfix-docker-image
tags: skip_me
- name: Activar container postfix - name: Activar container postfix
docker_container: docker_container:
name: "{{ postfix_container }}" name: "{{ postfix_container }}"
@ -33,97 +12,18 @@
- name: "{{ docker_network_name }}" - name: "{{ docker_network_name }}"
ports: "{{ postfix_publish_ports }}" ports: "{{ postfix_publish_ports }}"
env: env:
register: container MYDESTINATION: >-
- name: Leer info de volumen {{ postfix_volume }}
docker_volume_info:
name: "{{ postfix_volume }}"
register: res
- name: Leer info de volumen {{ postfix_volume_ssl }}
docker_volume_info:
name: "{{ postfix_volume_ssl }}"
register: ssl
- name: Exportar informacion de volumen
set_fact:
postfix_container: "{{ lookup('vars','postfix_container') }}"
postfix_volume: "{{ lookup('vars','postfix_volume') }}"
postfix_mountpoint: "{{ res.volume.Mountpoint }}"
postfix_volume_ssl: "{{ lookup('vars','postfix_volume_ssl') }}"
postfix_mountpoint_ssl: "{{ ssl.volume.Mountpoint }}"
- name: Configurar lookup tables
include_tasks: lookup_tables.yml
loop: "{{ postfix_mail_domains.keys()|list }}"
loop_control:
loop_var: domain
- name: Directorio de reglas para access lists
file:
name: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}"
state: directory
- name: Template client access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/client_access_list"
create: yes
block: |
# Edit host variable `postfix_client_access_list` to change these values
{% for entry in postfix_client_access_list -%}
{{ entry.regex }} {{ entry.action }}
{% endfor %}
notify: postmap access lists
- name: Template helo access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/helo_access_list"
create: yes
block: |
# Edit host variable `postfix_helo_access_list` to change these values
{% for entry in postfix_helo_access_list -%}
{{ entry.host }} {{ entry.action }}
{% endfor %}
notify: postmap access lists
- name: Template recipient access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/recipient_access_list"
create: yes
block: |
# Edit host variable `postfix_recipient_access_list` to change these values
{% for entry in postfix_recipient_access_list -%}
{{ entry.rcpt }} {{ entry.action }}
{% endfor %}
notify: postmap access lists
- name: Template sender access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/sender_access_list"
create: yes
block: |
# Edit host variable `postfix_sender_access_list` to change these values
{% for entry in postfix_sender_access_list -%}
{{ entry.sender }} {{ entry.action }}
{% endfor %}
notify: postmap access lists
- name: Configurar main.cf
postconf:
parameter:
maillog_file: /dev/stdout
mydestination: >-
{{ postfix_unix_domains | {{ postfix_unix_domains |
union( [ ansible_fqdn, 'localhost.localdomain', 'localhost'] ) | union( [ ansible_fqdn, 'localhost.localdomain', 'localhost'] ) |
difference( postfix_mail_domains ) }} difference( postfix_mail_domains ) }}
myhostname: MYHOSTNAME:
"{{ postfix_server_name }}" "{{ postfix_server_name }}"
mydomain: MYDOMAIN:
"{{ postfix_server_domain }}" "{{ postfix_server_domain }}"
mynetworks: >- MYNETWORKS: >-
{{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] | {{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] |
union( postfix_local_networks ) }} union( postfix_local_networks ) }}
virtual_alias_maps: >- VIRTUAL_ALIAS_MAPS: >-
{% for d in postfix_mail_domains.keys()|list %} {% for d in postfix_mail_domains.keys()|list %}
{% set p = postfix_mail_domains[d].alias_lookup.provider|default(postfix_lookup_provider) %} {% set p = postfix_mail_domains[d].alias_lookup.provider|default(postfix_lookup_provider) %}
