mauro/ansible-role-postfix-docker
1
0
Fork 0
forked from mauro/ansible-role-postfix
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: mauro:master
Branches Tags
mauro:master mauro/ansible-role-postfix:master
..
compare: mauro/ansible-role-postfix:master
Branches Tags
mauro/ansible-role-postfix:master mauro:master

2 Commits
master ... master

Author SHA1 Message Date
Mauro Torrez
40b0b49574 noreply aliases 2019-09-08 17:40:53 -03:00
Mauro Torrez
9eed7b65fc elimino noreply_aliases 2019-09-08 17:31:55 -03:00
8 changed files with 280 additions and 241 deletions
Expand all files Collapse all files

11
action_plugins/postconf.py
View File

@@ -43,31 +43,28 @@ class ActionModule(ActionBase):
return '{}'.format(self._task.args.get(key, ''))
if key in ('private', 'unprivileged', 'chroot', 'wakeup', 'process_limit'):
return '{}'.format(self._task.args.get(key, ''))
if key == 'container_name':
return '{}'.format(self._task.args.get(key, 'postfix'))
# no default value for key: return as-is
return self._task.args.get(key)
def runcmd(self, reg_name, cmd, param=None):
fullcmd = 'docker exec '+ self.getarg('container_name') + ' ' + cmd
try:
if param:
self.reg[param][reg_name] = self._execute_module(
module_name='command',
module_args=dict(_raw_params=fullcmd)
module_args=dict(_raw_params=cmd)
)
return
self.reg[reg_name] = self._execute_module(
module_name='command',
module_args=dict(_raw_params=fullcmd)
module_args=dict(_raw_params=cmd)
)
except Exception as e:
raise PfWorkflowError(
"{}: {}; failed command line: {}".format(
type(e).__name__,
to_text(e),
fullcmd
cmd
)
)
@@ -209,7 +206,7 @@ class ActionModule(ActionBase):
pass
else:
# remove whole service definition
cmdline = 'postconf -M# {}/{}'.format(self.service,self.stype)
cmdline = 'postconf -M# {}/{}'.format(service,stype)
self.runcmd('cmd_remove_service',cmdline)
# non-absent states: set all fields -----------------------------------

