From cc7260fea36c51defb89709d5ad7a5b6702d623b Mon Sep 17 00:00:00 2001
From: Mauro Torrez
Date: Sat, 7 Sep 2019 19:27:12 -0300
Subject: [PATCH] WIP: conversion a docker
---
defaults/main.yml | 21 ++++-
files/11-postfix.conf | 6 ++
files/Dockerfile | 16 ++++
handlers/main.yml | 36 +++++----
tasks/lookup_tables.yml | 16 ++--
tasks/main.yml | 171 ++++++++++++++--------------------
6 files changed, 131 insertions(+), 135 deletions(-)
create mode 100644 files/Dockerfile
diff --git a/defaults/main.yml b/defaults/main.yml
index abda1f5..0be12fe 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,23 @@
 ---
-# directorio con reglas
-postfix_rules_dir: /etc/postfix/rules
+# nombre imagen
+postfix_image: my_postfix
+
+# nombre container
+postfix_container: postfix
+
+# volumen con la configuracion de /etc/postfix
+postfix_volume: postfix
+
+# nombre de la red docker, seteado por rol docker
+docker_network_name: dockernet
+
+# puertos públicos
+postfix_publish_ports:
+ - 25
+ - 587
+
+# directorio con reglas, relativo al volumen
+postfix_rules_dir: rules
 # accepted email domains
 postfix_mail_domains: "{{ mail_domains | default(['example.com']) }}"
diff --git a/files/11-postfix.conf b/files/11-postfix.conf
index 40fd6b7..522f162 100644
--- a/files/11-postfix.conf
+++ b/files/11-postfix.conf
@@ -5,6 +5,12 @@ service lmtp {
 group = postfix
 user = postfix
 }
+
+service lmtp {
+ inet_listener lmtp {
+ address = 192.168.0.24 127.0.0.1 ::1
+ port = 24
+ }
 }
 # Authentication service for Postfix
diff --git a/files/Dockerfile b/files/Dockerfile
new file mode 100644
index 0000000..5dfa8d2
--- /dev/null
+++ b/files/Dockerfile
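Review bot: The new `postfix_publish_ports` entries are bare integers (`- 25`, `- 587`) and are passed unchanged to `ports:` of the `docker_container` task in tasks/main.yml; in that module's docker-CLI port syntax a lone number publishes the container port on a random host port, so the host would not listen on 25 or 587. Write them as quoted host:container pairs, `- "25:25"` and `- "587:587"` (quoted, because a colon-separated value below 60 is a sexagesimal integer to YAML 1.1 loaders). If the host has more than one interface, put the bind address in the same string (`"<host-ip>:25:25"`) instead of publishing on all of them.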
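Review bot: The added `service lmtp {` line opens a second stanza before the closing `}` of the existing one (the context line right after the added `  }`), so the file now nests a `service` block inside another and ends with one more `{` than `}`; dovecot will refuse to load it. Drop the added `service lmtp {` so the `inet_listener lmtp { … }` block sits inside the existing stanza beside the unix listener, or move the whole stanza below the closing brace. The listener address `192.168.0.24` is also hard-coded in a file under `files/` rather than a template; LMTP accepts mail for final delivery without authentication, so the address should come from a role variable and be limited to the network the postfix container uses. Note that the task that copied this file into dovecot's conf.d was deleted in tasks/main.yml, so nothing in this commit installs the edited file.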
@@ -0,0 +1,16 @@
+FROM debian:buster-slim
+LABEL maintainer "Mauro Torrez "
+ARG DEBIAN_FRONTEND=noninteractive
+ENV LC_ALL C
+RUN echo "_dev_null: /dev/null" > /etc/aliases \
+ && apt-get update && apt-get install -y --no-install-recommends \
+ postfix \
+ postfix-pcre \
+ postfix-ldap \
+ postfix-sqlite \
+ libsasl2-modules \
+ ssl-cert \
+ && rm -rf /var/lib/apt/lists/* \
+ && cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf
+VOLUME /etc/postfix
+CMD postfix start-fg
diff --git a/handlers/main.yml b/handlers/main.yml
index aad3fe2..caea071 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
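Review bot: `CMD postfix start-fg` is the shell form, so `/bin/sh -c` is PID 1 and, unless that shell execs its single command, the SIGTERM from `docker stop` (also what the `restart postfix` handler triggers) never reaches postfix, which is then killed after the grace period with deliveries in flight; use the exec form `CMD ["postfix", "start-fg"]`. `FROM debian:buster-slim` is unpinned, so two builds of the same Dockerfile can differ; pin a digest (`debian:buster-slim@sha256:<digest>`) and bump it deliberately. Installing `ssl-cert` at build time generates the snakeoil key pair inside the image layer, so every container started from the image shares that private key — if `smtpd_tls_cert_file` (its value is outside this diff) ends up pointing at those files, the key material should be mounted at run time instead. `ENV LC_ALL C` and `LABEL maintainer "…"` use the legacy space-separated form; `ENV LC_ALL=C` and `LABEL maintainer="…"` are the documented spellings.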
@@ -1,32 +1,36 @@
 ---
 - name: restart postfix
- service: name=postfix state=restarted
+ docker_container:
+ name: "{{ postfix_container}}"
+ state: started
+ restart: yes
 - name: reload postfix
- service: name=postfix state=restarted
+ command: docker exec {{ postfix_container }} postfix reload
 - name: newaliases
- command: newaliases
+ command: docker exec {{ postfix_container }} newaliases
 - name: postmap hash aliases
- command: "postmap hash:{{ dc[item]['alias_lookup']['file'] }}"
+ command: "docker exec {{ postfix_container }} postmap hash:{{ postfix_mail_domains[item].alias_lookup.file }}"
 when:
- - "dc[item]['alias_lookup']['provider'] == 'file'"
- with_items: "{{ postfix_mail_domains|belist }}"
+ - postfix_mail_domains[item].alias_lookup.provider|default(postfix_lookup_provider) == 'file'
+ loop: "{{ postfix_mail_domains.keys()|list }}"
 - name: postmap hash users
- command: "postmap hash:{{ dc[item]['user_lookup']['file'] }}"
+ command: "docker exec {{ postfix_container }} postmap hash:{{ postfix_mail_domains[item].user_lookup.file }}"
 when:
- - "dc[item]['user_lookup']['provider'] == 'file'"
- with_items: "{{ postfix_mail_domains|belist }}"
+ - postfix_mail_domains[item].user_lookup.provider|default(postfix_lookup_provider) == 'file'
+ loop: "{{ postfix_mail_domains.keys()|list }}"
 - name: postmap no reply aliases
- command: "postmap hash:{{ dc[item]['noreply_file'] }}"
- with_items: "{{ postfix_mail_domains|belist }}"
+ command: "docker exec {{ postfix_container }} postmap hash:{{ postfix_mail_domains[item].noreply_file }}"
+ loop: "{{ postfix_mail_domains.keys()|list }}"
 - name: postmap access lists
- command: postmap {{item}}
- with_items:
- - "{{ postfix_rules_dir }}/helo_access_list"
- - "{{ postfix_rules_dir }}/recipient_access_list"
- - "{{ postfix_rules_dir }}/sender_access_list"
+ command: docker exec {{ postfix_container }} postmap {{ item }}
+ loop:
+ - "/etc/postfix/{{ postfix_rules_dir }}/client_access_list"
+ - "/etc/postfix/{{ postfix_rules_dir }}/helo_access_list"
+ - "/etc/postfix/{{ postfix_rules_dir }}/recipient_access_list"
+ - "/etc/postfix/{{ postfix_rules_dir }}/sender_access_list"
diff --git a/tasks/lookup_tables.yml b/tasks/lookup_tables.yml
index 7dadd1d..5c6834a 100644
--- a/tasks/lookup_tables.yml
+++ b/tasks/lookup_tables.yml
@@ -2,7 +2,7 @@
 - name: Template LDAP lookup tables
 template:
 src: ldap_table.cf.j2
- dest: /etc/postfix/{{ domain }}_ldap_{{ item }}.cf"
+ dest: "{{ postfix_mountpoint }}/{{ domain }}_ldap_{{ item }}.cf"
 when:
 - postfix_mail_domains[domain][item+'_lookup'].provider|default(postfix_lookup_provider) == 'ldap'
 loop:
@@ -14,7 +14,7 @@
 - name: Template SQLite lookup tables
 template:
 src: sqlite_table.cf.j2
- dest: /etc/postfix/{{ domain }}_sqlite_{{ item }}.cf
+ dest: "{{ postfix_mountpoint }}/{{ domain }}_sqlite_{{ item }}.cf"
 when:
 - postfix_mail_domains[domain][item+'_lookup'].provider|default(postfix_lookup_provider) == 'sqlite'
 loop:
@@ -29,7 +29,9 @@
 {% if item is string %}{{ item }} /nomailbox/{{ item }}
 {% else %}{{ item.user }} {{ item.mailbox }}
 {% endif %}{% endfor %}
- dest: "{{ postfix_mail_domains[domain].user_lookup.file|default('/et
c/postfix/'+domain+'_users') }}"
+ dest: "{{ postfix_mail_domains[domain].user_lookup.file |
+ default('/etc/postfix/'+domain+'_users') |
+ replace_regexp('^/etc/postfix',postfix_mountpoint) }}"
 marker: "# {mark} ANSIBLE-MANAGED USERS"
 create: yes
 when:
@@ -42,7 +44,9 @@
 {% for key in postfix_mail_domains[domain]['aliases']|default([]) -%}
 {{ key.alias }} {{ key.dest }}
 {% endfor %}
- dest: "{{ postfix_mail_domains[domain].user_lookup.file|default('/etc/postfix/'+domain+'_aliases') }}"
+ dest: "{{ postfix_mail_domains[domain].user_lookup.file |
+ default('/etc/postfix/'+domain+'_aliases') |
+ replace_regexp('^/etc/postfix',postfix_mountpoint) }}"
 marker: "# {mark} ANSIBLE-MANAGED ALIASES"
 create: yes
 when:
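Review bot: In `postmap hash aliases` the command dereferences `postfix_mail_domains[item].alias_lookup.file` with no default (the same goes for `user_lookup.file` and `noreply_file` in the next two handlers), while the tasks in tasks/lookup_tables.yml fall back to `'/etc/postfix/'+domain+'_aliases'` and friends; a domain that only sets a provider gets its table written and then the handler fails on the undefined attribute. Use the same fallback, e.g. `postmap hash:{{ postfix_mail_domains[item].alias_lookup.file | default('/etc/postfix/' + item + '_aliases') }}`. Separately, `postfix_mail_domains.keys()|list` requires a mapping keyed by domain, but defaults/main.yml still defines `postfix_mail_domains` as a list (`['example.com']`); one of the two has to change before these handlers can run on a default install.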
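Review bot: The LDAP table is now written to the volume's host-side mountpoint with no `mode:` or `owner:` on the template task, so it gets the connection user's umask; the removed defaults in tasks/main.yml show these tables carry `bind_dn`/`bind_pw`, so the rendered file should not be world-readable. Add `mode: "0640"` here and on the SQLite task in the next hunk, and decide which uid/gid inside the container must read it (Postfix expects LDAP tables holding a password to be readable only by its own user); the container's ids cannot be determined from this diff.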
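Review bot: `replace_regexp('^/etc/postfix',postfix_mountpoint)` is not a core Ansible filter — the builtin is `regex_replace` — so unless the role ships a filter plugin by that name, this task and the aliases and noreply hunks below fail at render time with an unknown-filter error; the removed block in tasks/main.yml already used `regex_replace`, so this looks like a slip: `replace_regexp('^/etc/postfix', postfix_mountpoint)` → `regex_replace('^/etc/postfix', postfix_mountpoint)`. Note also that the rewrite only fires when the user-supplied `.file` starts with `/etc/postfix`; any other absolute value is written to that path on the host, outside the volume, where the container never sees it, so either document that constraint or reject other prefixes.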
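Review bot: The aliases `dest` still starts from `postfix_mail_domains[domain].user_lookup.file`, falling back to `…_aliases` only when that key is unset, so a domain that sets `user_lookup.file` explicitly has its alias block written into the users file, while the `postmap hash aliases` handler in handlers/main.yml postmaps `alias_lookup.file` and never sees that content. The first line should read `dest: "{{ postfix_mail_domains[domain].alias_lookup.file |`; the rest of the expression can stay.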
@@ -55,5 +59,7 @@
 {% for address in postfix_mail_domains[domain].noreply_aliases|default(['noreply']) %}
 {{ address }}@domain _dev_null
 {% endfor %}
- dest: "{{ postfix_mail_domains[domain].noreply_file|default('/etc/postfix/'+domain+'_noreply') }}"
+ dest: "{{ postfix_mail_domains[domain].noreply_file |
+ default('/etc/postfix/'+domain+'_noreply') |
+ replace_regexp('^/etc/postfix',postfix_mountpoint) }}"
 notify: postmap no reply aliases
diff --git a/tasks/main.yml b/tasks/main.yml
index b9ec129..72341b0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
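Review bot: The block this `dest` receives writes `{{ address }}@domain _dev_null`, where `@domain` is literal text rather than `@{{ domain }}`, so every domain's noreply table gets the same `noreply@domain` key and the real `noreply@<domain>` address is never mapped; the line is context here, but it is what the new `dest` path ends up holding. Change it to `{{ address }}@{{ domain }} _dev_null`. The `replace_regexp` filter on the new lines has the same problem noted on the users hunk above (the core filter is `regex_replace`).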
@@ -1,97 +1,49 @@
 ---
-# - name: "Load default config for domains"
-# set_fact:
-# dc: "{{ dc|default({})|combine( { item: {
-# 'user_lookup': {
-# 'provider': 'file',
-# 'file': vmail_home +'/'+item+'_users',
-# 'domain': item,
-# 'server_host': postfix_ldap_server,
-# 'server_port': postfix_ldap_port,
-# 'version': postfix_ldap_version,
-# 'scope': postfix_ldap_scope,
-# 'bind': postfix_ldap_bind,
-# 'bind_dn': postfix_ldap_bind_dn,
-# 'bind_pw': postfix_ldap_bind_pw,
-# 'start_tls': postfix_ldap_start_tls,
-# 'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
-# 'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
-# 'search_base':
-# 'ou=People,'+item.split('.')|map('regex_replace','^','dc=')|join(','),
-# 'query_filter': '(&(objectClass=inetOrgPerson)(uid=%u))',
-# 'result_attribute': 'uid',
-# 'result_format': vmail_home+'/mail/'+item+'/%s/',
-# 'dbpath': vmail_home+'/'+item+'_users.sqlite',
-# 'query': postfix_sqlite_user_query
-# },
-# 'users': [],
-# 'alias_lookup': {
-# 'provider': 'file',
-# 'file': vmail_home +'/'+item+'_aliases',
-# 'domain': item,
-# 'server_host': postfix_ldap_server,
-# 'server_port': postfix_ldap_port,
-# 'version': postfix_ldap_version,
-# 'scope': postfix_ldap_scope,
-# 'bind': postfix_ldap_bind,
-# 'bind_dn': postfix_ldap_bind_dn,
-# 'bind_pw': postfix_ldap_bind_pw,
-# 'start_tls': postfix_ldap_start_tls,
-# 'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
-# 'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
-# 'search_base':
-# 'ou=Alias,'+item.split('.')|map('regex_replace','^','dc=')|join(','),
-# 'query_filter': '(&(objectClass=nisMailAlias)(cn=%u))',
-# 'result_attribute': 'rfc822MailMember',
-# 'result_format': '%s',
-# 'dbpath': vmail_home+'/'+item+'_aliases.sqlite',
-# 'query': postfix_sqlite_alias_query
-# },
-# 'aliases': [],
-# 'use_group_as_alias': postfix_ldap_use_group_alias,
-# 'group_lookup': {
-# 'provider': 'ldap',
-# 'domain': item,
-# 'server_host': postfix_ldap_server,
-# 'server_port': postfix_ldap_port,
-# 'version': postfix_ldap_version,
-# 'scope': postfix_ldap_scope,
-# 'bind': postfix_ldap_bind,
-# 'bind_dn': postfix_ldap_bind_dn,
-# 'bind_pw': postfix_ldap_bind_pw,
-# 'start_tls': postfix_ldap_start_tls,
-# 'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
-# 'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
-# 'search_base':
-# 'ou=Group,'+item.split('.')|map('regex_replace','^','dc=')|join(','),
-# 'query_filter': '(&(objectClass=posixGroup)(cn=%u))',
-# 'result_attribute': 'memberUid',
-# 'result_format': '%s@{{d}}',
-# },
-# 'noreply_aliases': [ 'noreply' ],
-# 'noreply_file': vmail_home +'/'+item+'_noreply',
-# } }, recursive=True) }}"
-# with_items: "{{ postfix_mail_domains }}"
+- name: Directorio de build postfix
+ file:
+ path: /root/.postfix-docker-image
+ state: directory
+ tags: skip_me
-# - name: "Override config for domains"
-# set_fact:
-# dc: '{{ dc | combine(postfix_domain_config, recursive=True) }}'
-
-- name: Instalar Postfix
- apt:
- name:
- - postfix
- - postfix-pcre
- - postfix-ldap
- - postfix-sqlite
- state: present
- notify: restart postfix
-
-- name: Servicio delivery+auth mediante Dovecot
+- name: Copiar archivos de build
 copy:
- src: 11-postfix.conf
- dest: /etc/dovecot/conf.d/11-postfix.conf
- notify: restart dovecot
+ src: "{{ item }}"
+ dest: /root/.postfix-docker-image
+ loop:
+ - Dockerfile
+ tags: skip_me
+
+- name: Crear imagen {{ postfix_image }}
+ docker_image:
+ state: present
+ name: "{{ postfix_image }}"
+ path: /root/.postfix-docker-image
+ tags: skip_me
+
+- name: Activar container postfix
+ docker_container:
+ name: "{{ postfix_container }}"
+ state: started
+ restart_policy: unless-stopped
+ image: "{{ postfix_image }}"
+ volumes:
+ - "{{ postfix_volume }}:/etc/postfix/"
+ networks:
+ - name: "{{ docker_network_name }}"
+ ports: "{{ postfix_publish_ports }}"
+ env:
+ register: container
+
+- name: Leer info de volumen {{ postfix_volume }}
+ docker_volume_info:
+ name: "{{ postfix_volume }}"
+ register: res
+
+- name: Exportar informacion de volumen
+ set_fact:
+ postfix_container: "{{ lookup('vars','postfix_container') }}"
+ postfix_volume: "{{ lookup('vars','postfix_volume') }}"
+ postfix_mountpoint: "{{ res.volume.Mountpoint }}"
 - name: Configurar lookup tables
 include_tasks: lookup_tables.yml
@@ -99,32 +51,25 @@
 loop_control:
 loop_var: domain
-- name: Alias local para usuario no-reply
- blockinfile:
- block: |
- _dev_null: /dev/null
- marker: "# {mark} ANSIBLE-MANAGED ALIASES"
- path: /etc/aliases
- notify: newaliases
-
 - name: Directorio de reglas para access lists
 file:
- name: "{{ postfix_rules_dir }}"
+ name: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}"
 state: directory
 - name: Template client access list
 blockinfile:
- path: "{{ postfix_rules_dir }}/client_access_list"
+ path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/client_access_list"
 create: yes
 block: |
 # Edit host variable `postfix_client_access_list` to change these values
 {% for entry in postfix_client_access_list -%}
 {{ entry.regex }} {{ entry.action }}
 {% endfor %}
+ notify: postmap access lists
 - name: Template helo access list
 blockinfile:
- path: "{{ postfix_rules_dir }}/helo_access_list"
+ path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/helo_access_list"
 create: yes
 block: |
 # Edit host variable `postfix_helo_access_list` to change these values
@@ -135,7 +80,7 @@
 - name: Template recipient access list
 blockinfile:
- path: "{{ postfix_rules_dir }}/recipient_access_list"
+ path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/recipient_access_list"
 create: yes
 block: |
 # Edit host variable `postfix_recipient_access_list` to change these values
@@ -146,7 +91,7 @@
 - name: Template sender access list
 blockinfile:
- path: "{{ postfix_rules_dir }}/sender_access_list"
+ path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/sender_access_list"
 create: yes
 block: |
 # Edit host variable `postfix_sender_access_list` to change these values
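Review bot: In `Activar container postfix` the `env:` key is left without a value, which YAML loads as `null`, and `docker_container` expects a mapping there; remove the key or write `env: {}`. The same task passes `ports: "{{ postfix_publish_ports }}"`, whose defaults are the bare numbers `25`/`587` — in the module's docker-CLI syntax a lone number publishes that container port on a random host port on every interface, so the defaults should be `"25:25"`/`"587:587"` with an explicit host address where the host has several. `Crear imagen` uses `state: present`, which only builds when no image called `{{ postfix_image }}` exists, so later edits to files/Dockerfile are silently ignored on hosts that already have it; pair it with `force_source: yes` (available in the same Ansible release as `docker_volume_info`, which this hunk already relies on) or key the image name on a version. `register: container` is not referenced anywhere in the diff and can go. The `Configurar lookup tables` task at the end continues outside the hunk.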
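Review bot: `postfix_rules_dir` changed meaning from an absolute path (`/etc/postfix/rules`) to one relative to the volume (`rules`), but every use in this hunk, the recipient and sender hunks below, and handlers/main.yml simply concatenates it after `{{ postfix_mountpoint }}/` or `/etc/postfix/`; an inventory still carrying the old absolute value silently ends up with the lists under `<mountpoint>/etc/postfix/rules/` instead of failing, and nothing tells the operator. Guard it ahead of `Directorio de reglas para access lists`, e.g. `- assert: { that: "not postfix_rules_dir.startswith('/')", msg: "postfix_rules_dir is relative to the postfix volume" }`.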
@@ -193,12 +138,14 @@
 {% elif p == "file" %}
 hash:/etc/postfix/{{ d }}_users
 {% endif %}{{ '' if loop.last else ',' }}{% endfor %},
- virtual_transport:
- lmtp:unix:private/dovecot-lmtp
+ # FIXME usar container dovecot
+ # virtual_transport:
+ # lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains:
 "{{ postfix_mail_domains }}"
- smtpd_sasl_path: private/auth
- smtpd_sasl_type: dovecot
+ # FIXME usar container dovecot
+ # smtpd_sasl_path: private/auth
+ # smtpd_sasl_type: dovecot
 smtpd_sasl_auth_enable:
 "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
 smtpd_tls_cert_file:
@@ -231,7 +178,7 @@
 "{{ 'yes' if postfix_biff else 'no' }}"
 notify: reload postfix
-- name: "Enable submission service"
+- name: Enable submission service
 postconf:
 service: submission
 type: inet
@@ -246,15 +193,15 @@
 smtpd_tls_security_level: encrypt
 syslog_name: postfix/submission
 notify: reload postfix
- when: "postfix_submission_enable == True"
+ when: postfix_submission_enable == True
-- name: "Disable submission service"
+- name: Disable submission service
 postconf:
 service: submission
 type: inet
 state: absent
 notify: reload postfix
- when: "postfix_submission_enable == False"
+ when: postfix_submission_enable == False
 - name: "Enable postscreen"
 include_tasks: postscreen.yml
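Review bot: With `virtual_transport` commented out, Postfix falls back to its default `virtual`, so mail for `virtual_mailbox_domains` is handed to the virtual(8) delivery agent, which needs `virtual_mailbox_base`/`virtual_uid_maps` (set nowhere in this diff) and will fail instead of reaching dovecot; given that files/11-postfix.conf now opens an inet LMTP listener on port 24, the intended value is presumably `virtual_transport: lmtp:inet:<dovecot-host>:24` with the host taken from a variable. Likewise, with `smtpd_sasl_type` commented out the default is `cyrus`, yet `smtpd_sasl_auth_enable` is still driven by `postfix_enable_smtpd_auth`, so the submission service configured two hunks below advertises AUTH against a backend nothing configures; either keep `smtpd_sasl_type: dovecot` with `smtpd_sasl_path: inet:<dovecot-host>:<auth-port>`, or force `smtpd_sasl_auth_enable: "no"` until the FIXME is resolved. The `config:` mapping these keys belong to starts and ends outside the hunk.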
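Review bot: `when: postfix_submission_enable == True` (and `== False` in the next task) only matches a real boolean; a value passed as `-e postfix_submission_enable=true` or quoted in inventory is a string, so both tasks are skipped and the submission service keeps whatever state it had, without any error. Write them as `when: postfix_submission_enable | bool` and `when: not (postfix_submission_enable | bool)`.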