{% if p == "ldap" %} {% if p == "ldap" %}
@ -137,7 +37,7 @@
hash:/etc/postfix/{{ d }}_aliases hash:/etc/postfix/{{ d }}_aliases
{% endif %}, hash:/etc/postfix/{{ d }}_noreply {% endif %}, hash:/etc/postfix/{{ d }}_noreply
{{ '' if loop.last else ',' }}{% endfor %} {{ '' if loop.last else ',' }}{% endfor %}
virtual_mailbox_maps: >- VIRTUAL_MAILBOX_MAPS: >-
{% for d in postfix_mail_domains.keys()|list %} {% for d in postfix_mail_domains.keys()|list %}
{% set p = postfix_mail_domains[d].user_lookup.provider|default(postfix_lookup_provider) %} {% set p = postfix_mail_domains[d].user_lookup.provider|default(postfix_lookup_provider) %}
{% if p == "ldap" %} {% if p == "ldap" %}
@ -147,100 +47,115 @@
{% elif p == "file" %} {% elif p == "file" %}
hash:/etc/postfix/{{ d }}_users hash:/etc/postfix/{{ d }}_users
{% endif %}{{ '' if loop.last else ',' }}{% endfor %}, {% endif %}{{ '' if loop.last else ',' }}{% endfor %},
virtual_transport: "lmtp:{{ dovecot_container }}:24" VIRTUAL_TRANSPORT: "lmtp:{{ dovecot_container }}:24"
virtual_mailbox_domains: "{{ postfix_mail_domains }}" VIRTUAL_MAILBOX_DOMAINS: "{{ postfix_mail_domains }}"
smtpd_sasl_path: "inet:{{ dovecot_container }}:12345" SMTPD_SASL_PATH: "inet:{{ dovecot_container }}:12345"
smtpd_sasl_type: dovecot SMTPD_SASL_TYPE: dovecot
smtpd_sasl_auth_enable: "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}" SMTPD_SASL_AUTH_ENABLE: "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
smtpd_tls_cert_file: /ssl/cert.pem SMTPD_TLS_CERT_FILE: /ssl/cert.pem
smtpd_tls_key_file: /ssl/key.pem SMTPD_TLS_KEY_FILE: /ssl/key.pem
smtp_tls_security_level: SMTP_TLS_SECURITY_LEVEL:
"{{postfix_incoming_tls_security}}" "{{postfix_incoming_tls_security}}"
smtpd_tls_security_level: SMTPD_TLS_SECURITY_LEVEL:
"{{postfix_outgoing_tls_security}}" "{{postfix_outgoing_tls_security}}"
smtpd_tls_auth_only: SMTPD_TLS_AUTH_ONLY:
"{{ 'yes' if postfix_allow_insecure_auth else 'no'}}" "{{ 'yes' if postfix_allow_insecure_auth else 'no'}}"
smtpd_tls_session_cache_database: SMTPD_TLS_SESSION_CACHE_DATABASE:
"{{ 'btree:${data_directory}/smtpd_scache' if postfix_tls_session_cache else '' }}" "{{ 'btree:${data_directory}/smtpd_scache' if postfix_tls_session_cache else '' }}"
smtpd_client_restrictions: SMTPD_CLIENT_RESTRICTIONS:
"{{ postfix_client_restrictions }}" "{{ postfix_client_restrictions }}"
smtpd_data_restrictions: SMTPD_DATA_RESTRICTIONS:
"{{ postfix_data_restrictions }}" "{{ postfix_data_restrictions }}"
smtpd_helo_restrictions: SMTPD_HELO_RESTRICTIONS:
"{{ postfix_helo_restrictions }}" "{{ postfix_helo_restrictions }}"
smtpd_relay_restrictions: SMTPD_RELAY_RESTRICTIONS:
"{{ postfix_relay_restrictions }}" "{{ postfix_relay_restrictions }}"
smtpd_recipient_restrictions: SMTPD_RECIPIENT_RESTRICTIONS:
"{{ postfix_recipient_restrictions }}" "{{ postfix_recipient_restrictions }}"
message_size_limit: MESSAGE_SIZE_LIMIT:
"{{ postfix_message_size_limit }}" "{{ postfix_message_size_limit }}"
smtpd_helo_required: SMTPD_HELO_REQUIRED:
"{{ 'yes' if postfix_helo_required else 'no' }}" "{{ 'yes' if postfix_helo_required else 'no' }}"
biff: BIFF:
"{{ 'yes' if postfix_biff else 'no' }}" "{{ 'yes' if postfix_biff else 'no' }}"
notify: reload postfix SUBMISSION_ENABLE:
"{{ 'yes' if postfix_submission_enable else 'no' }}"
POSTSCREEN_ENABLE:
"{{ 'yes' if postfix_postscreen_enable else 'no' }}"
POSTSCREEN_ACCESS_LIST:
"cidr:/etc/postfix/{{ postfix_rules_dir }}/postscreen_access_list.cidr, permit_mynetworks"
POSTSCREEN_DNSBL_SITES: "\
{% for entry in postfix_postscreen_dnsbl_sites -%}\
{% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