45
defaults/main.yml
View File

@@ -1,29 +1,6 @@
---
# nombre imagen
postfix_image: eumau/postfix
# nombre container
postfix_container: postfix
# volumen con la configuracion de /etc/postfix
postfix_volume: postfix
# volumen con la configuracion ssl
postfix_volume_ssl: postfix_ssl
# nombre de la red docker, seteado por rol docker
docker_network_name: dockernet
# nombre del container dovecot, seteado por rol dovecot
dovecot_container: dovecot
# puertos públicos
postfix_publish_ports:
- "25:25"
- "587:587"
# directorio con reglas, relativo al volumen
postfix_rules_dir: rules
# directorio con reglas
postfix_rules_dir: /etc/postfix/rules
# accepted email domains
postfix_mail_domains: "{{ mail_domains | default(['example.com']) }}"
@@ -56,8 +33,8 @@ postfix_mail_home: "{{ vmail_home | default('/srv/mail') }}"
# LDAP ------------------------------------------------------------------------
# Default LDAP connection parameters
postfix_ldap_server: "{{ ldap_server | default(ldap_container|default('ldap')) }}"
postfix_ldap_port: "{{ ldap_port | default(ldap_port|default('389')) }}"
postfix_ldap_server: "{{ ldap_server | default('localhost') }}"
postfix_ldap_port: "{{ ldap_port | default(389) }}"
postfix_ldap_version: "{{ ldap_version | default(3) }}"
postfix_ldap_scope: "{{ ldap_search_scope | default('sub') }}"
postfix_ldap_bind: "{{ ldap_bind | default(False) }}"
@@ -80,6 +57,10 @@ postfix_submission_enable: yes
# TLS -------------------------------------------------------------------------
# TLS certificate/private key to use
postfix_tls_certificate: "{{ tls_certificate | default('') }}"
postfix_tls_private_key: "{{ tls_certificate_key | default('') }}"
# level of encryption to use for sending mail to the Internet
# only change this if you know what the implications are, see
# http://www.postfix.org/postconf.5.html#smtp_tls_security_level
@@ -142,7 +123,7 @@ postfix_client_access_list: []
# Restricciones aplicadas a los clientes SMTP
postfix_client_restrictions:
- check_client_access pcre:/etc/postfix/{{ postfix_rules_dir }}/client_access_list
- check_client_access pcre:{{ postfix_rules_dir }}/client_access_list
- permit_sasl_authenticated
- permit_mynetworks
- reject_unknown_client_hostname
@@ -164,7 +145,7 @@ postfix_helo_access_list: []
# Requerir HELO/EHLO y aplicarle restricciones
postfix_helo_restrictions:
- check_helo_access hash:/etc/postfix/{{ postfix_rules_dir }}/helo_access_list
- check_helo_access hash:{{ postfix_rules_dir }}/helo_access_list
- permit_mynetworks
- reject_non_fqdn_helo_hostname
- reject_invalid_helo_hostname
@@ -185,7 +166,7 @@ postfix_recipient_access_list: []
# Restricciones al destinatario especificado en RCPT TO
postfix_recipient_restrictions:
- check_recipient_access hash:/etc/postfix/{{ postfix_rules_dir }}/recipient_access_list
- check_recipient_access hash:{{ postfix_rules_dir }}/recipient_access_list
- permit_mynetworks
- permit_sasl_authenticated
- reject_unknown_recipient_domain
@@ -200,7 +181,7 @@ postfix_sender_access_list: []
# Restricciones aplicadas al remitente especificado en MAIL FROM
postfix_sender_restrictions:
- check_sender_access hash:/etc/postfix/{{ postfix_rules_dir }}/sender_access_list
- check_sender_access hash:{{ postfix_rules_dir }}/sender_access_list
- permit_sasl_authenticated
- permit_mynetworks
- reject_unknown_sender_domain
@@ -258,7 +239,7 @@ postfix_postscreen_bare_newline_action: ignore
postfix_postscreen_dnsbl_action: enforce
# mapeo que determina cuáles dnsbls informar al cliente como razón del rechazo a la conexion
postfix_postscreen_dnsbl_reply_map: "pcre:$config_directory/{{ postfix_rules_dir }}/postscreen_dnsbl_reply_map.pcre"
postfix_postscreen_dnsbl_reply_map: "pcre:$config_directory/reglas/postscreen_dnsbl_reply_map.pcre"
# umbral a superar para considerar al host remoto como spammer
postfix_postscreen_dnsbl_threshold: 3

17
files/11-postfix.conf Normal file
View File

@@ -0,0 +1,17 @@
# LMTP delivery service for Postfix
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
group = postfix
user = postfix
}
}
# Authentication service for Postfix
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}

45
handlers/main.yml
View File

@@ -1,45 +1,32 @@
---
- name: restart postfix
docker_container:
name: "{{ postfix_container}}"
state: started
restart: yes
service: name=postfix state=restarted
- name: reload postfix
command: docker exec {{ postfix_container }} postfix reload
service: name=postfix state=restarted
- name: newaliases
command: docker exec {{ postfix_container }} newaliases
command: newaliases
- name: postmap hash aliases
command: >-
docker exec {{ postfix_container }} postmap
hash:{{ postfix_mail_domains[item].alias_lookup.file | default(
'/etc/postfix/'+item+'_aliases') }}
command: "postmap hash:{{ dc[item]['alias_lookup']['file'] }}"
when:
- postfix_mail_domains[item].alias_lookup.provider|default(postfix_lookup_provider) == 'file'
loop: "{{ postfix_mail_domains.keys()|list }}"
- "dc[item]['alias_lookup']['provider'] == 'file'"
with_items: "{{ postfix_mail_domains|belist }}"
- name: postmap hash users
command: >-
docker exec {{ postfix_container }} postmap
hash:{{ postfix_mail_domains[item]..user_lookup.file | default(
'/etc/postfix/'+item+'_users') }}
command: "postmap hash:{{ dc[item]['user_lookup']['file'] }}"
when:
- postfix_mail_domains[item].user_lookup.provider|default(postfix_lookup_provider) == 'file'
loop: "{{ postfix_mail_domains.keys()|list }}"
- "dc[item]['user_lookup']['provider'] == 'file'"
with_items: "{{ postfix_mail_domains|belist }}"
- name: postmap no reply aliases
command: >-
docker exec {{ postfix_container }} postmap
hash:{{ postfix_mail_domains[item].noreply_file | default(
'/etc/postfix/'+item+'_noreply') }}
loop: "{{ postfix_mail_domains.keys()|list }}"
command: "postmap hash:{{ dc[item]['noreply_file'] }}"
with_items: "{{ postfix_mail_domains|belist }}"
- name: postmap access lists
command: docker exec {{ postfix_container }} postmap {{ item }}
loop:
- "/etc/postfix/{{ postfix_rules_dir }}/client_access_list"
- "/etc/postfix/{{ postfix_rules_dir }}/helo_access_list"
- "/etc/postfix/{{ postfix_rules_dir }}/recipient_access_list"
- "/etc/postfix/{{ postfix_rules_dir }}/sender_access_list"
command: postmap {{item}}
with_items:
- "{{ postfix_rules_dir }}/helo_access_list"
- "{{ postfix_rules_dir }}/recipient_access_list"
- "{{ postfix_rules_dir }}/sender_access_list"

26
tasks/lookup_tables.yml
View File

@@ -2,13 +2,9 @@
- name: Template LDAP lookup tables
template:
src: ldap_table.cf.j2
dest: "{{ postfix_mountpoint }}/{{ domain }}_ldap_{{ item }}.cf"
when: >-
postfix_mail_domains[domain][item+'_lookup'].provider
| default(postfix_lookup_provider) == 'ldap' or
( item == 'group' and postfix_ldap_use_group_alias and
postfix_mail_domains[domain]['alias_lookup'].provider
| default(postfix_lookup_provider) == 'ldap' )
dest: /etc/postfix/{{ domain }}_ldap_{{ item }}.cf"
when:
- postfix_mail_domains[domain][item+'_lookup'].provider|default(postfix_lookup_provider) == 'ldap'
loop:
- user
- alias
@@ -18,7 +14,7 @@
- name: Template SQLite lookup tables
template:
src: sqlite_table.cf.j2
dest: "{{ postfix_mountpoint }}/{{ domain }}_sqlite_{{ item }}.cf"
dest: /etc/postfix/{{ domain }}_sqlite_{{ item }}.cf
when:
- postfix_mail_domains[domain][item+'_lookup'].provider|default(postfix_lookup_provider) == 'sqlite'
loop:
@@ -33,9 +29,7 @@
{% if item is string %}{{ item }} /nomailbox/{{ item }}
{% else %}{{ item.user }} {{ item.mailbox }}
{% endif %}{% endfor %}
dest: "{{ postfix_mail_domains[domain].user_lookup.file |
default('/etc/postfix/'+domain+'_users') |
regex_replace('^/etc/postfix',postfix_mountpoint) }}"
dest: "{{ postfix_mail_domains[domain].user_lookup.file|default('/etc/postfix/'+domain+'_users') }}"
marker: "# {mark} ANSIBLE-MANAGED USERS"
create: yes
when:
@@ -48,9 +42,7 @@
{% for key in postfix_mail_domains[domain]['aliases']|default([]) -%}
{{ key.alias }} {{ key.dest }}
{% endfor %}
dest: "{{ postfix_mail_domains[domain].alias_lookup.file |
default('/etc/postfix/'+domain+'_aliases') |
regex_replace('^/etc/postfix',postfix_mountpoint) }}"
dest: "{{ postfix_mail_domains[domain].user_lookup.file|default('/etc/postfix/'+domain+'_aliases') }}"
marker: "# {mark} ANSIBLE-MANAGED ALIASES"
create: yes
when:
@@ -61,9 +53,7 @@
copy:
content: |
{% for address in postfix_mail_domains[domain].noreply_aliases|default(['noreply']) %}
{{ address }}@{{ domain }} _dev_null
{{ address }}@domain _dev_null
{% endfor %}
dest: "{{ postfix_mail_domains[domain].noreply_file |
default('/etc/postfix/'+domain+'_noreply') |
regex_replace('^/etc/postfix',postfix_mountpoint) }}"
dest: "{{ postfix_mail_domains[domain].noreply_file|default('/etc/postfix/'+domain+'_noreply') }}"
notify: postmap no reply aliases