{{ entry.site }}{{ '*' if entry.score is defined else '' }}\
{{ entry.score | default('') }}{% endif %}\
{{ '' if loop.last else ', ' }}{% endfor %}"
POSTSCREEN_DNSBL_REPLY_MAP:
"pcre:/etc/postfix/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
POSTSCREEN_BLACKLIST_ACTION:
"{{ postfix_postscreen_blacklist_action }}"
POSTSCREEN_DNSBL_ACTION:
"{{ postfix_postscreen_dnsbl_action }}"
POSTSCREEN_DNSBL_THRESHOLD:
"{{ postfix_postscreen_dnsbl_threshold }}"
POSTSCREEN_DNSBL_WHITELIST_THRESHOLD:
"{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
POSTSCREEN_GREET_ACTION:
"{{ postfix_postscreen_greet_action }}"
- name: Disable chroot for services register: container
postconf:
service: "{{ item.0 }}"
type: "{{ item.1 }}"
chroot: "n"
notify: reload postfix
loop:
- [smtp, inet]
- [pickup, unix]
- [cleanup, unix]
- [qmgr, unix]
- [tlsmgr, unix]
- [rewrite, unix]
- [bounce, unix]
- [defer, unix]
- [trace, unix]
- [verify, unix]
- [flush, unix]
- [smtp, unix]
- [relay, unix]
- [showq, unix]
- [error, unix]
- [retry, unix]
- [discard, unix]
- [lmtp, unix]
- [anvil, unix]
- [scache, unix]
- name: Enable submission service # FIXME: resolver access lists y tables en Docker
postconf:
service: submission
type: inet
private: 'n'
chroot: 'n'
command: smtpd
parameter:
milter_macro_daemon_name: ORIGINATING
smtpd_client_restrictions:
- permit_sasl_authenticated
- reject
smtpd_sasl_auth_enable: 'yes'
smtpd_tls_security_level: encrypt
syslog_name: postfix/submission
notify: reload postfix
when: postfix_submission_enable == True
- name: Disable submission service # - name: Configurar lookup tables
postconf: # include_tasks: lookup_tables.yml
service: submission # loop: "{{ postfix_mail_domains.keys()|list }}"
type: inet # loop_control:
state: absent # loop_var: domain
notify: reload postfix
when: postfix_submission_enable == False
# - name: "Enable postscreen" # - name: Template client access list
# include_tasks: postscreen.yml # blockinfile:
# when: "postfix_postscreen_enable == True" # path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/client_access_list"
# create: yes
# block: |
# # Edit host variable `postfix_client_access_list` to change these values
# {% for entry in postfix_client_access_list -%}
# {{ entry.regex }} {{ entry.action }}
# {% endfor %}
# notify: postmap access lists
# - name: "Disable postscreen" # - name: Template helo access list
# include_tasks: postscreen_disable.yml # blockinfile:
# when: "postfix_postscreen_enable == False" # path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/helo_access_list"
# create: yes
# block: |
# # Edit host variable `postfix_helo_access_list` to change these values
# {% for entry in postfix_helo_access_list -%}
# {{ entry.host }} {{ entry.action }}
# {% endfor %}
# notify: postmap access lists
# - name: Template recipient access list
# blockinfile:
# path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/recipient_access_list"
# create: yes
# block: |
# # Edit host variable `postfix_recipient_access_list` to change these values
# {% for entry in postfix_recipient_access_list -%}
# {{ entry.rcpt }} {{ entry.action }}
# {% endfor %}
# notify: postmap access lists
# - name: Template sender access list
# blockinfile:
# path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/sender_access_list"
# create: yes
# block: |
# # Edit host variable `postfix_sender_access_list` to change these values
# {% for entry in postfix_sender_access_list -%}
# {{ entry.sender }} {{ entry.action }}
# {% endfor %}
# notify: postmap access lists
# TODO: mensajes # TODO: mensajes