365
tasks/main.yml
View File

@@ -1,151 +1,97 @@
---
- name: Activar container postfix
docker_container:
name: "{{ postfix_container }}"
state: started
restart_policy: unless-stopped
image: "{{ postfix_image }}"
volumes:
- "{{ postfix_volume }}:/etc/postfix"
- "{{ postfix_volume_ssl }}:/ssl"
networks:
- name: "{{ docker_network }}"
ports: "{{ postfix_publish_ports }}"
env:
MYDESTINATION: >-
{{ postfix_unix_domains |
union( [ ansible_fqdn, 'localhost.localdomain', 'localhost'] ) |
difference( postfix_mail_domains ) | join(', ') }}
MYHOSTNAME:
"{{ postfix_server_name }}"
MYDOMAIN:
"{{ postfix_server_domain }}"
MYNETWORKS: >-
{{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] |
union( postfix_local_networks ) | join(', ') }}
VIRTUAL_ALIAS_MAPS: >-
{% for d in postfix_mail_domains.keys()|list %}
{% set p = postfix_mail_domains[d].alias_lookup.provider|default(postfix_lookup_provider) %}
{% if p == "ldap" %}
ldap:/etc/postfix/{{ d }}_ldap_alias.cf
{% if postfix_mail_domains[d].alias_lookup.use_group_as_alias|default(postfix_ldap_use_group_alias) %},
ldap:/etc/postfix/{{ d }}_ldap_group.cf
{% endif %}
{% elif p == "sqlite" %}
sqlite:/etc/postfix/{{d}}_sqlite_alias.cf
{% elif p == "file" %}
hash:/etc/postfix/{{ d }}_aliases
{% endif %}, hash:/etc/postfix/{{ d }}_noreply
{{ '' if loop.last else ',' }}{% endfor %}
VIRTUAL_MAILBOX_MAPS: >-
{% for d in postfix_mail_domains.keys()|list %}
{% set p = postfix_mail_domains[d].user_lookup.provider|default(postfix_lookup_provider) %}
{% if p == "ldap" %}
ldap:/etc/postfix/{{ d }}_ldap_user.cf
{% elif p == "sqlite" %}
sqlite:/etc/postfix/{{ d }}_sqlite_user.cf
{% elif p == "file" %}
hash:/etc/postfix/{{ d }}_users
{% endif %}{{ '' if loop.last else ',' }}{% endfor %},
VIRTUAL_TRANSPORT: "lmtp:{{ dovecot_container }}:24"
VIRTUAL_MAILBOX_DOMAINS: "{{ postfix_mail_domains | join (', ') }}"
SMTPD_SASL_PATH: "inet:{{ dovecot_container }}:12345"
SMTPD_SASL_TYPE: dovecot
SMTPD_SASL_AUTH_ENABLE: "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
SMTPD_TLS_CERT_FILE: /ssl/cert.pem
SMTPD_TLS_KEY_FILE: /ssl/key.pem
SMTP_TLS_SECURITY_LEVEL:
"{{postfix_incoming_tls_security}}"
SMTPD_TLS_SECURITY_LEVEL:
"{{postfix_outgoing_tls_security}}"
SMTPD_TLS_AUTH_ONLY:
"{{ 'yes' if postfix_allow_insecure_auth else 'no'}}"
SMTPD_TLS_SESSION_CACHE_DATABASE:
"{{ 'btree:${data_directory}/smtpd_scache' if postfix_tls_session_cache else '' }}"
SMTPD_CLIENT_RESTRICTIONS:
"{{ postfix_client_restrictions | join(', ') }}"
SMTPD_DATA_RESTRICTIONS:
"{{ postfix_data_restrictions | join(', ') }}"
SMTPD_HELO_RESTRICTIONS:
"{{ postfix_helo_restrictions | join(', ') }}"
SMTPD_RELAY_RESTRICTIONS:
"{{ postfix_relay_restrictions | join(', ') }}"
SMTPD_RECIPIENT_RESTRICTIONS:
"{{ postfix_recipient_restrictions | join(', ') }}"
MESSAGE_SIZE_LIMIT:
"{{ postfix_message_size_limit | string }}"
SMTPD_HELO_REQUIRED:
"{{ 'yes' if postfix_helo_required else 'no' }}"
BIFF:
"{{ 'yes' if postfix_biff else 'no' }}"
SUBMISSION_ENABLE:
"{{ 'yes' if postfix_submission_enable else 'no' }}"
POSTSCREEN_ENABLE:
"{{ 'yes' if postfix_postscreen_enable else 'no' }}"
POSTSCREEN_ACCESS_LIST:
"cidr:/etc/postfix/{{ postfix_rules_dir }}/postscreen_access_list.cidr, permit_mynetworks"
POSTSCREEN_DNSBL_SITES: "\
{% for entry in postfix_postscreen_dnsbl_sites -%}\
{% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
{{ entry.site }}{{ '*' if entry.score is defined else '' }}\
{{ entry.score | default('') }}{% endif %}\
{{ '' if loop.last else ', ' }}{% endfor %}"
POSTSCREEN_DNSBL_REPLY_MAP:
"pcre:/etc/postfix/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
POSTSCREEN_BLACKLIST_ACTION:
"{{ postfix_postscreen_blacklist_action }}"
POSTSCREEN_DNSBL_ACTION:
"{{ postfix_postscreen_dnsbl_action }}"
POSTSCREEN_DNSBL_THRESHOLD:
"{{ postfix_postscreen_dnsbl_threshold | string}}"
POSTSCREEN_DNSBL_WHITELIST_THRESHOLD:
"{{ postfix_postscreen_dnsbl_whitelist_threshold | string }}"
POSTSCREEN_GREET_ACTION:
"{{ postfix_postscreen_greet_action }}"
# - name: "Load default config for domains"
# set_fact:
# dc: "{{ dc|default({})|combine( { item: {
# 'user_lookup': {
# 'provider': 'file',
# 'file': vmail_home +'/'+item+'_users',
# 'domain': item,
# 'server_host': postfix_ldap_server,
# 'server_port': postfix_ldap_port,
# 'version': postfix_ldap_version,
# 'scope': postfix_ldap_scope,
# 'bind': postfix_ldap_bind,
# 'bind_dn': postfix_ldap_bind_dn,
# 'bind_pw': postfix_ldap_bind_pw,
# 'start_tls': postfix_ldap_start_tls,
# 'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
# 'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
# 'search_base':
# 'ou=People,'+item.split('.')|map('regex_replace','^','dc=')|join(','),
# 'query_filter': '(&(objectClass=inetOrgPerson)(uid=%u))',
# 'result_attribute': 'uid',
# 'result_format': vmail_home+'/mail/'+item+'/%s/',
# 'dbpath': vmail_home+'/'+item+'_users.sqlite',
# 'query': postfix_sqlite_user_query
# },
# 'users': [],
# 'alias_lookup': {
# 'provider': 'file',
# 'file': vmail_home +'/'+item+'_aliases',
# 'domain': item,
# 'server_host': postfix_ldap_server,
# 'server_port': postfix_ldap_port,
# 'version': postfix_ldap_version,
# 'scope': postfix_ldap_scope,
# 'bind': postfix_ldap_bind,
# 'bind_dn': postfix_ldap_bind_dn,
# 'bind_pw': postfix_ldap_bind_pw,
# 'start_tls': postfix_ldap_start_tls,
# 'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
# 'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
# 'search_base':
# 'ou=Alias,'+item.split('.')|map('regex_replace','^','dc=')|join(','),
# 'query_filter': '(&(objectClass=nisMailAlias)(cn=%u))',
# 'result_attribute': 'rfc822MailMember',
# 'result_format': '%s',
# 'dbpath': vmail_home+'/'+item+'_aliases.sqlite',
# 'query': postfix_sqlite_alias_query
# },
# 'aliases': [],
# 'use_group_as_alias': postfix_ldap_use_group_alias,
# 'group_lookup': {
# 'provider': 'ldap',
# 'domain': item,
# 'server_host': postfix_ldap_server,
# 'server_port': postfix_ldap_port,
# 'version': postfix_ldap_version,
# 'scope': postfix_ldap_scope,
# 'bind': postfix_ldap_bind,
# 'bind_dn': postfix_ldap_bind_dn,
# 'bind_pw': postfix_ldap_bind_pw,
# 'start_tls': postfix_ldap_start_tls,
# 'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
# 'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
# 'search_base':
# 'ou=Group,'+item.split('.')|map('regex_replace','^','dc=')|join(','),
# 'query_filter': '(&(objectClass=posixGroup)(cn=%u))',
# 'result_attribute': 'memberUid',
# 'result_format': '%s@{{d}}',
# },
# 'noreply_aliases': [ 'noreply' ],
# 'noreply_file': vmail_home +'/'+item+'_noreply',
# } }, recursive=True) }}"
# with_items: "{{ postfix_mail_domains }}"
register: container
# - name: "Override config for domains"
# set_fact:
# dc: '{{ dc | combine(postfix_domain_config, recursive=True) }}'
- name: Exportar informacion de container
set_fact:
postfix_container: "{{ lookup('vars','postfix_container') }}"
- name: Instalar Postfix
apt:
name:
- postfix
- postfix-pcre
- postfix-ldap
- postfix-sqlite
state: present
notify: restart postfix
- when: postfix_volume[0] != '/'
block:
- name: Leer info de volumen {{ postfix_volume }}
docker_volume_info:
name: "{{ postfix_volume }}"
register: res_cfg
- name: Exportar informacion de volumen
set_fact:
postfix_volume: "{{ lookup('vars','postfix_volume') }}"
postfix_mountpoint: "{{ res_cfg.volume.Mountpoint }}"
- when: postfix_volume[0] == '/'
block:
- name: Exportar informacion de volumen
set_fact:
postfix_volume: "{{ lookup('vars','postfix_volume') }}"
postfix_mountpoint: "{{ lookup('vars','postfix_volume') }}"
- when: postfix_volume_ssl[0] != '/'
block:
- name: Leer info de volumen {{ postfix_volume_ssl }}
docker_volume_info:
name: "{{ postfix_volume_ssl }}"
register: res_ssl
- name: Exportar informacion de volumen
set_fact:
postfix_volume_ssl: "{{ lookup('vars','postfix_volume_ssl') }}"
postfix_mountpoint_ssl: "{{ res_ssl.volume.Mountpoint }}"
- when: postfix_volume_ssl[0] == '/'
block:
- name: Exportar informacion de volumen
set_fact:
postfix_volume_ssl: "{{ lookup('vars','postfix_volume_ssl') }}"
postfix_mountpoint_ssl: "{{ lookup('vars','postfix_volume_ssl') }}"
# FIXME: resolver access lists y tables en Docker
- name: Servicio delivery+auth mediante Dovecot
copy:
src: 11-postfix.conf
dest: /etc/dovecot/conf.d/11-postfix.conf
notify: restart dovecot
- name: Configurar lookup tables
include_tasks: lookup_tables.yml
@@ -153,20 +99,32 @@
loop_control:
loop_var: domain
- name: Alias local para usuario no-reply
blockinfile:
block: |
_dev_null: /dev/null
marker: "# {mark} ANSIBLE-MANAGED ALIASES"
path: /etc/aliases
notify: newaliases
- name: Directorio de reglas para access lists
file:
name: "{{ postfix_rules_dir }}"
state: directory
- name: Template client access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/client_access_list"
path: "{{ postfix_rules_dir }}/client_access_list"
create: yes
block: |
# Edit host variable `postfix_client_access_list` to change these values
{% for entry in postfix_client_access_list -%}
{{ entry.regex }} {{ entry.action }}
{% endfor %}
notify: postmap access lists
- name: Template helo access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/helo_access_list"
path: "{{ postfix_rules_dir }}/helo_access_list"
create: yes
block: |
# Edit host variable `postfix_helo_access_list` to change these values
@@ -177,7 +135,7 @@
- name: Template recipient access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/recipient_access_list"
path: "{{ postfix_rules_dir }}/recipient_access_list"
create: yes
block: |
# Edit host variable `postfix_recipient_access_list` to change these values
@@ -188,7 +146,7 @@
- name: Template sender access list
blockinfile:
path: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/sender_access_list"
path: "{{ postfix_rules_dir }}/sender_access_list"
create: yes
block: |
# Edit host variable `postfix_sender_access_list` to change these values
@@ -197,6 +155,115 @@
{% endfor %}
notify: postmap access lists
- name: Configurar main.cf
postconf:
parameter:
mydestination: >-
{{ postfix_unix_domains |
union( [ ansible_fqdn, 'localhost.localdomain', 'localhost'] ) |
difference( postfix_mail_domains ) }}
myhostname:
"{{ postfix_server_name }}"
mydomain:
"{{ postfix_server_domain }}"
mynetworks: >-
{{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] |
union( postfix_local_networks ) }}
virtual_alias_maps: >-
{% for d in postfix_mail_domains %}
{% set p = postfix_domain_config[d].alias_lookup.provider|default(postfix_lookup_provider) %}
{% if p == "ldap" %}
ldap:/etc/postfix/{{ d }}_ldap_alias.cf
{% if postfix_domain_config[d].alias_lookup.use_group_as_alias|default(postfix_ldap_use_group_alias) %},
ldap:/etc/postfix/{{ d }}_ldap_group.cf
{% endif %}
{% elif p == "sqlite" %}
sqlite:/etc/postfix/{{d}}_sqlite_alias.cf
{% elif p == "file" %}
hash:/etc/postfix/{{ d }}_aliases
{% endif %}, /etc/postfix/{{ d }}_noreply
{{ '' if loop.last else ',' }}{% endfor %}
virtual_mailbox_maps: >-
{% for d in postfix_mail_domains %}
{% set p = postfix_domain_config[d].user_lookup.provider|default(postfix_lookup_provider) %}
{% if p == "ldap" %}
ldap:/etc/postfix/{{ d }}_ldap_user.cf
{% elif p == "sqlite" %}
sqlite:/etc/postfix/{{ d }}_sqlite_user.cf
{% elif p == "file" %}
hash:/etc/postfix/{{ d }}_users
{% endif %}{{ '' if loop.last else ',' }}{% endfor %}
virtual_transport:
lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains:
"{{ postfix_mail_domains }}"
smtpd_sasl_path: private/auth
smtpd_sasl_type: dovecot
smtpd_sasl_auth_enable:
"{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
smtpd_tls_cert_file:
"{{ postfix_tls_certificate }}"
smtpd_tls_key_file:
"{{ postfix_tls_private_key }}"
smtp_tls_security_level:
"{{postfix_incoming_tls_security}}"
smtpd_tls_security_level:
"{{postfix_outgoing_tls_security}}"
smtpd_tls_auth_only:
"{{ 'yes' if postfix_allow_insecure_auth else 'no'}}"
smtpd_tls_session_cache_database:
"{{ 'btree:${data_directory}/smtpd_scache' if postfix_tls_session_cache else '' }}"
smtpd_client_restrictions:
"{{ postfix_client_restrictions }}"
smtpd_data_restrictions:
"{{ postfix_data_restrictions }}"
smtpd_helo_restrictions:
"{{ postfix_helo_restrictions }}"
smtpd_relay_restrictions:
"{{ postfix_relay_restrictions }}"
smtpd_recipient_restrictions:
"{{ postfix_recipient_restrictions }}"
message_size_limit:
"{{ postfix_message_size_limit }}"
smtpd_helo_required:
"{{ 'yes' if postfix_helo_required else 'no' }}"
biff:
"{{ 'yes' if postfix_biff else 'no' }}"
notify: reload postfix
- name: "Enable submission service"
postconf:
service: submission
type: inet
private: 'n'
command: smtpd
parameter:
milter_macro_daemon_name: ORIGINATING
smtpd_client_restrictions:
- permit_sasl_authenticated
- reject
smtpd_sasl_auth_enable: 'yes'
smtpd_tls_security_level: encrypt
syslog_name: postfix/submission
notify: reload postfix
when: "postfix_submission_enable == True"
- name: "Disable submission service"
postconf:
service: submission
type: inet
state: absent
notify: reload postfix
when: "postfix_submission_enable == False"
- name: "Enable postscreen"
include_tasks: postscreen.yml
when: "postfix_postscreen_enable == True"
- name: "Disable postscreen"
include_tasks: postscreen_disable.yml
when: "postfix_postscreen_enable == False"
# TODO: mensajes
# TODO: milter_header_checks

8
tasks/postscreen.yml
View File

@@ -49,12 +49,12 @@
{% for entry in postfix_postscreen_access_list -%}
{{ entry.address }} {{ entry.action }}
{% endfor %}
dest: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/postscreen_access_list.cidr"
dest: "/etc/postfix/rules/postscreen_access_list.cidr"
- name: "postscreen: set postscreen_access_list parameter"
postconf:
parameter: postscreen_access_list
value: "cidr:/etc/postfix/{{ postfix_rules_dir }}/postscreen_access_list.cidr, permit_mynetworks"
value: "cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
notify: reload postfix
- name: "postscreen: enable/disable after-220 SMTP greeting tests"
@@ -95,13 +95,13 @@
{% else %}
/^{{ entry.site }}$/ dnsbl blacklist
{% endif %}{% endif %}{% endif %}{% endfor %}
dest: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
dest: /etc/postfix/rules/postscreen_dnsbl_mask.pcre
notify: reload postfix
- name: "postscreen: configure masking table parameter"
postconf:
parameter: postscreen_dnsbl_reply_map
value: "pcre:/etc/postfix/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
value: "pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
notify: reload postfix
- name: "postscreen: set misc. parameters"

4
templates/ldap_table.cf.j2
View File

@@ -4,10 +4,10 @@ server_host = {{ postfix_ldap_server }}
server_port = {{ postfix_ldap_port }}
version = {{ postfix_ldap_version }}
scope = {{ postfix_ldap_scope }}
bind = {{ 'yes' if postfix_ldap_bind else 'no' }}
bind = {{ postfix_ldap_bind }}
bind_dn = {{ postfix_ldap_bind_dn }}
bind_pw = {{ postfix_ldap_bind_pw }}
start_tls = {{ 'yes' if postfix_ldap_start_tls else 'no' }}
start_tls = {{ postfix_ldap_start_tls }}
tls_ca_cert_file = {{ postfix_ldap_tls_ca_cert_file }}
tls_ca_cert_dir = {{ postfix_ldap_tls_ca_cert_dir }}
{% if item == 'user' %}